Containers

Amazon ECR Container Image Management - Lifecycle Policies and Image Scanning

Learn how to automatically clean up old images with private repository lifecycle policies and detect vulnerabilities with image scanning.

約 2 分で読めます

ECR Basics and Repository Management

ECR is a managed registry for Docker container images and OCI artifacts, supporting layers up to 42 GB per image. It provides both private repositories and public repositories (ECR Public). Private repositories use IAM policies for access control, allowing configurations where only specific IAM roles can push and pull images. Images are encrypted at rest with AES-256, and KMS customer managed keys are also available. Enabling image tag immutability prevents overwriting an image with the same tag, ensuring deployment reproducibility.

Lifecycle Policies and Cost Management

Lifecycle policies are rules that automatically clean up images within a repository. You can define rules for tagged image retention count (e.g., keep the latest 10), untagged image retention period (e.g., delete after 7 days), and rules based on specific tag prefixes. In environments where CI/CD pipelines frequently push images, storage costs grow indefinitely without lifecycle policies. A recommended approach is to retain 30 generations of production images (prod-*) while keeping only 5 generations of development images (dev-*).

Image Scanning and Replication

Basic scanning detects OS package vulnerabilities using the Clair engine at push time. Enhanced scanning integrates with Inspector to detect vulnerabilities in programming language packages (npm, pip, Maven) in addition to OS packages. Enhanced scanning runs continuously, and existing images are re-scanned when new CVEs are published. Cross-region replication automatically copies images to specified regions, reducing image pull times for multi-region ECS/EKS deployments. Cross-account replication is also available, enabling architectures where images are distributed from a central repository to workload accounts. To broaden your knowledge of container technologies, specialized books on Amazon can also be helpful.

Summary

ECR is a managed registry that handles the entire container image lifecycle. Lifecycle policies automatically optimize storage costs, and image scanning continuously detects vulnerabilities. Cross-region replication and cross-account sharing streamline container image distribution across multi-region, multi-account environments.

Related Services

Amazon ECRA fully managed registry for securely storing, managing, and distributing Docker container imagesAmazon ECSA container orchestration service for easily running and managing containerized applicationsAmazon InspectorA service that automatically scans EC2 instances, container images, and Lambda functions for vulnerabilities

Related Articles

Serverless Container Operations with AWS Fargate - Usage Patterns for ECS and EKSRun serverless containers without managing instances. Learn how to choose between ECS and EKS, and optimize costs through task sizing.Automated Vulnerability Scanning with Amazon Inspector - Continuous Security Assessment for EC2, Lambda, and ECRAutomatically scan EC2 instances, ECR container images, and Lambda functions for vulnerabilities and prioritize them with CVE-based risk scores. Learn how to achieve agentless scanning through Systems Manager integration.Container Orchestration with Amazon ECS - Task Definition and Service DesignA comprehensive guide covering task definition design, service deployment strategies, choosing between Fargate and EC2, and Auto Scaling configuration patterns.

More on This Topic

Simplifying Container Deployment - Zero-Configuration Deployment with AWS App RunnerLearn how to deploy containerized web applications with AWS App Runner. This guide covers the differences from ECS/Fargate, auto scaling, VPC integration, and CI/CD pipeline connectivity.The Fastest Container Deployment with AWS App Runner - From Source Code to Production in MinutesJust specify source code or a container image to get an HTTPS endpoint up and running. Learn the differences from ECS/Fargate and how to connect to private resources using VPC connectors.Instantly Deploy Container Web Apps with AWS App Runner - Automatic Builds from Source Code and HTTPS PublishingLearn about deploying container applications with App Runner, auto scaling, and custom domain configuration.Container-Optimized OS - Strengthening Container Host Security and Operations with BottlerocketLearn how to optimize container hosts with AWS Bottlerocket. Covers the minimal OS design, automatic updates, immutable infrastructure, and integration with ECS/EKS.Container Orchestration with Amazon ECS - Task Definition and Service DesignA comprehensive guide covering task definition design, service deployment strategies, choosing between Fargate and EC2, and Auto Scaling configuration patterns.Breaking Down ECS on Fargate Cost Structure - Practical Combinations of Spot, ARM, and ScalingBreak down ECS on Fargate pricing across CPU, memory, and storage, and learn practical cost optimization techniques combining Fargate Spot, Graviton (ARM), and Service Auto Scaling.Container Orchestration - Optimizing Kubernetes Operations with Amazon EKSLearn about managed Kubernetes operations with Amazon EKS.Serverless Container Operations with AWS Fargate - Usage Patterns for ECS and EKSRun serverless containers without managing instances. Learn how to choose between ECS and EKS, and optimize costs through task sizing.

Similar Articles and Services

Amazon ECRA fully managed container registry for securely storing, managing, and deploying Docker container imagesAutomated Vulnerability Scanning with Amazon Inspector - Continuous Security Assessment for EC2, Lambda, and ECRAutomatically scan EC2 instances, ECR container images, and Lambda functions for vulnerabilities and prioritize them with CVE-based risk scores. Learn how to achieve agentless scanning through Systems Manager integration.Amazon InspectorA security assessment service that automatically and continuously scans EC2 instances, Lambda functions, and container images for vulnerabilities