Unexpected AWS API calls indicating ECR repository with automatic scanning disabled
Description
AlphaSOC detected that automatic vulnerability scanning was disabled for an Amazon Elastic Container Registry (ECR) repository. ECR scanning helps identify software vulnerabilities in container images, enabling organizations to address security issues before deployment.
Impact
Disabling ECR scanning reduces the ability to detect known vulnerabilities in container images. This may allow vulnerable containers to be deployed, increasing organizational risk. Attackers could exploit undetected vulnerabilities to gain initial access, execute code, escalate privileges, or move laterally within cloud infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the AWS CloudTrail logs to identify the user or role that disabled automatic scanning and determine whether this change was authorized. If the change was unauthorized, re-enable scanning for affected repositories and manually scan existing images to assess current vulnerabilities. Consider rotating potentially compromised credentials. Implement preventive controls using service control policies (SCPs) or AWS Config rules to enforce scanning requirements. Restrict permissions for modifying scanning settings and document findings for security and compliance purposes.
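The CloudTrail review and the severity grading described above, as an added example that is not AlphaSOC's code: it filters constructed CloudTrail records for the ECR call that turns scan-on-push off (the real `PutImageScanningConfiguration` API, whose request shape the samples follow), reports the actor, source IP and repository to check, and grades each finding by counting unexpected properties per the table. The baseline of expected regions and user agents is an assumption, and the ASN check is omitted because it needs an external lookup.

```python
# Added example (not AlphaSOC code): triage CloudTrail records for the ECR
# scan-on-push disable action and grade them per the severity table above.
# Sample records are constructed; the eventName and requestParameters shape
# follow the ECR PutImageScanningConfiguration API. ASN checks are omitted.
SAMPLE_EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImageScanningConfiguration",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "python-requests/2.31",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"repositoryName": "payments-api",
                           "imageScanningConfiguration": {"scanOnPush": False}}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImageScanningConfiguration",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"},
     "requestParameters": {"repositoryName": "web-frontend",
                           "imageScanningConfiguration": {"scanOnPush": True}}},
]
# Assumed per-account baseline; in practice derived from historic activity.
BASELINE = {"regions": {"us-east-1"}, "agent_prefixes": ("aws-cli/", "console.amazonaws.com")}
SEVERITY = {1: "Informational", 2: "Low"}  # three or more properties -> Medium

def disables_scanning(event):
    """True when the call turns scan-on-push off for a repository."""
    if event.get("eventSource") != "ecr.amazonaws.com":
        return False
    if event.get("eventName") != "PutImageScanningConfiguration":
        return False
    params = event.get("requestParameters") or {}
    return (params.get("imageScanningConfiguration") or {}).get("scanOnPush") is False

def unexpected_properties(event, baseline=BASELINE):
    """The disable call is the unexpected action; add region/user agent when off-baseline."""
    props = ["action"]
    if event.get("awsRegion") not in baseline["regions"]:
        props.append("region")
    if not str(event.get("userAgent", "")).startswith(baseline["agent_prefixes"]):
        props.append("user agent")
    return props

def triage(events, baseline=BASELINE):
    """One finding per scan-disable event, with the actor to verify in CloudTrail."""
    findings = []
    for ev in events:
        if disables_scanning(ev):
            props = unexpected_properties(ev, baseline)
            findings.append({"actor": ev.get("userIdentity", {}).get("arn"),
                             "repository": ev["requestParameters"]["repositoryName"],
                             "source_ip": ev.get("sourceIPAddress"),
                             "unexpected": props,
                             "severity": SEVERITY.get(len(props), "Medium")})
    return findings
```

Each finding names the repository to re-enable scanning on and the principal whose authorization and credentials should be reviewed.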