---
title: "ECR (Enhanced Scanning)"
slug: "ecr-enhanced-scanning"
updated: 2025-06-24T17:18:11Z
published: 2025-06-24T17:18:11Z
canonical: "help.nucleussec.com/ecr-enhanced-scanning"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://help.nucleussec.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ECR (Enhanced Scanning)

After setting up [permissions](/v1/docs/aws-setting-permissions) and [instance sync](/v1/docs/aws-instance-sync), configure the AWS connector to pull data from Inspector 2 (ECR Enhanced Scanning) via SecurityHub into your Nucleus project.

## Connector configuration

1. Log in to your Nucleus project.
2. From the navigation bar on the left, under **Integration Hub**, select **Connector Setup**.
3. Select **Amazon Web Services**.  
![aws-connector-icon.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/aws-connector-icon.png)
4. In the **Name** field, enter a name for the connector.
5. In the **Description** field, enter a description for this connector.
6. In the **Authentication** section click the **green plus button** to add a new AWS role to use when connecting to AWS. Note you can only have one role per AWS account. Alternatively, you can [bulk import credentials using a CSV file](/v1/docs/ecr-enhanced-scanning#bulk-import-credentials-template).  
![aws-connector-authentication-section.png](https://cdn.document360.io/3888970a-6501-459e-acc9-c47b71c6d64c/Images/Documentation/aws-connector-authentication-section.png)
7. In the **Label** field, enter a label for the role.
8. In the **Role ARN** field, enter the Amazon Resource Name (ARN) for the role.
9. Click **Verify Credentials**. If the credentials were entered correctly, a message confirming a successful connection will appear.
10. Do not check **Import all AWS Resource Tags as nested [asset groups](/v1/docs/asset-groups)** as this option is now legacy.
11. Optionally check **Synchronise EC2 and ECR Instance states**.
  - To automatically deactivate the asset in Nucleus when an EC2 or ECR instance is terminated, select **When an EC2 or ECR instance is terminated, deactivate the asset in Nucleus**.
  - To automatically remove the asset from Nucleus when an EC2 or ECR instance is terminated, select **When an EC2 or ECR instance is terminated, remove the asset from Nucleus**.
12. Optionally decide if you want to [upload asset and finding data from your Nucleus project to S3 buckets](/v1/docs/s3-data-upload).
13. Click **Save & Finish**.

### Bulk import credentials template

If your organization has many AWS accounts, you can bulk import role ARNs by clicking **Bulk Import Credentials** and uploading a CSV structured in the following way:

```
label,crossaccountrole 
my label,arn:aws:iam:123456798012:role/myRoleName
```

## Vulnerability scan data ingestion

The AWS connector enables flexibility when you import image scan results from Amazon ECR. To ingest Amazon ECR Image scan results from your AWS connector into a Nucleus project:

1. Log in to your Nucleus project.
2. From the navigation bar on the left, under **Integration Hub**, select **Import via Connector**.
3. Select your AWS connector.
4. Select **Amazon Security Hub (Beta)**.
5. Select **Amazon ECR (Enhanced Scanning)**.
6. Select the region(s) from which to import results.
7. Click **Next**.
8. Select the repositories or accounts to import.
9. Click **Next**.
10. Select a schedule to import scans into the project.
11. Click **Save & Finish**.

          Importing Historical Scans

          

The ECR Scan Ingestion functionality is built to ingest all scan results for all images in a repository. Because of this capability, the first time that you ingest all repositories, images, and scans, there's a large amount of data to fetch and normalize which may result in significantly longer processing times.

## Next steps

You are now finished setting up the AWS connector. If you use other AWS services, see [our other AWS guides](/v1/docs/aws-getting-started#connector-setup-checklist).

You can optionally set the AWS connector to [upload all asset and finding data from your Nucleus project to S3 buckets](/v1/docs/s3-data-upload).