I cannot quite figure out what Event Pattern is required to trigger an EventBridge rule when an ECR scan comes back having found vulnerabilities at ANY level. Can anyone share an Event Pattern that would allow this?
Viewed 924 times
0
-
I have since spoken to AWS Support about this and they confirmed that this is not possible. They have raised a Feature Request to get support added but no ETA. In the meantime the best you can do is have an Event Pattern for every vulnerability type. This could cause multiple events to be triggered but this is the only real work-around right now. – Danny Roberts Dec 21 '20 at 11:59
2 Answers
0
You can find sample ECR Scanning events at https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html#ecr-eventbridge-bus
{
    "version": "0",
    "id": "85fc3613-e913-7fc4-a80c-a3753e4aa9ae",
    "detail-type": "ECR Image Scan",
    "source": "aws.ecr",
    "account": "123456789012",
    "time": "2019-10-29T02:36:48Z",
    "region": "us-east-1",
    "resources": [
        "arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
    ],
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "my-repo",
        "finding-severity-counts": {
            "CRITICAL": 10,
            "MEDIUM": 9
        },
        "image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
        "image-tags": []
    }
}
You can create a rule to match on values within finding-severity-counts. You may find this helpful: https://docs.aws.amazon.com/eventbridge/latest/userguide/content-filtering-with-event-patterns.html#filtering-exists-matching

blr
- 908
- 4
- 8
-
Yep I've read all of this. It doesn't solve the problem. You cannot currently have a rule that is essentially "if finding-severity-counts exists then match". This has been confirmed by AWS Support (see my own comment on my original question), though it has been raised as a Feature Request. – Danny Roberts Jan 02 '21 at 00:53
-
Ah gotcha, this is because exists-matching only works on leaf nodes. Alternatively, have you considered just having multiple rules instead of a single rule, one for each severity? – blr Jan 02 '21 at 18:52
-
Yes, totally considered that but my team is sensitive to alert fatigue. And potentially having multiple alerts fire off for a single report won't go down well. I'll propose it to them regardless, but I'll keep this issue open I think so I can update hopefully when the feature request I mentioned above is completed. – Danny Roberts Jan 04 '21 at 11:09
-
All events have a unique id (called event id). You can de-dupe against it in your code to ensure only a single event is sent downstream. – blr Jan 05 '21 at 14:56
-
In what code? The EventBridge Rule pattern syntax doesn't allow any deduplication of this nature does it? I cannot see any mention of this kind of feature in the docs (and AWS Support themselves didn't mention it to me). Can you provide an example? – Danny Roberts Jan 05 '21 at 18:15
0
I managed to achieve this by using the $or matching content filter.
The following event pattern matches if any of LOW, MEDIUM, HIGH or CRITICAL vulnerabilities are found in the image scan results:
{
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {
        "finding-severity-counts": {
            "$or": [
                { "CRITICAL": [{ "exists": true }] },
                { "HIGH": [{ "exists": true }] },
                { "MEDIUM": [{ "exists": true }] },
                { "LOW": [{ "exists": true }] }
            ]
        }
    }
}
This event pattern will trigger a single match even if multiple types of vulnerabilities are found.

Lsmarsden
- 1
- 2
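The following is an added example, not code from either answer or from AWS: a small Python evaluator for the subset of EventBridge pattern syntax this thread relies on (exact-value lists, `exists`, and `$or`), run against a constructed copy of the ECR Image Scan event shown in the first answer. It checks three things at once: the `$or` pattern from the second answer fires exactly once for a scan with CRITICAL and MEDIUM findings; the per-severity work-around discussed in the comments on the first answer fires two rules for the same scan, which the event-id de-duplication suggested there collapses back to one delivery; and the "naive" pattern the question was after, `exists` on the `finding-severity-counts` object itself, does not match, because exists-matching applies only to leaf values. The clean-scan event (an empty `finding-severity-counts` object) and the `forward_once` helper are assumptions for illustration, as is the leaf-only modelling of `exists`.

```python
"""Evaluator for the EventBridge pattern subset used in this thread.
Added example; assumes the documented rule that `exists` matches only
leaf values, and models a clean scan as an empty finding-severity-counts."""
import copy

# Constructed sample, shaped like the ECR Image Scan event in the first answer.
SCAN_EVENT = {
    "version": "0",
    "id": "85fc3613-e913-7fc4-a80c-a3753e4aa9ae",
    "detail-type": "ECR Image Scan",
    "source": "aws.ecr",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "my-repo",
        "finding-severity-counts": {"CRITICAL": 10, "MEDIUM": 9},
        "image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
        "image-tags": [],
    },
}
# Assumption: a scan with no findings carries an empty finding-severity-counts.
CLEAN_EVENT = copy.deepcopy(SCAN_EVENT)
CLEAN_EVENT["id"] = "00000000-0000-4000-8000-000000000001"  # constructed id
CLEAN_EVENT["detail"]["finding-severity-counts"] = {}

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]

# Single rule with $or, as in the second answer: one match per scan.
ANY_SEVERITY_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {"finding-severity-counts": {
        "$or": [{sev: [{"exists": True}]} for sev in SEVERITIES]}},
}
# Work-around from the first answer's comments: one rule per severity.
PER_SEVERITY_PATTERNS = {
    sev: {"source": ["aws.ecr"], "detail-type": ["ECR Image Scan"],
          "detail": {"finding-severity-counts": {sev: [{"exists": True}]}}}
    for sev in SEVERITIES
}
# What the question wanted; cannot work because the target is an object, not a leaf.
NAIVE_PATTERN = {"source": ["aws.ecr"],
                 "detail": {"finding-severity-counts": [{"exists": True}]}}


def _leaf_matches(matchers, value, is_leaf):
    """A leaf spec is a list of matchers; any one matching is enough."""
    for m in matchers:
        if isinstance(m, dict) and "exists" in m:
            if m["exists"] == is_leaf:
                return True
        elif isinstance(m, dict) and "prefix" in m:
            if is_leaf and isinstance(value, str) and value.startswith(m["prefix"]):
                return True
        elif is_leaf and m == value:
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must match; a $or key matches if any branch does."""
    for key, spec in pattern.items():
        if key == "$or":
            if not any(matches(branch, event) for branch in spec):
                return False
            continue
        value = event.get(key)
        if isinstance(spec, dict):  # intermediate node: recurse into the object
            if not isinstance(value, dict) or not matches(spec, value):
                return False
        else:  # leaf node: an object at this position is never a leaf
            is_leaf = key in event and not isinstance(value, dict)
            candidates = value if isinstance(value, list) and value else [value]
            if not any(_leaf_matches(spec, v, is_leaf) for v in candidates):
                return False
    return True


def fired_rules(patterns, event):
    """Names of the rules whose pattern matches this event, in rule order."""
    return [name for name, p in patterns.items() if matches(p, event)]


def forward_once(events, seen=None):
    """De-duplicate deliveries by event id, as suggested in the comments.
    In a real Lambda target `seen` would be a durable store, not a set."""
    seen = set() if seen is None else seen
    forwarded = []
    for ev in events:
        if ev["id"] not in seen:
            seen.add(ev["id"])
            forwarded.append(ev)
    return forwarded


if __name__ == "__main__":
    print("single $or rule matches:", matches(ANY_SEVERITY_PATTERN, SCAN_EVENT))
    print("per-severity rules fired:", fired_rules(PER_SEVERITY_PATTERNS, SCAN_EVENT))
    print("naive exists on object:", matches(NAIVE_PATTERN, SCAN_EVENT))
    deliveries = [SCAN_EVENT] * len(fired_rules(PER_SEVERITY_PATTERNS, SCAN_EVENT))
    print("forwarded after de-dupe:", len(forward_once(deliveries)))
```

The evaluator is deliberately narrow (no numeric, anything-but or wildcard matching) and is only a local model of the rule engine; before relying on a pattern in production, validate it against a real scan event with the EventBridge sandbox or a test rule on a non-production bus.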