Amazon Elastic Container Registry (ECR)
Amazon Elastic Container Registry (Amazon ECR) is a managed AWS container image registry service that is secure, scalable, and reliable. Amazon ECR supports private container image repositories with resource-based permissions using AWS IAM so that specific users or Amazon EC2 instances can access repositories and images. Developers can use their preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts.
- Amazon ECR enables private Docker repositories with resource-based permissions using AWS IAM so that specific users or Amazon EC2 instances can access repositories and images.
- Amazon ECR hosts clients' images in a highly available and scalable architecture, allowing them to deploy containers for their applications.
- Amazon ECR transfers container images over HTTPS and automatically encrypts those images at rest.
- Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying users' development-to-production workflow.
- Amazon ECR eliminates the need for users to operate their own container repositories or worry about scaling the underlying infrastructure.
- Amazon ECR hosts images in a highly available and scalable architecture that allows users to reliably deploy containers for their applications.
- Integration with AWS Identity and Access Management (IAM) provides resource-level control of each repository.
Amazon ECR Benefits
Amazon ECR uses Amazon S3 for storage to make the container images highly available and accessible. Amazon ECR transfers container images over HTTPS and automatically encrypts users' images at rest.
AWS clients can configure policies to manage permissions for each repository and restrict access to IAM users, roles, or other AWS accounts. Amazon ECR integrates with Amazon ECS and the Docker CLI, allowing users to simplify their development and production workflows.
Amazon ECR eliminates the need to operate and scale the infrastructure required to power users' container registry. Amazon Elastic Container Registry has a highly scalable, redundant, and durable architecture. Users' container images are highly available and accessible, which allows them to reliably deploy new containers for their applications.
Amazon Elastic Container Registry eliminates the need to operate and scale the infrastructure required to power the container registry. There is no software to install and manage or infrastructure to scale. Users just push their container images to Amazon ECR and pull them with any container management tool when they need to deploy.
Security & Monitoring
Cloud security at AWS is the highest priority. AWS customers benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and AWS users. The shared responsibility model describes this as security of the cloud and security in the cloud:
Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides customers with services that can be used securely. Third-party auditors regularly test and verify the effectiveness of AWS security as part of the AWS compliance programs.
Security in the cloud – AWS users' responsibility is determined by the AWS services that they use. Users are also responsible for other factors including the sensitivity of their data, their company's requirements, and applicable laws and regulations.
As a managed service, Amazon Elastic Container Registry is protected by the AWS global network security procedures that are described in the Amazon Web Services.
The AWS shared responsibility model applies to data protection in Amazon Elastic Container Service. While AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud, AWS customers are responsible for maintaining control over their content that is hosted on this infrastructure.
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon ECR and your AWS solutions. It is a best practice to collect monitoring data from the resources that make up the AWS solution so that a multi-point failure, if one occurs, can be debugged more easily. Before you start monitoring Amazon ECR, however, create a monitoring plan that includes answers to the following questions:
- What are your monitoring goals?
- What resources will you monitor?
- How often will you monitor these resources?
- What monitoring tools will you use?
- Who will perform the monitoring tasks?
- Who should be notified when something goes wrong?
Amazon ECR is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, a role, or an AWS service in Amazon ECR. CloudTrail captures the following Amazon ECR actions as events:
- All API calls, including calls from the Amazon ECR console
- All actions taken due to the encryption settings on your repositories
- All actions taken due to lifecycle policy rules, including both successful and unsuccessful actions
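As an added example (not part of this page and not AWS-provided code), the following shell functions pull recent ECR API events out of CloudTrail's event history and flag the ones that change who can reach a repository or what it retains. The region and the sample event lines are constructed placeholders; the event names in the watch list are real ECR API actions, but the list is a starting point, not a complete detection rule.

```bash
#!/usr/bin/env bash
# Added example (not from the page or AWS): pull recent ECR events from
# CloudTrail and flag the ones that change who can reach a repository or
# what it keeps. Region and the sample lines below are constructed placeholders.
set -eu

# Query CloudTrail's 90-day event history for ECR API calls (management
# events). Output: one line per event, tab-separated: time, event name, user.
ecr_cloudtrail_events() {
  local region="$1"
  aws cloudtrail lookup-events --region "$region" \
    --lookup-attributes AttributeKey=EventSource,AttributeValue=ecr.amazonaws.com \
    --query 'Events[].[EventTime,EventName,Username]' --output text
}

# Filter such lines (read from stdin) down to permission, lifecycle and
# deletion changes. The watch list holds real ECR API action names.
flag_sensitive_ecr_events() {
  awk -F'\t' -v watch='SetRepositoryPolicy DeleteRepositoryPolicy DeleteRepository PutLifecyclePolicy DeleteLifecyclePolicy BatchDeleteImage' '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) sensitive[w[i]] = 1 }
    ($2 in sensitive) { print $1 "\t" $2 "\t" $3 }'
}

# Constructed sample in the same shape as the lookup-events output above.
SAMPLE_EVENTS="$(printf '%s\t%s\t%s\n' \
  '2024-01-01T10:00:00Z' 'GetAuthorizationToken' 'ci-role' \
  '2024-01-01T10:05:00Z' 'SetRepositoryPolicy'   'alice' \
  '2024-01-01T10:06:00Z' 'PutImage'              'ci-role' \
  '2024-01-01T11:00:00Z' 'DeleteRepository'      'bob')"

# Usage (offline, on the constructed sample):
#   printf '%s\n' "$SAMPLE_EVENTS" | flag_sensitive_ecr_events
# Usage (live): ecr_cloudtrail_events us-east-1 | flag_sensitive_ecr_events
```

On the constructed sample the filter keeps the SetRepositoryPolicy and DeleteRepository lines and drops the routine GetAuthorizationToken and PutImage calls. For anything beyond ad-hoc investigation, route the trail to CloudWatch Logs or an event pipeline and alert there instead of polling lookup-events.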
Amazon ECR Features
Amazon ECR automatically encrypts images at rest using Amazon S3 server-side encryption and transfers customers' container images over HTTPS. Customers can configure policies to manage permissions and control access to their images using AWS Identity and Access Management (IAM) users and roles.
- Amazon ECR automatically encrypts images at rest using Amazon S3 server-side encryption.
- Amazon ECR stores customers' container images in Amazon S3, where the images are redundantly stored across multiple facilities and on multiple devices in each facility.
Amazon ECR supports the Docker Registry HTTP API V2, which allows clients to use Docker CLI commands or any preferred Docker tools to interact with Amazon ECR.
- Docker is a software platform that allows customers to build, test, and deploy applications quickly.
- Docker packages software into standardized units called containers that have everything the software needs to run including libraries, system tools, code, and runtime.
- Using Docker, customers can quickly deploy and scale applications into any environment and their code will run smoothly.
AWS Container Competency Partners have a technology product or solution on AWS that offers support to run workloads on containers. The product or solution integrates with AWS services in a way that improves the AWS customer’s ability to run workloads using containers on AWS.
- Customers can integrate Amazon ECR into their continuous integration and delivery process allowing them to maintain the existing development workflow.
Amazon ECR is integrated with third-party developer tools. AWS customers can integrate Amazon ECR into their continuous integration and delivery process, allowing them to maintain their existing development workflow. These third-party developer tools include:
- Docker Enterprise: in collaboration with AWS, it has the ability to deliver a highly reliable and cost-efficient way to quickly deploy, scale, and manage business-critical applications with containerization and cloud.
- HashiCorp: HashiCorp Cloud Infrastructure Automation provides consistent workflows to provision, secure, connect, and run any infrastructure for any application.
- Others include D2iQ (Mesosphere), Pivotal Cloud Foundry, Red Hat OpenShift, Spotinst Elastigroup, etc.
Amazon ECR supports the ability to define and organize repositories in clients' registry using namespaces, which allows them to organize repositories based on their team's existing workflows.
- Customers can set which API actions another user may perform on their repository (including create, list, describe, delete, and get) through resource-level policies.
- Through IAM, customers can define policies to allow users within the same AWS account or other accounts to access their container images.
- Amazon ECR uses AWS Identity and Access Management to control and monitor who and what (e.g., EC2 instances) can access the container images.
AWS Marketplace for Containers enables customers to find container products in AWS Marketplace and the Amazon Elastic Container Service (Amazon ECS) console. They can deploy container products from AWS Marketplace on Amazon Container Services such as Amazon ECS, Amazon Elastic Container Service for Kubernetes (Amazon EKS), and AWS Fargate.
- Customers can find software-as-a-service (SaaS) products that help manage, monitor, and protect their container applications.
- With the new software delivery option in AWS Marketplace, customers can find free, bring-your-own-license (BYOL), and paid container products with both fixed monthly and usage-based pricing.
Amazon ECR Components
Amazon ECR registries host customers' container images in a highly available and scalable architecture, allowing them to deploy containers for their applications. By default, an Amazon ECR registry is provided to each AWS account, so customers can create image repositories in the registry and store images in them.
- It can be used as a registry to manage image repositories consisting of Docker and Open Container Initiative (OCI) images.
- Using the AWS Management Console, the AWS CLI, or the AWS SDKs, customers can create and manage repositories. They can use those methods to perform some actions on images, including listing or deleting them.
- Amazon ECR provides a Docker credential helper which allows them to store and use Docker credentials when pushing and pulling images to Amazon ECR.
Customers' Docker clients need to authenticate to Amazon ECR registries as an AWS user in order to push and pull images.
- An authorization token represents your IAM authentication credentials and can be used to access any Amazon ECR registry that your IAM principal has access to.
- An authorization token’s permission scope matches that of the IAM principal used to retrieve the authentication token.
- An authentication token is used to access any Amazon ECR registry that your IAM principal has access to and is valid for 12 hours.
The authorizationToken returned is a base64-encoded string that can be decoded and used in a docker login command to authenticate to a registry. The AWS CLI offers a get-login-password command that simplifies the login process.
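The login flow just described, as an added example that is not part of this page and not AWS-provided code. The account id, region and the registry hostname pattern are assumptions; the token decoded in the helper is constructed for illustration, not a real one.

```bash
#!/usr/bin/env bash
# Added example (not from the page or AWS): logging a Docker client in to a
# private ECR registry. Account id and region are placeholders.
set -eu

# Build the private registry hostname for an account/region pair.
ecr_registry_host() {
  local account_id="$1" region="$2"
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account_id" "$region"
}

# Preferred login: the password never appears on the command line or in shell
# history, because docker reads it from stdin. The token is valid for 12 hours
# and carries exactly the permissions of the calling IAM principal.
ecr_docker_login() {
  local account_id="$1" region="$2"
  aws ecr get-login-password --region "$region" \
    | docker login --username AWS --password-stdin "$(ecr_registry_host "$account_id" "$region")"
}

# What get-login-password does for you: GetAuthorizationToken returns a
# base64 string of "AWS:<password>". This helper decodes such a token and
# prints only the password part, rejecting anything not in that shape.
ecr_password_from_token() {
  local token_b64="$1" decoded
  decoded="$(printf '%s' "$token_b64" | base64 -d)"
  case "$decoded" in
    AWS:*) printf '%s\n' "${decoded#AWS:}" ;;
    *) echo "unexpected token format" >&2; return 1 ;;
  esac
}

# Manual route, equivalent to ecr_docker_login but using the raw API call.
ecr_docker_login_manual() {
  local account_id="$1" region="$2" token
  token="$(aws ecr get-authorization-token --region "$region" \
            --query 'authorizationData[0].authorizationToken' --output text)"
  ecr_password_from_token "$token" \
    | docker login --username AWS --password-stdin "$(ecr_registry_host "$account_id" "$region")"
}

# Usage: ecr_docker_login 123456789012 us-east-1
```

Either route yields a short-lived credential scoped to the calling principal, so a CI job should obtain it under a role that can only push to the repositories it owns, and should not persist the decoded password anywhere other than the Docker credential store.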
An Amazon ECR image repository contains customers' Docker or Open Container Initiative (OCI) images. ECR provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. Amazon ECR also integrates with the Docker CLI, allowing customers to push and pull images from their development environments to their repositories.
- Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let customers specify which IAM users or roles have access to a repository and what actions they can perform on it. By default, only the repository owner has access to a repository.
- Repositories can be controlled with both IAM user access policies and repository policies.
- Repository names can support namespaces, which you can use to group similar repositories.
Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let you specify which IAM users or roles have access to a repository and what actions they can perform on it. Customers can control access to their repositories, and to the images within them, through repository policies.
- Amazon ECR repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual Amazon ECR repositories.
- IAM policies are generally used to apply permissions for the entire Amazon ECR service but can also be used to control access to specific resources as well.
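A repository policy in the sense described above, as an added example that is not part of this page and not AWS-provided code: a pull-only grant to one other account, plus a textual check for policies that open a repository to any principal. The account id and repository name are placeholders; the action names are real ECR API actions.

```bash
#!/usr/bin/env bash
# Added example (not from the page or AWS): a least-privilege, pull-only
# repository policy for one trusted account, plus a check for policies that
# grant access to a wildcard principal. Account id and repository name are
# placeholders.
set -eu

# Emit a repository policy that lets one other account pull, and nothing else
# (no ecr:PutImage, no ecr:SetRepositoryPolicy). Repository policies do not
# need a Resource element: they apply to the repository they are attached to.
pull_only_policy() {
  local account_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPullFromTrustedAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}
EOF
}

# Attach the policy to a repository (replaces any existing policy).
apply_pull_only_policy() {
  local repo="$1" account_id="$2"
  aws ecr set-repository-policy --repository-name "$repo" \
    --policy-text "$(pull_only_policy "$account_id")"
}

# Return 0 (true) when a policy document names a wildcard principal, i.e.
# "Principal": "*" or "Principal": {"AWS": "*"} / {"AWS": ["*"]}. This is a
# simple textual check on the whitespace-stripped JSON; a "*" buried in a
# longer principal list is not caught, so treat it as a first-pass screen.
policy_has_wildcard_principal() {
  printf '%s' "$1" | tr -d ' \n\t' \
    | grep -Eq '"Principal":"\*"|"AWS":"\*"|"AWS":\["\*"'
}

# Fetch the live policy of a repository and report whether it is open.
audit_repository_policy() {
  local repo="$1" policy
  policy="$(aws ecr get-repository-policy --repository-name "$repo" \
              --query policyText --output text)"
  if policy_has_wildcard_principal "$policy"; then
    echo "WARNING: $repo grants access to a wildcard principal" >&2
    return 1
  fi
  echo "$repo: no wildcard principal"
}

# Usage: apply_pull_only_policy my-app 111122223333; audit_repository_policy my-app
```

Two points worth remembering when applying this: the pulling identity in the other account still needs ecr:GetAuthorizationToken (and the pull actions) in its own identity-based policy, because both policies are evaluated; and for an authoritative answer on unintended external access, IAM Access Analyzer evaluates ECR repository policies rather than the string match above.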
Amazon Elastic Container Registry (Amazon ECR) stores Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts in repositories. You can use the Docker CLI or your preferred client to push and pull images to and from your repositories.
- Amazon ECR supports pushing Docker images to an Amazon ECR repository with the docker push command.
- Amazon ECR supports creating and pushing Docker manifest lists which are used for multi-architecture images. A manifest list is a list of images that is created by specifying one or more image names. Typically the manifest list is created from images that serve the same function but for different operating systems or architectures, but this is not required.
Amazon ECR supports pushing Open Container Initiative (OCI) artifacts to your repositories. To demonstrate this functionality, use the following steps to push a Helm chart to Amazon ECR.
With Docker Image Manifest V2 Schema 2 images, users can use the --image-tag option of the put-image command to retag an existing image.
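The push, manifest-list and retag operations described above, as an added example that is not part of this page and not AWS-provided code. Account id, region, repository and image names are placeholders; the tag-format rule is Docker's documented one, and the retag goes through batch-get-image and put-image so that no layer is pulled or pushed.

```bash
#!/usr/bin/env bash
# Added example (not from the page or AWS): push, multi-arch manifest list and
# retag workflow for a private ECR repository. Account id, region, repository
# and image names are placeholders.
set -eu

# Docker tag rule: starts with a letter, digit or underscore; then letters,
# digits, '_', '.', '-'; at most 128 characters in total.
validate_image_tag() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Full image reference inside a private registry.
ecr_image_ref() {
  local account_id="$1" region="$2" repo="$3" tag="$4"
  printf '%s.dkr.ecr.%s.amazonaws.com/%s:%s\n' "$account_id" "$region" "$repo" "$tag"
}

# Tag a locally built image with its ECR reference and push it (docker push).
ecr_push_image() {
  local local_image="$1" account_id="$2" region="$3" repo="$4" tag="$5" ref
  validate_image_tag "$tag" || { echo "invalid tag: $tag" >&2; return 1; }
  ref="$(ecr_image_ref "$account_id" "$region" "$repo" "$tag")"
  docker tag "$local_image" "$ref"
  docker push "$ref"
}

# Build a manifest list from already-pushed per-architecture images and push
# it under one tag; clients then pull the variant matching their platform.
ecr_push_manifest_list() {
  local account_id="$1" region="$2" repo="$3" list_tag="$4"
  shift 4   # remaining arguments: tags of the per-architecture images
  local list_ref arch_tag refs=""
  list_ref="$(ecr_image_ref "$account_id" "$region" "$repo" "$list_tag")"
  for arch_tag in "$@"; do
    refs="$refs $(ecr_image_ref "$account_id" "$region" "$repo" "$arch_tag")"
  done
  # word splitting of $refs is intended: one argument per image reference
  docker manifest create "$list_ref" $refs
  docker manifest push "$list_ref"
}

# Retag without moving layers: fetch the existing manifest with BatchGetImage
# and register it again under a new tag with PutImage --image-tag.
ecr_retag() {
  local region="$1" repo="$2" old_tag="$3" new_tag="$4" manifest
  validate_image_tag "$new_tag" || { echo "invalid tag: $new_tag" >&2; return 1; }
  manifest="$(aws ecr batch-get-image --region "$region" --repository-name "$repo" \
      --image-ids imageTag="$old_tag" --query 'images[].imageManifest' --output text)"
  aws ecr put-image --region "$region" --repository-name "$repo" \
      --image-tag "$new_tag" --image-manifest "$manifest"
}

# Usage:
#   ecr_push_image my-app:local 123456789012 us-west-2 my-app v1.0-amd64
#   ecr_push_manifest_list 123456789012 us-west-2 my-app v1.0 v1.0-amd64 v1.0-arm64
#   ecr_retag us-west-2 my-app v1.0 stable
```

Because put-image only re-registers an existing manifest, the retag is cheap and leaves the image digest unchanged, which is what you want when promoting a tested build. If the repository has tag immutability enabled, put-image onto an existing tag is rejected rather than silently replacing the image, which is the safer default for production repositories.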