Amazon ECR

A fully managed container registry for securely storing, managing, and deploying Docker container images

Overview

Amazon Elastic Container Registry (ECR) is a fully managed registry for storing and managing Docker container images and OCI artifacts. It integrates natively with AWS container services like ECS, EKS, and Lambda, and supports image push/pull through VPC endpoints without traversing the internet. Features include vulnerability scanning (Amazon Inspector integration), image signing for tamper detection, and lifecycle policies for automatic cleanup of old images.

The Roles of Private and Public Registries

ECR offers two types of registries. Private registries control access via IAM policies and are used for securely managing internal application images. Repository policies can grant cross-account pull access, enabling a shared base image distribution model in multi-account environments. The public registry (ECR Public Gallery) is for distributing open-source project and public tool images, serving as an alternative to Docker Hub. Private registry storage costs $0.10 per GB per month, and data transfer for pulls to AWS services within the same region is free. Unlike Azure Container Registry, which follows a SKU-based pricing model with fixed monthly fees, ECR uses pure pay-per-use billing, making it more cost-efficient for small-scale usage.
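The cross-account pull grant described above is expressed as a repository policy document. The following is an added example (not code from the page or from AWS): it builds a pull-only policy for a list of consumer accounts and audits any policy for grants that go beyond pulling. The account IDs are constructed placeholders; the `ecr:` action names are the real ECR API actions.

```python
"""Build and audit an ECR repository policy that grants pull-only, cross-account access.

Added example, not code from the page or from AWS. Account IDs are constructed
placeholders; the IAM action names are real ECR API actions.
"""
import fnmatch
import json

# Minimum ECR actions a consumer needs to pull an image.
PULL_ACTIONS = [
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
]

# Actions that change repository contents or its policy; a pull-only grant must never include them.
WRITE_ACTIONS = [
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:BatchDeleteImage",
    "ecr:DeleteRepository",
    "ecr:SetRepositoryPolicy",
    "ecr:DeleteRepositoryPolicy",
    "ecr:PutLifecyclePolicy",
]


def build_cross_account_pull_policy(consumer_account_ids):
    """Return a repository policy document allowing the listed accounts to pull only."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in consumer_account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountPull",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": PULL_ACTIONS,
            }
        ],
    }


def audit_pull_policy(policy):
    """Return a list of problems that make a policy broader than pull-only."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append(f"{sid}: principal is '*' (any AWS account can use this statement)")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            pattern = action.lower()
            if pattern in ("*", "ecr:*"):
                problems.append(f"{sid}: wildcard action {action}")
                continue
            # IAM action names are case-insensitive and may contain '*' wildcards.
            for write in WRITE_ACTIONS:
                if fnmatch.fnmatchcase(write.lower(), pattern):
                    problems.append(f"{sid}: grants write action {write} via {action}")
    return problems


if __name__ == "__main__":
    policy = build_cross_account_pull_policy(["111111111111", "222222222222"])  # constructed IDs
    print(json.dumps(policy, indent=2))
    print("audit:", audit_pull_policy(policy) or "pull-only, OK")
```

The generated document can be applied with `aws ecr set-repository-policy --repository-name <repo> --policy-text file://policy.json`. Granting the consumer account's root principal only makes the grant possible; the consumer still needs its own IAM permissions for the pull actions, and the audit function is a quick way to catch a policy that drifted from pull-only into write or wildcard grants.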

Storage Management with Lifecycle Policies

The most important operational task in ECR is configuring lifecycle policies. In environments where CI/CD pipelines push images frequently, untagged and outdated images accumulate and inflate storage costs. Lifecycle policies with rules such as 'delete untagged images after 1 day' and 'retain only the latest 10 tagged images' automate cleanup. Priority-based rule ordering lets you combine multiple criteria, for example keeping the latest 5 production-tagged images while aggressively pruning development builds. Unlike Azure Container Registry, which offers a built-in build feature (ACR Tasks), ECR has no in-registry build capability and relies on external CI/CD services such as CodeBuild or GitHub Actions, keeping the registry focused purely on storage and distribution. Container technology books on Amazon cover the fundamentals.
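To make the priority-ordered rules concrete, here is an added example (not code from the page or from AWS) that builds a three-rule lifecycle policy in the ECR JSON schema and simulates which images it would expire. The simulator is a simplified model of the documented evaluation order (lowest rulePriority first; an image selected by an earlier rule cannot be expired by a later one); the image list and reference time are constructed sample data, and `aws ecr start-lifecycle-policy-preview` remains the authoritative check.

```python
"""Build an ECR lifecycle policy and simulate which images it would expire.

Added example, not the page's or AWS's code. The policy document follows the ECR
lifecycle policy JSON schema. The simulator models the evaluation rules as the
author understands them (lowest rulePriority first; an image selected by an
earlier rule is not expired by a later one) and the images are constructed data.
"""
from datetime import datetime, timedelta, timezone


def build_lifecycle_policy():
    """Three rules: prune untagged after 1 day, keep last 2 prod images, prune dev after 2 days."""
    return {
        "rules": [
            {
                "rulePriority": 1,
                "description": "Expire untagged images older than 1 day",
                "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                              "countUnit": "days", "countNumber": 1},
                "action": {"type": "expire"},
            },
            {
                "rulePriority": 2,
                "description": "Keep only the 2 most recent prod-* images",
                "selection": {"tagStatus": "tagged", "tagPrefixList": ["prod"],
                              "countType": "imageCountMoreThan", "countNumber": 2},
                "action": {"type": "expire"},
            },
            {
                "rulePriority": 3,
                "description": "Expire dev-* images older than 2 days",
                "selection": {"tagStatus": "tagged", "tagPrefixList": ["dev"],
                              "countType": "sinceImagePushed", "countUnit": "days", "countNumber": 2},
                "action": {"type": "expire"},
            },
        ]
    }


def _selects(selection, image):
    """Does this rule's tag selection apply to the image?"""
    status = selection["tagStatus"]
    if status == "untagged":
        return not image["tags"]
    if status == "any":
        return True
    if not image["tags"]:
        return False
    prefixes = selection.get("tagPrefixList")
    return not prefixes or any(t.startswith(p) for t in image["tags"] for p in prefixes)


def evaluate_lifecycle_policy(policy, images, now):
    """Return the set of digests the policy would expire. Images are dicts with
    'digest', 'tags' and 'pushed_at' (timezone-aware datetime)."""
    expired, already_selected = set(), set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        matched = sorted((i for i in images if _selects(sel, i)),
                         key=lambda i: i["pushed_at"], reverse=True)  # newest first
        if sel["countType"] == "imageCountMoreThan":
            over = matched[sel["countNumber"]:]                  # everything beyond the newest N
        elif sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])    # ECR only supports days
            over = [i for i in matched if i["pushed_at"] < cutoff]
        else:
            raise ValueError(f"unknown countType {sel['countType']}")
        expired.update(i["digest"] for i in over if i["digest"] not in already_selected)
        already_selected.update(i["digest"] for i in matched)
    return expired


NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed reference time


def sample_images():
    """Constructed repository contents: digests and tags are placeholders."""
    def img(name, tags, age):
        return {"digest": f"sha256:{name}", "tags": tags, "pushed_at": NOW - age}
    return [
        img("i1", ["prod-1.0"], timedelta(days=30)),
        img("i2", ["prod-1.1"], timedelta(days=20)),
        img("i3", ["prod-1.2"], timedelta(days=10)),
        img("i4", [], timedelta(days=2)),
        img("i5", [], timedelta(hours=6)),
        img("i6", ["dev-42"], timedelta(days=3)),
        img("i7", ["dev-43"], timedelta(days=1)),
        img("i8", ["prod-1.3", "dev-44"], timedelta(days=5)),  # kept by rule 2, so rule 3 leaves it
    ]


def expired_digests():
    return evaluate_lifecycle_policy(build_lifecycle_policy(), sample_images(), NOW)


if __name__ == "__main__":
    for d in sorted(expired_digests()):
        print("would expire:", d)
```

Against the constructed repository, rule 1 expires the two-day-old untagged image but keeps the six-hour-old one, rule 2 keeps the two newest prod images and expires the older two, and rule 3 expires the stale dev image while leaving the image that carries both a prod and a dev tag, because a higher-priority rule already selected it. The policy itself is applied with `aws ecr put-lifecycle-policy --repository-name <repo> --lifecycle-policy-text file://policy.json`.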

Vulnerability Scanning and Multi-Account Operations

Enabling enhanced scanning (the Amazon Inspector integration) means images are rescanned when new CVEs are published, not only at push time, giving continuous vulnerability detection. Scan results are surfaced in the ECR console and can trigger EventBridge rules that block deployments of images with critical findings. Image signing with AWS Signer verifies image integrity and provenance before deployment, preventing tampered images from reaching production. In multi-account environments, the standard approach is a hub-and-spoke architecture that centralizes ECR repositories in a shared services account and grants pull access to workload accounts via repository policies. Replication settings can automatically copy images to repositories in other regions or accounts, ensuring low-latency pulls and disaster recovery readiness.
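The EventBridge-driven deployment gate mentioned above can be implemented as a small Lambda target. The following is an added example (not code from the page or from AWS): an event pattern for completed scans, a decision function that fails closed when a scan did not complete and blocks when finding counts exceed per-severity thresholds, and a handler that returns the decision for the pipeline to act on. The event field names (`scan-status`, `repository-name`, `image-digest`, `image-tags`, `finding-severity-counts`) follow the ECR scan event shape as the author understands it and should be checked against the events your registry emits; the sample events are constructed.

```python
"""Gate deployments on ECR scan results delivered through EventBridge.

Added example, not the page's or AWS's code. The event shape is the author's
understanding of the ECR scan completion event; sample events are constructed.
"""

# EventBridge rule pattern selecting completed basic scans (constructed; enhanced
# scanning emits Inspector-sourced events, so adjust source/detail-type for those).
SCAN_COMPLETE_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {"scan-status": ["COMPLETE"]},
}

# Maximum tolerated finding count per severity; anything above blocks the image.
DEFAULT_THRESHOLDS = {"CRITICAL": 0, "HIGH": 0}


def gate_image(detail, thresholds=DEFAULT_THRESHOLDS):
    """Decide whether an image may be deployed from one scan event's detail.

    Returns a dict with 'allow' (bool), 'reason' and the image identity. A scan that
    did not complete is treated as fail-closed: no result, no deployment.
    """
    image = {
        "repository": detail.get("repository-name"),
        "digest": detail.get("image-digest"),
        "tags": detail.get("image-tags", []),
    }
    status = detail.get("scan-status")
    if status != "COMPLETE":
        return {"allow": False, "reason": f"scan status {status!r}, failing closed", **image}
    counts = detail.get("finding-severity-counts", {})
    violations = [
        f"{sev}={counts.get(sev, 0)} (max {limit})"
        for sev, limit in thresholds.items()
        if counts.get(sev, 0) > limit
    ]
    if violations:
        return {"allow": False, "reason": "findings over threshold: " + ", ".join(violations), **image}
    return {"allow": True, "reason": "within thresholds", **image}


def lambda_handler(event, context=None):
    """Lambda entry point for the EventBridge target. The decision is returned so a
    pipeline step (or a follow-up action such as recording the digest) can act on it."""
    decision = gate_image(event.get("detail", {}))
    print(f"{decision['repository']}@{decision['digest']}: allow={decision['allow']} ({decision['reason']})")
    return decision


# Constructed sample events; repository names and digests are placeholders.
SAMPLE_CRITICAL = {
    "source": "aws.ecr", "detail-type": "ECR Image Scan",
    "detail": {"scan-status": "COMPLETE", "repository-name": "payments-api",
               "image-digest": "sha256:aaaa", "image-tags": ["1.4.2"],
               "finding-severity-counts": {"CRITICAL": 2, "MEDIUM": 7}},
}
SAMPLE_CLEAN = {
    "source": "aws.ecr", "detail-type": "ECR Image Scan",
    "detail": {"scan-status": "COMPLETE", "repository-name": "payments-api",
               "image-digest": "sha256:bbbb", "image-tags": ["1.4.3"],
               "finding-severity-counts": {"MEDIUM": 3, "LOW": 1}},
}
SAMPLE_FAILED = {
    "source": "aws.ecr", "detail-type": "ECR Image Scan",
    "detail": {"scan-status": "FAILED", "repository-name": "payments-api",
               "image-digest": "sha256:cccc", "image-tags": ["1.4.4"]},
}

if __name__ == "__main__":
    for sample in (SAMPLE_CRITICAL, SAMPLE_CLEAN, SAMPLE_FAILED):
        lambda_handler(sample)
```

The pattern only matches events whose `scan-status` is `COMPLETE`, so a failed scan never reaches the handler through that rule; the fail-closed branch in `gate_image` still matters when the same function is called from a pipeline that queries scan results directly, where an incomplete scan must not be mistaken for a clean one.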
