Compute | Amazon Elastic Container Registry

Question 1

What is Amazon Elastic Container Registry (ECR)?

General

Amazon Elastic Container Registry | Compute

Answer 1

Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. Amazon ECR is integrated with Amazon Elastic Container Service (ECS), simplifying your development to production workflow. Amazon ECR eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure. Amazon ECR hosts your images in a highly available and scalable architecture, allowing you to reliably deploy containers for your applications. Integration with AWS Identity and Access Management (IAM) provides resource-level control of each repository.

Question 2

Why should I use Amazon ECR?

General

Amazon Elastic Container Registry | Compute

Answer 2

Amazon ECR eliminates the need to operate and scale the infrastructure required to power your container registry. Amazon ECR uses Amazon S3 for storage to make your container images highly available and accessible, allowing you to reliably deploy new containers for your applications. Amazon ECR transfers your container images over HTTPS and automatically encrypts your images at rest. You can configure policies to manage permissions for each repository and restrict access to IAM users, roles, or other AWS accounts. Amazon ECR integrates with Amazon ECS and the Docker CLI, allowing you to simplify your development and production workflows. You can easily push your container images to Amazon ECR using the Docker CLI from your development machine, and Amazon ECS can pull them directly for production deployments.

Question 3

What is the pricing for Amazon ECR?

General

Amazon Elastic Container Registry | Compute

Answer 3

With Amazon ECR, there are no upfront fees or commitments. You pay only for the amount of data you store in your repositories and data transferred to the Internet. Please see our Pricing page for more details.

Question 4

Is Amazon ECR a global service?

General

Amazon Elastic Container Registry | Compute

Answer 4

Amazon ECR is a regional service and is designed to give you flexibility in how images are deployed. You have the ability to push/pull images to the same region where your Docker cluster runs for the best performance. You can also access Amazon ECR anywhere that Docker runs such as desktops and on-premises environments. Pulling images between regions or out to the internet will have additional latency and data transfer costs.

Question 5

Can Amazon ECR host public container images?

General

Amazon Elastic Container Registry | Compute

Answer 5

Amazon ECR currently supports private images. However, using IAM resource-based permissions, you can configure policies for each repository to allow access to IAM users, roles, or other AWS accounts.

Question 6

What compliance capabilities can I enable on Amazon ECR?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 6

You can use AWS CloudTrail on Amazon ECR to provide a history of all API actions such as who pulled an image and when tags were moved between images. Administrators can also find which EC2 instances pulled which images.

Question 7

How do I get started using Amazon ECR?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 7

The best way to get started with Amazon ECR is to use the Docker CLI to push and pull and your first image. Visit our Getting Started page for more information.

Question 8

Can I access Amazon ECR inside a VPC?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 8

To use Amazon ECR within a VPC, your instances must be able to communicate with the Internet. You can do this with Amazon VPC NAT Gateway.

Question 9

What’s the best way to manage my repositories and images?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 9

Amazon ECR provides a command line interface and APIs to create, monitor, and delete repositories and set repository permissions. You can perform the same actions in the Amazon ECR Management Console, which can be accessed via the “Repositories” section of the Amazon ECS Console. Amazon ECR also integrates with the Docker CLI allowing you to push, pull, and tag images on your development machine.

Question 10

Does Amazon ECR replicate images across regions?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 10

No. Amazon ECR is designed to give you flexibility in where you store and how you deploy your images. You can create deployment pipelines that build images, push them to Amazon ECR in selected regions, and then deploy the images to your Docker cluster.

Question 11

Can I use Amazon ECR within local and on-premises environments?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 11

Yes. You can access Amazon ECR anywhere that Docker runs such as desktops and on-premises environments.

Question 12

Does Amazon ECR provide an Amazon Linux container image?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 12

Yes. Amazon ECR provides Amazon Linux container images, and detailed steps can be found on the forums. Customers can use these container images to run workloads in their Linux-based Docker environment. The container image has a minimal set of packages and is able to install the full set of Amazon Linux AMI packages. Similar to the Amazon Linux AMI in EC2, Amazon Linux container images will get ongoing updates from Amazon in the form of security updates, rolling releases, and package updates.

Question 13

Does Amazon ECR work with Amazon ECS?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 13

Yes. Amazon ECR is integrated with Amazon ECS allowing you to easily store, run, and manage container images for applications running on Amazon ECS. All you need to do is specify the Amazon ECR repository in your Task Definition and Amazon ECS will retrieve the appropriate images for your applications.

Question 14

Does Amazon ECR work with AWS Elastic Beanstalk?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 14

Yes. AWS Elastic Beanstalk supports Amazon ECR for both single and multi-container Docker environments allowing you to easily deploy container images stored in Amazon ECR with AWS Elastic Beanstalk. All you need to do is specify the Amazon ECR repository in your Dockerrun.aws.json configuration and attach the AmazonEC2ContainerRegistryReadOnly policy to your container instance role.

Question 15

What version of Docker Engine does Amazon ECR support?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 15

Amazon ECR currently supports Docker Engine 1.7.0 and up.

Question 16

What version of the Docker Registry API does Amazon ECR support?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 16

Amazon ECR supports the Docker Registry V2 API specification.

Question 17

Will Amazon ECR automatically build images from a Dockerfile?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 17

No. However, Amazon ECR integrates with a number of popular CI/CD solutions to provide this capability. See the Amazon ECR Partners Page for more information.

Question 18

Does Amazon ECR support federated access?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 18

Yes. Amazon ECR is integrated with AWS Identity and Access Management, which supports identity federation for delegated access to the AWS Management Console or AWS APIs.

Question 19

What version of the Docker Image Manifest specification does Amazon ECR support?

Using Amazon Elastic Container Registry

Amazon Elastic Container Registry | Compute

Answer 19

Amazon ECR supports the Docker Image Manifest V2, Schema 2 format. In order to maintain backwards compatibility with Schema 1 images, Amazon ECR will continue to accept images uploaded in the Schema 1 format. Additionally, Amazon ECR can down-translate from a Schema 2 to a Schema 1 image when pulling with an older version of Docker Engine (1.9 and below).

Question 20

Does Amazon ECR support the Open Container Initiative (OCI) format?

Security

Amazon Elastic Container Registry | Compute

Answer 20

Yes. Amazon ECR is compatible with the Open Container Initiative (OCI) image specification letting you push and pull OCI images. Amazon ECR can also translate between Docker Image Manifest V2, Schema 2 images and OCI images on pull.

Question 21

How does Amazon ECR help ensure that container images are secure?

Security

Amazon Elastic Container Registry | Compute

Answer 21

Amazon ECR automatically encrypts images at rest using S3 server side encryption and transfers your container images over HTTPS. You can configure policies to manage permissions and control access to your images using AWS Identity and Access Management (IAM) users and roles without having to manage credentials directly on your EC2 instances.

Question 22

How can I use AWS Identity and Access Management for permissions?

Security

Amazon Elastic Container Registry | Compute

Answer 22

You can use IAM resource-based policies to control and monitor who and what (e.g., EC2 instances) can access your container images as well as how, when, and where they can access them. To get started, use the Management Console to create resource-based policies for your repositories. Alternatively, you can use sample policies and attach them to your repositories via the Amazon ECR CLI.