ECR (Elastic Container Registry)
Amazon ECR is a fully managed container image registry that makes it easy to store, manage, and deploy container images.
More Information
Key Conceptsโ
- Registry: provided to each AWS account; you can create repositories in your registry and store images in them
- Repository: contains a collection of container images (similar to a Docker Hub repository)
- Image: a container image stored in a repository; identified by tag or digest
Repository Typesโ
Private Repositoryโ
- Images are accessible only within your account or to accounts and services you explicitly grant access
- Access controlled via IAM and repository policies
Public Repository (ECR Public)โ
- Images are publicly available to anyone on the internet
- Hosted on the ECR Public Gallery (gallery.ecr.aws)
Authenticationโ
- Docker CLI must be authenticated to an ECR registry before pushing or pulling images
- Authentication tokens are valid for 12 hours
- Login command:
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account_id>.dkr.ecr.<region>.amazonaws.com
Image Lifecycle Policiesโ
- Automate the cleanup of unused or old images
- Rules can be based on image age or count
- Helps reduce storage costs by removing images that are no longer needed
- Rules are evaluated in priority order
Image Scanningโ
- Identifies software vulnerabilities in container images
- Two scanning types:
- Basic scanning: uses the Common Vulnerabilities and Exposures (CVE) database; can be triggered on push or manually
- Enhanced scanning: uses Amazon Inspector for continuous and automated scanning
- Scan findings are reported with severity levels
Cross-Region and Cross-Account Replicationโ
- Automatically replicate images across regions and accounts
- Configured at the registry level with replication rules
- Useful for multi-region deployments and disaster recovery
Encryptionโ
- Images are encrypted at rest by default using Amazon S3-managed encryption keys
- Optionally, you can use AWS KMS keys for encryption