Snyk Documentation

ECR—integrate and test

Snyk integrates with AWS Elastic Container Registry (ECR) to enable you to import your projects and monitor your containers for vulnerabilities, as is fully described in our Container vulnerability management documentation. Snyk tests the projects you’ve imported for any known security vulnerabilities found, at a frequency you control.

Integration with AWS ECR is available for all of our pricing plans.

This document describes:

Configure integration for AWS ECR

Enable integration between one AWS ECR registry and a Snyk organization, and start managing your image security. To integrate with multiple registries, create a unique organization for each one.

To enable integration, you must first create a read-only AWS Identity and Access Management (IAM) role. The role delegates read-only access to all repositories in your registry for Snyk per organization by indicating the list of permitted Snyk-assigned organization IDs.

Thereafter, when integrating additional organizations, you can simply add the additional organization IDs as necessary.

This section describes how to:

Enable permissions to access AWS ECR for the first time

  1. Click here to log in to the AWS Management Console, navigate to the IAM service and then to the Policies page to create a policy for the role by updating the related JSON file only, as follows:
    1. Create a new policy.
    2. Navigate to the JSON tab.
    3. Select and delete all of the default text in the JSON file.
    4. Copy script as it is displayed from the UI in your Snyk account and paste it inside the JSON file:
    5. Set AmazonEC2ContainerRegistryReadOnlyForSnyk as the Name.
      Enter "Provides Snyk with read-only access to Amazon EC2 Container Registry repositories" as the Description.
    6. Click Create Policy.
  2. Create a role by which to implement the policy:
    1. From the AWS Management Console again, navigate to the Roles page and create a new role.
    2. Select AWS service as the trusted entity and EC2 as the service for this role.
    3. Click Next: permissions.
    4. From the Policies list that is displayed, search for and select the AmazonEC2ContainerRegistryReadOnlyForSnyk policy you just created.
    5. Skip to the last step (Review) of the process.
    6. Name the role SnykServiceRole, enter "Allows EC2 instances to call Snyk AWS services on your behalf" as the Description and then Create role.
  3. Harden the usability scope for the role:
    1. Again from the Roles page, find and click the link for the role you just created to update its configurations and navigate to the Trust relationships tab.
    2. Click Edit trust relationship.
    3. In the Policy Document, select and delete the entire script and then copy the following script as it is displayed from the UI in your Snyk account and paste:

Add additional organizations to the role

Once you've created an AWS IAM role for Snyk, you can add additional organizations to the same role for repeated use.

  1. In Snyk, retrieve, copy the IDs for any additional Snyk organizations that you want to integrate and save them on the side. You'll need to paste them into a script in the coming steps. See our docs to help you navigate through your organizations.
  2. In AWS,  navigate to the Trust relationships tab for the role you would like to update with additional organizations.
  3. Click Edit trust relationship.
  4. Make sure the value of "sts:ExternalId" is enclosed with square brackets and insert the additional organization ID inside those brackets. Use a comma ( , ) to separate between organization ID values. For example:
    
    "sts:ExternalId": [
     "11111111-1111-1111-1111-111111111111",
     "22222222-2222-2222-2222-222222222222",
     "c2fa1651-601d-41gc-abe9-03691f5287d8"
    ]
              
    Where:
     "11111111-1111-1111-1111-111111111111" = a unique Org ID
     "22222222-2222-2222-2222-222222222222" = another unique Org ID
     "c2fa1651-601d-41gc-abe9-03691f5287d8" = the ID for the Org from which you are currently setting up the integration

Configure your integration with Snyk

Once you create or update an IAM role, allow a few minutes for AWS to update the role on their servers before continuing.

  1. From AWS, copy the Role ARN key that appears at the top of the Summary section (inside the Role area still).
  2. Now, log in to your Snyk account.
  3. Navigate to Integrations from the menu bar at the top, find and click the ECR option:

    The ECR configuration page in the Settings area loads.
  4. Enter credentials as follows:
    AWS Region—use the format region-part-#. For example eu-west-3. You must enter the default region as configured for your AWS account in order for your repositories and images to be available for import.
    Role ARN—copy from your AWS account, in the format arn:aws:iam::<account-id>:role/<newRole>.
    For example:
    arn:aws:iam::881001789406:role/TestSnykIntegration_role
  5. Click Save.
    Snyk tests the connection values and the page reloads, now displaying AWS ECR integration details as you entered them. A confirmation message that the details were saved also appears in green at the top of the screen.

    In addition, if the connection to AWS failed, notification appears under the Connected to AWS ECR section.

Add projects to Snyk

Snyk tests and monitors your AWS ECR container images by evaluating its tags in your ECR repositories.

To add images to Snyk:

  1. Go to Projects and click Add projects.
    From the page that loads, click the + option and then from the Integrations page, find and click the ECR option:
  2. The Which ECR images do you want to test? view appears, displaying all of your AWS ECR images for the account to which you connected, grouped by each of your AWS ECR repositories, similar to the following:
  3. Checkmark the relevant images for import and monitoring.
  4. Click Add selected images to Snyk.
    Snyk tests the images and also imports them to the UI.
    Once repositories and images are imported, a confirmation appears in green at the top of the screen. ECR files are indicated with a unique icon  .
    You can now also filter to view only those projects:
  5. Additionally, you can now connect your Git repo to this project in order to use your Dockerfile for enriched remediation advice. For more info, see Add your Dockerfile for base image remediation.

AWS ECR integration works similar to our other integrations. To continue to monitor, remediate and manage your projects, see the relevant pages, also in our docs.