HAQM Elastic Container Registry FAQs

HAQM ECR is a fully managed container registry that makes it easy for developers to share and deploy container images and artifacts. HAQM ECR is integrated with HAQM Elastic Container Service (HAQM ECS),  HAQM Elastic Kubernetes Service (HAQM EKS), and AWS Lambda, simplifying your development to production workflow. HAQM ECR eliminates the need to operate your own container repositories or worry about scaling the underlying infrastructure. HAQM ECR hosts your images in a highly available and scalable architecture, allowing you to deploy containers for your applications reliably. Integration with AWS Identity and Access Management (IAM) provides resource-level control of each repository that lets you share images across your organization or with anyone in the world.

HAQM ECR eliminates the need to operate and scale the infrastructure required to power your container registry. HAQM ECR uses HAQM Simple Storage Service (S3) for storage to make your container images highly available and accessible, allowing you to deploy new containers for your applications reliably. HAQM ECR transfers your container images over HTTPS and automatically encrypts your images at rest. You can configure policies to manage permissions for each repository and restrict access to IAM users, roles, or other AWS accounts. HAQM ECR integrates with HAQM ECS, HAQM EKS, AWS Fargate, AWS Lambda, and the Docker CLI, allowing you to simplify your development and production workflows. You can easily push your container images to HAQM ECR using the Docker CLI from your development machine, and HAQM container orchestrators or compute can pull them directly for production deployments.

With HAQM ECR, there are no upfront fees or commitments. You pay only for the amount of data you store in your public or private repositories, and data transferred to the internet. Please see our Pricing page for more details.

HAQM ECR is a Regional service and is designed to give you flexibility in how images are deployed. You have the ability to push/pull images to the same AWS Region where your Docker cluster runs for the best performance. You can also access HAQM ECR anywhere that Docker runs, such as desktops and on-premises environments. Pulling images between Regions or out to the internet will have additional latency and data transfer costs.

Yes. HAQM ECR has a highly available container registry and website that makes it easy for you to share or search for public container software. Anyone with or without an AWS account can use the HAQM ECR public gallery to search for and download commonly used container images such as operating systems, AWS published images, and files, such as Helm charts, for Kubernetes.

A private repository does not offer content search capabilities and requires HAQM IAM-based authentication using AWS account credentials before allowing images to be pulled. A public repository has descriptive content and allows anyone anywhere to pull images without needing an AWS account or using IAM credentials. Public repository images are also available in the HAQM ECR public gallery.
 

You can use AWS CloudTrail on HAQM ECR to provide a history of all API actions such as who pulled an image and when tags were moved between images. Administrators can also find which EC2 instances pulled which images.

The best way to get started with HAQM ECR is to use the Docker CLI to push and pull your first image. Visit our Getting Started page for more information.

Yes. You can set up AWS PrivateLink endpoints to allow your instances to pull images from your private repositories without traversing through the public internet.

HAQM ECR provides a command line interface and APIs to create, monitor, and delete repositories and set repository permissions. You can perform the same actions in the HAQM ECR console, which can be accessed via the “Repositories” section of the HAQM ECR console. HAQM ECR also integrates with the Docker CLI, allowing you to push, pull, and tag images on your development machine.

You publish an image to the HAQM ECR public gallery by signing into your AWS account and pushing to a public repository you create. You are assigned a unique alias per account to use in image URLs that identifies all public images that you publish.

Yes. You can request a custom alias such as your organization or project name, unless it’s a reserved alias. Names that identify AWS services are reserved. Names that identify AWS Marketplace sellers may also be reserved. We will review and approve your custom alias request within a few days unless your alias request violates the AWS Acceptable Use Policy or other AWS policies.

You pull using the familiar ‘docker pull’ command with the URL of the image. You can easily search for this URL by finding images using a publisher alias, image name, or image description using the HAQM ECR public gallery. Image URLs are in the format public.ecr.aws/<alias>/<image>:<tag>, for example public.ecr.aws/eks/aws-alb-ingress-controller:v1.1.5

Yes. HAQM ECR is designed to give you flexibility in where you store and how you deploy your images. You can create deployment pipelines that build images, push them to HAQM ECR in one Region, and HAQM ECR can automatically replicate them to other Regions and accounts for deployment to multi-Region clusters.

Yes. You can access HAQM ECR anywhere that Docker runs such as desktops and on-premises environments.

Yes. Services such as HAQM EKS, HAQM SageMaker and AWS Lambda publish their official public use container images and artifacts to HAQM ECR.  

Yes. HAQM ECR is integrated with HAQM ECS, allowing you to easily store, run, and manage container images for applications running on HAQM ECS. All you need to do is specify the HAQM ECR repository in your task definition and HAQM ECS will retrieve the appropriate images for your applications.

Yes. AWS Elastic Beanstalk supports HAQM ECR for both single and multi-container Docker environments, allowing you to easily deploy container images stored in HAQM ECR with AWS Elastic Beanstalk. All you need to do is specify the HAQM ECR repository in your Dockerrun.aws.json configuration and attach the HAQMEC2ContainerRegistryReadOnly policy to your container instance role.

HAQM ECR currently supports Docker Engine 1.7.0 and up.

HAQM ECR supports the Docker Registry V2 API specification.

No. However, HAQM ECR integrates with a number of popular CI/CD solutions to provide this capability. See the HAQM ECR Partners page for more information.

Yes. HAQM ECR is integrated with AWS Identity and Access Management (IAM), which supports identity federation for delegated access to the AWS Management Console or AWS APIs.

HAQM ECR supports the Docker Image Manifest V2, Schema 2 format. In order to maintain backwards compatibility with Schema 1 images, HAQM ECR will continue to accept images uploaded in the Schema 1 format. Additionally, HAQM ECR can down-translate from a Schema 2 to a Schema 1 image when pulling with an older version of Docker Engine (1.9 and below).

Yes. HAQM ECR is compatible with the Open Container Initiative (OCI) image specification, letting you push and pull OCI images and artifacts. HAQM ECR can also translate between Docker Image Manifest V2, Schema 2 images and OCI images on pull.

HAQM ECR automatically encrypts images at rest using HAQM S3 server-side encryption or AWS KMS encryption and transfers your container images over HTTPS. You can configure policies to manage permissions and control access to your images using AWS Identity and Access Management (IAM) users and roles without having to manage credentials directly on your EC2 instances.

You can use IAM resource-based policies to control and monitor who and what (e.g., EC2 instances) can access your container images, as well as how, when, and where they can access them. To get started, use the AWS Management Console to create resource-based policies for your repositories. Alternatively, you can use sample policies and attach them to your repositories via the HAQM ECR CLI.

Yes. Here is an example of how to create and set a policy for cross-account image sharing.

You can enable HAQM ECR to automatically scan your container images for a broad range of operating system vulnerabilities. You can also scan images using an API command, and HAQM ECR will notify you over API and in the console when a scan completes. For enhanced image scanning, you can turn on HAQM Inspector.