Amazon ECR for Container Images
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Amazon Elastic Container Registry (ECR) for Container Images
Introduction: The Backbone of Modern Deployment
In the modern software development lifecycle, the transition from local development to production environments has been fundamentally transformed by containerization. When you package an application into a container, you are essentially creating a portable unit of software that includes everything needed to run: code, runtime, system tools, libraries, and settings. However, creating these containers is only half the battle. Once you have built a container image, you need a secure, reliable, and scalable place to store it so that your deployment systems—whether they are Kubernetes clusters, Amazon ECS tasks, or CI/CD pipelines—can retrieve them efficiently.
This is where Amazon Elastic Container Registry (ECR) comes into play. Amazon ECR is a fully managed container registry service provided by AWS. It allows developers to store, manage, share, and deploy container images and artifacts anywhere. Think of ECR as a private, high-performance vault for your container images. It integrates deeply with the AWS ecosystem, providing fine-grained access control through AWS Identity and Access Management (IAM), automatic image scanning for vulnerabilities, and lifecycle policies to keep your storage costs under control.
Understanding ECR is critical because it sits at the heart of your deployment pipeline. If your registry is slow, your deployments are slow. If your registry is insecure, your entire production environment is at risk. If your registry is disorganized, your team will struggle to track which versions of your software are running where. This lesson will guide you through the architecture, configuration, best practices, and operational realities of using Amazon ECR effectively.
Core Concepts of Amazon ECR
To use ECR effectively, you must understand the relationship between repositories, images, and registries. A registry is the top-level container for your images, and every AWS account has a default registry. Within this registry, you create repositories. A repository is where you store all versions of a specific application or service. For example, if you have a microservices architecture, you might have a repository for your "frontend" service, another for your "auth-service," and a third for your "payment-gateway."
Within each repository, you store images. Each image is identified by a tag, such as latest, v1.0.1, or a Git commit hash like a1b2c3d. When you push an image to ECR, you are uploading the layers that make up that image. ECR is intelligent enough to deduplicate these layers. If multiple images share the same base operating system layers, ECR only stores those layers once, which significantly reduces your storage costs and speeds up pull operations.
Callout: ECR vs. Docker Hub Many developers start with Docker Hub because it is the default registry for many tutorials. While Docker Hub is excellent for public images, ECR offers superior integration within the AWS ecosystem. ECR uses IAM roles for authentication, meaning you do not need to manage long-lived credentials like usernames and passwords inside your CI/CD pipelines. Furthermore, ECR keeps your images within the AWS network, reducing latency and avoiding data transfer costs when deploying to AWS-based services like ECS or EKS.
Setting Up Your First ECR Repository
Before you can push an image, you need to create a repository. You can do this through the AWS Management Console, the AWS CLI, or Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation.
Using the AWS CLI
The CLI is often the fastest way to provision resources for automation. To create a repository named my-app in the us-east-1 region, you would run the following command:
aws ecr create-repository \
--repository-name my-app \
--image-scanning-configuration scanOnPush=true \
--region us-east-1
In this command, we explicitly enable scanOnPush. This is a best practice. By enabling this, ECR automatically triggers a security scan the moment an image is pushed to the repository. This scan checks for known vulnerabilities (CVEs) in the operating system packages and libraries included in your image, providing you with a report that helps you identify and patch security flaws before they reach production.
Authenticating with ECR
Unlike a standard Docker registry where you might run docker login with a password, ECR requires you to authenticate your Docker client using the AWS CLI. This process generates a temporary authorization token that is valid for 12 hours.
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <your-aws-account-id>.dkr.ecr.us-east-1.amazonaws.com
This command pipes the output of the get-login-password command directly into the docker login command. The --password-stdin flag ensures that your credentials are never exposed in your shell history or process logs. Once this command succeeds, your local Docker daemon is authorized to push and pull images from your private registry.
Managing Image Lifecycles
One of the most common mistakes teams make is allowing their registries to grow indefinitely. Over time, you might push hundreds or thousands of images, leading to excessive storage costs and a cluttered management interface. ECR provides Lifecycle Policies to automate the cleanup of old images.
A lifecycle policy allows you to define rules for when images should be deleted. For example, you might want to keep the last 10 images tagged with production but delete any untagged images that are more than 30 days old.
Example Lifecycle Policy
You define these policies using a JSON document. Here is a practical example:
{
"rules": [
{
"rulePriority": 1,
"description": "Keep only the last 10 images",
"selection": {
"tagStatus": "any",
"countType": "imageCountMoreThan",
"countNumber": 10
},
"action": {
"type": "expire"
}
}
]
}
By applying this policy to your repository, ECR will automatically monitor your image count. If you push an 11th image, the oldest one will be marked for deletion. This ensures that your storage footprint remains predictable and manageable without manual intervention.
Note: Lifecycle policies are permanent and destructive. Once an image is deleted by a lifecycle policy, it cannot be recovered. Always test your policies on a non-production repository first to ensure they behave as expected.
Security Best Practices
Security is the primary reason organizations choose ECR over public registries. However, simply using ECR is not enough; you must configure it correctly to maintain a strong security posture.
IAM Policies and Least Privilege
The most important security control is the IAM policy. You should never grant broad access to your registries. Instead, create specific IAM users or roles for your CI/CD systems that only have the permissions necessary to push images. Similarly, your production runtime environments (like an ECS cluster) should only have ecr:GetDownloadUrlForLayer and ecr:BatchGetImage permissions.
Here is an example of a policy that grants permission to push to a specific repository:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
],
"Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-app"
}
]
}
Private Registry Access
By default, ECR repositories are private. This means no one outside of your AWS account can access them. However, you can also create public repositories if you are building open-source software. For internal applications, always ensure your repository is set to private. Furthermore, you can implement VPC Endpoints (AWS PrivateLink) to ensure that traffic between your VPC and ECR never travels over the public internet. This is a common requirement for highly regulated industries like finance or healthcare.
Image Scanning
As mentioned earlier, enabling scanOnPush is a non-negotiable best practice. You should also regularly review the scan reports in the ECR console. If a scan reveals a vulnerability with a "High" or "Critical" severity rating, your pipeline should ideally fail, preventing that image from ever being deployed to a production environment.
Advanced Features: Replication and Cross-Region Availability
For global applications, you may need to deploy your services in multiple AWS regions to reduce latency for users or to ensure high availability. ECR supports cross-region and cross-account replication. This feature automatically copies your images from one registry to another whenever a new image is pushed.
To configure replication, you define a replication configuration in your registry settings. You can specify one or more destination regions. ECR handles the background synchronization, ensuring that your images are available in every region where your compute resources reside.
Callout: Why Replication Matters Imagine your primary application is hosted in
us-east-1. If you decide to expand your deployment toeu-central-1to serve European users, your ECS tasks in that region will need to pull images. If you do not replicate, those tasks would have to pull images across the Atlantic fromus-east-1, leading to slow startup times and increased data transfer costs. Replication ensures the images are local to your compute, leading to faster cold-start times.
Common Pitfalls and Troubleshooting
Even with a managed service, things can go wrong. Here are the most common issues developers face when working with ECR.
1. Authentication Timeouts
Because the ECR authorization token expires after 12 hours, your CI/CD pipelines might fail if they run long-duration tasks or if the token has expired.
- The Fix: Always run the
aws ecr get-login-passwordcommand immediately before yourdocker buildordocker pushsteps in your pipeline script. Do not rely on saved credentials.
2. "Repository Not Found" Errors
This often happens due to region mismatches. You might be logged into us-east-1 but trying to push to a repository that exists only in us-west-2.
- The Fix: Always verify your AWS CLI region configuration and the full URI of your ECR repository. The URI format is
<account-id>.dkr.ecr.<region>.amazonaws.com/<repository-name>.
3. Permission Denied (AccessDeniedException)
This is almost always an IAM issue. If you can log in, but cannot push, check the repository policy. Sometimes, a repository-level policy might explicitly deny access or be missing the necessary ecr:PutImage permission.
- The Fix: Use the IAM Policy Simulator to test your permissions against the specific ECR actions.
4. Bloated Repositories
If you do not set up lifecycle policies, you will eventually hit your storage quota, or simply incur unnecessary costs.
- The Fix: Treat lifecycle policies as a mandatory part of your repository creation script. Never create a repository without a corresponding cleanup rule.
Comparison: ECR vs. Other Storage Options
| Feature | Amazon ECR | S3 (Manual Storage) | Docker Hub |
|---|---|---|---|
| IAM Integration | Native | Native | None |
| Performance | High (Local to AWS) | Low (Not optimized) | Medium |
| Vulnerability Scanning | Automatic | None | Limited |
| Lifecycle Management | Built-in | Via S3 Lifecycle Rules | Limited |
| Cost | Storage + Data Transfer | Storage + Request Fees | Tiered Subscription |
Step-by-Step: Automating Image Pushes in a CI/CD Pipeline
To tie everything together, let’s look at how you would integrate ECR into a standard GitHub Actions workflow. This is a common pattern for modern development teams.
- Configure IAM User: Create an IAM user with
AmazonEC2ContainerRegistryPowerUserpermissions. Store theAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYas GitHub Secrets. - Define the Workflow: Create a file at
.github/workflows/deploy.yml. - Authentication Step: Use the
aws-actions/configure-aws-credentialsaction to set up your environment. - Login Step: Use the
aws-actions/amazon-ecr-loginaction. - Build and Push: Build your Docker image and push it to the ECR URI.
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: my-app
IMAGE_TAG: ${{ github.sha }}
run: |
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
This workflow is efficient and secure. It uses the github.sha as the image tag, ensuring that every single deployment is uniquely traceable back to the exact Git commit that produced it. This is a fundamental principle of "Infrastructure as Code" and "Immutable Infrastructure."
Best Practices Checklist
To ensure your ECR implementation remains efficient and secure, follow these industry-standard practices:
- Use Immutable Tags: Configure your repositories to prevent tags from being overwritten. This prevents a scenario where a developer accidentally pushes a broken image with the
latesttag, breaking production. - Tagging Strategy: Use semantic versioning (e.g.,
v1.2.3) alongside Git commit hashes. Never rely solely onlatestfor production deployments. - Scan Frequently: Even if you have
scanOnPush, consider setting up a periodic scan for long-lived images. Vulnerability databases are updated daily; an image that was "clean" last week might have a newly discovered vulnerability today. - Monitor Costs: Use AWS Cost Explorer to track your ECR storage costs. If you see a spike, check for large, un-pruned repositories.
- Use IAM Roles for Tasks: When your applications running on ECS need to pull images, ensure the ECS task execution role has the minimum required permissions. Do not use the same credentials for build-time and run-time.
- Automate Everything: Use Terraform, Pulumi, or CloudFormation to manage your ECR repositories. Manual creation in the console leads to configuration drift and inconsistent security policies.
Key Takeaways
- Centralized Management: Amazon ECR serves as the secure, centralized hub for all your container images, providing deep integration with AWS IAM for granular access control.
- Security First: Always enable
scanOnPushand utilize ECR’s vulnerability scanning to ensure that your images meet security compliance standards before they reach production. - Lifecycle Automation: Never manually delete images. Implement lifecycle policies to automatically prune old or unnecessary images, keeping your storage costs and registry clutter under control.
- Operational Efficiency: Leverage cross-region replication for global deployments to improve image pull times and ensure high availability across different AWS regions.
- Immutable Deployments: Use unique tags (like Git commit hashes) rather than mutable tags like
latestto ensure that your deployments are predictable, repeatable, and easily roll-backable. - Pipeline Integration: Authenticate your CI/CD pipelines using temporary credentials via the AWS CLI or official GitHub Actions, avoiding the risk of long-lived access key exposure.
- Infrastructure as Code: Treat your ECR repositories as infrastructure. Define them in code, apply consistent policies, and manage them through your standard CI/CD deployment processes to prevent configuration drift.
By following these principles, you turn your container registry from a simple storage bin into a high-performance, secure component of your software delivery pipeline. As you continue to build and scale your containerized applications, remember that the quality of your deployment process is often determined by the reliability of your artifacts. ECR is designed to be the foundation of that reliability.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons