Detecting vulnerabilities in container images using Amazon ECR and Wazuh
Amazon Elastic Container Registry (ECR) is an Amazon Web Services (AWS) managed container image registry service that stores, shares, and deploys container images. Amazon ECR provides an image scanning feature that uses the Common Vulnerabilities and Exposure (CVEs) database from the open source Clair project to detect vulnerabilities in container images. AWS provides a template that uses an AWS Lambda function to send the vulnerability results of the ECR to AWS CloudWatch. Wazuh polls and detects these vulnerabilities from AWS CloudWatch.
Wazuh is a free and open source enterprise security platform that offers protection against security threats in the cloud, on-premises, virtualized, and containerized environments.
This blog post shows how Wazuh integrates with Amazon ECR to detect vulnerabilities in container images.
Infrastructure
We use the following infrastructure to demonstrate how Wazuh integrates with Amazon ECR to detect vulnerabilities in container images:
- A pre-built, ready-to-use Wazuh OVA 4.7.1: Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). This VM has a static IP address of 192.168.33.105.
- An Amazon Web Services (AWS) instance: We set up a free AWS account using this link.
- An Ubuntu 22.04 endpoint: We install the AWS Command Line Interface (CLI) utility and Docker Engine on this endpoint. This endpoint has a static IP address of 192.168.33.106.
Configuration
Amazon Web Services
Create an IAM user
Perform the following steps to create an IAM user wazuh-user with an Access key and a Secret access key on AWS.
1. Navigate to the AWS portal and search for iam in the search bar. Select the IAM service and choose Users from the Dashboard sidebar.
2. Click Create user, and type wazuh-user in the User name field. Then click on Next > Next > Create user.
3. Click the IAM user wazuh-user and then click on Create access key.
4. Select Command Line Interface (CLI), and confirm your selection. Then click on Next > Create access key.
5. Copy and save both Access key and Secret access key. Then click on Done.
wazuh-user.Create an AWS Elastic Container Registry (ECR) repository
Perform the following steps to create an AWS ECR repository wazuh-repo.
1. Navigate to the AWS portal and search for ecr in the search bar. Select Elastic Container Registry service.
2. Click Get Started, and enter wazuh-repo in the Repository name field.
3. Click Create repository.
wazuh-repo.Create and attach an IAM policy to an IAM user
Perform the following steps to create and attach an IAM policy to the IAM user wazuh-user.
1. Navigate to the AWS portal and search for iam in the search bar. Select IAM service and choose Policies from the Dashboard sidebar.
2. Click Create policy and select JSON as your Policy editor.
3. Remove the default policy from the Policy editor workspace.
4. Copy and paste the below policy into the Policy editor workspace.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudFormationStackCreation",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:ValidateTemplate",
"cloudformation:CreateUploadBucket",
"cloudformation:GetTemplateSummary",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResources",
"cloudformation:ListStacks",
"cloudformation:DeleteStack",
"s3:PutObject",
"s3:ListBucket",
"s3:GetObject",
"s3:CreateBucket"
],
"Resource": "*"
},
{
"Sid": "ECRUtilities",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:DescribeRepositories"
],
"Resource": "*"
},
{
"Sid": "ScanPushImage",
"Effect": "Allow",
"Action": [
"ecr:CompleteLayerUpload",
"ecr:UploadLayerPart",
"ecr:InitiateLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:StartImageScan"
],
"Resource": "arn:aws:ecr:<REGION>:<AWS_ACCOUNT_ID>:repository/wazuh-repo"
},
{
"Sid": "TemplateRequired0",
"Effect": "Allow",
"Action": [
"lambda:RemovePermission",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:AddPermission"
],
"Resource": "arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:*"
},
{
"Sid": "TemplateRequired1",
"Effect": "Allow",
"Action": [
"events:RemoveTargets",
"events:DeleteRule",
"events:PutRule",
"events:DescribeRule",
"events:PutTargets"
],
"Resource": "arn:aws:events:<REGION>:<AWS_ACCOUNT_ID>:*"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "logs:DescribeLogStreams",
"Resource": "arn:aws:logs:<REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/ecr/image-scan-findings/wazuh-repo:*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "logs:GetLogEvents",
"Resource": "arn:aws:logs:<REGION>:<AWS_ACCOUNT_ID>:log-group:/aws/ecr/image-scan-findings/wazuh-repo:log-stream:*"
},
{
"Sid": "RoleCreator",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:AttachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DeleteRole",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:PassRole"
],
"Resource": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/*"
},
{
"Sid": "PassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/*-LambdaExecutionRole*"
}
]
}
Where:
<REGION>represents the region where your AWS account is located.<AWS_ACCOUNT_ID>represents your AWS account ID.
5. Click Next, and enter the wazuh-policy in the Policy name field.
6. Click Create policy.
7. Search for the newly created IAM policy wazuh-policy.
8. Select the wazuh-policy, and click on Actions > Attach.
9. Search for the user wazuh-user, then select the user and click on Attach policy.
wazuh-policy to the user wazuh-userCreate CloudFormation stack
Perform the following steps on AWS to create a CloudFormation stack.
1. Download the ECR Image Scan findings logger template.
2. Navigate to the AWS portal and search for cloudformation in the search bar. Select CloudFormation service.
3. Click Create stack, and select Upload a template file.
4. Click Choose file, and upload the downloaded template.
5. Click Next and enter the name wazuh-stack in the Stack name field.
6. Click Next > Next, then select the option I acknowledge that AWS Cloudformation might create IAM resources.
7. Click Submit.
wazuh-stack.Ubuntu endpoint
AWS CLI
Perform the following steps to install and configure AWS CLI.
1. Update all packages installed on the Ubuntu endpoint, and install cURL utility:
# sudo apt-get update # sudo apt-get install curl
2. Run the following command to download, unzip and install the AWS CLI:
# sudo curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" # sudo unzip awscliv2.zip # sudo ./aws/install
3. Run the following command to configure AWS CLI to access your AWS instance. You will be prompted to enter AWS Access Key ID, AWS Secret Access Key, Default region name and Default output format. When prompted for the Default output format,press the Enter key on your keyboard to accept the default json format.
# sudo aws configure
Where:
AWS Access Key ID: represents the access key of the IAM userwazuh-user.AWS Secret Access Key: represents the secret access key of the IAM userwazuh-user.Default region name: represents the region where your AWS account is located.Default output format: represents the output format of the AWS CLI.
Docker Engine
Perform the following steps to install Docker Engine on the Ubuntu endpoint.
1. Run the following commands to setup Docker apt repository:
# sudo apt-get install ca-certificates curl gnupg # sudo install -m 0755 -d /etc/apt/keyrings # sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg # sudo chmod a+r /etc/apt/keyrings/docker.gpg # echo \ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null # sudo apt-get update
2. Run the following command to install Docker packages:
# sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
Wazuh server
Perform the following steps on the Wazuh server to poll and detect vulnerabilities from AWS CloudWatch.
1. Enable Amazon AWS module on the Wazuh dashboard by navigating to Settings > Modules.
2. Create the directory /root/.aws on the Wazuh server:
# sudo mkdir /root/.aws
3. Create the file /root/.aws/credentials on the Wazuh server:
# sudo touch /root/.aws/credentials
4. Edit the file /root/.aws/credentials and include the following configuration to allow Wazuh server to access your AWS account:
[default] aws_access_key_id=<AWS_ACCESS_KEY_ID> aws_secret_access_key=<AWS_SECRET_ACCESS_KEY> region=<REGION>
Where:
<AWS_ACCESS_KEY_ID>represents the access key for the IAM userwazuh-user.<AWS_SECRET_ACCESS_KEY>represents the secret access key for the IAM userwazuh-user.<REGION>represents the region where your AWS account is located.
5. Edit the file /var/ossec/etc/ossec.conf on the Wazuh server to include the following configuration:
<wodle name="aws-s3"> <disabled>no</disabled> <interval>5m</interval> <run_on_start>yes</run_on_start> <service type="cloudwatchlogs"> <aws_profile>default</aws_profile> <aws_log_groups>/aws/ecr/image-scan-findings/wazuh-repo</aws_log_groups> <regions><REGION></regions> </service> </wodle>
Where:
<REGION>represents the region where your AWS account is located.
Note: The interval represents how often Wazuh polls logs from the AWS CloudWatch service. You can configure a value that meets your organization needs.
6. Edit the file /var/ossec/etc/rules/local_rules.xml on the Wazuh server and include the following detection rules:
<group name="AWS_Wazuh_Container_Vulnerability_Scan">
<!-- This rule detects a vulnerable container image. No alert is generated by this rule. -->
<rule id="100050" level="0">
<decoded_as>json</decoded_as>
<field name="uri" type="pcre2">http.+</field>
<field name="name" type="pcre2">CVE.+</field>
<description>AWS ECR Alert</description>
</rule>
<!-- This rule detects a low severity vulnerable container image. -->
<rule id="100051" level="3">
<if_sid>100050</if_sid>
<field name="severity" type="pcre2">LOW</field>
<description>A vulnerable package with a $(severity) severity and $(name) is detected. Visit $(uri) to learn about this vulnerability.</description>
</rule>
<!-- This rule detects a medium severity vulnerable container image. -->
<rule id="100052" level="5">
<if_sid>100050</if_sid>
<field name="severity" type="pcre2">MEDIUM</field>
<description>A vulnerable package with a $(severity) severity and $(name) is detected. Visit $(uri) to learn about this vulnerability.</description>
</rule>
<!-- This rule detects a critical severity vulnerable container image. -->
<rule id="100053" level="10">
<if_sid>100050</if_sid>
<field name="severity" type="pcre2">CRITICAL</field>
<description>A vulnerable package with a $(severity) severity and $(name) is detected. Visit $(uri) to learn about this vulnerability.</description>
</rule>
</group>
Where:
- Rule ID
100050is triggered when Wazuh detects a vulnerable container image. This rule does not generate any alert on the Wazuh dashboard. - Rule ID
100051is triggered when Wazuh detects a vulnerable container image with low severity. - Rule ID
100052is triggered when Wazuh detects a vulnerable container image with medium severity. - Rule ID
100053is triggered when Wazuh detects a vulnerable container image with critical severity.
7. Restart the Wazuh manager for the changes to take effect:
$ sudo systemctl restart wazuh-manager
Test the configuration
Ubuntu endpoint
Perform the following steps to pull a container image from the Docker hub, and push the image to AWS ECR repository to scan for vulnerabilities.
1. Run the following command to pull a Damn vulnerable web application (DVWA) image:
# sudo docker pull vulnerables/web-dvwa
2. Run the following command to confirm that the DVWA image is installed:
# sudo docker images
You should have a similar output if DVWA image is installed:
REPOSITORY TAG IMAGE ID CREATED SIZE vulnerables/web-dvwa latest ab0d83586b6e 5 years ago 712MB
3. Authenticate to the ECR repository wazuh-repo by running the following command:
# aws ecr get-login-password --region <REGION> | docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com
Where:
<REGION>represents the region where your AWS account is located.<AWS_ACCOUNT_ID>represents your AWS account ID.
4. Run the command to tag the DVWA image with the image ID:
# docker tag <IMAGE_ID> <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/<ECR_REPOSITORY>:<TAG>
Where:
<IMAGE_ID>represents the image ID. In this scenario, the value isab0d83586b6e.<TAG>represents the image tag. In this scenario, the value islatest.<ECR_REPOSITORY>represents the ECR repository created. In our case, this value iswazuh-repo.
5. Run the command to push the DVWA image to AWS ECR repository wazuh-repo:
# docker push <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/<ECR_REPOSITORY>:<TAG>
You should have a similar output if the DVWA image is pushed to wazuh-repo:
The push refers to repository [645474352265.dkr.ecr.us-east-1.amazonaws.com/wazuh-repo] deeea3c4d56f: Pushed 585e40f29c46: Pushed 73e92d5f2a6c: Pushed 9713610e6ec4: Pushed acf8abb873ce: Pushed 97a1040801c3: Pushed 80f9a8427b18: Pushed a75caa09eb1f: Pushed latest: digest: sha256:dae203fe11646a86937bf04db0079adef295f426da68a92b40e3b181f337daa7 size: 1997
Amazon Web Services
Perform the following steps on AWS to scan the DVWA image.
1. Navigate to the AWS portal and search for ecr in the search bar.
2. Click on wazuh-repo.
3. Select the image latest, and click on Scan.
Vulnerability scan alerts on Wazuh dashboard
To view the vulnerability scan alerts on the Wazuh dashboard, navigate to Modules > Security events tab and filter for the rule IDs 100051, 100052 and 100053.
Conclusion
In this blog post, we successfully integrated Wazuh with the Amazon Elastic Container Registry service to detect vulnerabilities in container images. This integration allows organizations to leverage Wazuh to provide visibility into vulnerable container images.
Wazuh is a free and open source enterprise security solution for threat detection, incident response, and compliance. Wazuh integrates with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.
References