Amazon ECR (Popular, since 2015)
A fully managed registry for securely storing, managing, and distributing Docker container images
What It Does
Amazon ECR (Elastic Container Registry) is a fully managed container registry service for storing, managing, and deploying Docker container images. It provides image encryption, access control, and vulnerability scanning as standard features, and integrates seamlessly with AWS services like ECS, EKS, and Lambda. Built on a highly available and durable storage infrastructure, it handles image push and pull operations at high speed.
Use Cases
It is used for building and storing container images in CI/CD pipelines, managing images for ECS and EKS application deployments, multi-region image replication, container image vulnerability scanning and security management, and sharing and standardizing base images across teams - covering the full container image lifecycle.
Everyday Analogy
Think of it like a library's book storage. It organizes and stores books (container images) so they can be retrieved instantly when needed. The storage has locks (access control) so only authorized people can check books in and out. It also regularly checks the condition of books (vulnerabilities) and alerts you if any are damaged.
What Is ECR?
Amazon Elastic Container Registry (ECR) is a fully managed Docker container registry provided by AWS. Unlike public registries like Docker Hub, it specializes in private image management. Images are stored on Amazon S3, ensuring high durability and availability. Fine-grained access control integrated with IAM lets you strictly manage who can access which images.
Key Features
ECR's key features are security and operational automation. Stored images are protected with AWS KMS encryption. The image scanning feature automatically detects vulnerabilities in container images on push or on a schedule. Lifecycle policies can be configured to automatically delete old or unused images, optimizing storage costs. Cross-region replication automatically copies images to multiple regions, speeding up global deployments.
Private and Public Registries
ECR offers two types of registries: private and public. Private registries are accessible only to IAM-authenticated users, suitable for managing enterprise application images. Public registries (ECR Public) allow anyone to pull images, useful for distributing open-source projects and shared libraries. The ECR Public Gallery lets you search and use official AWS images and community-published images.
Pricing
ECR pricing is based on the amount of stored image data and data transfer. For private registries, storage costs $0.10 per GB per month. Image pulls to ECS or EKS within the same region are free, while cross-region transfers incur data transfer charges. For public registries, anonymous users get 500 GB of free data transfer per month, and AWS-authenticated users get unlimited free transfers. Using lifecycle policies to auto-delete unnecessary images effectively controls storage costs.
Getting Started
To get started with ECR, create a repository using the AWS Management Console or AWS CLI. A repository is a logical unit for storing images, typically created per application. After building a Docker image locally, obtain an authentication token with the aws ecr get-login-password command and push the image with docker push. Specify the ECR image URI in your ECS task definitions or EKS Pod definitions, and images are automatically pulled during deployment.
Things to Watch Out For
- Without lifecycle policies, old images accumulate and increase storage costs. Always configure auto-deletion rules for unnecessary images.
- Enable image scanning and establish operational rules to prevent deploying images with detected vulnerabilities to production.
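One way to turn the scanning rule above into a pipeline gate, as an added example that is not part of the original page or AWS's own code. It reads the JSON returned by `aws ecr describe-image-scan-findings` and assumes basic scanning, where a finished scan reports status `COMPLETE`; the blocking severities, the function name, and the sample repository and tag are assumptions.

```python
import json
import sys

# Severities that block a production deploy (assumed policy, adjust to your own).
BLOCKING = ("CRITICAL", "HIGH")

# Constructed sample of describe-image-scan-findings output, trimmed to the
# fields the gate reads. Repository name and tag are made up.
SAMPLE_SCAN = json.dumps({
    "repositoryName": "example-app",
    "imageId": {"imageTag": "1.4.2"},
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"HIGH": 2, "MEDIUM": 5}},
})


def deploy_allowed(scan_json, blocking=BLOCKING):
    """Return (allowed, reason) for one image's scan result.

    Fails closed: a missing, unfinished or failed scan blocks the deploy,
    because "no findings reported" is not the same as "scanned and clean".
    """
    try:
        doc = json.loads(scan_json)
    except (TypeError, ValueError):
        return False, "scan result is not valid JSON"
    if not isinstance(doc, dict):
        return False, "scan result is not a JSON object"

    status = (doc.get("imageScanStatus") or {}).get("status")
    if status != "COMPLETE":
        return False, f"scan status is {status!r}, not COMPLETE"

    findings = doc.get("imageScanFindings") or {}
    counts = findings.get("findingSeverityCounts") or {}
    hits = {sev: counts[sev] for sev in blocking if counts.get(sev, 0) > 0}
    if hits:
        detail = ", ".join(f"{n} {sev}" for sev, n in hits.items())
        return False, f"blocking findings: {detail}"
    return True, "scan complete, no blocking findings"


if __name__ == "__main__":
    # Pipe the CLI's JSON output in; a non-zero exit stops the pipeline stage.
    allowed, reason = deploy_allowed(sys.stdin.read())
    print(reason)
    sys.exit(0 if allowed else 1)
```

Run it as a pipeline step before the ECS or EKS deploy stage, feeding it the output of `aws ecr describe-image-scan-findings --repository-name <repo> --image-id imageTag=<tag>`.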