Scan Container Images in AWS Fargate (ECS)

Qualys Container Security can be used to secure AWS Fargate. AWS Fargate is a serverless compute engine for containers that works with Amazon Elastic Container Service (ECS). This feature allows you to know the containers running on AWS Fargate, perform vulnerability and compliance scanning on container images launched by Amazon Fargate tasks (ECS), and view the findings to take remediation actions.

Since AWS Fargate is serverless, the solution launches sensor whenever the new Fargate task is being deployed. We will use AWS CloudFormation and a Qualys Lambda function to trigger scanning automatically. You’ll configure a CloudFormation template with your subscription details and a Qualys Lambda function with the Qualys S3 bucket name & S3 bucket key to trigger image scanning of images pulled from Amazon Elastic Container Registry (ECR).

How it Works

We support scanning Docker images pulled from Amazon Elastic Container Registry (Amazon ECR) with x86_64 architecture.

When an AWS ECS Fargate task is launched, the AWS EventBridge rule created during Qualys deployment consumes the event. The EventBridge rule is set in such a way that it triggers the Qualys scanning Lambda function.  The Qualys Lambda function then processes the event received from EventBridge to decide on image scanning. The Qualys Lambda function launches the AWS CodeBuild to run the Qualys sensor, which pulls the image from Amazon ECR and then performs the vulnerability and compliance scan on the image. After a successful image scan, image metadata gets uploaded to the Qualys Cloud Platform for evaluation, and users can view details from the Container Security UI and API.

AWS Fargate

Serverless Configuration

Go to the Serverless tab in the Configurations section. From here, click the Show Instructions button to open the Qualys Container Security Sensor Deployment Guide for configuration steps. After you complete the one-time configuration, all images deployed from Amazon ECS tasks in AWS Fargate will be scanned automatically and the results will be uploaded to your account.

Serverless tab    

View Image Details

You’ll see images listed on the Assets > Images list. To find images that were part of your AWS ECS Fargate task, use the following QQL query.

source: SERVERLESS_FARGATE  

Search Images by Source

Like with other images, you can drill-down into image details by selecting View Details from the Quick Actions menu.

View Container Details

You’ll see containers listed on the Assets > Containers list. To find AWS Fargate containers, use the following QQL query.    

source: SERVERLESS_FARGATE  

Search Containers by Source

Click View Details from the Quick Actions menu to drill-down into container details and you'll see a section with AWS Fargate information.

AWS Fargate in Container Details

View Serverless Fargate Sensors

Go to Configurations > Sensors and use the QQL query below to find sensors for AWS Fargate.

sensorType: SERVERLESS_FARGATE

Search Sensors by Sensor Type

Like with other sensors, you can drill-down into sensor details by selecting View Details from the Quick Actions menu.