Getting Started with Amazon Elastic Container Registry

Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry that offers a convenient and secure way to store, manage, and deploy Docker images.

This post will give you a high-level overview of the key features of ECR, as well as how to perform some of the most common ECR tasks:

• Creating an Amazon ECR repository

• Connecting to AWS ECR using the AWS CLI

• Pushing a Docker image to ECR

What is AWS ECR?

When working with Docker images, you will often be pushing and pulling them from a container registry, which is used for storage and centralized access. The most popular registry is Docker Hub, which is public, but many cloud providers offer private container registries. AWS’s Elastic Container Registry is one of these, providing your own registry for your AWS account.

ECR is natively integrated with other AWS services like ECS, EKS and App Runner.

How ECR Works

ECR Pricing

There are no upfront costs associated with Amazon Elastic Container Registry. ECR pricing is based on the following factors:

• Storage: Images stored in ECR are charged $0.10 per GB / month.

• Egress Traffic: Data transferred out of ECR, such as image pulls, is charged; ingress traffic (data entering or uploaded to ECR) is free.

Use the AWS Pricing Calculator to create a custom ECR estimate.

AWS Free Tier - if you are a new AWS customer, you get 500 MB / month of storage for your private repositories for one year. Both new and existing customers get 50 GB / month of always-free storage for their public repositories.

Container Image Security

Amazon ECR image scanning helps to identify security vulnerabilities that may exist in your container images. ECR offers the following scanning types:

• Basic scanning: You can configure your repositories to scan on push or you can perform manual scans. ECR scans your container images for a broad range of operating system vulnerabilities, and provides a list of scan findings. This is repeated every time a new image is pushed to ECR.

• Enhanced scanning with Amazon Inspector: ECR integrates with Amazon Inspector, a managed software scanning solution that provides automated, continuous scanning of the images in your registry. Images can be scanned whenever they are pushed to ECR, and images that are already in ECR can be scanned as well. Amazon Inspector scans the image's operating system and programming language packages. Results are shown in both the ECR and Amazon Inspector consoles.

By default, Amazon ECR enables basic scanning on all private registries.
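
One way to act on basic scan findings, as an added example that is not part of the original post: a shell gate that waits for the scan of an image and fails when its CRITICAL or HIGH counts exceed a limit. The function names, the tag and the zero-tolerance defaults are assumptions.

```bash
# Added example: gate a deployment on ECR basic-scan severity counts.
# Function names, tag and thresholds are assumptions, not from the post.

# Print the CRITICAL and HIGH counts (tab-separated) once the scan is done.
# The CLI prints "None" for a severity that has no findings.
scan_counts() (
  repo="$1"; tag="$2"
  # The waiter polls until the scan completes; non-zero if it fails or times out.
  aws ecr wait image-scan-complete \
    --repository-name "$repo" --image-id "imageTag=$tag" || exit 2
  aws ecr describe-image-scan-findings \
    --repository-name "$repo" --image-id "imageTag=$tag" \
    --query 'imageScanFindings.findingSeverityCounts.[CRITICAL, HIGH]' \
    --output text
)

# Exit 0 when counts are within limits, 1 when exceeded, 2 when unknown.
scan_gate() (
  repo="$1"; tag="$2"; max_critical="${3:-0}"; max_high="${4:-0}"
  counts="$(scan_counts "$repo" "$tag")" || exit 2
  [ -n "$counts" ] || exit 2            # fail closed on empty output
  set -- $counts                         # $1=CRITICAL, $2=HIGH
  critical="${1:-0}"; high="${2:-0}"
  [ "$critical" = "None" ] && critical=0
  [ "$high" = "None" ] && high=0
  case "$critical$high" in *[!0-9]*) exit 2 ;; esac   # unexpected output
  echo "$repo:$tag CRITICAL=$critical HIGH=$high" >&2
  [ "$critical" -le "$max_critical" ] && [ "$high" -le "$max_high" ]
)

# In a pipeline: scan_gate my-app latest || exit 1
```
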

Setting Up Amazon ECR

Prerequisites

Before you can use Amazon ECR, make sure you have installed:

  1. Docker

  2. The AWS CLI. If you need to install or upgrade, see Install AWS CLI.

Create a Private Container Repository Using the AWS Management Console

In ECR, container images are stored inside repositories. Container repositories can be public or private. A public repository is where anyone can push and pull images. With a private registry, our images will be stored privately and only someone with the relevant permissions will be able to pull these images.

The following steps create a private repository using the AWS Management Console.

  1. Inside your console search bar, type ECR and select Elastic Container Registry.

  2. For Visibility settings, choose Private. Click on Create Repository.

  3. Enter a name for your repository. I've called mine my-app.

  4. Tag Immutability prevents image tags from being overwritten.

  5. Scan on push means an image scan to find software vulnerabilities will be done whenever a new image is pushed to the repository.

  6. For KMS encryption, you can choose to enable server-side encryption of images in your repository using AWS Key Management Service.

  7. Click on Create Repository. When the repository is created, the output is similar to the following:

[Screenshot: the newly created repository]
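
The same repository settings from the AWS CLI, as an added example rather than code from the original post: create_repo sets tag immutability, scan on push and KMS encryption explicitly, and check_repo audits an existing repository for them. The function names and the region argument are assumptions.

```bash
# Added example: the console options from steps 4-6, set and audited via the CLI.
# Function names are assumptions; pass your own region.

# Create a private repository with all three options enabled.
create_repo() (
  name="$1"; region="$2"
  aws ecr create-repository \
    --region "$region" \
    --repository-name "$name" \
    --image-tag-mutability IMMUTABLE \
    --image-scanning-configuration scanOnPush=true \
    --encryption-configuration encryptionType=KMS
)

# Exit 0 if the repository has all three settings, 1 if any is missing,
# 2 if the repository could not be described.
check_repo() (
  name="$1"; region="$2"
  settings="$(aws ecr describe-repositories \
    --region "$region" --repository-names "$name" \
    --query 'repositories[0].[imageTagMutability, imageScanningConfiguration.scanOnPush, encryptionConfiguration.encryptionType]' \
    --output text)" || exit 2
  set -- $settings                 # $1=mutability, $2=scanOnPush, $3=encryption
  ok=0
  [ "$1" = "IMMUTABLE" ] || { echo "$name: image tags can be overwritten" >&2; ok=1; }
  case "$2" in
    [Tt]rue) ;;
    *) echo "$name: scan on push is disabled" >&2; ok=1 ;;
  esac
  [ "$3" = "KMS" ] || { echo "$name: encryption is ${3:-unknown}, not KMS" >&2; ok=1; }
  exit "$ok"
)

# Usage: create_repo my-app <region> && check_repo my-app <region>
```

With tag immutability on, a push that would move an existing tag such as my-app:latest to a different image is rejected, so give each build its own tag.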

Create an IAM User

ECR uses AWS IAM to authenticate and authorize users to push and pull images. To use our newly created repository, we need to create an IAM user that will be allowed to use the ECR service.

  1. In the console search bar type IAM and pick the first option.

  2. In the navigation pane, select Users then click on Add users.

  3. Enter a username (in my case ecr-repo) and select the checkbox next to Programmatic Access.

  4. Click Next: Permissions.

  5. Under Set permissions select Attach existing policies directly. Search for Container. Select AmazonEC2ContainerRegistryFullAccess.

  6. Click Next: Tags. This is an optional section where you can add some metadata to the user.

  7. Click Next: Review then choose Create User. Download the .csv file containing the user's credentials.
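
A narrower alternative to AmazonEC2ContainerRegistryFullAccess, as an added example that is not part of the original post: an inline policy that lets the ecr-repo user log in and push or pull only the my-app repository. The function name, the policy name and the account and region arguments are assumptions.

```bash
# Added example: least-privilege push/pull policy for a single ECR repository.
# Function and policy names are assumptions; account ID and region are yours.

# Print the policy JSON for one repository; exit 2 on a malformed account ID.
ecr_push_pull_policy() (
  region="$1"; account="$2"; repo="$3"
  case "$account" in
    ""|*[!0-9]*) echo "account ID must be 12 digits" >&2; exit 2 ;;
  esac
  [ "${#account}" -eq 12 ] || { echo "account ID must be 12 digits" >&2; exit 2; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Login",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PushPullOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:${region}:${account}:repository/${repo}"
    }
  ]
}
EOF
)

# Attach it to the user from step 3 (policy name is a placeholder):
# aws iam put-user-policy --user-name ecr-repo --policy-name ecr-my-app-push-pull \
#   --policy-document "$(ecr_push_pull_policy <region> <aws_account_id> my-app)"
```
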

Now in your terminal type:

aws configure

The above command will prompt you to set your AWS credentials. Use the AWS Access Key ID and AWS Secret Access Key from the previous step.

Build, Tag, and Push a Docker Image to ECR

In order to push a Docker image into a private repository, we must first log in to that repository so that we can authenticate ourselves. AWS provides an aws ecr get-login-password command, which is similar to a docker login command.

Select the repository you created and click View push commands.

  1. Copy and paste the provided command from the console into a terminal window. The first command gives you an authorization token that is valid for 12 hours.

aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

After this command you should see a Login Succeeded message in your terminal.

  2. If you haven't already done so, create a Docker image locally from a Dockerfile using the docker build command.

  3. Before pushing the Docker image to ECR, you need to tag it with its repository URI. This configures the docker push command to push the image to a specific repository. Tag the image you want to push with your ECR repository URI by pasting the docker tag command from the console into your terminal window.

docker tag e9ae3c220b23 aws_account_id.dkr.ecr.region.amazonaws.com/my-app:latest

You are now ready to push to ECR!

  4. Push the tagged image to your repository by using the docker push command:

docker push aws_account_id.dkr.ecr.region.amazonaws.com/my-app:latest

  5. You can view the image you pushed by going to the ECR console.

You can also view your image by visiting where it is stored in Amazon S3. Amazon ECR stores images in Amazon S3 buckets that are managed by ECR for high availability. Currently, ECR has a limit of 10,000 images per repository.

Summary

There are many ways to run containers on AWS - ECS on Fargate, EC2, App Runner, and many more. ECR is at the center of all of these. It allows us to reliably deploy containers for our applications and comes with numerous benefits:

• Fully managed

• Secure

• Highly Available

• Scalable

• Simplified Workflow

For your images' security, you can choose between basic scanning and enhanced scanning, which is powered by Amazon Inspector.

With ECR, there are no upfront fees or commitments. You pay only for the amount of data you store in your repositories and data transferred to the Internet.

If you have any questions or feedback, please feel free to leave a comment.

Thanks for reading!