
Enabling SBOM Content Retrieval for a Container Image in AWS ECR


This guide explains how to set up SBOM (Software Bill of Materials) content retrieval for a container image in AWS ECR (Elastic Container Registry) via BoostSecurity integration.

Note

This feature requires Amazon Inspector: the SBOMs that BoostSecurity retrieves are produced by Inspector's SBOM export, so Inspector must be enabled in the AWS account that owns the ECR repositories.

Follow these steps to enable SBOM content retrieval for a container image in AWS ECR:

  1. Navigate to the Integrations page.
  2. Scroll to the Available section and select Amazon Elastic Container Registry.


  3. Click on the Install button.

  4. Click the Generate External ID and Webhook button. BoostSecurity returns a randomly generated External ID together with a Webhook URL and Token; the EventBridge connection in step 5 and the IAM trust policy in step 6 use these values.


  5. Create an EventBridge rule that fires on successful image pushes to ECR, using this event pattern:

    {
        "source": ["aws.ecr"],
        "detail-type": ["ECR Image Action"],
        "detail": {
            "action-type": ["PUSH"],
            "result": ["SUCCESS"]
        }
    }
    
    • Set the rule's target to an EventBridge API destination.
    • Set the API destination endpoint to the webhook_url from step 4, with POST as the HTTP method.
    • For the API destination's connection, choose the API key authorization type, with ApiKey as the key name and the webhook token (webhook_secret) from step 4 as the value. This token is what authenticates the calls to BoostSecurity, so treat it as a credential.
  6. Create an IAM role whose trust policy allows only the BoostSecurity account (209299908473) to assume it, and only when the caller presents the External ID from step 4. The sts:ExternalId condition is what prevents the confused-deputy problem in cross-account access, so do not omit it:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "209299908473"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "externalIdProvidedByBoost"
                    }
                }
            }
        ]
    }
    
    
  7. In your AWS account, create the remaining resources with the permissions below.

    • Inspector permissions: refer to the Amazon Inspector documentation on Inspector permissions.
    • Getting SBOM reports: refer to the Amazon Inspector documentation on exporting SBOMs.
    • The role's permissions policy must include these statements. Replace s3-bucket-name with your export bucket and the kms:Decrypt resource with the ARN of the key used in that bucket's region; when you cover several regions, list one bucket and one key ARN per region rather than widening the resources to "*":
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::s3-bucket-name",
                    "arn:aws:s3:::s3-bucket-name/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecr:DescribeRepositories",
                    "ecr:ListImages",
                    "ecr:DescribeRegistry",
                    "ecr:DescribeImageScanFindings",
                    "ecr:BatchGetRepositoryScanningConfiguration",
                    "ecr:DescribeImages"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "inspector2:CreateSbomExport",
                    "inspector2:GetSbomExport"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:*:number-of-the-account:key/rest-of-the-info"
            }
        ]
    }
    

    Note: The created S3 bucket must be in the same region as the scanned ECR repository.

  8. S3 bucket policy (one bucket per region): each bucket must be in the same region as the ECR repositories it serves. Apply the policy below, which lets Amazon Inspector write the exports while the aws:SourceAccount condition limits that access to exports requested from your own account:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "allow-inspector",
                "Effect": "Allow",
                "Principal": {
                    "Service": "inspector2.amazonaws.com"
                },
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:AbortMultipartUpload"
                ],
                "Resource": "arn:aws:s3:::s3-bucket-name/*",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": "number-of-the-account"
                    }
                }
            }
        ]
    }
    
  9. KMS key (one per region): Amazon Inspector encrypts each export with a KMS key that must be in the same region as the destination bucket, so covering ECR repositories in several regions requires one key per region. A multi-Region KMS key with a replica key in each of those regions is the simplest way to provide this. Add the following statement to the policy of each key (or replica) so that Inspector, acting on behalf of your account only, can encrypt the exports:

    {
        "Sid": "Allow Amazon Inspector to use the key",
        "Effect": "Allow",
        "Principal": {
            "Service": "inspector2.amazonaws.com"
        },
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "number-of-the-account"
            }
        }
    }
    
  10. Return to BoostSecurity and provide the following information during installation:

    • IAM Role ARN
    • KMS Key ARN
    • S3 Bucket Names: Add bucket names using the + S3 Bucket Name button. Use the delete button to remove or replace bucket names.

  11. Click Install. The integration is now ready.
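To tie steps 5 through 9 together, here is an added Python example (not BoostSecurity's or AWS's code) that renders the trust policy, the role permissions policy and the bucket policy from your own parameters, checks that a trust policy really enforces the External ID for the BoostSecurity account, and tests whether an ECR event would match the EventBridge pattern from step 5. It generalizes the guide's single KMS key ARN to one key ARN per region. The BoostSecurity account ID and the event pattern are taken from the guide; the account ID 111122223333, the bucket names and the sample event are constructed placeholders.

```python
"""Render and sanity-check the AWS-side documents for the ECR SBOM integration.
Added example, not BoostSecurity's code; the BoostSecurity account ID and event
pattern come from the guide, everything else is a constructed placeholder."""

BOOST_ACCOUNT = "209299908473"                 # from the guide (step 6)
INSPECTOR = "inspector2.amazonaws.com"
ECR_PUSH_PATTERN = {                           # from the guide (step 5)
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Action"],
    "detail": {"action-type": ["PUSH"], "result": ["SUCCESS"]},
}


def trust_policy(external_id):
    """Trust policy: BoostSecurity's account may assume the role only when it
    presents the External ID (confused-deputy protection)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": BOOST_ACCOUNT},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def role_policy(buckets, kms_key_arns):
    """Permissions policy: read the export buckets, enumerate ECR, drive
    Inspector SBOM exports, and decrypt with the per-region export keys only."""
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": bucket_arns + [a + "/*" for a in bucket_arns]},
        {"Effect": "Allow",
         "Action": ["ecr:DescribeRepositories", "ecr:ListImages",
                    "ecr:DescribeRegistry", "ecr:DescribeImageScanFindings",
                    "ecr:BatchGetRepositoryScanningConfiguration",
                    "ecr:DescribeImages"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["inspector2:CreateSbomExport", "inspector2:GetSbomExport"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": kms_key_arns},
    ]}


def bucket_policy(bucket, account_id):
    """Bucket policy: Inspector may write exports, but only when acting for
    this account (aws:SourceAccount blocks cross-account confused deputies)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "allow-inspector",
        "Effect": "Allow",
        "Principal": {"Service": INSPECTOR},
        "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"],
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }]}


def assume_role_requires_external_id(policy, third_party):
    """True only if `third_party` has at least one sts:AssumeRole grant and
    every such grant carries an sts:ExternalId condition."""
    grants = 0
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principals = st.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if third_party not in principals:
            continue
        grants += 1
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False
    return grants > 0


def matches_event_pattern(pattern, event):
    """EventBridge matching for the subset used here: every pattern key must be
    present; list leaves match if the event value is listed; objects recurse."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches_event_pattern(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True


# Constructed sample in the shape of an "ECR Image Action" event (not a real capture).
SAMPLE_PUSH_EVENT = {
    "source": "aws.ecr", "detail-type": "ECR Image Action",
    "account": "111122223333", "region": "us-east-1",
    "detail": {"action-type": "PUSH", "result": "SUCCESS",
               "repository-name": "payments-api", "image-tag": "1.4.2"},
}
```

Run assume_role_requires_external_id against the trust policy you actually attached (aws iam get-role returns it under Role.AssumeRolePolicyDocument): a role that grants sts:AssumeRole to the third-party account without the sts:ExternalId condition can be assumed by that party on behalf of any of its customers, which is exactly the confused-deputy case the External ID exists to prevent.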