Ingest Amazon ECR vulnerability findings and scan events

Latest Dynatrace

Preview

In the following, you'll learn how to ingest container vulnerability findings and scan events from AWS Elastic Container Registry (ECR) into Grail and analyze them on the Dynatrace platform.

Goal

Get insights from Dynatrace for Amazon ECR vulnerability findings.
Easily work with your data on the Dynatrace platform.

How it works

Be sure to check Prerequisites before getting started.

Amazon ECR - how it works

1. Container images are scanned

Details	Container image vulnerabilities are automatically reported in Amazon ECR.
Action required	Set up the desired Amazon ECR scan type. You have two options: Set up basic scanning Set up enhanced scanning

2. You feed the data into Grail

Details	You feed the data from Amazon ECR into Grail via our security events OpenPipeline ingest endpoint, using an event forwarder that you can easily set up with an AWS CloudFormation template provided by Dynatrace.
Action required	Set up the automatic ingestion with AWS CloudFormation

3. Data is mapped

Details

The OpenPipeline ingest endpoint receives the vulnerability findings and maps (formats) them according to the Semantic Dictionary.

These are stored in a bucket called default_security_custom_events (for details, see: Built-in Grail buckets).

Action required

No action is required from your side.

4. Enjoy the data

After data is ingested into Grail, you can visualize, analyze, and automate data.

Prerequisites

See below for the Amazon ECR and Dynatrace requirements.

Amazon ECR requirements

An AWS account.
Set up the desired Amazon ECR scan type. You have two options:
- Set up basic scanning
- Set up enhanced scanning
To determine which type of scan to choose, see Scan images for software vulnerabilities in Amazon ECR.
Install and configure the latest AWS CLI.
Select the AWS region where you want to create the Amazon ECR event forwarder.
1. In a terminal, run:
```
aws configure
```
1. Set your default region (for example, us-east-1).

Dynatrace requirements

Generate an access token with the openpipeline.events_security scope and save it for later.

Get started

To set up automatic ingestion, select one of the options below, according to the scan type you've set up in Prerequisites:

Download the Dynatrace CloudFormation template from GitHub.
Set up the secret with the OpenPipeline API token.

Run the following command, making sure to replace <your_Api_Token> with your actual access token created in Prerequisites.

optional You can customize the AwsSecretKeyName variable. If not set, it defaults to DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN.
```
aws secretsmanager create-secret \
--name dynatrace-aws-ecr-event-forwarder-open-pipeline-ingest-api-token \
--description "Dynatrace Token, which allows to send data to the Open Pipeline endpoint." \
--secret-string '{"DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN": "<your_Api_Token>"}'
```
Deploy the CloudFormation template and AWS resources.

Run the following command, making sure to replace
- The AwsSecretArn variable with the ARN of the secret created in step 1
- The DynatraceDomain variable with your actual domain name
optional You can customize the DynatraceOpenPipelineEndpointPath variable. If not set, it defaults to /platform/ingest/v1/events.security?type=container_finding&provider_product=aws_ecr.
```
aws cloudformation deploy  \
--template-file ./dynatrace_aws_event_forwarder_template.yaml \
--stack-name dynatrace-aws-ecr-event-forwarder \
--parameter-overrides \
"AwsSecretArn"="arn:aws:secretsmanager:us-east-1:123456789876:secret:dynatrace-aws-ecr-event-forwarder-open-pipeline-ingest-api-token-oTk6Wl" \
"DynatraceDomain"="{your-environment-id}.live.dynatrace.com" \
--capabilities CAPABILITY_NAMED_IAM
```
To stop sending the events to Dynatrace, run the following command, which removes the Dynatrace resources created for this integration.
aws cloudformation delete-stack --stack-name dynatrace-aws-ecr-event-forwarder

Download the Dynatrace CloudFormation template from GitHub.
Set up the secret with the OpenPipeline API token.

Run the following command, making sure to replace <your_Api_Token> with your actual access token created in Prerequisites.

optional You can customize the AwsSecretKeyName variable. If not set, it defaults to DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN.
```
aws secretsmanager create-secret \
--name dynatrace-aws-enhanced-event-forwarder-open-pipeline-ingest-api-token \
--description "Dynatrace Token, which allows to send data to the Open Pipeline endpoint." \
--secret-string '{"DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN": "<your_Api_Token>"}'
```
Deploy the CloudFormation template and AWS resources.

Run the following command, making sure to replace
- The AwsSecretArn variable with the ARN of the secret created in step 1
- The DynatraceDomain variable with your actual domain name
  optional You can customize the following variables:
  DynatraceOpenPipelineEndpointPath: Defines the OpenPipeline endpoint path. If not set, it defaults to /platform/ingest/v1/events.security.
  AwsInspectorResourceTypes: Defines for which resource types the Lambda function sends events to Dynatrace. You can provide multiple resource types with a comma-separated list. If not set, it defaults to AWS_ECR_CONTAINER_IMAGE.
```
aws cloudformation deploy  \
--template-file ./dynatrace_aws_event_forwarder_enhanced_template.yaml \
--stack-name dynatrace-aws-event-forwarder-enhanced \
--parameter-overrides \
"AwsSecretArn"="arn:aws:secretsmanager:us-east-1:12345678:secret:dynatrace-aws-enhanced-event-forwarder-open-pipeline-ingest-api-token-testxyz" \
"DynatraceDomain"="{your-environment-id}.live.dynatrace.com" \
--capabilities CAPABILITY_NAMED_IAM
```
To stop sending the events to Dynatrace, run the following command, which removes the Dynatrace resources created for this integration.
aws cloudformation delete-stack --stack-name dynatrace-aws-event-forwarder-enhanced

Visualize, analyze, and automate data

Once you ingest your Amazon ECR data into Grail, you can

Create your own dashboards or use our sample dashboard to visualize and analyze container findings
- For instructions, see Visualize and analyze container findings
Create your own workflows or use our sample workflows to automate and orchestrate container findings
- For instructions, see Automate and orchestrate container findings
Use our sample dashboard or create specific queries to discover container scanning gaps and eliminate blind spots in your Software Development Lifecycle (SDLC)
- For instructions, see Discover coverage gaps in security scans