Connecting AWS Elastic Container Registry to Vanta

To enable Vanta to fetch vulnerabilities surfaced by scans of your ECR container images, add the ecr:DescribeImageScanFindings, ecr:DescribeImages, and ecr:ListTagsForResource permissions to the existing Vanta policy. These three read-only actions give Vanta access to the image metadata and scan findings it needs from ECR.

  • For each AWS account, navigate to the IAM Policies page in the AWS console.
  • Search for the VantaAdditionalPermissions IAM policy you created during AWS credential linking.
  • Click Edit policy, then open the "JSON" tab.
  • Paste the following policy into the editor, entirely replacing the existing policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "dynamodb:ListTagsOfResource",
        "ecr:ListTagsForResource",
        "sqs:ListQueueTags"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "datapipeline:EvaluateExpression",
        "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": "*"
    }
  ]
}
  • Click Review policy and Save changes.
  • Double-check on the IAM Roles page that the vanta-auditor IAM role has the VantaAdditionalPermissions policy attached.
  • For each ECR repository, ensure vulnerability scanning is enabled by choosing the "Scan on push" option. You can do this in the console by following the instructions from AWS here, or through the CLI.
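
As an added example (not Vanta's or AWS's own code), the following Python checks an IAM policy document offline for the outcome of the steps above: that the three ECR actions are effectively allowed and the three actions in the Deny statement stay blocked, honouring IAM's case-insensitive wildcard matching and its explicit-deny-wins rule. Resource and Condition elements are not evaluated, and the policy from this article is embedded as a constructed sample.

```python
import fnmatch
import json

# The three ECR read actions this article adds to VantaAdditionalPermissions.
REQUIRED_ECR_ACTIONS = ("ecr:DescribeImageScanFindings", "ecr:DescribeImages",
                        "ecr:ListTagsForResource")
# The actions the article's Deny statement must keep blocked.
EXPECTED_DENIES = ("datapipeline:EvaluateExpression", "datapipeline:QueryObjects",
                   "rds:DownloadDBLogFilePortion")

def _as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def effective_actions(policy, actions):
    """Return the subset of `actions` the policy allows: some Allow statement
    matches and no Deny statement does (explicit deny wins, as in IAM).
    Simplified evaluator: Resource/Condition are ignored (both statements in
    this article use Resource "*") and NotAction statements are not interpreted."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in actions
                      if any(_action_matches(p, a) for p in patterns))
    return allowed - denied

def missing_ecr_permissions(policy):
    """Required ECR actions the policy does not effectively grant, sorted."""
    return sorted(set(REQUIRED_ECR_ACTIONS) - effective_actions(policy, REQUIRED_ECR_ACTIONS))

def unexpectedly_allowed(policy):
    """Actions that should be denied but are effectively allowed, sorted."""
    return sorted(effective_actions(policy, EXPECTED_DENIES))

# Constructed sample: the policy document from this article, after the edit.
ARTICLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ecr:DescribeImageScanFindings", "ecr:DescribeImages",
        "dynamodb:ListTagsOfResource", "ecr:ListTagsForResource", "sqs:ListQueueTags"]},
    {"Effect": "Deny", "Resource": "*", "Action": [
        "datapipeline:EvaluateExpression", "datapipeline:QueryObjects",
        "rds:DownloadDBLogFilePortion"]}]}
```

To check the policy actually attached in an account, pass in the Document returned by `aws iam get-policy-version` instead of the embedded sample.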

You should see ECR repositories populated on the Inventory page within an hour of updating this policy!