For AWS ECR you’ll need to create a connector to connect to your AWS account.
You can delete misconfigured or unused connectors from the Connector list if they are not associated with any registries.
On the Connector Details page, give your connector a name, and provide a description.
Your selection will determine the Qualys AWS Account ID and External ID that will be used.
The steps you need also appear in the UI, on the right side of the Connector Details screen.
To use a custom policy that matches every repository belonging to a specific account, use a wildcard (*) in the Resource element of the policy JSON. The correct format is shown in the JSON below. Note that two statements are defined inside the Statement element, and both must be present. You also need to replace the region and account number (us-west-1 and 123456789012 in the sample) with values appropriate for your account.
Define your policy first and then follow the steps outlined above to create a role for cross-account access using the Qualys AWS Account ID and External ID from the connector details in the Container Security UI. In Step 5, pick your custom policy instead of “AmazonEC2ContainerRegistryReadOnly”.
After creating the custom policy, finish the role creation with steps 6 and 7.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:ListImages",
                "ecr:GetRepositoryPolicy"
            ],
            "Resource": "arn:aws:ecr:us-west-1:123456789012:repository/*"
        },
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Action": [
                "ecr:DescribeRepositories",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}
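The following is an added example, not code from the Qualys documentation. It generates the two-statement policy above with the region and account number filled in (so the sample values are never left in place by mistake), builds the trust policy that a cross-account role needs so that only the Qualys account can assume it and only when it presents the External ID (the standard AWS pattern for cross-account roles), and lints a policy document for the properties the page requires: exactly two statements, only the listed read-only ECR actions, and the repository-level actions scoped to an ECR repository ARN rather than "*". The account IDs and external ID used below are placeholders; the real values come from the connector details in the Container Security UI.

```python
"""Build and sanity-check IAM policy documents for a read-only ECR connector.

Added example (not from the Qualys page). Account IDs, the external ID and the
role name used here are placeholders, not real values.
"""
import json
import re

# Actions from the page's policy. The first group is scoped per repository;
# the second only works on Resource "*" (they are not repository-level calls).
REPO_SCOPED_ACTIONS = [
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:DescribeImages",
    "ecr:ListImages",
    "ecr:GetRepositoryPolicy",
]
ACCOUNT_WIDE_ACTIONS = ["ecr:DescribeRepositories", "ecr:GetAuthorizationToken"]
ALLOWED_ACTIONS = set(REPO_SCOPED_ACTIONS) | set(ACCOUNT_WIDE_ACTIONS)

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_ecr_policy(region: str, account_id: str) -> dict:
    """Return the two-statement permissions policy with region/account filled in."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"AWS account id must be 12 digits, got {account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": list(REPO_SCOPED_ACTIONS),
                "Resource": f"arn:aws:ecr:{region}:{account_id}:repository/*",
            },
            {
                "Sid": "Statement2",
                "Effect": "Allow",
                "Action": list(ACCOUNT_WIDE_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def build_trust_policy(qualys_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only the given account may assume
    it, and only when it presents the External ID (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{qualys_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_ecr_policy(policy: dict) -> list:
    """Lint a permissions policy; returns a list of findings (empty means OK)."""
    findings = []
    statements = policy.get("Statement", [])
    if len(statements) != 2:
        findings.append(f"expected 2 statements, found {len(statements)}")
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Anything outside the page's read-only action list is over-privileged
        # (this also catches "*" and "ecr:*").
        extra = sorted(set(actions) - ALLOWED_ACTIONS)
        if extra:
            findings.append(f"{sid}: actions beyond read-only scope: {extra}")
        # Repository-level actions must be tied to an ECR repository ARN.
        if set(actions) & set(REPO_SCOPED_ACTIONS) and "*" in resources:
            findings.append(f"{sid}: repository actions should be scoped to an ECR repository ARN")
    return findings


if __name__ == "__main__":
    policy = build_ecr_policy("us-west-1", "123456789012")  # sample values from the page
    print(json.dumps(policy, indent=4))
    print("findings:", check_ecr_policy(policy) or "none")
    print(json.dumps(build_trust_policy("111111111111", "PLACEHOLDER-EXTERNAL-ID"), indent=4))
```

Running the script prints the generated policy, the lint result (none for the generated document), and the trust policy; paste the permissions policy into the custom policy step and use the trust policy when creating the role. The linter is deliberately strict: a statement carrying ecr:PutImage, ecr:BatchDeleteImage or "ecr:*" is reported even though it would still let the scan succeed, because the connector only needs read access.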