Amazon ECR
Connect AWS Elastic Container Registry to generate SBOMs
Amazon ECR Integration
Connect your AWS Elastic Container Registry (ECR) to Safeguard for container image SBOM generation and vulnerability scanning.
Prerequisites
- An AWS account with ECR repositories
- AWS Access Key ID and Secret Access Key with ECR permissions
Public ECR Images
Amazon ECR Public Gallery images can be scanned without authentication.
Step 1: Navigate to Integrations
Go to Integrations from the sidebar and click Connect on the Amazon ECR card.
Step 2: Enter Image Reference
- Select the Public tab
- Enter a Name for this configuration
- Optionally add a Description
- Enter the ECR Public image URI (e.g., public.ecr.aws/nginx/nginx:latest)
- Click Add
Step 3: Review & Connect
- Configure Project Name and Version
- Click Connect to complete
Private ECR Images
Step 1: Navigate to Integrations
Go to Integrations from the sidebar and click Connect on the Amazon ECR card.
Step 2: Enter AWS Credentials
- Select the Private tab
- Enter a Name for this configuration
- Optionally add a Description
- Enter your AWS credentials:
  - AWS Access Key ID
  - AWS Secret Access Key
  - AWS Region (e.g., us-east-1)
- Click Verify Credentials
Step 3: Select Images
- Once verified, browse available repositories
- Select the images you want to scan
- Choose specific tags or digests
Step 4: Configure & Connect
- Set Project Name and Version for each image
- Click Connect to complete
Creating AWS Credentials
Option 1: IAM User with Access Keys
- Go to AWS Console then IAM then Users
- Click Add users
- Enter a username (e.g., "safeguard-ecr-readonly")
- Select Access key - Programmatic access
- Click Next: Permissions
- Attach the AmazonEC2ContainerRegistryReadOnly policy
- Click Create user
- Copy the Access Key ID and Secret Access Key
Option 2: Custom IAM Policy
Create a custom policy with minimum required permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}
Required IAM Permissions
| Permission | Description |
|---|---|
| ecr:GetAuthorizationToken | Get authentication token |
| ecr:BatchCheckLayerAvailability | Check layer availability |
| ecr:GetDownloadUrlForLayer | Download image layers |
| ecr:BatchGetImage | Get image manifests |
| ecr:DescribeRepositories | List repositories |
| ecr:ListImages | List images in repository |
| ecr:DescribeImages | Get image details |
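The check below is an added example, not part of the Safeguard documentation or product. It audits an IAM identity policy against the seven actions in the table above, flagging extra or wildcard actions and repository actions left on Resource "*". The account ID, repository name and function names are placeholders, and whether Safeguard's repository browser accepts repository-scoped ARNs is not stated on this page.

```python
import fnmatch

# The seven read-only actions from the page's permission table.
REQUIRED = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages",
}
TOKEN = "ecr:GetAuthorizationToken"  # no resource-level scoping, needs "*"

def as_list(value):
    return value if isinstance(value, list) else [value]

def matches(pattern, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit(policy):
    """Findings for the Allow statements of a policy meant only for scanning."""
    findings, granted = [], set()
    known = {a.lower() for a in REQUIRED}
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for pattern in actions:
            granted |= {a for a in REQUIRED if matches(pattern, a)}
            if pattern.lower() not in known:
                findings.append(f"statement {i}: {pattern} exceeds the scan permissions")
        # Everything except the token call can be limited to repository ARNs.
        if "*" in resources and any(p.lower() != TOKEN.lower() for p in actions):
            findings.append(f'statement {i}: repository actions allowed on Resource "*"')
        if any(matches(p, TOKEN) for p in actions) and "*" not in resources:
            findings.append(f'statement {i}: {TOKEN} needs Resource "*"')
    findings += [f"missing {a}" for a in sorted(REQUIRED - granted)]
    return findings

# Constructed samples: the page's policy shape, and a scoped variant with a
# placeholder account ID (111122223333) and hypothetical repository name.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED), "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": TOKEN, "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(REQUIRED - {TOKEN}),
     "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/example-app"}]}

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit(pol))
```

Deny statements, NotAction and Condition keys are not evaluated, so treat an empty result as a first pass rather than a full policy simulation.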
Troubleshooting
"Credentials verification failed"
- Verify the Access Key ID and Secret are correct
- Check that the IAM user has the required permissions
- Ensure the credentials haven't been deactivated
"Repository not found"
- Verify the region is correct
- Check that the IAM user has access to that repository
- Ensure the repository exists in the specified region
"Access denied"
- The IAM policy may be missing required permissions
- Check for any SCPs (Service Control Policies) that might restrict access
- Verify the repository policy allows access