AWS AmazonECS high security documentation change
Summary
Expanded image scanning documentation with AWS native scanning replacing Clair, added deprecation timeline and vulnerability severity details
Security assessment
Directly addresses security scanning capabilities by deprecating an older vulnerability detection method (Clair) and promoting a more secure AWS-native solution. Includes CVE handling details and vulnerability severity guidance, which impacts container security posture.
Diff
diff --git a/AmazonECS/latest/developerguide/security-tasks-containers.md b/AmazonECS/latest/developerguide/security-tasks-containers.md index 9402ed2a9..3d625035c 100644 --- a//AmazonECS/latest/developerguide/security-tasks-containers.md +++ b//AmazonECS/latest/developerguide/security-tasks-containers.md @@ -53 +53,14 @@ Similar to their virtual machine counterparts, container images can contain bina -Images that are stored in Amazon ECR can be scanned on push or on-demand (once every 24 hours). Amazon ECR basic scanning uses [Clair](https://github.com/quay/clair), an open-source image scanning solution. Amazon ECR enhanced scanning uses Amazon Inspector. After an image is scanned, the results are logged to the Amazon ECR event stream in Amazon EventBridge. You can also see the results of a scan from within the Amazon ECR console or by calling the [DescribeImageScanFindings](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeImageScanFindings.html) API. Images with a `HIGH` or `CRITICAL` vulnerability should be deleted or rebuilt. If an image that has been deployed develops a vulnerability, it should be replaced as soon as possible. +Amazon ECR provides two versions of basic scanning that use the Common Vulnerabilities and Exposures (CVEs) database: + + * **AWS native basic scanning** – Uses AWS native technology, which is now GA and recommended. This improved basic scanning is designed to provide customers with better scanning results and vulnerability detection across a broad set of popular operating systems. This allows customers to further strengthen the security of their container images. All new customer registries are opted into this improved version by default. + + * **Clair basic scanning** – The previous basic scanning version which uses the open-source Clair project and is deprecated. For more information about Clair, see [Clair](https://github.com/quay/clair) on GitHub. + + + + +Both AWS native and Clair basic scanning are supported in all regions listed in [AWS Services by Region](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/), except for those that were added after September, 2024. Because Clair support is deprecated, Clair will not be supported in new regions as they are added and will no longer be supported in all regions as of October 1, 2025. + +Amazon ECR uses the severity for a CVE from the upstream distribution source if available. Otherwise, the Common Vulnerability Scoring System (CVSS) score is used. The CVSS score can be used to obtain the NVD vulnerability severity rating. For more information, see [NVD Vulnerability Severity Ratings](https://nvd.nist.gov/vuln-metrics/cvss). + +You can also see the results of a scan from within the Amazon ECR console or by calling the [DescribeImageScanFindings](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeImageScanFindings.html) API. Images with a `HIGH` or `CRITICAL` vulnerability should be deleted or rebuilt. If an image that has been deployed develops a vulnerability, it should be replaced as soon as possible.