AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2025-05-19 · Documentation medium

File: inspector/latest/user/scanning-ecr.md

Summary

Added documentation for container image-to-container mapping feature to prioritize vulnerabilities in running containers

Security assessment

Introduces documentation for a new security feature that helps prioritize remediation based on operational risk, improving security posture management.

Diff

diff --git a/inspector/latest/user/scanning-ecr.md b/inspector/latest/user/scanning-ecr.md
index 85aaa78c8..ab22cdb43 100644
--- a//inspector/latest/user/scanning-ecr.md
+++ b//inspector/latest/user/scanning-ecr.md
@@ -5 +5 @@
-Scan behaviors for Amazon ECR scanningSupported operating systems and media types
+Scan behaviors for Amazon ECR scanningMapping container images to running containersSupported operating systems and media types
@@ -48,0 +49,12 @@ You can check when a container image was last checked for vulnerabilities from t
+## Mapping container images to running containers
+
+Amazon Inspector provides comprehensive container security management by mapping container images to running containers across Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS). These mappings provide insights into vulnerabilities for images on running containers. 
+
+With this feature, you can prioritize remediation efforts based on operational risks and maintain security coverage across the entire container ecosystem. You can monitor container images currently in use and when container images were last used on an Amazon ECS or Amazon EKS cluster in the past 24 hours. This information will be available in [your findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html) through the Amazon Inspector console on the details screen for your container image findings and with the [Amazon Inspector API](https://docs.aws.amazon.com/inspector/v2/APIReference/API_FilterCriteria.html) through the `ecrImageInUseCount` and `ecrImageLastInUseAt` filters. 
+
+###### Note
+
+This data is automatically sent to Amazon ECR findings when you activate Amazon ECR scanning and configure your repository for continuous scanning. Continuous scanning must be configured at the Amazon ECR repository level. For more information, see [Enhanced scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html) in the _Amazon Elastic Container Registry User Guide_. 
+
+You can also [re-scan container images](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html) from clusters based on their last-in-use date. 
+