Ingest AWS ECR vulnerability findings

Latest Dynatrace

Preview

In the following, you'll learn how to ingest container vulnerability findings from AWS Elastic Container Registry (ECR) into Grail and analyze them on the Dynatrace platform.

Goal

  • Get insights from Dynatrace for AWS ECR vulnerability findings.
  • Easily work with your data on the Dynatrace platform.

How it works

Be sure to check Prerequisites before getting started.

1. Container images are scanned

Details

Container image vulnerabilities are automatically reported in AWS.

Action required

Set up the desired AWS scan type. You have two options: basic scanning or enhanced scanning (the ingestion setup for each is described under Get started below).

2. You feed the data into Grail

Details

You feed the data from AWS into Grail via our security events OpenPipeline ingest endpoint, using an event forwarder that you can easily set up with an AWS CloudFormation template provided by Dynatrace.

Action required

Set up the automatic ingestion with AWS CloudFormation

3. Data is mapped

Details

The OpenPipeline ingest endpoint receives the vulnerability findings and maps (formats) them according to the Semantic Dictionary.

These are stored in a bucket called default_security_custom_events (for details, see: Built-in Grail buckets).

Action required

No action is required from your side.

4. Enjoy the data

After data is ingested into Grail, you can Analyze and automate data.

Prerequisites

See below for the AWS and Dynatrace requirements.

AWS requirements

Dynatrace requirements

Get started

Select one of the options below, according to the scan type you've set up in Prerequisites:

Set up automatic ingestion for basic scanning

Download the CloudFormation template

Download the Dynatrace CloudFormation template from GitHub.

Set up the secret with the OpenPipeline API token

Run the following command, making sure to replace <your_Api_Token> with your actual access token created in Prerequisites.

Optional: You can customize the AwsSecretKeyName variable. If not set, it defaults to DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN.

aws secretsmanager create-secret \
--name dynatrace-aws-ecr-event-forwarder-open-pipeline-ingest-api-token \
--description "Dynatrace Token, which allows to send data to the Open Pipeline endpoint." \
--secret-string '{"DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN": "<your_Api_Token>"}'

Deploy the CloudFormation template and AWS resources

Run the following command, making sure to replace:

  • The AwsSecretArn variable with the ARN of the secret created in the previous step (Set up the secret with the OpenPipeline API token)

  • The DynatraceDomain variable with your actual environment domain name

    Optional: You can customize the DynatraceOpenPipelineEndpointPath variable. If not set, it defaults to /platform/ingest/v1/events.security?type=container_finding&provider_product=aws_ecr.

aws cloudformation deploy \
--template-file ./dynatrace_aws_event_forwarder_template.yaml \
--stack-name dynatrace-aws-ecr-event-forwarder \
--parameter-overrides \
"AwsSecretArn"="arn:aws:secretsmanager:us-east-1:123456789876:secret:dynatrace-aws-ecr-event-forwarder-open-pipeline-ingest-api-token-oTk6Wl" \
"DynatraceDomain"="{your-environment-id}.live.dynatrace.com" \
--capabilities CAPABILITY_NAMED_IAM

To stop sending the events to Dynatrace, run the following command, which removes the Dynatrace resources created for this integration.

aws cloudformation delete-stack --stack-name dynatrace-aws-ecr-event-forwarder

Set up automatic ingestion for enhanced scanning

Download the CloudFormation template

Download the Dynatrace CloudFormation template from GitHub.

Set up the secret with the OpenPipeline API token

Run the following command, making sure to replace <your_Api_Token> with your actual access token created in Prerequisites.

Optional: You can customize the AwsSecretKeyName variable. If not set, it defaults to DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN.

aws secretsmanager create-secret \
--name dynatrace-aws-enhanced-event-forwarder-open-pipeline-ingest-api-token \
--description "Dynatrace Token, which allows to send data to the Open Pipeline endpoint." \
--secret-string '{"DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN": "<your_Api_Token>"}'

Deploy the CloudFormation template and AWS resources

Run the following command, making sure to replace:

  • The AwsSecretArn variable with the ARN of the secret created in the previous step (Set up the secret with the OpenPipeline API token)

  • The DynatraceDomain variable with your actual environment domain name

    Optional: You can customize the following variables:

    • DynatraceOpenPipelineEndpointPath: Defines the OpenPipeline endpoint path. If not set, it defaults to /platform/ingest/v1/events.security.
    • AwsInspectorResourceTypes: Defines the resource types for which the Lambda function sends events to Dynatrace. You can provide multiple resource types as a comma-separated list. If not set, it defaults to AWS_ECR_CONTAINER_IMAGE.

aws cloudformation deploy \
--template-file ./dynatrace_aws_event_forwarder_enhanced_template.yaml \
--stack-name dynatrace-aws-event-forwarder-enhanced \
--parameter-overrides \
"AwsSecretArn"="arn:aws:secretsmanager:us-east-1:12345678:secret:dynatrace-aws-enhanced-event-forwarder-open-pipeline-ingest-api-token-testxyz" \
"DynatraceDomain"="{your-environment-id}.live.dynatrace.com" \
--capabilities CAPABILITY_NAMED_IAM

To stop sending the events to Dynatrace, run the following command, which removes the Dynatrace resources created for this integration.

aws cloudformation delete-stack --stack-name dynatrace-aws-event-forwarder-enhanced
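The basic and enhanced procedures above are the same three commands (create the secret, deploy the stack, delete the stack) with different secret, stack and template names. The script below is an added example, not Dynatrace's template or documentation, that drives those commands for either scan type and adds the checks a practitioner wants before touching an account: it refuses to run while the <your_Api_Token> or {your-environment-id} placeholders are still in place, checks that AwsSecretArn is a Secrets Manager ARN, and with DRY_RUN=1 prints the aws command lines instead of executing them. It assumes the aws CLI is installed and configured for the target account and region, that the template was downloaded under the file name shown on this page, and that the helper names (aws_cmd, name_for, validate_token, validate_domain, validate_secret_arn, secret_json) are this example's own.

```shell
#!/bin/sh
# Added example (not Dynatrace's own tooling): drives the secret-creation,
# stack-deployment and teardown commands from this page for either scan type.
# Assumes the aws CLI is installed and configured, and that the CloudFormation
# template sits in the current directory under the name shown on this page.
# Helper names (aws_cmd, name_for, validate_*) are this example's own.

# Run aws, or with DRY_RUN=1 print the command line to stderr instead (for review).
aws_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ aws %s\n' "$*" >&2
  else
    aws "$@"
  fi
}

# Reject an empty token or the placeholder left in from the page's command.
validate_token() {
  case "$1" in
    ""|"<your_Api_Token>") return 1 ;;
  esac
  return 0
}

# DynatraceDomain must be a bare host name: no placeholder, no scheme, no path.
validate_domain() {
  case "$1" in
    ""|*"{your-environment-id}"*|*"://"*|*/*) return 1 ;;
  esac
  return 0
}

# Only a Secrets Manager secret ARN is acceptable for AwsSecretArn.
validate_secret_arn() {
  case "$1" in
    arn:aws*:secretsmanager:*:*:secret:*) return 0 ;;
  esac
  return 1
}

# Secret payload: the key must match the stack's AwsSecretKeyName (default shown on
# this page). Assumes the token contains no '"', so no JSON escaping is needed.
secret_json() {
  printf '{"%s": "%s"}' "$1" "$2"
}

# Names this page uses for each scan type: secret name, stack name, template file.
name_for() {
  case "$1/$2" in
    basic/secret)      echo dynatrace-aws-ecr-event-forwarder-open-pipeline-ingest-api-token ;;
    basic/stack)       echo dynatrace-aws-ecr-event-forwarder ;;
    basic/template)    echo ./dynatrace_aws_event_forwarder_template.yaml ;;
    enhanced/secret)   echo dynatrace-aws-enhanced-event-forwarder-open-pipeline-ingest-api-token ;;
    enhanced/stack)    echo dynatrace-aws-event-forwarder-enhanced ;;
    enhanced/template) echo ./dynatrace_aws_event_forwarder_enhanced_template.yaml ;;
    *) echo "unknown scan type or item: $1/$2" >&2; return 1 ;;
  esac
}

# Step 1: store the token in Secrets Manager; prints the new secret's ARN.
create_token_secret() {
  scan="$1"; token="$2"; key="${3:-DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN}"
  validate_token "$token" || { echo "refusing: replace <your_Api_Token> with a real token" >&2; return 1; }
  secret_name="$(name_for "$scan" secret)" || return 1
  aws_cmd secretsmanager create-secret \
    --name "$secret_name" \
    --description "Dynatrace Token, which allows to send data to the Open Pipeline endpoint." \
    --secret-string "$(secret_json "$key" "$token")" \
    --query ARN --output text
}

# Step 2: deploy the forwarder stack with the secret ARN and environment domain.
deploy_stack() {
  scan="$1"; secret_arn="$2"; domain="$3"
  validate_secret_arn "$secret_arn" || { echo "refusing: AwsSecretArn is not a Secrets Manager ARN" >&2; return 1; }
  validate_domain "$domain" || { echo "refusing: DynatraceDomain must be a bare host such as abc12345.live.dynatrace.com" >&2; return 1; }
  template="$(name_for "$scan" template)" || return 1
  stack="$(name_for "$scan" stack)" || return 1
  aws_cmd cloudformation deploy \
    --template-file "$template" \
    --stack-name "$stack" \
    --parameter-overrides "AwsSecretArn=$secret_arn" "DynatraceDomain=$domain" \
    --capabilities CAPABILITY_NAMED_IAM
}

# Teardown: deleting the stack stops event delivery. The secret was created
# outside the stack, so it stays until you delete it yourself.
delete_stack() {
  stack="$(name_for "$1" stack)" || return 1
  aws_cmd cloudformation delete-stack --stack-name "$stack"
}

# Usage: sh deploy_forwarder.sh <basic|enhanced> <api-token> <environment-domain>
# Prefix with DRY_RUN=1 to review the generated aws commands first.
if [ "$#" -eq 3 ]; then
  secret_arn="$(create_token_secret "$1" "$2")" || exit 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    # Nothing was created in dry-run mode, so use a labelled placeholder ARN for review output.
    secret_arn="arn:aws:secretsmanager:REGION:ACCOUNT:secret:DRY-RUN-PLACEHOLDER"
  fi
  deploy_stack "$1" "$secret_arn" "$3"
fi
```

Run it once with DRY_RUN=1 to see exactly which resources the two aws calls will create. The --capabilities CAPABILITY_NAMED_IAM flag in the deploy command is CloudFormation's acknowledgement that the template creates IAM resources with custom names, so it is worth reading the downloaded template's IAM section before the real run.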

Analyze and automate data

Once you ingest your AWS ECR data into Grail, you can visualize it, automate on it, and query it.

Visualize

You can create your own dashboards or use our sample dashboard to

  • Visualize your ingested container findings and get an answer to questions like:

    • How many vulnerabilities do we have? How many of those are critical or high?
    • What are the top vulnerabilities in terms of severity and impact?
    • Which registries and repositories have the most vulnerabilities? Which have critical or high vulnerabilities?
  • Prioritize your ingested container findings based on

    • Risk level
    • Affected entity identification (for example, container image digest)
    • Vulnerability information

dashboard sample for container vulnerabilities

  1. Download our sample dashboard from GitHub.
  2. Open Dashboards, select Upload, then select the downloaded file.

Automate

You can create your own workflows or use our sample workflows to automatically receive tickets in your notification system (for example, Jira) or notifications on your preferred channels (for example, Slack) for new critical vulnerability findings in your scanned container images.

Query

Using the data format in Semantic Dictionary, you can query data in Notebooks or via Security Investigator.

Example queries:

Consumption

For billing information, see Events powered by Grail.