
# Amazon ECR Integration

> Scan container images in Amazon Elastic Container Registry

## Overview

The Amazon ECR (Elastic Container Registry) integration allows Backline to scan your container images for security vulnerabilities. Identify and remediate security issues in your Docker images before they reach production.

## What You Can Do

With the ECR integration, Backline can:

* Scan container images for vulnerabilities
* Analyze image layers and dependencies
* Detect outdated base images
* Track vulnerabilities across image versions
* Monitor container security compliance

## Prerequisites

Before connecting ECR, ensure you have:

* An AWS account with ECR repositories
* Permissions to deploy CloudFormation stacks (requires IAM role creation)
* Your 12-digit AWS Account ID

## Connecting ECR

<Steps>
  <Step title="Go to Integration Hub">
    Navigate to Integrations from the main menu.
  </Step>

  <Step title="Select ECR">
    Find and click on the Amazon ECR integration card.
  </Step>

  <Step title="Deploy CloudFormation Stack">
    Click the CloudFormation link in Backline or use the direct link below to deploy the integration role in your AWS account:

    [Deploy CloudFormation Stack](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://backline-integration-templates.s3.amazonaws.com/backline-ecr-integration-role.yaml\&stackName=BacklineECRIntegration)

    Enter a unique **External ID** when prompted. This value secures the cross-account trust relationship.
  </Step>

  <Step title="Get Stack Outputs">
    After the stack completes, go to the **Outputs** tab and copy the **Role ARN** and **External ID**.
  </Step>

  <Step title="Enter Integration Details">
    In Backline, enter:

    * **Account ID**: Your 12-digit AWS account ID
    * **External ID**: The value you provided during stack creation
    * **Role ARN**: The ARN from the CloudFormation outputs
  </Step>

  <Step title="Test Connection">
    Click **Test Connection** to verify the role can be assumed.
  </Step>

  <Step title="Save">
    Click **Save** to complete the integration.
  </Step>
</Steps>

## Alternative: Manual Role Creation

If you cannot use CloudFormation or prefer to create IAM resources manually, follow these steps:

<Tip>
  We recommend using the CloudFormation template for easier setup and maintenance. Use manual creation only if CloudFormation is not an option in your environment.
</Tip>

<Steps>
  <Step title="Create the IAM Role">
    In the AWS IAM Console, create a new role named `BacklineECRIntegrationRole` with the following trust policy:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::198331734661:role/BacklineIntegrationReadOnlyECR"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<YOUR_EXTERNAL_ID>"
            }
          }
        }
      ]
    }
    ```

    Replace `<YOUR_EXTERNAL_ID>` with a unique, secure string of at least 8 characters. Save this value—you'll need it when configuring Backline.
  </Step>

  <Step title="Attach the Permissions Policy">
    Create and attach an inline policy named `CustomerECRReadPolicy` with the following permissions:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ecr:GetAuthorizationToken",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer",
            "ecr:DescribeImages",
            "ecr:ListImages"
          ],
          "Resource": "arn:aws:ecr:*:<YOUR_ACCOUNT_ID>:repository/*"
        }
      ]
    }
    ```

    Replace `<YOUR_ACCOUNT_ID>` with your 12-digit AWS account ID.
  </Step>

  <Step title="Copy the Role ARN">
    After creating the role, copy its ARN from the role summary page. It will look like:

    `arn:aws:iam::<YOUR_ACCOUNT_ID>:role/BacklineECRIntegrationRole`
  </Step>

  <Step title="Complete Integration in Backline">
    Return to the [Enter Integration Details](#enter-integration-details) step above and enter your Account ID, External ID, and Role ARN.
  </Step>
</Steps>

## Required IAM Permissions

The CloudFormation template creates a role with the following permissions:

```
ecr:GetAuthorizationToken    (Resource: *)
ecr:BatchGetImage            (Resource: arn:aws:ecr:${Region}:${AccountId}:repository/*)
ecr:GetDownloadUrlForLayer   (Resource: arn:aws:ecr:${Region}:${AccountId}:repository/*)
ecr:DescribeImages           (Resource: arn:aws:ecr:${Region}:${AccountId}:repository/*)
ecr:ListImages               (Resource: arn:aws:ecr:${Region}:${AccountId}:repository/*)
```

<Tip>
  The CloudFormation template follows the principle of least privilege, granting read-only access scoped to ECR repositories in your account.
</Tip>

## Security Model

Backline uses secure cross-account role assumption to access your ECR:

1. Backline assumes its own integration role
2. That role then assumes the `BacklineECRIntegrationRole` in your account
3. The External ID prevents unauthorized access (confused deputy protection)

Backline never stores long-term AWS credentials. All access uses temporary STS tokens that automatically expire.
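As an added check that is not part of Backline's documentation or tooling, the script below audits a manually created role against the shape prescribed by the manual steps, the Required IAM Permissions list and the External ID rule above: the trust policy must name only the Backline principal with an `sts:ExternalId` condition, and the inline policy must grant only the five read-only ECR actions on repositories in your account. The function names, finding messages and sample inputs are assumptions of this example.

```python
# Added example (not Backline tooling): audit a manually created integration role.
BACKLINE_PRINCIPAL = "arn:aws:iam::198331734661:role/BacklineIntegrationReadOnlyECR"
READ_ONLY_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                     "ecr:GetDownloadUrlForLayer", "ecr:DescribeImages", "ecr:ListImages"}

def _as_list(value):
    # IAM accepts a bare string wherever a list is allowed; normalise it.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(doc, external_id):
    """Findings for the trust policy; an empty list means it matches the docs."""
    findings, saw_assume = [], False
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        saw_assume = True
        pr = st.get("Principal", {})
        principals = _as_list(pr.get("AWS", []) if isinstance(pr, dict) else pr)
        if principals != [BACKLINE_PRINCIPAL]:
            findings.append(f"unexpected AssumeRole principal(s): {principals}")
        cond = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond is None:  # confused-deputy protection is missing
            findings.append("AssumeRole statement has no sts:ExternalId condition")
        elif cond != external_id:
            findings.append("sts:ExternalId does not match the value given to Backline")
    if not saw_assume:
        findings.append("no Allow sts:AssumeRole statement found")
    if len(external_id) < 8:
        findings.append("External ID is shorter than 8 characters")
    return findings

def audit_permissions_policy(doc, account_id):
    """Findings for the inline policy: read-only ECR actions on this account's repos only."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        if actions - READ_ONLY_ACTIONS:
            findings.append(f"actions beyond the read-only set: {sorted(actions - READ_ONLY_ACTIONS)}")
        if actions == {"ecr:GetAuthorizationToken"}:
            continue  # this API is account-wide and legitimately uses Resource "*"
        for res in _as_list(st.get("Resource", [])):
            parts = res.split(":")  # arn:aws:ecr:<region>:<account>:repository/<name>
            if len(parts) != 6 or parts[2] != "ecr" or parts[4] != account_id \
                    or not parts[5].startswith("repository/"):
                findings.append(f"resource not scoped to ECR repositories in {account_id}: {res}")
    return findings
```

To audit the live role, pass the dicts boto3 returns from `iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]` and `iam.get_role_policy(RoleName=..., PolicyName=...)["PolicyDocument"]`.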

## After Connection

Once ECR is connected, Backline will:

1. Discover your ECR repositories
2. Begin scanning container images
3. Identify vulnerabilities in image layers
4. Generate remediation recommendations

## Image Scanning

Backline scans:

* All tagged images in connected repositories
* Base image vulnerabilities
* Package and dependency vulnerabilities within containers
* Configuration issues

<Note>
  Large images may take several minutes to scan initially. Subsequent scans are incremental and faster.
</Note>

## Managing the Integration

### Updating Configuration

To update the integration settings:

1. Open the Integration Hub
2. Click on the ECR integration
3. Update the Account ID, External ID, or Role ARN as needed
4. Test and save

### Disconnecting

To remove the ECR integration:

1. Go to the Integration Hub
2. Click on the ECR integration
3. Select **Disconnect**
4. Confirm your choice

<Warning>
  Disconnecting will stop container image scanning. Existing vulnerability data will remain but won't be updated.
</Warning>

## Additional Configuration

*More detailed configuration options will be available here.*
