# Amazon ECR

Integrate Amazon ECR with OX to centralize security findings alongside container, pipeline, cloud, and runtime signals already in OX.

OX scans Amazon ECR on a schedule and on demand, enriches findings with OX context (application mapping, workflows, and compliance), and presents a unified queue for investigation and reporting.

After you connect, Amazon ECR scan results appear on the Active issues page (use the filter Source tool > Amazon ECR).

## What OX adds

* **Context and correlation:** OX maps findings to applications, services, and teams to show impact and ownership.
* **Prioritization with severity factors:** OX may reprioritize scanner severities when exploitability and environment context reduce risk (for example, Critical → High). Severity factors explain why the priority changed.
* **Evidence at a glance:** When available, OX displays scanner evidence, file locations, and remediation guidance alongside OX analytics to speed triage.

## Terminology mapping

Amazon ECR and OX use different labels for similar concepts.

<table><thead><tr><th width="258.26666259765625" valign="top">OX Security</th><th width="472.13323974609375" valign="top">Amazon ECR</th></tr></thead><tbody><tr><td valign="top">Connector</td><td valign="top">Integration</td></tr><tr><td valign="top">Active issue</td><td valign="top">Finding / Vulnerability</td></tr><tr><td valign="top">Application</td><td valign="top">Repository</td></tr></tbody></table>

## Connection methods

For general information about connection methods, see [Connection methods](/get-started/onboarding-to-ox/source-control/connection-methods.md).

For OX AWS documentation, see the article [AWS](https://docs.ox.security/ox-integrations/3rd-party-integrations/cloud-security/aws).

There are three options to connect Amazon ECR to OX:

* **Automatic:** A plug-and-play option to connect a single AWS account. OX provides a pre-configured CloudFormation template that creates the required user, role, and policies automatically.
* **Manual:** A more advanced option for organizations that want to create the required IAM policy, role, and permissions themselves.
* **Organization:** For organizations with multiple AWS accounts. Connects your AWS management account so OX can scan all accounts under it. Uses a CloudFormation StackSet to deploy across the organization.

## Prerequisites

**OX**

* Permission to configure connectors

**Amazon ECR**

* Access to the AWS account that contains the ECR registries you want to connect
* Permission to create CloudFormation stacks (Automatic and Organization methods) or IAM policies and roles (Manual method) in the AWS account
* Secure Token Service (STS) activated for the relevant account and region

## Set up the connection

Once you decide on your connection method, there are two main parts:

1. Create credentials and permissions in AWS
2. Connect OX to Amazon ECR

### Step 1: Create credentials and permissions \[AWS]

Open the accordion for your connection method.

<details>

<summary><mark style="color:purple;">Automatic</mark></summary>

The automatic method uses an AWS CloudFormation stack to create the IAM role and policies that OX requires. Everything is pre-configured. Use this method to connect a single AWS account.

1. Verify that the [prerequisites](#prerequisites) are in place.
2. Log in to your AWS console.
3. In OX, go to **Connectors > Registry** and select **Amazon ECR**.
4. Under the **AUTOMATIC** tab, select the **CLOUD FORMATION ASSUME ROLE** button. This opens the AWS CloudFormation page in your default browser.
5. On the **CloudFormation** page, enable the two acknowledgment checkboxes at the bottom.
6. Select **Create stack**.

> **Note:** If you already created a CloudFormation stack for ox-security, rename the stack. Otherwise AWS returns the error: Stack \[ox-security] already exists.

7. Wait for the stack creation to complete (this may take some time), then select the newly created stack if it is not already selected.
8. Select the **Outputs** tab and copy the **OxRoleArn** value.

</details>

<details>

<summary><mark style="color:purple;">Manual</mark></summary>

The manual method is a more advanced option for organizations that want to create the required IAM policy, role, and permissions themselves.

1. Verify that the [prerequisites](#prerequisites) are in place.
2. Log in to your AWS console.
3. Go to **AWS IAM Console > Policies** and select **Create policy**.
4. In **Create policy**, select the **JSON** tab.
5. Go to the [OX AWS Integration Policy](https://docs.ox.security/ox-integrations/3rd-party-integrations/cloud-security/aws/aws-ox-integration-policy) page and copy the JSON policy object.
6. Paste the JSON object in the **Create policy** page in AWS and select **Next**.
7. Add tags if needed and select **Next**.
8. Name the policy **OxAWSIntegrationPolicy** (or a name of your choice that you can identify later).
9. Add a description if needed and review the summary.
10. Select **Create policy**.
11. In **AWS IAM Console**, create a new role.
    1. **Role type:** Select Another AWS account.
    2. **Account ID:** Enter 351456651185 (OX's account ID). This grants OX read-only access to your AWS data.
12. Select **Require external ID** and enter the value from the AWS External ID field in the OX Amazon ECR connector window. Leave **Require MFA** disabled.
13. Select **Next: Permissions**.
14. In **Attach permissions policies**, search for and select the following policies:
    * ViewOnlyAccess
    * SecurityAudit
    * OxAWSIntegrationPolicy (or the name you gave to the policy you created)
15. Select **Next: Tags** and then **Next: Review**.
16. Name the role OxAWSIntegrationRole (or a name of your choice) and provide an appropriate description.
17. Select **Create role**.
18. Once the role creation is complete, open the role and copy the Role ARN value.

</details>

<details>

<summary><mark style="color:purple;">Organization</mark></summary>

The organization method is for organizations with multiple AWS accounts. By connecting your AWS management account, OX can scan all accounts under it.

This step has two parts.

**Deploy the StackSet**

1. Verify that the [prerequisites](#prerequisites) are in place.
2. Log in to your AWS console and go to the **CloudFormation** service.
3. Select **StackSets** and then **Create StackSet**.
4. In the **Choose a template** page:
   * Under **Permissions**, select the **Service-managed permissions** option.
   * Under **Prerequisite - Prepare template**, verify that the **Template is ready** option is selected.
   * Under **Specify template**, select the **Amazon S3 URL** option.
   * Under **Amazon S3 URL**, paste the following link: `https://ox-cloudformation-template.s3.eu-west-1.amazonaws.com/aws/ox_aws_integration_stackset_template_k8s.yml`
   * Select **Next**.
5. In the **Specify StackSet details** page:
   * Set **StackSet name** to `ox-security` (must be unique from other StackSet names).
   * Change the description if needed.
   * Set **ExternalId** to the **AWS External ID** value from the OX Amazon ECR connector window.
   * Verify that **IAMRoleName** and **OxAWSAccountId** are already filled.
   * Select **Next**.
6. In the **Configure StackSet options** page:
   * Under **Execution configuration**, verify that **Managed execution** is set to **Inactive**.
   * Select **Next**.
7. In the **Set deployment options** page:
   * Set **Add stacks to stack set** to **Deploy new stacks**.
   * Set **Deployment targets** to **Deploy to organization**.
   * Set **Automatic deployment** to **Enabled**.
   * Set **Account removal behavior** to **Delete stacks**.
   * In the **Specify regions** section, select the region your organization is in. **Important:** Select only one region. Selecting multiple regions causes the deployment to fail.
   * In the **Deployment options** section, set:
     * **Maximum concurrent accounts:** `1`
     * **Failure tolerance:** `0`
     * **Region Concurrency:** **Sequential**
   * Select **Next**.
8. Review the configuration:
   * Verify that the configuration is correct and adjust if necessary.
   * Check the **I acknowledge that AWS CloudFormation...** checkbox under **Capabilities**.
   * Select **Submit**.

The StackSet is now deployed.

When you use service-managed permissions (enabled in AWS Organizations), the parent/admin account receives a StackSet admin role named `AWSServiceRoleForCloudFormationStackSetsOrgAdmin`.

Each child/target account receives a StackSet execution role named `stacksets-exec-<id>`.

The CloudFormation service adds both roles automatically to establish the trust relationship.

* This method only adds the default trust and permission policies (administrative access) and does not allow you to customize the IAM roles at creation time.
* Some CSPM tools may flag the `stacksets-exec-<id>` role as a violation. Consider removing this role from target accounts after the deployment is complete.

**Create the management account stack**

1. Verify that the [prerequisites](#prerequisites) are in place.
2. In OX, go to **Connectors** > **Registry** and select **Amazon ECR**.
3. Under the **ORGANIZATION** tab, select the **CLOUD FORMATION ASSUME ROLE** button.
4. On the CloudFormation page:

   * Check the acknowledgment box at the bottom.

   * Select **Create stack**.

   > **Note:** If you already created a CloudFormation stack for ox-security, rename the stack. Otherwise AWS returns the error: *Stack \[ox-security] already exists*.
5. Once the stack is created, open **CloudFormation outputs** and copy the **OxRoleArn** value.

</details>

### Step 2: Connect OX to Amazon ECR \[OX]

Open the accordion for your connection method.

<details>

<summary><mark style="color:purple;">Automatic</mark></summary>

1. Verify that the [prerequisites](#prerequisites) are in place.
2. In OX, go to **Connectors > Registry** and select **Amazon ECR**.<br>

   <div align="left"><figure><img src="/files/StCQm7rLVXEYSiNHTVLv" alt="" width="375"><figcaption></figcaption></figure></div>
3. In **Configure your Amazon ECR credentials**, select the **AUTOMATIC** tab.
4. Select the **INSTRUCTIONS: AUTOMATIC - CLOUD FORMATION** link to open an online summary of the connection process.
5. On the same screen, enter the following parameters:

<table><thead><tr><th width="190.5333251953125" valign="top">Parameter</th><th valign="top">Description</th></tr></thead><tbody><tr><td valign="top">AWS External ID</td><td valign="top">Auto-generated by OX. No action required for the Automatic method.</td></tr><tr><td valign="top">AWS Role ARN</td><td valign="top">The OxRoleArn value you copied from the CloudFormation stack Outputs tab.</td></tr><tr><td valign="top">Connection Name</td><td valign="top">A meaningful name for this connection (for example, Production ECR).</td></tr></tbody></table>

6. Select **VERIFY CONNECTIVITY**.
7. A green success message at the bottom of the screen indicates a successful connection. If verification fails, check your credentials and permissions.
8. Select **CONNECT**.

**Optional configurations**

* To change the resources OX scans and monitors, see the section [Change the locations OX scans](#change-the-locations-ox-scans).

</details>

<details>

<summary><mark style="color:purple;">Manual</mark></summary>

1. Verify that the [prerequisites](#prerequisites) are in place.
2. In OX, go to **Connectors > Registry** and select **Amazon ECR**.<br>

   <div align="left"><figure><img src="/files/GV0s0bwrCyk5dat05ksu" alt="" width="375"><figcaption></figcaption></figure></div>
3. In **Configure your Amazon ECR credentials**, select the **MANUAL** tab.
4. Select the **INSTRUCTIONS: MANUAL** link to open an online summary of the connection process.
5. On the same screen, enter the following parameters:

<table><thead><tr><th width="210.2667236328125" valign="top">Parameter</th><th valign="top">Description</th></tr></thead><tbody><tr><td valign="top">AWS External ID</td><td valign="top">Auto-generated by OX. Copy this value when creating the IAM role in AWS.</td></tr><tr><td valign="top">AWS Role ARN</td><td valign="top">The Role ARN you copied from the IAM role you created in AWS.</td></tr><tr><td valign="top">Connection Name</td><td valign="top">A meaningful name for this connection (for example, Production ECR Manual).</td></tr></tbody></table>

6. Select **VERIFY CONNECTIVITY**.
7. A green success message at the bottom of the screen indicates a successful connection. If verification fails, check your credentials and permissions.
8. Select **CONNECT**.

**Optional configurations**

* To change the resources OX scans and monitors, see the section [Change the locations OX scans](#change-the-locations-ox-scans).

</details>

<details>

<summary><mark style="color:purple;">Organization</mark></summary>

1. Verify that the [prerequisites](#prerequisites) are in place.
2. In OX, go to **Connectors > Registry** and select **Amazon ECR**.<br>

   <div align="left"><figure><img src="/files/RMWOesG30oetm6tdGlch" alt="" width="375"><figcaption></figcaption></figure></div>
3. Select the **ORGANIZATION** tab.
4. In **Configure your Amazon ECR credentials**, select the **INSTRUCTIONS: CONNECT ORGANIZATION** link to open an online summary of the connection process.
5. On the same screen, enter the following parameters:

<table><thead><tr><th width="211.86663818359375" valign="top">Parameter</th><th valign="top">Description</th></tr></thead><tbody><tr><td valign="top">AWS External ID</td><td valign="top">Auto-generated by OX. Copy this value when configuring the StackSet (Step 1, Organization, step 5, the <strong>ExternalId</strong> parameter).</td></tr><tr><td valign="top">AWS Role ARN</td><td valign="top">The OxRoleArn value you copied from the CloudFormation stack Outputs tab.</td></tr><tr><td valign="top">Connection Name</td><td valign="top">A meaningful name for this connection (for example, Organization ECR).</td></tr></tbody></table>

6. Select **VERIFY CONNECTIVITY**.
7. A green success message at the bottom of the screen indicates a successful connection. If verification fails, check your credentials and permissions.
8. Select **CONNECT**.

**Optional configurations**

* To change the resources OX scans and monitors, see the section [Change the locations OX scans](#change-the-locations-ox-scans).

</details>

## Change the locations OX scans

By default, if you do not make a specific selection, OX scans everything. Once a connection exists, you can change the locations that OX scans and monitors.

1. Use the **Gear** icon at the bottom of the Configuration screen.
2. OX displays the locations or objects that OX scans and monitors.
3. Change the selection as needed.
4. Select **SAVE**.

<div align="left"><figure><img src="/files/jffnn3K9mCPbTgdiiHHu" alt="" width="375"><figcaption></figcaption></figure></div>
