search
Book a demo

Amazon ECR

Integrate Amazon ECR with OX to centralize security findings alongside container, pipeline, cloud, and runtime signals already in OX.

OX scans Amazon ECR on a schedule and on demand, enriches findings with OX context (application mapping, workflows, and compliance), and presents a unified queue for investigation and reporting.

After you connect, Amazon ECR scan results appear on the Active issues page (use the filter Source tool > Amazon ECR).

hashtag
What OX adds

  • Context and correlation: OX maps findings to applications, services, and teams to show impact and ownership.

  • Prioritization with severity factors: OX may reprioritize scanner severities when exploitability and environment context reduce risk (for example, Critical → High). Severity factors explain why the priority changed.

  • Evidence at a glance: When available, OX displays scanner evidence, file locations, and remediation guidance alongside OX analytics to speed triage.

hashtag
Terminology mapping

Amazon ECR and OX use different labels for similar concepts.

OX Security
Amazon ECR

Connector

Integration

Active issue

Finding / Vulnerability

Application

Repository

hashtag
Connection methods

For general information about connection methods, see Connection methods.

For OX AWS documentation, see the article AWSarrow-up-right.

There are 3 options to connect Amazon ECR to OX:

  • Automatic: A plug-and-play option to connect a single AWS account. OX provides a pre-configured CloudFormation template that creates the required user, role, and policies automatically.

  • Manual: A more advanced option for organizations that want to create the required IAM policy, role, and permissions themselves.

  • Organization: For organizations with multiple AWS accounts. Connects your AWS management account so OX can scan all accounts under it. Uses a CloudFormation StackSet to deploy across the organization.

hashtag
Prerequisites

OX

  • Permission to configure connectors

Amazon ECR

  • Access to the AWS account that contains the ECR registries you want to connect

  • Permission to create CloudFormation stacks (Automatic and Organization methods) or IAM policies and roles (Manual method) in the AWS account

  • Secure Token Service (STS) activated for the relevant account and region

hashtag
Set up the connection

Once you decide on your connection method, there are two main parts:

  1. Create credentials and permissions in AWS

  2. Connect OX to Amazon ECR

hashtag
Step 1: Create credentials and permissions [AWS]

Open the accordion for your connection method.

chevron-rightAutomatichashtag

The automatic method uses an AWS CloudFormation stack to create the IAM role and policies that OX requires. Everything is pre-configured. Use this method to connect a single AWS account.

  1. Verify that the prerequisites are in place.

  2. Log in to your AWS console.

  3. In OX, go to Connectors > Registry and select Amazon ECR.

  4. Under the AUTOMATIC tab, select the CLOUD FORMATION ASSUME ROLE button. This opens the AWS CloudFormation page in your default browser.

  5. On the CloudFormation page, enable the two acknowledgment checkboxes at the bottom.

  6. Select Create stack.

Note: If you already created a CloudFormation stack for ox-security, rename the stack. Otherwise AWS returns the error: Stack [ox-security] already exists.

  1. Wait for the stack creation to complete (this may take some time), then select the newly created stack if it is not already selected.

  2. Select the Outputs tab and copy the OxRoleArn value.

chevron-rightManualhashtag

The manual method is a more advanced option for organizations that want to create the required IAM policy, role, and permissions themselves.

  1. Verify that the prerequisites are in place.

  2. Log in to your AWS console.

  3. Go to AWS IAM Console > Policies and select Create policy.

  4. In Create policy, select the JSON tab.

  5. Go to the OX AWS Integration Policyarrow-up-right page and copy the JSON policy object.

  6. Paste the JSON object in the Create policy page in AWS and select Next.

  7. Add tags if needed and select Next.

  8. Name the policy OxAWSIntegrationPolicy (or a name of your choice that you can identify later).

  9. Add a description if needed and review the summary.

  10. Select Create policy.

  11. In AWS IAM Console, create a new role.

    1. Role type: Select Another AWS account.

    2. Account ID: Enter 351456651185 (OX's account ID). This grants OX read-only access to your AWS data.

  12. Select Require external ID and enter the value from the AWS External ID field in the OX Amazon ECR connector window. Leave Require MFA disabled.

  13. Select Next: Permissions.

  14. In Attach permissions policies, search for and select the following policies:

    • ViewOnlyAccess

    • SecurityAudit

    • OxAWSIntegrationPolicy (or the name you gave to the policy you created)

  15. Select Next: Tags and then Next: Review.

  16. Name the role OxAWSIntegrationRole (or a name of your choice) and provide an appropriate description.

  17. Select Create role.

  18. Once the role creation is complete, open the role and copy the Role ARN value.

chevron-rightOrganizationhashtag

The organization method is for organizations with multiple AWS accounts. By connecting your AWS management account, OX can scan all accounts under it.

This step has two parts.

Deploy the StackSet

  1. Verify that the prerequisites are in place.

  2. Log in to your AWS console and go to the CloudFormation service.

  3. Select StackSets and then Create StackSet.

  4. In the Choose a template page:

    • Under Permissions, select the Service-managed permissions option.

    • Under Prerequisite - Prepare template, verify that the Template is ready option is selected.

    • Under Specify template, select the Amazon S3 URL option.

    • Under Amazon S3 URL, paste the following link: https://ox-cloudformation-template.s3.eu-west-1.amazonaws.com/aws/ox_aws_integration_stackset_template_k8s.yml

    • Select Next.

  5. In the Specify StackSet details page:

    • Set StackSet name to ox-security (must be unique from other StackSet names).

    • Change the description if needed.

    • Set ExternalId — paste the AWS External ID value from the OX Amazon ECR connector window.

    • Verify that IAMRoleName and OxAWSAccountId are already filled.

    • Select Next.

  6. In the Configure StackSet options page:

    • Under Execution configuration, verify that Managed execution is set to Inactive.

    • Select Next.

  7. In the Set deployment options page:

    • Set Add stacks to stack set to Deploy new stacks.

    • Set Deployment targets to Deploy to organization.

    • Set Automatic deployment to Enabled.

    • Set Account removal behavior to Delete stacks.

    • In the Specify regions section, select the region your organization is in. Important: Select only one region. Selecting multiple regions causes the deployment to fail.

    • In the Deployment options section, set:

      • Maximum concurrent accounts: 1

      • Failure tolerance: 0

      • Region Concurrency: Sequential

    • Select Next.

  8. Review the configuration:

    • Verify that the configuration is correct and adjust if necessary.

    • Check the I acknowledge that AWS CloudFormation... checkbox under Capabilities.

    • Select Submit.

The StackSet is now deployed.

When you use service-managed permissions (enabled in AWS Organizations), the parent/admin account receives a StackSet admin role named AWSServiceRoleForCloudFormationStackSetsOrgAdmin.

Each child/target account receives a StackSet execution role named stacksets-exec-<id>.

The CloudFormation service adds both roles automatically to establish the trust relationship.

  • This method only adds the default trust and permission policies (administrative access) and does not allow you to customize the IAM roles at creation time.

  • Some CSPM tools may flag the stacksets-exec-<id> role as a violation. Consider removing this role from target accounts after the deployment is complete.

Create the management account stack

  1. Verify that the prerequisites are in place.

  2. In OX, go to Connectors > Registry and select Amazon ECR.

  3. Under the ORGANIZATION tab, select the CLOUD FORMATION ASSUME ROLE button.

  4. On the CloudFormation page:

    • Check the acknowledgment box at the bottom.

    • Select Create stack.

    Note: If you already created a CloudFormation stack for ox-security, rename the stack. Otherwise AWS returns the error: Stack [ox-security] already exists.

  5. Once the stack is created, open CloudFormation outputs and copy the OxRoleArn value.

hashtag
Step 2: Connect OX to Amazon ECR [OX]

Open the accordion for your connection method.

chevron-rightAutomatichashtag

  1. Verify that the prerequisites are in place.

  2. In OX, go to Connectors > Registry and select Amazon ECR.

  3. In Configure your Amazon ECR credentials, select the AUTOMATIC tab.

  4. Select the INSTRUCTIONS: AUTOMATIC - CLOUD FORMATION link to open an online summary of the connection process.

  5. On the same screen, enter the following parameters:

Parameter
Description

AWS External ID

Auto-generated by OX. No action required for the Automatic method.

AWS Role ARN

The OxRoleArn value you copied from the CloudFormation stack Outputs tab.

Connection Name

A meaningful name for this connection (for example, Production ECR).

  1. Select VERIFY CONNECTIVITY.

  2. A green success message at the bottom of the screen indicates a successful connection. If verification fails, check your credentials and permissions.

  3. Select CONNECT.

Optional configurations

chevron-rightManualhashtag

  1. Verify that the prerequisites are in place.

  2. In OX, go to Connectors > Registry and select Amazon ECR.

  3. In Configure your Amazon ECR credentials, select the MANUAL tab.

  4. Select the INSTRUCTIONS: MANUAL link to open an online summary of the connection process.

  5. On the same screen, enter the following parameters:

Parameter
Description

AWS External ID

Auto-generated by OX. Copy this value when creating the IAM role in AWS.

AWS Role ARN

The Role ARN you copied from the IAM role you created in AWS.

Connection Name

A meaningful name for this connection (for example, Production ECR Manual).

  1. Select VERIFY CONNECTIVITY.

  2. A green success message at the bottom of the screen indicates a successful connection. If verification fails, check your credentials and permissions.

  3. Select CONNECT.

Optional configurations

chevron-rightOrganizationhashtag

  1. Verify that the prerequisites are in place.

  2. In OX, go to Connectors > Registry and select Amazon ECR.

  3. Select the ORGANIZATION tab.

  4. In Configure your Amazon ECR credentials, select the INSTRUCTIONS: CONNECT ORGANIZATION link to open an online summary of the connection process.

  5. On the same screen, enter the following parameters:

Parameter
Description

AWS External ID

Auto-generated by OX. Copy this value when configuring the StackSet (Step 1, Organization, step 4).

AWS Role ARN

The OxRoleArn value you copied from the CloudFormation stack Outputs tab.

Connection Name

A meaningful name for this connection (for example, Organization ECR).

  1. Select VERIFY CONNECTIVITY.

  2. A green success message at the bottom of the screen indicates a successful connection. If verification fails, check your credentials and permissions.

  3. Select CONNECT.

Optional configurations

hashtag
Change the locations OX scans

Once you have a connection, you can change the locations that OX scans and monitors.

  1. Use the Gear icon at the bottom of the Configuration screen.

  2. OX displays the locations or objects that OX scans and monitors.

  3. Change the selection as needed.

  4. Select SAVE.

Last updated