Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Enhance Amazon ECR with a built-in capability to detect if container images have the root user enabled.
Which service(s) is this request for?
ECR
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Currently, there's no direct method to determine if a container image in ECR uses the root user. While tools like image scanners can provide insights, they often require additional configuration and don't offer a comprehensive solution.
The challenge lies in the static nature of container images. ECR primarily focuses on storage and distribution, lacking the capacity to analyze image content for security implications like root user usage.
Are you currently working around this issue?
To mitigate this issue, we're currently implementing a combination of approaches:
- Dockerfile analysis: Manually reviewing Dockerfiles to ensure non-root user configuration.
- Runtime checks: Monitoring running containers for root user activity.
However, these methods are time-consuming, error-prone, and lack a centralized view of root user usage across our ECR repositories.
Additional context
Having a built-in root user detection feature in ECR would significantly enhance container image security. It would streamline the process of identifying potential vulnerabilities, improve compliance efforts, and reduce the risk of unauthorized actions.
By providing actionable insights into image configuration, AWS can help customers strengthen their container security posture and prevent potential security breaches.
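The "Dockerfile analysis" workaround above can be automated offline, and the same decision logic applies to the `User` field of an image's config blob (the JSON that `docker image inspect` shows and that ECR serves alongside the manifest). The following is an added example written for this page; it is not code from the issue author, from ECR, or from any AWS tool. The sample config blobs and Dockerfiles are constructed for the example, and the function and constant names are the author's own. It covers the edge cases a reviewer tends to miss: an absent or empty `User` means root, `0:0` and `root:root` are still root, a numeric UID such as `65532` is provably non-root, while a named user or a `$VARIABLE` cannot be resolved without the image's `/etc/passwd` and is flagged for manual review rather than silently passed.

```python
"""Decide whether a container image will run as uid 0, from either its
OCI/Docker image config JSON or its Dockerfile.

Added example for this page; not code from the issue, ECR, or AWS.
Function names, constants and sample inputs are the example's own.
"""
import json
import re
from typing import Optional

# Values of config.User / Dockerfile USER that unambiguously mean root.
ROOT_USER_VALUES = {"", "root", "0"}

# Matches a backslash line continuation (backslash, optional blanks, newline).
_CONTINUATION = re.compile(r"\\[ \t]*\r?\n")


def user_is_root(user: Optional[str]) -> Optional[bool]:
    """Classify a USER value.

    True  -> runs as uid 0 (missing, empty, 'root', '0', '0:0', 'root:x').
    False -> a numeric uid other than 0 (e.g. '1000' or '65532:65532').
    None  -> a user *name* or '$VAR' that can only be resolved against the
             image's /etc/passwd or build args; treat as 'needs review'.
    """
    if user is None:
        return True                      # no USER at all: Docker defaults to root
    uid = user.strip().split(":", 1)[0]  # drop an optional ':group' suffix
    if uid in ROOT_USER_VALUES:
        return True
    if uid.startswith("$"):
        return None                      # ARG/ENV expansion unknown offline
    if uid.isdigit():
        return int(uid) == 0             # '000' is still uid 0
    return None                          # named user: cannot resolve offline


def image_config_runs_as_root(config_json: str) -> Optional[bool]:
    """Apply user_is_root to the 'config.User' field of an image config blob."""
    cfg = json.loads(config_json).get("config") or {}
    return user_is_root(cfg.get("User"))


def dockerfile_final_user(dockerfile: str) -> Optional[str]:
    """Return the last USER value of the final build stage, or None if unset.

    Handles line continuations, comments and multi-stage builds: only the
    last stage is shipped, so USER lines in earlier stages are ignored.
    Caveat: when the final stage never sets USER, the image inherits the
    base image's config.User, which a Dockerfile alone cannot reveal; check
    the base image with image_config_runs_as_root in that case.
    """
    text = _CONTINUATION.sub(" ", dockerfile)
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instruction = parts[0].upper()
        if instruction == "FROM":
            user = None                  # new stage: previous USER no longer applies
        elif instruction == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user


def dockerfile_runs_as_root(dockerfile: str) -> Optional[bool]:
    """Same True/False/None verdict as user_is_root, derived from a Dockerfile."""
    return user_is_root(dockerfile_final_user(dockerfile))


# Constructed sample inputs (not real images or repositories).
ROOT_CONFIG = json.dumps(
    {"architecture": "amd64", "config": {"Env": ["PATH=/usr/bin"], "Cmd": ["/app"]}}
)
NONROOT_CONFIG = json.dumps({"config": {"User": "65532:65532", "Cmd": ["/app"]}})
DOCKERFILE_ROOT = 'FROM alpine:3.19\nRUN apk add --no-cache curl\nCMD ["sh"]\n'
DOCKERFILE_MULTISTAGE = """\
FROM golang:1.22 AS build
USER 1000
RUN go build -o /out/app .

# final stage: this is the one that ships
FROM alpine:3.19
COPY --from=build /out/app /app
USER \\
    65532:65532
ENTRYPOINT ["/app"]
"""


def _label(verdict: Optional[bool]) -> str:
    if verdict is None:
        return "needs review (named user or variable)"
    return "ROOT" if verdict else "non-root"


if __name__ == "__main__":
    print("root config      :", _label(image_config_runs_as_root(ROOT_CONFIG)))
    print("non-root config  :", _label(image_config_runs_as_root(NONROOT_CONFIG)))
    print("root Dockerfile  :", _label(dockerfile_runs_as_root(DOCKERFILE_ROOT)))
    print("multi-stage file :", _label(dockerfile_runs_as_root(DOCKERFILE_MULTISTAGE)))
```

To run this against a real image pulled from ECR, feed `image_config_runs_as_root` the output of `docker image inspect --format '{{json .Config}}' <image>`; wrap it as `{"config": ...}` first, since that command prints only the inner object. A `None` verdict is deliberately not treated as a pass: a named user such as `app` is non-root only if the image's `/etc/passwd` maps it to a non-zero uid, which is exactly the kind of content inspection the request above asks ECR to perform.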