
[ECR] [Feature Request]: Support --registry-id flag to retrieve the cross-account image scan findings in describe-image-scan-findings command #2541

Open
soumyabavirisetti opened this issue Feb 11, 2025 · 6 comments
Labels
ECR Amazon Elastic Container Registry Proposed Community submitted issue

Comments

@soumyabavirisetti

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
What do you want us to build?

The --registry-id flag in the describe-image-scan-findings command specifies the AWS account ID for the target registry. However, when trying to describe the scan findings for cross-account ECR repository images, the command fails with "ScanNotFoundException" due to limitations in Amazon Inspector's integration with ECR enhanced scanning.

It would be good to support the --registry-id flag to allow the retrieval of image scan findings for cross-account ECR repository images directly.

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.
Access image scan findings for images in a cross-account ECR repository directly, which is not possible due to a limitation on the Amazon Inspector end.

Are you currently working around this issue?
How are you currently solving this problem?
The current workaround is to make the Source Account as the Delegated administrator for the Inspector Service or assume an IAM Role/User in the Target Account to be able to describe the image scan findings.

Additional context
Anything else we should know?

Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

@soumyabavirisetti soumyabavirisetti added the Proposed Community submitted issue label Feb 11, 2025
@mikestef9 mikestef9 added the ECR Amazon Elastic Container Registry label Feb 11, 2025
@ophintor

ophintor commented Mar 3, 2025

Just to clarify, this is not a feature request but a bug. The documentation states that we can specify an external AWS account with the --registry-id argument, so we can retrieve scan findings cross-account, but it doesn't work.

@bradg-aws

Hi,
It is possible to do this by using ECR repository policies docs. What steps have you tried?

@ophintor

ophintor commented Mar 4, 2025

Context:

I have accounts 11111 and 22222. Account 11111 has an ECR repo called repo1 with a resource policy allowing role1 from 11111 and role2 from 22222 to get the scan findings. Both roles have appropriate IAM permissions too. Repo repo1 effectively has some scan findings that I can see from the console.

Steps:

  • Assume role1

  • Run aws ecr describe-image-scan-findings (with or without --registry-id set to 11111 [11111 is the default in this case]) for repo repo1 --> It works

  • Assume role2

  • Run aws ecr describe-image-scan-findings for repo1 (we need to set --registry-id to 11111, because we are now going cross-account from 22222 to 11111) --> I get scan not found

@soumyabavirisetti and I spent the best part of one morning trying to figure out the issue, and I believe she was able to reproduce it in her own environment.

I tried this via the CLI and also using the python API - both with the same result.

Many thanks!

@bradg-aws

bradg-aws commented Mar 5, 2025

Thank you, you're correct, and sorry, I overlooked this in the original post.

the command fails with "ScanNotFoundException" due to limitations in Amazon Inspector's integration with ECR enhanced scanning.

That's exactly it. I don't believe Inspector supports cross-account access unless part of an organization.
You can test this behavior directly using the Inspector2 ListCoverage API.

@ophintor

ophintor commented Mar 5, 2025

OK, that makes sense. The org used to be the delegated admin for Inspector, but this prevented us (as tenants) from viewing the findings in the console, so it was disabled. I suppose if we were to enable the delegated admin, then we should be able to pull the findings cross-account?

@bradg-aws

bradg-aws commented Mar 6, 2025

Yes, the calling account would need to be the delegated admin (DA). If account A is the DA for an org in which B is a member, and B's repository policy allows the DescribeImageScanFindings call from A, you can call DescribeImageScanFindings from account A with --registry-id B to retrieve the findings.

Note that members can only view their own findings.

I've opened a ticket on our side to clarify in the ECR docs.
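The reproduction in ophintor's comment and the repository-policy plus delegated-admin explanation above, put into a runnable shape as an added example. This is not code from the thread, the AWS CLI or the ECR service team. It uses real boto3 calls (`describe_image_scan_findings`, `get_caller_identity`, `inspector2.list_coverage`), but the helper names (`repository_policy`, `classify_error`, `describe_findings`, `inspector_coverage`) and the mapping of error codes to causes are assumptions drawn from the thread; the account IDs, role names and repo name are the thread's placeholders, not real resources.

```python
"""Added example: render the ECR repository policy a registry owner needs so a
cross-account role can call DescribeImageScanFindings, call the API, and map the
error codes discussed in the thread onto their likely cause. Not the CLI's code."""
import json

try:
    import boto3                       # real AWS SDK; optional so the pure helpers run offline
    from botocore.exceptions import ClientError
except ImportError:                    # no SDK installed: only the offline helpers work
    boto3 = None
    ClientError = Exception


def repository_policy(reader_principal_arns):
    """ECR repository policy granting the listed principals read access to scan
    findings. Repository policies carry no Resource element: they apply to the
    repository they are attached to. Principals are sorted for a stable diff."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountScanFindings",
            "Effect": "Allow",
            "Principal": {"AWS": sorted(reader_principal_arns)},
            "Action": ["ecr:DescribeImageScanFindings", "ecr:DescribeImages"],
        }],
    }


def classify_error(error_code, registry_id, caller_account):
    """Assumed mapping of ECR error codes onto the causes the thread identifies."""
    if error_code == "ScanNotFoundException":
        if registry_id != caller_account:
            # The repository policy let the call through (ECR would otherwise deny it),
            # but Inspector only serves enhanced-scan findings to the registry owner
            # or to the organization's Inspector delegated administrator.
            return "inspector-cross-account"
        return "no-scan"                # same account: the image simply has no scan
    if error_code == "AccessDeniedException":
        return "repository-policy"      # repository policy or caller IAM policy blocks the call
    return "other"


def describe_findings(registry_id, repository, image_tag, session=None):
    """Call DescribeImageScanFindings with the caller's credentials and return a
    dict describing the outcome instead of raising on the known failure modes."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed; only the offline helpers are available")
    sess = session or boto3.Session()
    caller_account = sess.client("sts").get_caller_identity()["Account"]
    try:
        resp = sess.client("ecr").describe_image_scan_findings(
            registryId=registry_id,
            repositoryName=repository,
            imageId={"imageTag": image_tag},
        )
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        return {"status": classify_error(code, registry_id, caller_account), "error": code}
    scan = resp["imageScanFindings"]
    # Basic scanning fills "findings"; enhanced (Inspector) scanning fills "enhancedFindings".
    return {
        "status": "ok",
        "findings": scan.get("findings", []) + scan.get("enhancedFindings", []),
        "counts": scan.get("findingSeverityCounts", {}),
    }


def inspector_coverage(repository, session=None):
    """Cross-check with the Inspector2 ListCoverage API mentioned in the thread:
    returns the ECR resources Inspector says it covers for this repository name
    from the caller's point of view (empty when the caller is neither the owner
    nor the delegated admin). Filter shape is an assumption about the API."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    sess = session or boto3.Session()
    resp = sess.client("inspector2").list_coverage(
        filterCriteria={"ecrRepositoryName": [{"comparison": "EQUALS", "value": repository}]}
    )
    return resp.get("coveredResources", [])


if __name__ == "__main__":
    # Policy the owner of account 11111 would attach to repo1 so role1 (same account)
    # and role2 (account 22222) may read findings. Placeholder IDs from the thread.
    print(json.dumps(repository_policy([
        "arn:aws:iam::11111:role/role1",
        "arn:aws:iam::22222:role/role2",
    ]), indent=2))
    # Live check, run while assuming role2 in 22222: expect "inspector-cross-account"
    # unless 22222 is the Inspector delegated admin for 11111's organization.
    if boto3 is not None:
        print(describe_findings("11111", "repo1", "latest"))
        print(inspector_coverage("repo1"))
```

The policy alone reproduces ophintor's setup: role2 is authorized at the ECR layer, yet `describe_findings` returns `inspector-cross-account` because Inspector, not ECR, decides who may read enhanced-scan findings. Running `inspector_coverage` from the same role shows the same boundary from Inspector's side.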
