ECR (Basic Scanning)

After setting up permissions and instance sync, configure the AWS connector to pull data from ECR basic scanning into your Nucleus project.

Connector configuration

  1. Log in to your Nucleus project.
  2. From the navigation bar on the left, under Integration Hub, select Connector Setup.
  3. Select Amazon Web Services.
  4. In the Name field, enter a name for the connector.
  5. In the Description field, enter a description for this connector.
  6. In the Authentication section, click the green plus button to add a new AWS role to use when connecting to AWS. Note that you can only have one role per AWS account. Alternatively, you can bulk import credentials using a CSV file.
  7. In the Label field, enter a label for the role.
  8. In the Role ARN field, enter the Amazon Resource Name (ARN) for the role.
  9. Click Verify Credentials. If the credentials were entered correctly, a message confirming a successful connection will appear.
  10. Do not check Import all AWS Resource Tags as nested asset groups, as this option is now legacy.
  11. Optionally check Synchronise EC2 and ECR Instance states.
    • To automatically deactivate the asset in Nucleus when an EC2 or ECR instance is terminated, select When an EC2 or ECR instance is terminated, deactivate the asset in Nucleus.
    • To automatically remove the asset from Nucleus when an EC2 or ECR instance is terminated, select When an EC2 or ECR instance is terminated, remove the asset from Nucleus.
  12. Optionally decide if you want to upload asset and finding data from your Nucleus project to S3 buckets.
  13. Click Save & Finish.

Bulk import credentials template

If your organization has many AWS accounts, you can bulk import role ARNs by clicking Bulk Import Credentials and uploading a CSV structured in the following way:

label,crossaccountrole
my label,arn:aws:iam::123456798012:role/myRoleName

Vulnerability scan data ingestion

The AWS connector gives you flexibility in how you import image scan results from Amazon ECR. To ingest Amazon ECR image scan results from your AWS connector into a Nucleus project:

  1. Log in to your Nucleus project.
  2. From the navigation bar on the left, under Integration Hub, select Import via Connector.
  3. Select your AWS connector.
  4. Select Amazon ECR (Basic).
  5. Select whether to import by Repositories, Account, or All.
  6. Select the region(s) from which to import results.
  7. Click Next.
  8. Select the repositories or accounts to import.
  9. Click Next.
  10. Select a schedule to import scans into the project.
  11. Click Save & Finish.

Importing Historical Scans

The ECR Scan Ingestion functionality is built to ingest all scan results for all images in a repository. Because of this, the first time that you ingest all repositories, images, and scans, there is a large amount of data to fetch and normalize, which may result in significantly longer processing times.

Next steps

You are now finished setting up the AWS connector. If you use other AWS services, see our other AWS guides.

You can optionally set the AWS connector to upload all asset and finding data from your Nucleus project to S3 buckets.