Overview

The Amazon ECR (Elastic Container Registry) integration allows Backline to scan your container images for security vulnerabilities. Identify and remediate security issues in your Docker images before they reach production.

What You Can Do

With the ECR integration, Backline can:
  • Scan container images for vulnerabilities
  • Analyze image layers and dependencies
  • Detect outdated base images
  • Track vulnerabilities across image versions
  • Monitor container security compliance

Prerequisites

Before connecting ECR, ensure you have:
  • An AWS account with ECR repositories
  • Permissions to deploy CloudFormation stacks (requires IAM role creation)
  • Your 12-digit AWS Account ID

Connecting ECR

1. Go to Integration Hub
   Navigate to Integrations from the main menu.

2. Select ECR
   Find and click on the Amazon ECR integration card.

3. Deploy CloudFormation Stack
   Click the CloudFormation link in Backline or use the direct link below to deploy the integration role in your AWS account:
   Deploy CloudFormation Stack
   Enter a unique External ID when prompted. This value secures the cross-account trust relationship.

4. Get Stack Outputs
   After the stack completes, go to the Outputs tab and copy the Role ARN and External ID.

5. Enter Integration Details
   In Backline, enter:
     • Account ID: Your 12-digit AWS account ID
     • External ID: The value you provided during stack creation
     • Role ARN: The ARN from the CloudFormation outputs

6. Test Connection
   Click Test Connection to verify the role can be assumed.

7. Save
   Click Save to complete the integration.

Alternative: Manual Role Creation

If you cannot use CloudFormation or prefer to create IAM resources manually, follow these steps:
We recommend using the CloudFormation template for easier setup and maintenance. Use manual creation only if CloudFormation is not an option in your environment.
1. Create the IAM Role
   In the AWS IAM Console, create a new role named BacklineECRIntegrationRole with the following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::198331734661:role/BacklineIntegrationReadOnlyECR"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<YOUR_EXTERNAL_ID>"
        }
      }
    }
  ]
}
Replace <YOUR_EXTERNAL_ID> with a unique, secure string of at least 8 characters. Save this value—you’ll need it when configuring Backline.
2. Attach the Permissions Policy
   Create and attach an inline policy named CustomerECRReadPolicy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:DescribeImages",
        "ecr:ListImages"
      ],
      "Resource": "arn:aws:ecr:*:<YOUR_ACCOUNT_ID>:repository/*"
    }
  ]
}
Replace <YOUR_ACCOUNT_ID> with your 12-digit AWS account ID.
3. Copy the Role ARN
   After creating the role, copy its ARN from the role summary page. It will look like:
   arn:aws:iam::<YOUR_ACCOUNT_ID>:role/BacklineECRIntegrationRole
4. Complete Integration in Backline
   Return to the Enter Integration Details step above and enter your Account ID, External ID, and Role ARN.

Required IAM Permissions

The CloudFormation template creates a role with the following permissions:
ecr:GetAuthorizationToken    (Resource: *)
ecr:BatchGetImage            (Resource: arn:aws:ecr:${Region}:${AccountId}:repository/*)
ecr:GetDownloadUrlForLayer   (Resource: arn:aws:ecr:${Region}:${AccountId}:repository/*)
ecr:DescribeImages           (Resource: arn:aws:ecr:${Region}:${AccountId}:repository/*)
ecr:ListImages               (Resource: arn:aws:ecr:${Region}:${AccountId}:repository/*)
The CloudFormation template follows the principle of least privilege, granting read-only access scoped to ECR repositories in your account.

Security Model

Backline uses secure cross-account role assumption to access your ECR:
  1. Backline assumes its own integration role
  2. That role then assumes the BacklineECRIntegrationRole in your account
  3. The External ID prevents unauthorized access (confused deputy protection)
Backline never stores long-term AWS credentials. All access uses temporary STS tokens that automatically expire.
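As an added check, not part of the Backline documentation or its CloudFormation template: a small Python linter for the two policies created in the manual role setup. It verifies that the trust policy names exactly the Backline principal shown on this page and carries the sts:ExternalId condition the security model relies on, and that the permissions policy grants only the five read-only actions listed under Required IAM Permissions, scoped to your account. The sample policies, the demo External ID and the account ID 123456789012 are constructed values.

```python
# Read-only ECR actions the integration requires (the page's permission list).
REQUIRED_ECR_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                        "ecr:GetDownloadUrlForLayer", "ecr:DescribeImages", "ecr:ListImages"}
# Backline's calling role, copied from the page's trust policy.
BACKLINE_PRINCIPAL = "arn:aws:iam::198331734661:role/BacklineIntegrationReadOnlyECR"

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM fields may be string or list

def check_trust_policy(policy):
    """Findings for the role's trust policy; an empty list means it passes."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [str(principal)]
        if principals != [BACKLINE_PRINCIPAL]:
            findings.append(f"principal must be exactly the Backline role, got {principals}")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("no sts:ExternalId condition: confused-deputy protection is missing")
        elif ext_id.startswith("<") or len(ext_id) < 8:
            findings.append("sts:ExternalId is still a placeholder or shorter than 8 characters")
    return findings

def check_permissions_policy(policy, account_id):
    """Findings if the policy grants more than read-only ECR access scoped to account_id."""
    findings = []
    for st in policy.get("Statement", []):
        actions = _as_list(st.get("Action", []))
        unexpected = [a for a in actions if a not in REQUIRED_ECR_ACTIONS]
        if unexpected:
            findings.append(f"actions outside the read-only set: {unexpected}")
        if actions == ["ecr:GetAuthorizationToken"]:
            continue  # GetAuthorizationToken is not resource-scoped, so "*" is expected here
        for res in _as_list(st.get("Resource", [])):
            if not res.startswith("arn:aws:ecr:") or f":{account_id}:repository/" not in res:
                findings.append(f"resource not scoped to account {account_id}: {res}")
    return findings

# Constructed samples: the page's two policies with demo values filled in.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": BACKLINE_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "demo-external-id-0001"}}}]}
SAMPLE_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                                   "ecr:DescribeImages", "ecr:ListImages"],
     "Resource": "arn:aws:ecr:*:123456789012:repository/*"}]}
```

Both sample policies pass (each function returns an empty list); removing the ExternalId condition, leaving the <YOUR_EXTERNAL_ID> placeholder in place, or adding a write action such as ecr:PutImage to the permissions policy each produces a finding.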

After Connection

Once ECR is connected, Backline will:
  1. Discover your ECR repositories
  2. Begin scanning container images
  3. Identify vulnerabilities in image layers
  4. Generate remediation recommendations

Image Scanning

Backline scans:
  • All tagged images in connected repositories
  • Base image vulnerabilities
  • Package and dependency vulnerabilities within containers
  • Configuration issues
Large images may take several minutes to scan initially. Subsequent scans are incremental and faster.

Managing the Integration

Updating Configuration

To update the integration settings:
  1. Open the Integration Hub
  2. Click on the ECR integration
  3. Update the Account ID, External ID, or Role ARN as needed
  4. Test and save

Disconnecting

To remove the ECR integration:
  1. Go to the Integration Hub
  2. Click on the ECR integration
  3. Select Disconnect
  4. Confirm your choice
Disconnecting will stop container image scanning. Existing vulnerability data will remain but won’t be updated.

Additional Configuration

More detailed configuration options will be available here.