AWS inspector medium security documentation change
Summary
Updated ECR scanning activation criteria to focus on last-in-use images and reduce default retention period for new accounts, added IAM policy requirements for viewing container mappings, noted data latency for new accounts/images, and expanded Fargate support.
Security assessment
The documentation clarifies that AWSReadOnlyAccess alone is insufficient to view container image mappings, requiring AWSInspector2ReadOnlyAccess. This addresses a potential security visibility gap where users might misconfigure permissions and miss critical findings. The retention period reduction (90 days to 14 days for new accounts) tightens default security monitoring windows but does not directly resolve a vulnerability.
Diff
diff --git a/inspector/latest/user/scanning-ecr.md b/inspector/latest/user/scanning-ecr.md index ab22cdb43..49434b6d2 100644 --- a//inspector/latest/user/scanning-ecr.md +++ b//inspector/latest/user/scanning-ecr.md @@ -27 +27 @@ This section provides information about Amazon ECR scanning and describes how to -When you first activate ECR scanning, and your repository is configured for continuous scanning, Amazon Inspector detects all eligible images that you have pushed within 30 days, or pulled within the last 90 days. Then Amazon Inspector scans the detected images and sets their scan status to `active`. Amazon Inspector continues to monitor images as long as they were pushed or pulled within the last 90 days (by default), or within the ECR rescan duration you configure. For more information, see [Configuring the Amazon ECR re-scan duration](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html). +When you first activate Amazon ECR scanning, and your repository is configured for continuous scanning, Amazon Inspector detects all eligible last-in-use images on a running container or images that were pushed within the last 14 days. Amazon Inspector then scans the detected images and sets their scan status to `active`. Amazon Inspector continues to monitor images as long as they were pushed within 14 days (by default) or the last-in-use date is within 14 days (by default), or within the Amazon ECR rescan duration you configure. For Amazon Inspector accounts that were created prior to May 16th, 2025, the default configuration is for re-scan to monitor images if they were pushed or pulled within the last 90 days. For more information, see [Configuring the Amazon ECR re-scan duration](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_configure_duration_setting_ecr.html). @@ -53 +53,5 @@ Amazon Inspector provides comprehensive container security management by mapping -With this feature, you can prioritize remediation efforts based on operational risks and maintain security coverage across the entire container ecosystem. You can monitor container images currently in use and when container images were last used on an Amazon ECS or Amazon EKS cluster in the past 24 hours. This information will be available in [your findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html) through the Amazon Inspector console on the details screen for your container image findings and with the [Amazon Inspector API](https://docs.aws.amazon.com/inspector/v2/APIReference/API_FilterCriteria.html) through the `ecrImageInUseCount` and `ecrImageLastInUseAt` filters. +###### Note + +The managed policy `AWSReadOnlyAccess` alone does not provide sufficient permissions to view the mapping between Amazon ECR images and running containers. You need both the `AWSReadOnlyAccess` and `AWSInspector2ReadOnlyAccess` managed policies to view container image mapping information. + +With this feature, you can prioritize remediation efforts based on operational risks and maintain security coverage across the entire container ecosystem. You can monitor container images currently in use and when container images were last used on an Amazon ECS or Amazon EKS cluster in the past 24 hours. For new images or accounts, it can take up to 36 hours for data to be available. Afterwards, this data is updated once every 24-hours. This information will be available in [your findings](https://docs.aws.amazon.com/inspector/latest/user/findings-understanding.html) through the Amazon Inspector console on the details screen for your container image findings and with the [Amazon Inspector API](https://docs.aws.amazon.com/inspector/v2/APIReference/API_FilterCriteria.html) through the `ecrImageInUseCount` and `ecrImageLastInUseAt` filters. @@ -60,0 +65,2 @@ You can also [re-scan container images](https://docs.aws.amazon.com/inspector/la +This feature is also supported on Amazon ECS Amazon EKS Fargate. +