How can ECR enhanced scanning be configured or activated using AWS CDK?

edit

To configure or activate ECR enhanced scanning using AWS CDK, you can follow the below steps:

1. Install the necessary AWS CDK dependencies and set up your project.

2. In your code editor, import the necessary libraries:

import { Effect, PolicyStatement } from '@aws-cdk/aws-iam';
import { Repository } from '@aws-cdk/aws-ecr';
import { CfnRepository } from '@aws-cdk/aws-ecr';

1. Create an ECR repository:

const ecrRepository = new Repository(this, 'ECRRepositoryName', {
  repositoryName: 'example_repository_name',
  removalPolicy: RemovalPolicy.DESTROY,
});

1. Enable ECR enhanced scanning for the repository by adding the following policy statements to allow ECR to perform the relevant actions:

ecrRepository.addToResourcePolicy(new PolicyStatement({
  actions: [
    "ecr:DescribeImages",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:PutImageScanningConfiguration",
  ],
  principals: [new ServicePrincipal('ecr.amazonaws.com')],
  effect: Effect.ALLOW,
}));

1. Finally, you need to set the ImageScanningConfiguration property of the CfnRepository instance:

const ecrRepoCFN = ecrRepository.node.defaultChild as CfnRepository;
ecrRepoCFN.imageScanningConfiguration = {
  scanOnPush: true,
};

1. Deploy your application and the ECR repository with the enhanced scanning feature will be created with the configured settings.

Note: Make sure you have sufficient permissions to create an ECR repository and to add the required policy statements.