Containers & Orchestration

    Amazon ECR

    Fully managed Docker container registry

    ECR is like a secure warehouse for your Docker images. When you build Docker images, you need to store them somewhere before deploying to ECS, EKS, or other container platforms. ECR is a private Docker registry: you push images to ECR, and your container services pull them when deploying. It's integrated with IAM for access control, encrypted at rest, and scans images for vulnerabilities. Think of it as Docker Hub, but private, secure, and deeply integrated with AWS services.

    ECR stores Docker images in repositories (one per application or service). You authenticate with the AWS CLI, which issues a temporary registry token for docker login, then push images with docker push and pull them with docker pull. Access control comes from two places: IAM policies on the caller and repository policies attached to the repository itself.
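The push/pull split above in practice, as an added example (not code from the page or from AWS): a Python script that builds an ECR repository policy granting pull-only rights to the ECS task execution role and push rights to a developer role, derives the registry URI used by docker tag/push, and audits a policy for wildcard principals, wildcard actions and write rights leaking to unexpected principals. The account id, region, role names and repository name are constructed placeholders; the ecr: action names are the real ECR API actions.

```python
"""Build an ECR repository policy that separates push from pull rights and
audit it for common over-grants.  Added example, not AWS code; the account id,
region, role names and repository name below are constructed placeholders."""
import json

ACCOUNT = "123456789012"   # constructed placeholder account id
REGION = "us-east-1"       # constructed placeholder region
REPO = "payments-api"      # constructed repository name

# Actions a consumer needs to pull an image.  ecr:GetAuthorizationToken
# (the docker login step) is granted on resource "*" in the caller's IAM
# policy, not in the repository policy, so it is not listed here.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
]
# Extra actions needed to push (layer upload plus manifest write).
PUSH_ACTIONS = [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def role_arn(role_name):
    return f"arn:aws:iam::{ACCOUNT}:role/{role_name}"


def image_uri(tag):
    """Registry URI a developer tags and pushes to (docker tag ... && docker push)."""
    return f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/{REPO}:{tag}"


def repository_policy(pull_roles, push_roles):
    """Pull-only rights for pull_roles, push and pull for push_roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPull",
                "Effect": "Allow",
                "Principal": {"AWS": [role_arn(r) for r in pull_roles]},
                "Action": PULL_ACTIONS,
            },
            {
                "Sid": "AllowPush",
                "Effect": "Allow",
                "Principal": {"AWS": [role_arn(r) for r in push_roles]},
                "Action": PULL_ACTIONS + PUSH_ACTIONS,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS", []))


def audit_policy(policy, allowed_pushers):
    """Return findings for over-broad Allow statements.

    Flags a wildcard principal with no Condition, a wildcard action, and any
    push or delete action granted to a principal not in allowed_pushers (a set
    of role ARNs).  An empty list means the policy passed these checks.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action", []))
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: wildcard principal without a Condition")
        if any(a in ("*", "ecr:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants every ECR operation")
        writes = [a for a in actions
                  if a in PUSH_ACTIONS or a == "ecr:BatchDeleteImage" or a in ("*", "ecr:*")]
        if writes:
            for p in principals:
                if p not in allowed_pushers:
                    findings.append(f"{sid}: write rights ({', '.join(writes)}) granted to {p}")
    return findings


if __name__ == "__main__":
    policy = repository_policy(["ecsTaskExecutionRole"], ["DeveloperRole"])
    print(json.dumps(policy, indent=2))
    print(image_uri("1.4.2"))
    print(audit_policy(policy, {role_arn("DeveloperRole")}))
```

The audit deliberately treats a wildcard action as a write grant as well as a wildcard, so an open `"Principal": "*"` / `"Action": "ecr:*"` statement produces three separate findings; review tooling that only checks principals would miss the second and third.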

    Key Capabilities

    Key features: image scanning (detect vulnerabilities), lifecycle policies (automatically delete old images), replication (cross-region, cross-account), and encryption (KMS).

    Gotchas & Constraints

    Gotcha #1: ECR charges for storage and data transfer; implement lifecycle policies to delete unused images.

    Gotcha #2: Image scanning is not automatic; enable scan-on-push or schedule scans.

    Constraints: Maximum 10,000 repositories per account (request an increase), no hard limit on images per repository (use lifecycle policies to manage), and maximum 10 GB per image layer.

    A development team builds Docker images for 50 microservices. Storing them on Docker Hub would make the images public and put every pull on an external network path. They use ECR instead: create a repository for each service, configure IAM policies (developers can push, ECS can pull), and enable encryption with KMS. They integrate with CodeBuild to build Docker images and push them to ECR automatically, and enable image scanning on push; ECR scans for vulnerabilities and sends SNS notifications for critical findings. They create lifecycle policies: keep the last 10 images per repository and delete images older than 90 days. For disaster recovery, they enable cross-region replication, so images are automatically copied to a secondary region. ECS pulls images from ECR when deploying: fast, secure, and with no external dependencies.
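The lifecycle policy from this scenario (and from the Key Capabilities and Gotchas sections above) carried through, as an added example that is not code from the page or from AWS: the policy document in ECR's rule format, a validator for the rule constraints, and an offline simulation of which images the rules would expire over a constructed repository listing. ECR lets exactly one rule expire a given image and a rule that matches an image's tag state owns it, so the example scopes the 90-day age rule to untagged images and the keep-10 count rule to everything else; the image digests, tags and timestamps are constructed.

```python
"""ECR lifecycle policy for the scenario above, a validator for its rules and
an offline simulation of which images the rules expire.  Added example, not
AWS code; the image list and timestamps are constructed."""
from datetime import datetime, timedelta, timezone

LIFECYCLE_POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "Expire untagged images not pushed in the last 90 days",
            "selection": {
                "tagStatus": "untagged",
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 90,
            },
            "action": {"type": "expire"},
        },
        {
            "rulePriority": 2,
            "description": "Keep only the 10 most recently pushed images",
            "selection": {
                "tagStatus": "any",
                "countType": "imageCountMoreThan",
                "countNumber": 10,
            },
            "action": {"type": "expire"},
        },
    ]
}


def validate_policy(policy):
    """Return a list of problems; empty means the rule set passes these checks."""
    problems = []
    rules = policy.get("rules", [])
    priorities = [r["rulePriority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("rulePriority values must be unique")
    for r in rules:
        sel, n = r["selection"], r["rulePriority"]
        if sel["tagStatus"] == "tagged" and not sel.get("tagPrefixList"):
            problems.append(f"rule {n}: tagStatus tagged needs tagPrefixList")
        if sel["countType"] == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"rule {n}: sinceImagePushed needs countUnit 'days'")
        if sel["countType"] == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"rule {n}: imageCountMoreThan takes no countUnit")
        if sel["countNumber"] < 1:
            problems.append(f"rule {n}: countNumber must be positive")
    # A catch-all rule claims every image it sees, so this example requires it
    # to be evaluated last (highest rulePriority value) or it shadows the rest.
    any_rules = [r["rulePriority"] for r in rules if r["selection"]["tagStatus"] == "any"]
    if any_rules and any_rules != [max(priorities)]:
        problems.append("the tagStatus any rule must be the single highest rulePriority")
    return problems


def _selected(selection, image):
    status = selection["tagStatus"]
    if status == "any":
        return True
    if status == "untagged":
        return not image["tags"]
    return any(t.startswith(p) for t in image["tags"] for p in selection["tagPrefixList"])


def images_to_expire(policy, images, now):
    """Simulate evaluation: rules run by ascending rulePriority, an image that
    matches a rule's tag selection is owned by that rule and never considered
    again, and each rule expires only what its count or age test selects."""
    expired, claimed = [], set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        candidates = [i for i in images if i["digest"] not in claimed and _selected(sel, i)]
        claimed.update(i["digest"] for i in candidates)
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            hits = [i for i in candidates if i["pushed_at"] < cutoff]
        else:  # imageCountMoreThan keeps the newest countNumber images
            newest_first = sorted(candidates, key=lambda i: i["pushed_at"], reverse=True)
            hits = newest_first[sel["countNumber"]:]
        expired.extend(i["digest"] for i in hits)
    return sorted(expired)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed evaluation time


def sample_images():
    """Constructed repository contents: 12 tagged releases pushed one per day,
    plus three untagged build leftovers aged 10, 100 and 200 days."""
    images = [{"digest": f"sha256:rel{k:02d}", "tags": [f"v1.0.{k}"],
               "pushed_at": NOW - timedelta(days=k)} for k in range(12)]
    images += [{"digest": f"sha256:untagged{age}", "tags": [],
                "pushed_at": NOW - timedelta(days=age)} for age in (10, 100, 200)]
    return images


if __name__ == "__main__":
    print(validate_policy(LIFECYCLE_POLICY))
    print(images_to_expire(LIFECYCLE_POLICY, sample_images(), NOW))
```

Running the simulation before applying a policy is the cheap way to catch the ordering mistake the validator flags: if the catch-all count rule is given the lower rulePriority number it runs first, claims every image, and the age rule never sees the stale untagged builds it was written for.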

    The Result

    Secure image storage, automated vulnerability scanning, and direct AWS integration.
