aws-samples · edtan-caseware · May 28, 2025 · Jun 2, 2025 · Jun 2, 2025
diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py
@@ -183,7 +183,8 @@ def get_validated_parameters(event: Dict[str, Any]) -> dict:
             pattern=r"(?i)^((ec2|ecr|lambda|lambda_code),?){0,3}(ec2|ecr|lambda|lambda_code){1}$",
         )
     )
-    params.update(parameter_pattern_validator("ECR_SCAN_DURATION", os.environ.get("ECR_SCAN_DURATION"), pattern=r"^(LIFETIME|DAYS_30|DAYS_180){1}$"))
+    params.update(parameter_pattern_validator("ECR_PULL_SCAN_DURATION", os.environ.get("ECR_PULL_SCAN_DURATION"), pattern=r"^(LIFETIME|DAYS_14|DAYS_30|DAYS_60|DAYS_90|DAYS_180){1}$"))
+    params.update(parameter_pattern_validator("ECR_SCAN_DURATION", os.environ.get("ECR_SCAN_DURATION"), pattern=r"^(LIFETIME|DAYS_14|DAYS_30|DAYS_60|DAYS_90|DAYS_180){1}$"))
 
     # Optional Parameters
     params.update(
@@ -374,7 +375,8 @@ def setup_inspector_in_region(
     management_account: str,
     configuration_role_name: str,
     scan_components: list,
-    ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"],
+    ecr_pull_scan_duration: Literal["DAYS_14", "DAYS_30", "DAYS_60", "DAYS_90", "DAYS_180",  "LIFETIME"],
+    ecr_scan_duration: Literal["DAYS_14", "DAYS_30", "DAYS_60", "DAYS_90", "DAYS_180",  "LIFETIME"],
 ) -> None:
     """Regional setup process of the inspector feature.
 
@@ -411,8 +413,8 @@ def setup_inspector_in_region(
 
     inspector.set_auto_enable_inspector_in_org(region, configuration_role_name, delegated_admin_account, scan_component_dict)
 
-    LOGGER.info(f"setup_inspector_in_region: ECR_SCAN_DURATION - {ecr_scan_duration}")
-    inspector.set_ecr_scan_duration(region, configuration_role_name, delegated_admin_account, ecr_scan_duration)
+    LOGGER.info(f"setup_inspector_in_region: ECR_PULL_SCAN_DURATION (on image pull) - {ecr_pull_scan_duration}, ECR_SCAN_DURATION (on image push) - {ecr_scan_duration}")
+    inspector.set_ecr_scan_duration(region, configuration_role_name, delegated_admin_account, ecr_pull_scan_duration, ecr_scan_duration)
 
     inspector.associate_inspector_member_accounts(configuration_role_name, delegated_admin_account, accounts, region)
 
@@ -539,6 +541,7 @@ def process_event_sns(event: dict) -> None:
                 params["MANAGEMENT_ACCOUNT_ID"],
                 params["CONFIGURATION_ROLE_NAME"],
                 scan_components,
+                params["ECR_PULL_SCAN_DURATION"],
                 params["ECR_SCAN_DURATION"],
             )
 

diff --git a/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py b/aws_sra_examples/solutions/inspector/inspector_org/lambda/src/inspector.py
@@ -421,14 +421,18 @@ def enable_inspector2_in_member_accounts(
 
 
 def set_ecr_scan_duration(
-    region: str, configuration_role_name: str, delegated_admin_account_id: str, ecr_scan_duration: Literal["DAYS_180", "DAYS_30", "LIFETIME"]
+    region: str, configuration_role_name: str,
+    delegated_admin_account_id: str,
+    ecr_pull_scan_duration: Literal["DAYS_14", "DAYS_30", "DAYS_60", "DAYS_90", "DAYS_180",  "LIFETIME"],
+    ecr_scan_duration: Literal["DAYS_14", "DAYS_30", "DAYS_60", "DAYS_90", "DAYS_180",  "LIFETIME"]
 ) -> None:
     """Set the ECR scan duration in the delegated administrator account.
 
     Args:
         configuration_role_name: configuration role name
         delegated_admin_account_id: delegated admin account id
-        ecr_scan_duration: ecr scan duration
+        ecr_pull_scan_duration: ecr scan duration (on image pull)
+        ecr_scan_duration: ecr scan duration (on image push)
         region: AWS region
 
     Returns:
@@ -439,13 +443,16 @@ def set_ecr_scan_duration(
         f"creating delegated admin session with ({configuration_role_name}) in account ({delegated_admin_account_id}) to set ecr scan duration"
     )
     inspector_delegated_admin_region_client: Inspector2Client = delegated_admin_session.client("inspector2", region)
-    LOGGER.info(f"Setting ECR scan duration in delegated admin account to {ecr_scan_duration} in {region}")
+    LOGGER.info(f"In delegated admin account, setting ECR push scan duration to {ecr_scan_duration} and ECR pull scan duration to {ecr_pull_scan_duration} in {region}")
     LOGGER.info(f"delegated admin client region: {inspector_delegated_admin_region_client.meta.region_name}")
     LOGGER.info(f"Region: {delegated_admin_session.region_name}")
     sts_client = delegated_admin_session.client("sts", region_name=region)
     LOGGER.info(f"caller identity: {sts_client.get_caller_identity()}")
     configuration_response: dict = inspector_delegated_admin_region_client.update_configuration(
-        ecrConfiguration={"rescanDuration": ecr_scan_duration}
+        ecrConfiguration={
+            "pullDateRescanDuration": ecr_pull_scan_duration,
+            "rescanDuration": ecr_scan_duration
+            }
     )
     api_call_details = {"API_Call": "inspector:UpdateConfiguration", "API_Response": configuration_response}
     LOGGER.info(api_call_details)

diff --git a/...examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml b/...examples/solutions/inspector/inspector_org/templates/sra-inspector-org-configuration.yaml
@@ -35,6 +35,7 @@ Metadata:
           - pControlTowerRegionsOnly
           - pEnabledRegions
           - pScanComponents
+          - pEcrPullRescanDuration
           - pEcrRescanDuration
 
       - Label:
@@ -89,8 +90,10 @@ Metadata:
         default: Inspector Configuration Role Name
       pScanComponents:
         default: Comma separated list of scan components (EC2, ECR, LAMBDA, LAMBDA_CODE)
+      pEcrPullRescanDuration:
+        default: ECR Rescan Duration on image pull
       pEcrRescanDuration:
-        default: ECR Rescan Duration
+        default: ECR Rescan Duration on image push
 
 Parameters:
   pComplianceFrequency:
@@ -199,10 +202,15 @@ Parameters:
     Default: EC2, ECR, LAMBDA, LAMBDA_CODE
     Description: Lambda Function Logging Level
     Type: CommaDelimitedList
+  pEcrPullRescanDuration:
+    AllowedValues: [LIFETIME, DAYS_14, DAYS_30, DAYS_60, DAYS_90, DAYS_180]
+    Default: LIFETIME
+    Description: ECR Rescan Duration on image pull
+    Type: String
   pEcrRescanDuration:
-    AllowedValues: [LIFETIME, DAYS_30, DAYS_180]
+    AllowedValues: [LIFETIME, DAYS_14, DAYS_30, DAYS_60, DAYS_90, DAYS_180]
     Default: LIFETIME
-    Description: ECR Rescan Duration
+    Description: ECR Rescan Duration on image push
     Type: String
 
 Conditions:
@@ -471,6 +479,7 @@ Resources:
           SCAN_COMPONENTS: !Join 
           - ','
           - !Ref pScanComponents
+          ECR_PULL_SCAN_DURATION: !Ref pEcrPullRescanDuration
           ECR_SCAN_DURATION: !Ref pEcrRescanDuration
       Tags:
         - Key: sra-solution
@@ -482,7 +491,7 @@ Resources:
       Content:
         S3Bucket: !Ref pSRAStagingS3BucketName
         S3Key: !Sub ${pSRASolutionName}/layer_code/${pSRASolutionName}-layer.zip
-      Description: Boto3 version 1.26.24 layer to enable newer API of inspector2
+      Description: Boto3 version 1.38.27 layer to enable newer API of inspector2 with pullDateRescanDuration parameter
       LayerName: !Sub ${pInspectorOrgLambdaFunctionName}-updated-boto3-layer
 
   rInspectorOrgLambdaCustomResource:
@@ -497,6 +506,7 @@ Resources:
       SCAN_COMPONENTS: !Join 
       - ','
       - !Ref pScanComponents
+      ECR_PULL_SCAN_DURATION: !Ref pEcrPullRescanDuration
       ECR_SCAN_DURATION: !Ref pEcrRescanDuration
 
   rInspectorOrgTopic:

diff --git a/aws_sra_examples/terraform/solutions/inspector/configuration/invoke.tf b/aws_sra_examples/terraform/solutions/inspector/configuration/invoke.tf
@@ -20,6 +20,7 @@ resource "aws_lambda_invocation" "lambda_invoke" {
       "MANAGEMENT_ACCOUNT_ID" : "${local.current_account}",
       "SNS_TOPIC_ARN" : "${aws_sns_topic.inspector_org_topic.arn}",
       "SCAN_COMPONENTS" : "${var.scan_components}",
+      "ECR_PULL_SCAN_DURATION" : "${var.ecr_pull_rescan_duration}",
       "ECR_SCAN_DURATION" : "${var.ecr_rescan_duration}",
     }
   })
@@ -45,6 +46,7 @@ resource "aws_lambda_invocation" "lambda_disable_invoke" {
       "MANAGEMENT_ACCOUNT_ID" : "${local.current_account}",
       "SNS_TOPIC_ARN" : "${aws_sns_topic.inspector_org_topic.arn}",
       "SCAN_COMPONENTS" : "${var.scan_components}",
+      "ECR_SCAN_DURATION" : "${var.ecr_pull_rescan_duration}",
       "ECR_SCAN_DURATION" : "${var.ecr_rescan_duration}",
     }
   })

diff --git a/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf b/aws_sra_examples/terraform/solutions/inspector/configuration/main.tf
@@ -395,6 +395,7 @@ resource "aws_lambda_function" "inspector_org_lambda_function" {
       MANAGEMENT_ACCOUNT_ID      = local.current_account
       SNS_TOPIC_ARN              = aws_sns_topic.inspector_org_topic.arn
       SCAN_COMPONENTS            = var.scan_components
+      ECR_PULL_SCAN_DURATION     = var.ecr_pull_rescan_duration
       ECR_SCAN_DURATION          = var.ecr_rescan_duration
     }
   }

diff --git a/aws_sra_examples/terraform/solutions/inspector/configuration/variables.tf b/aws_sra_examples/terraform/solutions/inspector/configuration/variables.tf
@@ -57,8 +57,14 @@ variable "inspector_configuration_role_name" {
   type        = string
 }
 
+variable "ecr_pull_rescan_duration" {
+  description = "ECR Rescan Duration on image pull"
+  type        = string
+  default     = "LIFETIME"
+}
+
 variable "ecr_rescan_duration" {
-  description = "ECR Rescan Duration"
+  description = "ECR Rescan Duration on image push"
   type        = string
   default     = "LIFETIME"
 }