Detecting vulnerabilities in container images using Amazon ECR and Wazuh

Amazon Elastic Container Registry (ECR) is an Amazon Web Services (AWS) managed container image registry service that stores, shares, and deploys container images. Amazon ECR provides an image scanning feature that uses the Common Vulnerabilities and Exposure (CVEs) database from the open source Clair project to detect vulnerabilities in container images. AWS provides a template that uses an AWS Lambda function to send the vulnerability results of the ECR to AWS CloudWatch. Wazuh polls and detects these vulnerabilities from AWS CloudWatch.

Wazuh is a free and open source enterprise security platform that offers protection against security threats in the cloud, on-premises, virtualized, and containerized environments.

This blog post shows how Wazuh integrates with Amazon ECR to detect vulnerabilities in container images.

Infrastructure

We use the following infrastructure to demonstrate how Wazuh integrates with Amazon ECR to detect vulnerabilities in container images:

• A pre-built, ready-to-use Wazuh OVA 4.7.1: Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). This VM has a static IP address of 192.168.33.105.
• An Amazon Web Services (AWS) instance: We set up a free AWS account using this link. 
• An Ubuntu 22.04 endpoint: We install the AWS Command Line Interface (CLI) utility and Docker Engine on this endpoint. This endpoint has a static IP address of 192.168.33.106.

Configuration

Amazon Web Services

Create an IAM user

Perform the following steps to create an IAM user wazuh-user with an Access key and a Secret access key on AWS.

1. Navigate to the AWS portal and search for iam in the search bar. Select the IAM service and choose Users from the Dashboard sidebar.

2. Click Create user, and type wazuh-user in the User name field. Then click on Next > Next > Create user.

3. Click the IAM user wazuh-user and then click on Create access key. 

4. Select Command Line Interface (CLI), and confirm your selection. Then click on Next > Create access key.

5. Copy and save both Access key and Secret access key. Then click on Done.

Create an AWS Elastic Container Registry (ECR) repository

Perform the following steps to create an AWS ECR repository wazuh-repo.

1. Navigate to the AWS portal and search for ecr in the search bar. Select Elastic Container Registry service.

2. Click Get Started, and enter wazuh-repo in the Repository name field.

3. Click Create repository.

Create and attach an IAM policy to an IAM user

Perform the following steps to create and attach an IAM policy to the IAM user wazuh-user.

1. Navigate to the AWS portal and search for iam in the search bar. Select IAM service and choose Policies from the Dashboard sidebar.

2. Click Create policy and select JSON as your Policy editor.

3. Remove the default policy from the Policy editor workspace.

4. Copy and paste the below policy into the Policy editor workspace.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudFormationStackCreation",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:ValidateTemplate",
                "cloudformation:CreateUploadBucket",
                "cloudformation:GetTemplateSummary",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:ListStacks",
                "cloudformation:DeleteStack",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:CreateBucket"
            ],
            "Resource": "*"
        },
		{
            "Sid": "ECRUtilities",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:DescribeRepositories"
            ],
            "Resource": "*"
        },
		   {
            "Sid": "ScanPushImage",
            "Effect": "Allow",
            "Action": [
                "ecr:CompleteLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:InitiateLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:DescribeImageScanFindings",
                "ecr:StartImageScan"
            ],
            "Resource": "arn:aws:ecr:<REGION>:<AWS_ACCOUNT_ID>:repository/wazuh-repo"
        },
		{
            "Sid": "TemplateRequired0",
            "Effect": "Allow",
            "Action": [
                "lambda:RemovePermission",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:AddPermission"
            ],
            "Resource": "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:*"
        },
        {
            "Sid": "TemplateRequired1",
            "Effect": "Allow",
            "Action": [
                "events:RemoveTargets",
                "events:DeleteRule",
                "events:PutRule",
                "events:DescribeRule",
                "events:PutTargets"
            ],
            "Resource": "arn:aws:events:<REGION>:<AWS_ACCOUNT_ID>:*"
        },
		{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogStreams",
            "Resource": "arn:aws:logs:<REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/ecr/image-scan-findings/wazuh-repo:*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:GetLogEvents",
            "Resource": "arn:aws:logs:<REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/ecr/image-scan-findings/wazuh-repo:log-stream:*"
        },
		 {
            "Sid": "RoleCreator",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/*"
        },
        {
            "Sid": "PassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/*-LambdaExecutionRole*"
        }
		
    ]
}

Where:

• <REGION> represents the region where your AWS account is located. 
• <AWS_ACCOUNT_ID> represents your AWS account ID.

5. Click Next, and enter the wazuh-policy in the Policy name field.

6. Click Create policy.

7. Search for the newly created IAM policy wazuh-policy.

8. Select the wazuh-policy, and click on Actions > Attach.

9. Search for the user wazuh-user, then select the user and click on Attach policy.

Create CloudFormation stack

Perform the following steps on AWS to create a CloudFormation stack.

1. Download the ECR Image Scan findings logger template.

2. Navigate to the AWS portal and search for cloudformation in the search bar. Select CloudFormation service.

3. Click Create stack,  and select Upload a template file.

4. Click Choose file, and upload the downloaded template.

5.  Click Next and enter the name wazuh-stack in the Stack name field.

6. Click Next > Next, then select the option I acknowledge that AWS Cloudformation might create IAM resources.

7. Click Submit.

Ubuntu endpoint

AWS CLI

Perform the following steps to install and configure AWS CLI.

1. Update all packages installed on the Ubuntu endpoint, and install cURL utility:

# sudo apt-get update
# sudo apt-get install curl

2. Run the following command to download, unzip and install the AWS CLI:

# sudo curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# sudo unzip awscliv2.zip
# sudo ./aws/install

3. Run the following command to configure AWS CLI to access your AWS instance. You will be prompted to enter AWS Access Key ID, AWS Secret Access Key, Default region name and Default output format. When prompted for the Default output format,press the Enter key on your keyboard to accept the default json format.

# sudo aws configure

Where:

• AWS Access Key ID: represents the access key of the IAM user wazuh-user.
• AWS Secret Access Key: represents the secret access key of the IAM user wazuh-user.
• Default region name: represents the region where your AWS account is located.
• Default output format: represents the output format of the AWS CLI.

Docker Engine

Perform the following steps to install Docker Engine on the Ubuntu endpoint.

1. Run the following commands to setup Docker apt repository:

# sudo apt-get install ca-certificates curl gnupg
# sudo install -m 0755 -d /etc/apt/keyrings
# sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# sudo chmod a+r /etc/apt/keyrings/docker.gpg
# echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# sudo apt-get update

2. Run the following command to install Docker packages:

# sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y

Wazuh server

Perform the following steps on the Wazuh server to poll and detect vulnerabilities from AWS CloudWatch.

1. Enable Amazon AWS module on the Wazuh dashboard by navigating to Settings > Modules.

2. Create the directory /root/.aws on the Wazuh server:

# sudo mkdir /root/.aws

3. Create the file /root/.aws/credentials on the Wazuh server:

# sudo touch /root/.aws/credentials

4. Edit the file /root/.aws/credentials and include the following configuration to allow Wazuh server to access your AWS account:

[default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
region=<REGION>

Where:

• <AWS_ACCESS_KEY_ID> represents the access key for the IAM user wazuh-user.
• <AWS_SECRET_ACCESS_KEY> represents the secret access key for the IAM user wazuh-user.
• <REGION> represents the region where your AWS account is located.

5. Edit the file /var/ossec/etc/ossec.conf on the Wazuh server to include the following configuration:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>5m</interval>
  <run_on_start>yes</run_on_start>
  <service type="cloudwatchlogs">
  <aws_profile>default</aws_profile>                             
<aws_log_groups>/aws/ecr/image-scan-findings/wazuh-repo</aws_log_groups>
  <regions><REGION></regions>
  </service>
</wodle>

Where:

• <REGION> represents the region where your AWS account is located.

Note: The interval represents how often Wazuh polls logs from the AWS CloudWatch service. You can configure a value that meets your organization needs.

6. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following detection rules:

<group name="AWS_Wazuh_Container_Vulnerability_Scan">
<!-- This rule detects a vulnerable container image. No alert is generated by this rule. -->
  <rule id="100050" level="0">
    <decoded_as>json</decoded_as>
    <field name="uri" type="pcre2">http.+</field>
    <field name="name" type="pcre2">CVE.+</field>
    <description>AWS ECR Alert</description>
  </rule>
<!-- This rule detects a low severity vulnerable container image. -->
  <rule id="100051" level="3">
    <if_sid>100050</if_sid>
    <field name="severity" type="pcre2">LOW</field>
    <description>A vulnerable package with a $(severity) severity and $(name) is detected. Visit $(uri) to learn about this vulnerability.</description>
  </rule>
<!-- This rule detects a medium severity vulnerable container image. -->
  <rule id="100052" level="5">
    <if_sid>100050</if_sid>
    <field name="severity" type="pcre2">MEDIUM</field>
    <description>A vulnerable package with a $(severity) severity and $(name) is detected. Visit $(uri) to learn about this vulnerability.</description>
  </rule>
<!-- This rule detects a critical severity vulnerable container image. -->
  <rule id="100053" level="10">
    <if_sid>100050</if_sid>
    <field name="severity" type="pcre2">CRITICAL</field>
    <description>A vulnerable package with a $(severity) severity and $(name) is detected. Visit $(uri) to learn about this vulnerability.</description>
  </rule>
</group>

Where:

• Rule ID 100050 is triggered when Wazuh detects a vulnerable container image. This rule does not generate any alert on the Wazuh dashboard.
• Rule ID 100051 is triggered when Wazuh detects a vulnerable container image with low severity. 
• Rule ID 100052 is triggered when Wazuh detects a vulnerable container image with medium severity. 
• Rule ID 100053 is triggered when Wazuh detects a vulnerable container image with critical severity. 

7. Restart the Wazuh manager for the changes to take effect:

$ sudo systemctl restart wazuh-manager

Test the configuration

Ubuntu endpoint

Perform the following steps to pull a container image from the Docker hub, and push the image to AWS ECR repository to scan for vulnerabilities.

1. Run the following command to pull a Damn vulnerable web application (DVWA) image:

# sudo docker pull vulnerables/web-dvwa

2. Run the following command to confirm that the DVWA image is installed:

# sudo docker images

You should have a similar output if DVWA image is installed:

REPOSITORY             TAG       IMAGE ID       CREATED       SIZE
vulnerables/web-dvwa   latest    ab0d83586b6e   5 years ago   712MB

3. Authenticate to the ECR repository wazuh-repo by running the following command:

# aws ecr get-login-password --region <REGION> | docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com

Where:

• <REGION> represents the region where your AWS account is located.
• <AWS_ACCOUNT_ID> represents your AWS account ID.

4. Run the command to tag the DVWA image with the image ID:

# docker tag <IMAGE_ID> <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/<ECR_REPOSITORY>:<TAG>

Where:

• <IMAGE_ID> represents the image ID. In this scenario, the value is ab0d83586b6e.
• <TAG> represents the image tag. In this scenario, the value is latest.
• <ECR_REPOSITORY> represents the ECR repository created. In our case, this value is wazuh-repo. 

5. Run the command to push the DVWA image to AWS ECR repository wazuh-repo:

# docker push <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/<ECR_REPOSITORY>:<TAG>

You should have a similar output if the DVWA image is pushed to wazuh-repo:

The push refers to repository [645474352265.dkr.ecr.us-east-1.amazonaws.com/wazuh-repo]
deeea3c4d56f: Pushed
585e40f29c46: Pushed
73e92d5f2a6c: Pushed
9713610e6ec4: Pushed
acf8abb873ce: Pushed
97a1040801c3: Pushed
80f9a8427b18: Pushed
a75caa09eb1f: Pushed
latest: digest: sha256:dae203fe11646a86937bf04db0079adef295f426da68a92b40e3b181f337daa7 size: 1997

Amazon Web Services

Perform the following steps on AWS to scan the DVWA image.

1.  Navigate to the AWS portal and search for ecr in the search bar.

2. Click on wazuh-repo.

3. Select the image latest, and click on Scan.

Vulnerability scan alerts on Wazuh dashboard

To view the vulnerability scan alerts on the Wazuh dashboard, navigate to Modules > Security events tab and filter for the rule IDs 100051, 100052 and 100053.

Conclusion

In this blog post, we successfully integrated Wazuh with the Amazon Elastic Container Registry service to detect vulnerabilities in container images. This integration allows organizations to leverage Wazuh to provide visibility into vulnerable container images.

Wazuh is a free and open source enterprise security solution for threat detection, incident response, and compliance. Wazuh integrates with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.

References

• Amazon Elastic Container Registry
• Using Wazuh to monitor AWS
• Install Docker Engine on Ubuntu