1. What is Amazon ECR?

Amazon Elastic Container Registry (ECR) is a fully managed Docker container image registry that makes it easy to store, manage, and deploy Docker container images. Think of it as a private Docker Hub hosted on AWS.

Core Concept: ECR stores your Docker images. ECS and EKS pull images FROM ECR to run containers. The workflow is: Build image → Push to ECR → Deploy on ECS/EKS. ECR is to containers what S3 is to files — a storage service specifically for container images.

2. ECR Key Features

Private and Public Repositories

Image Storage & Management

  1. Images are stored in repositories (one repository per application/microservice)
  2. Each repository contains multiple image versions identified by tags (e.g., latest, v1.0, production)
  3. Images are stored as layers — shared layers are stored only once (cost-efficient)
  4. Encrypted at rest by default (using AWS KMS)
  5. Stored in S3 behind the scenes (managed by AWS, you don’t see the S3 bucket)


Image Scanning

Automatically scans images for known software vulnerabilities (CVEs) when they are pushed; basic scanning is built in, and enhanced scanning uses Amazon Inspector

Lifecycle Policies

  1. Automatically clean up old or unused images to reduce storage costs
  2. Define rules based on: image age, image count, tag status (tagged/untagged)
  3. Example: "Keep only the last 10 images" or "Delete untagged images older than 7 days"
  4. Evaluated once every 24 hours
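The two example rules above, written out as a real lifecycle policy document and dry-run locally. This is an added example, not part of the original notes or an AWS tool: the policy JSON shape is the one `aws ecr put-lifecycle-policy` accepts, while `simulate` is a simplified local model of the documented evaluation order (rules run by ascending priority, a lower-priority rule still counts images a higher-priority rule already expired, and an image is expired by at most one rule); the image list and digests are constructed.

```python
"""Build an ECR lifecycle policy and dry-run it against a constructed image list."""
import json
from datetime import datetime, timedelta, timezone

# Equivalent of the notes' two examples, in put-lifecycle-policy format.
LIFECYCLE_POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "Delete untagged images older than 7 days",
            "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                          "countUnit": "days", "countNumber": 7},
            "action": {"type": "expire"},
        },
        {
            "rulePriority": 2,
            "description": "Keep only the last 10 images",
            "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 10},
            "action": {"type": "expire"},
        },
    ]
}


def validate_policy(policy):
    """Return structural problems; an empty list means the document is well formed."""
    problems, seen = [], set()
    for rule in policy["rules"]:
        prio, sel = rule["rulePriority"], rule["selection"]
        if prio in seen:
            problems.append(f"rule {prio}: duplicate rulePriority")
        seen.add(prio)
        has_filter = "tagPrefixList" in sel or "tagPatternList" in sel
        if sel["tagStatus"] == "tagged" and not has_filter:
            problems.append(f"rule {prio}: tagStatus 'tagged' needs tagPrefixList or tagPatternList")
        if sel["tagStatus"] != "tagged" and has_filter:
            problems.append(f"rule {prio}: tag filters are only valid with tagStatus 'tagged'")
        if sel["countType"] == "sinceImagePushed" and sel.get("countUnit") != "days":
            problems.append(f"rule {prio}: sinceImagePushed requires countUnit 'days'")
        if sel["countType"] == "imageCountMoreThan" and "countUnit" in sel:
            problems.append(f"rule {prio}: imageCountMoreThan must not set countUnit")
        if rule["action"]["type"] != "expire":
            problems.append(f"rule {prio}: the only action type is 'expire'")
    return problems


def policy_text(policy):
    """JSON to pass as --lifecycle-policy-text to `aws ecr put-lifecycle-policy`."""
    return json.dumps(policy, indent=2)


def _selected(sel, img):
    status = sel["tagStatus"]
    if status == "untagged":
        return not img["tags"]
    if status == "any":
        return True
    prefixes = sel.get("tagPrefixList", [])
    return any(t.startswith(p) for t in img["tags"] for p in prefixes)


def simulate(policy, images, now):
    """Map each digest the policy would expire to the rulePriority that expires it.

    Simplified local model (assumption: the service's own evaluation is authoritative):
    rules run in ascending priority, each rule selects over every image matching its tag
    filter, including images a higher-priority rule already expired, and setdefault keeps
    the first rule that hit an image.
    """
    expired = {}
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        pool = [img for img in images if _selected(sel, img)]
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            hits = [img for img in pool if img["pushed_at"] < cutoff]
        else:  # imageCountMoreThan: newest first, everything past countNumber expires
            pool.sort(key=lambda img: img["pushed_at"], reverse=True)
            hits = pool[sel["countNumber"]:]
        for img in hits:
            expired.setdefault(img["digest"], rule["rulePriority"])
    return expired


# Constructed repository state: 12 tagged releases (v1 is 19 days old, v12 is 8 days old)
# plus two untagged CI builds. Digests are fake, derived from the index.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _img(n, tags, days_ago):
    return {"digest": f"sha256:{n:064x}", "tags": tags, "pushed_at": NOW - timedelta(days=days_ago)}


SAMPLE_IMAGES = [_img(i, [f"v{i}"], days_ago=20 - i) for i in range(1, 13)]
SAMPLE_IMAGES += [_img(90, [], days_ago=8.5), _img(91, [], days_ago=1)]

if __name__ == "__main__":
    print(validate_policy(LIFECYCLE_POLICY) or "policy OK")
    for digest, prio in sorted(simulate(LIFECYCLE_POLICY, SAMPLE_IMAGES, NOW).items()):
        print(f"rule {prio} expires {digest[:19]}...")
```

Running it shows the edge case worth knowing before applying a count-based rule: the 8.5-day-old untagged build is expired by rule 1, but it still occupies one of rule 2's ten newest slots, so rule 2 expires v4 as well as v1 to v3. Save `policy_text(LIFECYCLE_POLICY)` to a file and apply it with `aws ecr put-lifecycle-policy --repository-name my-app --lifecycle-policy-text file://policy.json`; `aws ecr start-lifecycle-policy-preview` gives the service's own dry run.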


Cross-Region and Cross-Account Replication

  1. Replicate images automatically to other Regions (for DR, multi-Region deployment)
  2. Replicate to other AWS accounts (for multi-account architectures)
  3. Configured at the registry level with replication rules


Image Tag Immutability

  1. When enabled, it prevents image tags from being overwritten
  2. Ensures that a specific tag (e.g., v1.0) always refers to the same image
  3. Recommended for production to prevent accidental overwrites
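A check that makes the immutability point concrete on the deployment side. This is an added example, not from the original notes: it parses private ECR image references, then audits an ECS task definition and reports every container image that is not pinned. A digest reference always passes; a release tag passes only when its repository has tag immutability enabled; floating tags such as `latest` and images from outside the trusted accounts are flagged. The task definition, account IDs and digest are constructed values, and the set of mutable tag names is an assumption you would adjust to your own conventions.

```python
"""Audit an ECS task definition for unpinned or untrusted ECR image references."""
import re

# <account-id>.dkr.ecr.<region>.amazonaws.com/<repository>[:<tag>][@<digest>]
ECR_IMAGE_RE = re.compile(
    r"^(?P<account>\d+)\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[a-z0-9._/-]+)(?::(?P<tag>[A-Za-z0-9._-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

# Tags that are expected to move between builds (assumed convention, not an ECR rule).
FLOATING_TAGS = {"latest", "main", "master", "dev", "staging", "production"}


def parse_image_ref(ref):
    """Return account/region/repo/tag/digest for a private ECR reference, else None."""
    m = ECR_IMAGE_RE.match(ref)
    return m.groupdict() if m else None


def pinned_reference(parsed, digest):
    """Rewrite a parsed reference to its digest form (digest from `aws ecr describe-images`)."""
    return f"{parsed['account']}.dkr.ecr.{parsed['region']}.amazonaws.com/{parsed['repo']}@{digest}"


def audit_task_definition(task_def, trusted_accounts, immutable_repos):
    """One finding per container whose image cannot be trusted to stay the same image."""
    findings = []
    for container in task_def["containerDefinitions"]:
        name, ref = container["name"], container["image"]
        parsed = parse_image_ref(ref)
        if parsed is None:
            findings.append(f"{name}: {ref!r} is not a private ECR reference")
            continue
        if parsed["account"] not in trusted_accounts:
            findings.append(f"{name}: registry account {parsed['account']} is not trusted")
        if parsed["digest"]:
            continue  # digest pins are immune to tag overwrites
        tag = parsed["tag"] or "latest"  # Docker defaults a missing tag to latest
        if tag in FLOATING_TAGS:
            findings.append(f"{name}: tag {tag!r} is a floating tag; deploy a release tag or a digest")
        elif parsed["repo"] not in immutable_repos:
            findings.append(f"{name}: tag {tag!r} can be overwritten because {parsed['repo']!r} "
                            "does not have tag immutability enabled")
    return findings


# Constructed task definition (hypothetical account IDs and digest).
SAMPLE_TASK_DEF = {
    "family": "my-app",
    "containerDefinitions": [
        {"name": "api", "image": "111111111111.dkr.ecr.us-east-1.amazonaws.com/my-app:v1.0"},
        {"name": "worker", "image": "111111111111.dkr.ecr.us-east-1.amazonaws.com/my-worker:latest"},
        {"name": "sidecar", "image": "111111111111.dkr.ecr.us-east-1.amazonaws.com/my-app@sha256:" + "ab" * 32},
        {"name": "proxy", "image": "nginx:1.25"},
        {"name": "batch", "image": "999999999999.dkr.ecr.eu-west-1.amazonaws.com/team/batch:v2"},
    ],
}

if __name__ == "__main__":
    for finding in audit_task_definition(SAMPLE_TASK_DEF, {"111111111111"}, {"my-app"}):
        print(finding)
```

Enable immutability on a repository with `aws ecr put-image-tag-mutability --repository-name my-app --image-tag-mutability IMMUTABLE`; after that, a push that reuses an existing tag is rejected, which is what lets the `api` container above pass on a plain `v1.0` tag.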

3. ECR Authentication & Access

ECR uses IAM for authentication and authorization. To push or pull images, you need to authenticate with ECR.


Authentication Command

# Get login token (valid for 12 hours)
# The registry URI is <account-id>.dkr.ecr.<region>.amazonaws.com; 123456789 stands in for your 12-digit AWS account ID
aws ecr get-login-password --region us-east-1 \
  | docker login --username AWS \
    --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

# Push an image (tag it with the full repository URI first)
docker tag my-app:latest 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest

# Pull an image
docker pull 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:latest


Access Control

  1. IAM policies control who can push, pull, and manage images
  2. Repository policies (resource-based) can grant cross-account access
  3. ECS Task Execution Role needs ecr:GetAuthorizationToken and ecr:BatchGetImage permissions to pull images
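The two halves of access control above, worked through in code. This is an added example, not from the original notes or any AWS tool: `cross_account_pull_policy` builds the resource-based repository policy that grants another account read-only pull, and `lint_repository_policy` is a small review check that flags Allow statements opening a repository to any principal, granting wildcard actions, or granting push to a foreign account. The three repository-level pull actions it uses are the ones the AWS managed policy AmazonECSTaskExecutionRolePolicy grants alongside `ecr:GetAuthorizationToken`, which is a registry-level action and belongs on the caller's own IAM role rather than in the repository policy. Account IDs and the over-broad sample policy are constructed.

```python
"""Build and lint ECR repository (resource-based) policies."""

# Repository-level actions needed to pull an image. ecr:GetAuthorizationToken is
# registry-level and is granted on the caller's IAM identity, not in this policy.
PULL_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
PUSH_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"}


def cross_account_pull_policy(account_ids):
    """Repository policy granting read-only pull to the listed AWS accounts."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in account_ids]},
            "Action": PULL_ACTIONS,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element into a list of strings; '*' means anyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for entry in principal.values():  # keys such as "AWS" or "Service"
        out.extend(_as_list(entry))
    return out


def _account_of(principal):
    # arn:partition:iam::ACCOUNT:... -> ACCOUNT; a bare account ID is also a valid principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def lint_repository_policy(policy, own_account):
    """Return findings for Allow statements that widen access beyond cross-account pull."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        principals = _principals(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: Principal '*' with no Condition lets any AWS identity use this repository")
        if actions & {"*", "ecr:*"}:
            findings.append(f"{sid}: wildcard action grants push, delete and policy changes")
        foreign = sorted({_account_of(p) for p in principals if p != "*" and _account_of(p) != own_account})
        if foreign and actions & PUSH_ACTIONS:
            findings.append(f"{sid}: push actions granted to other accounts {foreign}")
    return findings


# Constructed policy containing the mistakes the linter should catch (hypothetical account IDs).
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenToWorld", "Effect": "Allow", "Principal": "*", "Action": "ecr:*"},
        {"Sid": "PartnerPush", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]},
    ],
}

if __name__ == "__main__":
    print("good policy:", lint_repository_policy(cross_account_pull_policy(["222222222222"]), "111111111111"))
    for finding in lint_repository_policy(OVERLY_BROAD_POLICY, "111111111111"):
        print("finding:", finding)
```

The generated document is what you would apply with `aws ecr set-repository-policy --repository-name my-app --policy-text file://policy.json`; the consuming account still needs an IAM policy on its own task execution role for the pull actions and `ecr:GetAuthorizationToken`, because a resource-based grant alone does not authorize the `docker login` step.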

4. ECR with ECS and EKS

5. ECR Pricing

  1. Storage: pay per GB/month of stored images
  2. Data Transfer: free within the same Region. Standard rates for cross-Region.
  3. No charge for private image pulls within the same Region
  4. Enhanced scanning: charged per image scan via Amazon Inspector pricing

6. ECR vs Docker Hub vs Other Registries

7. When to use

Use ECR when you need to store, manage, and deploy container images on AWS.

Common scenarios:

  1. Store Docker images — Push and pull container images for your applications.
  2. CI/CD pipelines — Integrate with CodeBuild, CodePipeline, or Jenkins to build and push images automatically.
  3. Run containers on AWS — Store images used by ECS, EKS, Fargate, or Lambda (container image support).
  4. Share images across accounts — Grant cross-account access to container images.
  5. Security scanning — Automatically scan images for known vulnerabilities on push.


Exam Tip: For ECR questions, "Where to store Docker images for ECS/EKS" = ECR. "Scan images for vulnerabilities" = ECR with Enhanced Scanning (Inspector) or Basic Scanning. "Replicate images across Regions" = ECR cross-Region replication. "Clean up old images automatically" = ECR Lifecycle Policies. "ECS Task Execution Role" is needed to pull images from ECR. Tag immutability = prevent accidental overwrites in production.