Amazon ECR Image scanning

Amazon ECR image scanning uses the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project to detect software vulnerabilities in container images and provide a list of scan findings, which can be easily integrated into Wazuh thanks to the AWS CloudWatch Logs integration.

Amazon ECR sends an event to Amazon EventBridge when an image scan is completed. The event itself is only a summary and does not contain the details of the scan findings. However, it is possible to configure a Lambda function to request the scan findings details and store them in CloudWatch Logs. Here is a quick summary of what the workflow looks like:

  1. An image scan is triggered.

  2. Once the scan is completed Amazon ECR sends an event to EventBridge.

  3. The "Scan completed" event triggers a Lambda function.

  4. The lambda function takes the data from the "Scan completed" event and requests the scan details.

  5. The Lambda function creates a log group and a log stream in CloudWatch Logs to store the response received.

  6. Wazuh pulls the logs from the CloudWatch log groups using the CloudWatch Logs integration.

The following sections cover how to configure AWS to store the scan findings in CloudWatch Logs and how to ingest them into Wazuh.

AWS configuration

AWS provides a template for creating a stack in CloudFormation that loads the image scan findings from Amazon ECR in CloudWatch using an AWS Lambda function.

How to create the CloudFormation Stack

  1. Download the ECR Image Scan findings logger template from the official aws-samples GitHub repository.

  2. Access CloudFormation and click on Create stack.

  3. Create a new stack using the template from step 1.

  1. Choose a name for the stack and finish the creation process. No additional configuration is required.

  2. Wait until "CREATE_COMPLETE" status is reached. The stack containing the AWS Lambda is now ready to be used.

Once the stack configuration is completed, the Lambda can be tested by manually triggering an image scan. The scan results in the creation of a CloudWatch log group called /aws/ecr/image-scan-findings/<name of the ECR repository> containing the scan results. For every new scan, the corresponding log streams are created inside the log group.

Wazuh configuration

  1. Open the Wazuh configuration file (/var/ossec/etc/ossec.conf) and add the following configuration block:

    <wodle name="aws-s3">
      <service type="cloudwatchlogs">


    Check the AWS CloudWatch Logs integration to learn more about how the CloudWatch Logs integration works.

  2. Restart Wazuh to apply the configuration changes.

    • If you are configuring a Wazuh manager:

      # systemctl restart wazuh-manager
    • If you are configuring a Wazuh agent:

      # systemctl restart wazuh-agent