AWS Compute Services

Amazon Elastic Container Registry (ECR)

Updated June 21, 2025

Amazon Elastic Container Registry (ECR) Cheat Sheet

Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry service provided by AWS. It allows developers to securely store, manage, share, and deploy their container images and artifacts.


Core Concepts of Amazon ECR

  • What it is: A private and public container image registry. It eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure.
  • Integration: ECR is deeply integrated with other AWS services, most notably Amazon Elastic Container Service (ECS), Amazon Elastic Kubernetes Service (EKS), and AWS Lambda (for container-based functions).
  • High Availability and Durability: ECR stores container images in Amazon S3, providing a highly durable and available storage backend.

Key Terminology

  • Registry: Each AWS account has a single private Amazon ECR registry. The registry's URL format is aws_account_id.dkr.ecr.region.amazonaws.com. You can also create public registries.
  • Repository: A repository is where you store your Docker images in ECR. It's a collection of different versions (tags) of a specific image (e.g., a repository named my-app would hold my-app:latest, my-app:v1.1, etc.).
  • Image: A specific version of a container, identified by a tag (e.g., :latest, :prod, :dev) or an image digest.
  • Authentication Token: ECR uses temporary authentication tokens for security. You must get a token using the AWS CLI or SDK and use it to authenticate your Docker client to the ECR registry. These tokens are valid for 12 hours.

Key Features and Operations

Image Pushing and Pulling

  • Pushing an Image:
    1. Authenticate: Get an authentication token and configure your Docker client to use it.
    2. Tag: Tag your local Docker image with the ECR repository URI.
      docker tag my-image:latest <aws_account_id>.dkr.ecr.<region>.amazonaws.com/my-repo:latest
    3. Push: Push the tagged image to your ECR repository.
      docker push <aws_account_id>.dkr.ecr.<region>.amazonaws.com/my-repo:latest
  • Pulling an Image:
    1. Authenticate: Ensure your Docker client is authenticated to the ECR registry.
    2. Pull: Pull the image using its URI. This is done automatically by services like ECS and EKS when they start a task or pod.
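
The push steps above as one script, ending with the digest reference to pull. This is an added example, not part of the original cheat sheet. The function names are hypothetical, the caller supplies the account ID, region, repository and tag, and the host format assumes the standard amazonaws.com partition.

```shell
# Added example; function names are hypothetical, values come from the caller.

# Registry host for the standard partition. Validating both parts keeps a
# typo or an injected "/" or "." from pointing `docker login` at another host.
ecr_registry() {
  local account="$1" region="$2"
  case "$account" in ''|*[!0-9]*) echo "bad account id" >&2; return 1 ;; esac
  [ "${#account}" -eq 12 ] || { echo "bad account id" >&2; return 1; }
  case "$region" in ''|*[!a-z0-9-]*) echo "bad region" >&2; return 1 ;; esac
  printf '%s.dkr.ecr.%s.amazonaws.com' "$account" "$region"
}

# registry/repo:tag for a tag, registry/repo@sha256:... for a digest.
ecr_image_ref() {
  case "$3" in
    sha256:*) printf '%s/%s@%s' "$1" "$2" "$3" ;;
    *)        printf '%s/%s:%s' "$1" "$2" "$3" ;;
  esac
}

# Usage: ecr_push <account> <region> <repo> <local-image> <tag>
# Prints the digest reference of the pushed image on success.
ecr_push() {
  local account="$1" region="$2" repo="$3" image="$4" tag="$5"
  local registry target digest
  registry="$(ecr_registry "$account" "$region")" || return 1
  target="$(ecr_image_ref "$registry" "$repo" "$tag")"

  # 1. Authenticate. The token goes over stdin, so it stays out of shell
  #    history and the process list.
  aws ecr get-login-password --region "$region" |
    docker login --username AWS --password-stdin "$registry" || return 1

  # 2. Tag, 3. push.
  docker tag "$image" "$target" || return 1
  docker push "$target" || return 1

  # Look up the digest behind the tag; a digest reference always names
  # the same image content, while a tag can be moved.
  digest="$(aws ecr describe-images --region "$region" \
    --registry-id "$account" --repository-name "$repo" \
    --image-ids imageTag="$tag" \
    --query 'imageDetails[0].imageDigest' --output text)" || return 1
  ecr_image_ref "$registry" "$repo" "$digest"
}
```

Passing the printed reference to `docker pull` fetches exactly the image that was pushed, even if the tag is later reused.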

Security Features

  • IAM Integration: Use IAM users and roles to control who can push, pull, or manage images and repositories. Fine-grained permissions can be defined.
  • Repository Policies: Similar to S3 bucket policies, these are resource-based policies that let you define cross-account access or grant permissions to other AWS services.
  • Image Scanning: ECR can automatically scan your container images for common vulnerabilities and exposures (CVEs). It provides a list of findings and their severity, helping you improve the security of your applications.
    • Scan on Push: You can configure a repository to automatically scan images when they are pushed.
    • Manual Scan: You can also trigger scans manually.
  • Encryption: Images at rest in ECR repositories are encrypted by default using server-side encryption with Amazon S3-managed keys (SSE-S3). You can also use customer-managed keys (SSE-KMS) for more control.

Lifecycle Policies

  • Purpose: Lifecycle policies help you manage the lifecycle of your images to save on storage costs. They allow you to automate the cleanup of old or unused images.
  • How it works: You create rules that specify which images to clean up.
    • Example Rule 1: Expire images that are older than 30 days.
    • Example Rule 2: Keep only the last 5 pushed images.
  • You can perform a dry run of a lifecycle policy to see which images it would affect before applying it.

Amazon ECR Public

  • ECR also provides a public registry for sharing container images with the world.
  • It's designed to be a highly available and fast way to distribute public software.
  • The ECR Public Gallery website (gallery.ecr.aws) allows anyone to browse and search for public images.