Configuring KMS encryption at rest on ECR repositories with ECR replication
Introduction
In this blog post, you’ll learn how to configure AWS Key Management Service (AWS KMS) encryption at rest on HAQM Elastic Container Registry (HAQM ECR) repositories that use image replication. By default, repository settings aren’t replicated, and with the information in this article, we’ll empower your organization to put security first while using the AWS tools and services that your teams are familiar with.
Customers in environments that are sensitive to compliance and regulatory concerns often want to enable encryption whenever possible. Enterprises want to secure their data footprints in transit and at rest, and container images are no exception to this posture.
With AWS KMS and HAQM ECR image replication, we can transfer the images across AWS Regions or AWS accounts, giving your business high availability while protecting your data in transit within the cloud.
Architecture
The following diagram shows our solution for cross-Region replication:
The following diagram shows our solution for cross-Region and cross-account replication:
Walkthrough
| | |
|---|---|
| Time to read | 5 mins |
| Time to complete | 10 mins |
| Cost to complete | ~$5 per month (for two Regions), AWS Calculator Estimate |
| Learning level | Intermediate (200) |
| Services used | HAQM Elastic Container Registry (ECR) and AWS Key Management Service (KMS) |
HAQM ECR with AWS KMS encryption cross-Region replication
Following is an example of creating replication between two HAQM ECR repositories in two different Regions with AWS KMS encryption enabled. The order of the steps matters; do not run them out of order.
To create an AWS KMS key in the primary Region
- Open the AWS KMS console in the desired primary Region (for example, N. Virginia).
- Choose Create Key.
- Select Symmetric key type.
- Select Encrypt and decrypt key usage.
- Choose Next.
- Enter an Alias for your AWS KMS key (for example, “ECR KMS Key”).
- Choose Next.
- In the Define key administrative permissions field, choose an IAM user or role.
- Choose Next.
- In the Define key usage permission field, choose an IAM user and/or role.
- Make sure your IAM user or role is also selected. This will be required for HAQM ECR to encrypt and decrypt the container image.
- Choose Next.
- Choose Finish.
To create an HAQM ECR repository in the primary Region
- Open the HAQM ECR console in the desired primary Region (for example, N. Virginia)
- Choose Get Started.
- Choose Private as visibility settings.
- Enter your Repository Name (for example, myrepo).
- In the Encryption Settings section, do the following:
- Enable encryption.
- Choose Customize encryption settings (advanced).
- Choose the key we just created in the steps above.
- Choose Create repository.
At this point, you have an HAQM ECR repository created with AWS KMS encryption enabled. Before enabling HAQM ECR replication, let’s create the HAQM ECR repository in the secondary Region.
To create an AWS KMS key in the secondary Region
- Open the AWS KMS console in the desired secondary Region (for example, Oregon).
- Choose Create Key.
- Select Symmetric key type.
- Select Encrypt and decrypt key usage.
- Choose Next.
- Enter an Alias for your AWS KMS key (for example, “ECR KMS Key”).
- Choose Next.
- In the Define key administrative permissions field, choose an IAM user or role.
- Choose Next.
- In the Define key usage permission field, choose an IAM user or role.
- Make sure your IAM user or role is also selected. This will be required for HAQM ECR to encrypt and decrypt the container image.
- Choose Next.
- Choose Finish.
To create an HAQM ECR repository in the secondary Region
- Open the HAQM ECR console in the desired secondary Region (for example, Oregon).
- Choose Get Started.
- Choose Private for the visibility settings.
- Enter your Repository Name (for example, myrepo).
- It’s very important that you give the same repository name as in your primary Region. If repository names between primary and replicated Regions do not match, replication will fail.
- In the Encryption settings section, do the following:
- Enable encryption.
- Choose Customize encryption settings (advanced).
- Choose the key we just created in the previous steps.
- Choose Create repository.
If you would like to replicate the HAQM ECR repositories to other Regions, repeat the steps for the secondary Region on the desired Region.
Finally, let’s enable the HAQM ECR replication configuration.
To enable HAQM ECR replication
- Open the HAQM ECR console in the primary Region (for example, N. Virginia).
- In the navigation pane, choose Private registry, then choose Replication configuration and choose Edit.
- Choose Add rule.
- Choose Cross-region replication for replications between Regions.
- Choose Next.
- Choose the Destination Region(s) in which you created your secondary HAQM ECR repository (for example, Oregon).
- Choose Next.
- In the Repository filters, do the following:
- Enter the repository name (for example, myrepo). It needs to match exactly with the repository name you created.
- Choose Add.
- Choose Next.
- Choose Submit rule.
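The following CloudFormation template is an added example (not one of the templates from the GitHub repository mentioned later in this post) that builds the primary-Region half of the walkthrough above in the order the post requires: the symmetric KMS key, the repository encrypted with it, and the replication rule. It assumes the secondary Region is us-west-2 (Oregon), that the matching myrepo repository and its own key already exist there, and that KeyUserArn is the IAM principal you granted key usage in the console steps; the key policy statements are my assumption.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  RepositoryName:
    Type: String
    Default: myrepo            # must be identical to the repository name in the secondary Region
  KeyUserArn:
    Type: String               # IAM user or role that pushes/pulls images (the "key usage" step)
Resources:
  EcrKmsKey:
    Type: AWS::KMS::Key
    Properties:
      Description: ECR KMS Key
      KeySpec: SYMMETRIC_DEFAULT        # "Symmetric" key type
      KeyUsage: ENCRYPT_DECRYPT         # "Encrypt and decrypt" key usage
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: KeyAdministrators      # assumed: the account root administers the key
            Effect: Allow
            Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" }
            Action: "kms:*"
            Resource: "*"
          - Sid: KeyUsers               # principal on whose behalf ECR encrypts and decrypts image layers
            Effect: Allow
            Principal: { AWS: !Ref KeyUserArn }
            Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                     "kms:DescribeKey", "kms:CreateGrant", "kms:RetireGrant"]
            Resource: "*"
  Repository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref RepositoryName
      EncryptionConfiguration:
        EncryptionType: KMS             # "Customize encryption settings (advanced)"
        KmsKey: !GetAtt EcrKmsKey.Arn
  ReplicationRule:
    Type: AWS::ECR::ReplicationConfiguration
    DependsOn: Repository               # the rule is created only after the encrypted source repository exists
    Properties:
      ReplicationConfiguration:
        Rules:
          - Destinations:
              - Region: us-west-2       # Oregon, the secondary Region used in the walkthrough
                RegistryId: !Ref AWS::AccountId   # same account; a cross-account rule uses the destination account id
            RepositoryFilters:
              - Filter: !Ref RepositoryName       # must match the secondary repository name exactly
                FilterType: PREFIX_MATCH
```

Deploy the secondary-Region stack (key and repository only) before this one; a registry holds a single replication configuration per Region, so this resource replaces any rule already set there.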
(Optional) HAQM ECR with AWS KMS encryption cross-account replication
(Optional) If you would like to enable cross-account replication, follow all the steps above, but create the secondary/destination Region’s AWS KMS key and HAQM ECR repository in the other AWS account. HAQM ECR replication still carries out the cross-Region copy; additionally, you will need to create a cross-account HAQM ECR replication rule in the source registry and a replication permission in the destination account, as described next.
(Optional) To enable a cross-account replication rule
- Open the HAQM ECR console in the primary Region (for example, N. Virginia).
- In the navigation pane, choose Private Registry, then choose Replication.
- Choose Add rule.
- Choose Cross-account replication for replications between accounts.
- Choose Next.
- Choose the destination account in which you created your secondary HAQM ECR repository.
- Choose the destination Regions that you would like HAQM ECR to replicate to the secondary AWS account.
- Choose Next.
- In the Repository filters, do the following:
- Enter the repository name (for example, myrepo). It needs to match exactly with the repository name you created.
- Choose Add.
- Choose Next.
- Choose Submit rule.
(Optional) To enable cross-account replication permission
- Open the HAQM ECR console in the secondary Region (for example, Oregon) in the other AWS account.
- In the navigation pane, choose Private Registry, then choose Permission.
- For Policy type, choose Cross account replication policy.
- Enter a Statement id (for example, “replication cross-account policy”).
- In the Accounts section, enter the AWS account number where the primary HAQM ECR repository resides.
- Choose Save statement.
- The console will autogenerate a JSON IAM policy similar to the following:
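As an added example of the permission described in the last step (written as a CloudFormation template rather than copied from the console, whose generated policy this post does not reproduce), the following template attaches a registry policy in the destination account and Region that allows only the source account to replicate into it. SourceAccountId is a parameter you supply; the statement id and the resource scope are my choices.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SourceAccountId:
    Type: String               # account that owns the primary repository and the replication rule
Resources:
  CrossAccountReplicationPermission:
    Type: AWS::ECR::RegistryPolicy    # one registry policy per account and Region
    Properties:
      PolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: ReplicationCrossAccountPolicy
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${SourceAccountId}:root"   # only the source account, never "*"
            Action:
              - ecr:CreateRepository   # lets replication create the repository if it does not exist yet
              - ecr:ReplicateImage     # lets the source registry write replicated images
            # narrow this to repository/myrepo to limit replication to the pre-created, KMS-encrypted repository
            Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
```

Because the destination repository was created ahead of time with its own KMS key, replicated images land in an encrypted repository even though ecr:CreateRepository is granted; a repository that replication creates on its own would use the default encryption settings instead.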
Finally, you should be able to push an image into the HAQM ECR repository in your primary account, and the image will automatically be replicated to the repository in your secondary account.
CloudFormation automation
The same solution can be achieved by deploying CloudFormation infrastructure-as-code (IaC) templates. These templates, with instructions, can be found in our GitHub repository.
The repository contains two solutions:
- Cross-Region replication (same account)
- Cross-Region and Cross-account replication
Conclusion
In summary, we’ve described how you can enable encryption in transit for container images stored in HAQM ECR by using AWS KMS keys for image transfer between Regions or accounts.
We’ve reviewed the components involved and how they function together to transfer the container image securely. Furthermore, we have automated the functionality described, allowing you to quickly enable the services in your own Regions and accounts.
If you have feedback about this post, please submit it in the comments section below. If you have questions about this post, please start a new thread on the Containers | AWS re:Post forum.