AWS Blogs, the day before yesterday, 03:53
Amazon Inspector enhances container security by mapping Amazon ECR images to running containers
Amazon Inspector has launched new features that strengthen vulnerability management for container images. The new capability maps Amazon ECR images to running containers, so security teams can prioritize vulnerabilities based on the actual running state of their containers. In addition, Amazon Inspector has extended vulnerability scanning support to cover minimal base images and more ecosystems, including the Go toolchain, Oracle JDK & JRE, Amazon Corretto, Apache Tomcat and WordPress. By continually monitoring and tracking the images running on containers, Amazon Inspector helps teams identify which container images are active in their environment and where they are deployed, enabling centralized vulnerability management.

📌 Amazon Inspector adds a mapping from ECR images to running containers, helping security teams prioritize and remediate vulnerabilities more precisely based on the actual runtime state of containers, such as running time and the number of EKS pods or ECS tasks where an image is deployed.

🛡️ Vulnerability scanning support has been extended to minimal base images, including scratch, distroless and Chainguard images, and to more ecosystems such as the Go toolchain and Oracle JDK & JRE, improving security in highly optimized container environments.

⚙️ By configuring Amazon Inspector's image re-scan mode, you can choose to monitor images based on either the "last in-use date" or the "last pull date" and set a threshold for the image's last in-use date, so that Inspector focuses on images actively running in Amazon ECS or Amazon EKS environments.

🔍 In the Amazon Inspector console, the "Details" menu shows an image's last in-use and last pull dates along with its EKS pod or ECS task count. Selecting the "Deployed ECS Tasks/EKS Pods" count shows details such as the cluster ARN, last in-use date and type, giving a clearer picture of how the image is used.

🌐 Amazon Inspector supports cross-account scenarios and AWS Organizations with delegated administrator capabilities, enabling centralized vulnerability management based on the running patterns of container images and improving container security visibility across multiple AWS accounts.

When running container workloads, you need to understand how software vulnerabilities create security risks for your resources. Until now, you could identify vulnerabilities in your Amazon Elastic Container Registry (Amazon ECR) images, but couldn't determine whether those images were active in containers or track their usage. With no visibility into whether these images were being used on running clusters, you had limited ability to prioritize fixes based on actual deployment and usage patterns.

Starting today, Amazon Inspector offers two new features that enhance vulnerability management and give you a more comprehensive view of your container images. First, Amazon Inspector now maps Amazon ECR images to running containers, enabling security teams to prioritize vulnerabilities based on the containers currently running in your environment. With these new capabilities, you can analyze vulnerabilities in your Amazon ECR images and prioritize findings based on whether the images are currently running and when they last ran in your container environment. Additionally, you can see the cluster Amazon Resource Name (ARN) and the number of EKS pods or ECS tasks where an image is deployed, helping you prioritize fixes based on usage and severity.

Second, we're extending vulnerability scanning support to minimal base images, including scratch, distroless, and Chainguard images, and extending support to additional ecosystems including the Go toolchain, Oracle JDK & JRE, Amazon Corretto, Apache Tomcat, Apache httpd, WordPress (core, themes, plugins), and Puppeteer, helping teams maintain robust security even in highly optimized container environments.

Through continual monitoring and tracking of images running on containers, Amazon Inspector helps teams identify which container images are actively running in their environment and where they're deployed. It detects Amazon ECR images running on containers in Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS), together with any associated vulnerabilities. This supports teams managing Amazon ECR images across single AWS accounts, cross-account scenarios, and AWS Organizations with delegated administrator capabilities, enabling centralized vulnerability management based on the running patterns of container images.

Let's see it in action

Amazon ECR image scanning helps identify vulnerabilities in your container images through enhanced scanning, which integrates with Amazon Inspector to provide automated, continual scanning of your repositories. To use this new feature you have to enable enhanced scanning through the Amazon ECR console (https://console.aws.amazon.com/ecr/repositories); the steps are in the "Configuring enhanced scanning for images in Amazon ECR" documentation page (https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced-enabling.html). I already have Amazon ECR enhanced scanning enabled, so I don't have to take any action.

In the Amazon Inspector console (https://console.aws.amazon.com/inspector/v2/home), I navigate to General settings and select ECR scanning settings from the navigation panel. Here I can configure the new Image re-scan mode setting by choosing between Last in-use date and Last pull date. I leave the default, Last in-use date, and set Image last in use date to 14 days. With these settings, Inspector monitors my images based on whether they were running in my Amazon ECS or Amazon EKS environments within the last 14 days. After applying these settings, Amazon Inspector starts tracking information about images running on containers and incorporating it into vulnerability findings, helping me focus on images actively running in containers in my environment.

After it's configured, I can view information about images running on containers in the Details menu, where I can see last in-use and pull dates, along with the EKS pods or ECS tasks count.

When selecting the number of Deployed ECS Tasks/EKS Pods, I can see the cluster ARN, last use dates, and Type for each image.

To demonstrate cross-account visibility, I have a repository with EKS pods deployed in two accounts. In the Resources coverage menu, I navigate to Container repositories, select my repository name and choose the Image tag. As before, I can see the number of deployed EKS pods/ECS tasks. When I select the number of deployed EKS pods/ECS tasks, I can see that it is running in a different account.

In the Findings menu, I can review any vulnerabilities, and by selecting one, I can find the Last in use date and the Deployed ECS Tasks/EKS Pods involved in the vulnerability under Resource affected, helping me prioritize remediation based on actual usage.

In the All Findings menu, you can now search for vulnerabilities within account management, using filters such as Account ID, Image in use count and Image last in use at.

Key features and considerations

Monitoring based on container image lifecycle – Amazon Inspector now determines image activity based on: image push date (a duration of 14, 30, 60, 90, or 180 days, or lifetime), image pull date (14, 30, 60, 90, or 180 days), stopped duration (never, or 14, 30, 60, 90, or 180 days), and the status of the image running on a container. This flexibility lets organizations tailor their monitoring strategy to actual container image usage rather than only repository events. For Amazon EKS and Amazon ECS workloads, last in use, push and pull duration are set to 14 days, which is now the default for new customers.

Image runtime-aware finding details – To help prioritize remediation efforts, each finding in Amazon Inspector now includes the lastInUseAt date and InUseCount, indicating when an image was last running on containers and the number of deployed EKS pods/ECS tasks currently using it. Amazon Inspector monitors both Amazon ECR last pull date data and data on images running on Amazon ECS tasks or Amazon EKS pods for all accounts, updating this information at least once daily. Amazon Inspector integrates these details into all findings reports and works seamlessly with Amazon EventBridge. You can filter findings on the lastInUseAt field using rolling window or fixed range options, and you can filter images by their last running date within the last 14, 30, 60, or 90 days.

Comprehensive security coverage – Amazon Inspector now provides unified vulnerability assessments for both traditional Linux distributions and minimal base images, including scratch, distroless, and Chainguard images, through a single service. This extended coverage removes the need for multiple scanning solutions while maintaining robust security practices across your entire container ecosystem, from traditional distributions to highly optimized container environments. The service streamlines security operations by providing comprehensive vulnerability management through a centralized platform, enabling efficient assessment of all container types.

Enhanced cross-account visibility – Security management across single accounts, cross-account setups, and AWS Organizations is now supported through delegated administrator capabilities. Amazon Inspector shares information on images running on containers within the same organization, which is particularly valuable for accounts maintaining golden image repositories. Amazon Inspector provides all ARNs of the Amazon EKS and Amazon ECS clusters where images are running, if the resource belongs to the account, through an API, providing comprehensive visibility across multiple AWS accounts. The system updates deployed EKS pods or ECS tasks information at least once daily and automatically maintains accuracy as accounts join or leave the organization.

Availability and pricing – The new container mapping capabilities are available now in all AWS Regions where Amazon Inspector is offered (https://docs.aws.amazon.com/inspector/latest/user/inspector_regions.html), at no additional cost. To get started, visit the AWS Inspector documentation (https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html). For pricing details and Regional availability, refer to the AWS Inspector pricing page (https://aws.amazon.com/inspector/pricing/).

PS: Writing a blog post at AWS is always a team effort, even when you see only one name under the post title. In this case, I want to thank Nirali Desai for her generous help with technical guidance and expertise, which made this overview possible and comprehensive.

— Eli
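The runtime-aware prioritization the post describes, as an added example that is not part of the AWS post or of Amazon Inspector itself: a Python triage routine that orders constructed Inspector-style findings by whether the image is running now, ran within the configured last in-use window, or is stale, and then by severity and in-use count. The finding layout, the placement of the inUseCount and lastInUseAt values under an "ecrImage" key, and the CVE placeholders are assumptions of this example, modelled on the field names the post mentions rather than on the Inspector API schema.

```python
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
NOW = datetime(2025, 5, 20, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample findings, not real Inspector output. The cveId values are
# placeholders; inUseCount / lastInUseAt follow the post's field names, but their
# nesting under "ecrImage" is an assumption of this example.
SAMPLE_FINDINGS = [
    {"id": "f-critical-stale", "severity": "CRITICAL", "cveId": "CVE-PLACEHOLDER-1",
     "ecrImage": {"repo": "legacy-api", "inUseCount": 0, "lastInUseAt": NOW - timedelta(days=40)}},
    {"id": "f-high-running", "severity": "HIGH", "cveId": "CVE-PLACEHOLDER-2",
     "ecrImage": {"repo": "checkout", "inUseCount": 12, "lastInUseAt": NOW - timedelta(hours=2)}},
    {"id": "f-medium-running", "severity": "MEDIUM", "cveId": "CVE-PLACEHOLDER-3",
     "ecrImage": {"repo": "worker", "inUseCount": 3, "lastInUseAt": NOW - timedelta(days=1)}},
    {"id": "f-high-recent", "severity": "HIGH", "cveId": "CVE-PLACEHOLDER-4",
     "ecrImage": {"repo": "batch", "inUseCount": 0, "lastInUseAt": NOW - timedelta(days=5)}},
    {"id": "f-high-never", "severity": "HIGH", "cveId": "CVE-PLACEHOLDER-5",
     "ecrImage": {"repo": "experiment", "inUseCount": 0, "lastInUseAt": None}},
]


def usage_tier(image, now, window_days):
    """0 = running now, 1 = ran within the last-in-use window, 2 = stale or never ran."""
    if image["inUseCount"] > 0:
        return 0
    last = image["lastInUseAt"]
    if last is not None and now - last <= timedelta(days=window_days):
        return 1
    return 2


def prioritize(findings, now=NOW, window_days=14):
    """Order findings: running images first, then recently run, then stale;
    within a tier by severity, then by how many pods/tasks use the image."""
    def key(finding):
        img = finding["ecrImage"]
        return (usage_tier(img, now, window_days),
                -SEVERITY_RANK.get(finding["severity"], 0),
                -img["inUseCount"])
    return sorted(findings, key=key)  # sorted() is stable, so ties keep input order


def triage_order(findings=SAMPLE_FINDINGS, now=NOW, window_days=14):
    """Return (tier, finding id) pairs in remediation order."""
    return [(usage_tier(f["ecrImage"], now, window_days), f["id"])
            for f in prioritize(findings, now, window_days)]


if __name__ == "__main__":
    for tier, finding_id in triage_order():
        print(tier, finding_id)
```

With the default 14-day window the critical finding on the stale image drops below the high finding on the image that is running right now, which is exactly the reordering the in-use data is meant to enable; widening the window to 40 days pulls that stale image back into the "recently ran" tier.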
