Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure CSPM for Amazon ECR

To enable Skyhigh CASB for use with Amazon ECR, make the following configurations in the Amazon Console and Skyhigh CASB. 

NOTE: If you already have an AWS instance set up in Skyhigh CASB, nothing will change until you import ECR policies, after which you will need to provide necessary permissions for configuration audit. 

Configure Amazon ECR

  1. In the AWS Console, go to ECR. 
  2. Create an ECR cluster to use with Skyhigh CASB detection. 
  3. Provide permissions to the Skyhigh CASB for ECR policies. 

Configure Skyhigh CASB IAM Roles for AWS

Skyhigh CASB uses AWS CloudFormation Templates to create the IAM roles required to configure AWS accounts. Permissions for all Skyhigh CASB features are consolidated in CloudFormation Templates, so you do not have to track and provide permissions separately for each feature. 

Use one of three options:

  1. AWS Managed Policy SecurityAudit. This is the recommended option. 
  2. Read-Only Access
  3. Minimum Permissions

Configure Skyhigh CASB

Configure a New AWS Instance

If you haven't configured an AWS instance in Skyhigh CASB yet, use the following steps.

NOTE: Permissions against all the pre-defined policy templates are checked during authentication.

  1. Go to Settings > Service Management
  2. Select the AWS service instance and click the Setup tab. 
  3. Enable API access, then click Edit
  4. For Enabled Features, make sure Security Configuration Audit is enabled. Click Next
  5. In the Review Prerequisites screen, review permissions and click I have reviewed all prerequisites for enablement and completed any that are mandatory. Click Next
  6. For Accounts, enter your Role ARN. Click Add
  7. Click Authenticate Accounts
  8. Click Save

Configure an Existing AWS Instance

If you already have an AWS instance configured in Skyhigh CASB, use the following steps.

NOTE: Permissions against imported policies are checked during authentication and On-Demand Scans. 

  1. Go to Policy > Policy Templates
  2. In the Table view, filter by Business Requirement > Container Security. (For details about policy templates for ECR, see Policy Templates for Container Security.)

NOTE: In the Filters > Usage section, you can also choose Not Used to list all un-imported templates.

  1. Select all the templates you want to create policies for and click Actions > Create Policy. Click Create Policies
  2. All the imported policies will appear under Policy > Configuration Audit page
  3. Select the policies and click Actions > Activate Policies.

The policies are activated.


After activating the policies, subsequent AWS configuration audit scans discover AWS ECR resources and registries, and also evaluate these policies and report any incidents.

For more information, see About Configuration Audit Policies

You may also choose to manually trigger the scan from the Policy > On-Demand Scan. For details, see On-Demand Scans for Container Security

  • Was this article helpful?