Introduction:
You can store, manage, and deploy container images (Docker or OCI) for your applications with Amazon Elastic Container Registry (ECR), a fully managed container image registry service from AWS. Because it integrates closely with AWS compute services such as Amazon ECS, Amazon EKS, and AWS Fargate, ECR fits naturally into container workflows, whether you are building microservices, CI/CD pipelines, or scalable cloud-native applications.
What is Amazon Elastic Container Registry?
Amazon Elastic Container Registry (Amazon ECR) is an **AWS managed container image registry service that is secure, scalable, and reliable.** Amazon ECR supports private repositories with resource-based permissions using AWS IAM, so that only the IAM principals you specify (users, roles, or Amazon EC2 instances with an instance profile) can access your container repositories and images. You can use your preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts.
Features of Amazon ECR:
1. Image scanning identifies software vulnerabilities in your container images. Each repository can be configured to scan on push, so every new image pushed to the repository is scanned and you can retrieve the results afterwards. For more information, see Scan images for software vulnerabilities in Amazon ECR.
2. Cross-Region and cross-account replication makes it easier for you to have your images where you need them. This is configured as a registry setting and is on a per-Region basis. For more information, see Private registry settings in Amazon ECR.
3. Pull through cache rules provide a way to cache images from an upstream registry (for example the Amazon ECR Public Gallery) in your private Amazon ECR registry, so your workloads pull from a registry you control and that your repository policies, scanning and lifecycle rules apply to. Using a pull through cache rule, Amazon ECR periodically reaches out to the upstream registry to ensure the cached image in your private registry is up to date. For more information, see Sync an upstream registry with an Amazon ECR private registry.
4. Repository creation templates allow you to define the settings for repositories created by Amazon ECR on your behalf during pull through cache, create on push, or replication actions. You can specify tag immutability, encryption configuration, repository policies, lifecycle policies, and resource tags for automatically created repositories. For more information, see Templates to control repositories created during a pull through cache, create on push, or replication action.
Amazon ECR Architecture:
1. Core Components
Registry: A registry is a logical collection of one or more repositories. Each AWS account gets one private registry per Region.
Repositories: A repository holds container images that can be versioned and tagged.
Images & Tags: Your application and its dependencies are bundled together in a container image; tags are human-readable labels that help with versioning. Tags are mutable unless you enable tag immutability on the repository, so a tag such as "latest" can point at a different image tomorrow; pin deployments to the image digest when you need that guarantee.
Storage: ECR keeps your image layers in Amazon S3, where they are highly available and durable.
2. How ECR Works (High-Level Flow):
Authentication: Your client (such as the Docker CLI) signs a request to the ECR GetAuthorizationToken API with its IAM credentials (long-term keys or temporary credentials from AWS STS) and receives a short-lived authorization token, valid for 12 hours, that it uses to log in to the registry.
Push: Images are pushed to an ECR repository using that token.
Store: ECR stores the image layers and manifests in Amazon S3.
Pull: During deployments, images are pulled from ECR by ECS, EKS, or other environments, which authenticate the same way.
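The authentication step above is where CI pipelines most often go wrong: the token is a 12-hour credential, and it should be fetched fresh rather than stored as a pipeline secret. The following Python is an added example, not code from the original post or from AWS. It decodes a GetAuthorizationToken response (the fixture is constructed; the password and account ID are placeholders), checks that the token still has enough lifetime left to finish a push, and derives the three values docker login needs. It assumes the response shape boto3 returns, with expiresAt already parsed as a datetime.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed fixture shaped like an ecr:GetAuthorizationToken response. The password
# and account ID are made-up placeholders (assumption); a real token is a long opaque string.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=12)          # the token's full 12-hour lifetime has elapsed
SAMPLE_RESPONSE = {
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:example-temporary-password").decode(),
        "expiresAt": NOW + timedelta(hours=12),
        "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
    }]
}


def decode_authorization_token(token: str) -> tuple:
    """Split the base64 'AWS:<password>' pair ECR returns; the username is always AWS."""
    user, sep, password = base64.b64decode(token).decode().partition(":")
    if sep != ":" or user != "AWS" or not password:
        raise ValueError("malformed ECR authorization token")
    return user, password


def registry_host(proxy_endpoint: str) -> str:
    """Strip the scheme: docker login wants the bare registry hostname."""
    prefix = "https://"
    if not proxy_endpoint.startswith(prefix):
        raise ValueError(f"unexpected proxyEndpoint: {proxy_endpoint}")
    return proxy_endpoint[len(prefix):]


def token_usable(response: dict, now: datetime,
                 min_remaining: timedelta = timedelta(minutes=15)) -> bool:
    """False when the token is expired or too close to expiry to finish a push."""
    return response["authorizationData"][0]["expiresAt"] - now >= min_remaining


def login_credentials(response: dict, now: datetime) -> tuple:
    """Return (registry_host, username, password) for docker login, failing closed on expiry."""
    if not token_usable(response, now):
        raise RuntimeError("ECR token expired or about to expire; call GetAuthorizationToken again")
    data = response["authorizationData"][0]
    user, password = decode_authorization_token(data["authorizationToken"])
    return registry_host(data["proxyEndpoint"]), user, password


if __name__ == "__main__":
    host, user, _ = login_credentials(SAMPLE_RESPONSE, NOW)
    # The password is piped on stdin so it never lands in shell history or process listings.
    print(f"docker login --username {user} --password-stdin {host}")
```

In a real pipeline the response comes from `boto3.client("ecr").get_authorization_token()`; everything after that call is what the block shows. The 15-minute margin is a deliberate choice: a token that is valid now but expires mid-upload produces a confusing partial-push failure, so treat a nearly expired token as unusable.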
3. Integration with AWS Ecosystem:
- Amazon ECS
- Amazon EKS
- AWS Fargate
- AWS Lambda
Security in Amazon ECR:
1.Access Control:
ECR uses AWS Identity and Access Management (IAM) to control access:
- Grant permissions at the repository level (push and pull actions) through IAM identity policies.
- Use resource-based repository policies for cross-account access; the principal in the other account still needs an identity policy of its own that allows the same actions.
- Use temporary security credentials via AWS STS (IAM roles, instance profiles, ECS task roles) rather than long-lived access keys.
One detail that trips people up: ecr:GetAuthorizationToken is a registry-level action that must be allowed on Resource "*"; it cannot be scoped to a single repository, so it belongs in the caller's identity policy, not in a repository policy.
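To make the split between identity and repository policies concrete, here is an added Python example (not from the original post or from AWS). It generates a pull-only repository policy for named trusted accounts, a least-privilege identity policy for a CI push role, and a small lint that flags the two mistakes most often seen in repository policies: an anonymous "*" principal, and write actions granted to principals outside the owning account. Account IDs and the repository name are placeholders (assumption).

```python
import json

# Actions a consumer needs to pull. GetAuthorizationToken is deliberately NOT here: it is
# registry-scoped and must be granted on Resource "*" in the caller's own identity policy.
PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
PUSH_ACTIONS = ["ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]

OWN_ACCOUNT = "111111111111"            # placeholder account IDs (constructed)
TRUSTED_ACCOUNT = "222222222222"
REPO_ARN = f"arn:aws:ecr:us-east-1:{OWN_ACCOUNT}:repository/payments-api"


def cross_account_pull_policy(account_ids: list) -> dict:
    """Repository (resource-based) policy: the named accounts may pull, nothing more."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPullFromTrustedAccounts",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
            "Action": PULL_ACTIONS,
        }],
    }


def ci_push_role_policy(repo_arn: str) -> dict:
    """Identity policy for a CI role: token at registry level, push/pull on one repository only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Token", "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Sid": "PushOneRepo", "Effect": "Allow", "Action": PULL_ACTIONS + PUSH_ACTIONS,
             "Resource": repo_arn},
        ],
    }


# A deliberately bad repository policy (constructed) that the lint below must reject:
# an anonymous principal plus a wildcard action makes the repository world-writable.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Open", "Effect": "Allow", "Principal": "*", "Action": "ecr:*"}],
}


def as_list(value) -> list:
    """IAM allows scalars or lists for Principal/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict, own_account: str) -> list:
    """Lint a repository policy: flag anonymous principals and write access leaving the account."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        principals = as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        anonymous = "*" in principals
        foreign = [p for p in principals if p != "*" and f":{own_account}:" not in p]
        actions = as_list(st.get("Action", []))
        # Any action wildcard is treated as potentially writing (conservative).
        writes = [a for a in actions if a in PUSH_ACTIONS or a.endswith("*")]
        if anonymous and "Condition" not in st:
            findings.append(f"{sid}: anonymous principal '*' without a Condition (public access)")
        if (anonymous or foreign) and writes:
            findings.append(f"{sid}: write actions {writes} granted outside account {own_account}")
    return findings


if __name__ == "__main__":
    print(json.dumps(cross_account_pull_policy([TRUSTED_ACCOUNT]), indent=2))
    print(json.dumps(ci_push_role_policy(REPO_ARN), indent=2))
    print(policy_findings(OVERLY_PERMISSIVE_POLICY, OWN_ACCOUNT))
```

The generated repository policy is what you would pass to `aws ecr set-repository-policy --policy-text`. The lint is intentionally strict: a Condition on an anonymous principal (for example restricting to a VPC endpoint) is common enough that it is not flagged, but any write action reaching a foreign principal is, because cross-account push is rarely intended and is exactly how a compromised partner account poisons your images.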
2.Encryption:
You transfer container images to and from Amazon ECR over HTTPS. Images are also automatically encrypted at rest using Amazon S3 server-side encryption (AES-256). If you need control over the key, you can choose a customer managed key in AWS Key Management Service (AWS KMS) to encrypt images at rest. Note that the encryption configuration is set when the repository is created and cannot be changed afterwards, so decide on KMS before the first push.
3.Vulnerability Scanning:
You can enable Amazon ECR to automatically scan your container images for a broad range of operating system package vulnerabilities (basic scanning). You can also start a scan with an API call, and Amazon ECR reports through the API and in the console when a scan completes. For enhanced scanning, which adds programming-language package vulnerabilities and continuous rescanning as new advisories are published, turn on Amazon Inspector. Scanning on its own only reports; gating deployments on the results is something your pipeline has to do.
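A deployment gate over scan results is the check a practitioner actually wants here. The Python below is an added example, not code from the original post or from AWS. It consumes a response shaped like DescribeImageScanFindings (the fixture is constructed; finding names, packages and the digest are placeholders and not real CVEs), fails closed unless the scan status is COMPLETE, blocks on HIGH, CRITICAL and UNDEFINED findings, and lets you carry an explicit accepted-risk list keyed by finding name so exceptions are recorded rather than silently ignored.

```python
from typing import Optional

# Constructed fixture shaped like an ecr:DescribeImageScanFindings response. Finding names,
# package names and the digest are placeholders, not real CVEs or real images (assumption).
SAMPLE_SCAN = {
    "imageId": {"imageDigest": "sha256:" + "0" * 64, "imageTag": "1.4.2"},
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 1},
        "findings": [
            {"name": "EXAMPLE-0001", "severity": "CRITICAL",
             "attributes": [{"key": "package_name", "value": "libexample"},
                            {"key": "package_version", "value": "1.0.0"}]},
            {"name": "EXAMPLE-0002", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "libexample"},
                            {"key": "package_version", "value": "1.0.0"}]},
            {"name": "EXAMPLE-0003", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "othertool"},
                            {"key": "package_version", "value": "2.3.4"}]},
            {"name": "EXAMPLE-0004", "severity": "MEDIUM",
             "attributes": [{"key": "package_name", "value": "othertool"},
                            {"key": "package_version", "value": "2.3.4"}]},
        ],
    },
}

# UNDEFINED is included on purpose: an unknown severity is not evidence of safety.
BLOCKING = {"HIGH", "CRITICAL", "UNDEFINED"}


def attribute(finding: dict, key: str) -> str:
    """Pull one key out of the finding's key/value attribute list."""
    return next((a["value"] for a in finding.get("attributes", []) if a["key"] == key), "?")


def blocking_finding_count(scan: dict) -> int:
    """Quick summary from findingSeverityCounts without walking every finding."""
    counts = scan.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    return sum(counts.get(s, 0) for s in BLOCKING)


def gate_image(scan: dict, accepted: Optional[dict] = None) -> tuple:
    """Fail closed: pass only on a COMPLETE scan whose blocking findings are all on the
    accepted-risk list (finding name -> ticket or justification). Returns (ok, reasons)."""
    accepted = accepted or {}
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, [f"scan status is {status!r}, not COMPLETE; refusing to deploy"]
    reasons = []
    for f in scan.get("imageScanFindings", {}).get("findings", []):
        if f["severity"] not in BLOCKING or f["name"] in accepted:
            continue
        reasons.append(f"{f['severity']} {f['name']} in "
                       f"{attribute(f, 'package_name')} {attribute(f, 'package_version')}")
    return not reasons, reasons


if __name__ == "__main__":
    ok, reasons = gate_image(SAMPLE_SCAN, accepted={"EXAMPLE-0004": "RISK-42: not reachable"})
    print("deploy" if ok else "blocked:", *reasons, sep="\n  ")
```

In practice the fixture is replaced by `boto3.client("ecr").describe_image_scan_findings(...)` called with the image digest rather than the tag, so the result you gate on is the exact image you are about to run. Basic scanning surfaces OS package findings only, so a clean gate here says nothing about application dependencies unless enhanced scanning is enabled.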
4.Network Security:
ECR supports VPC interface endpoints using AWS PrivateLink, so your services can pull images privately without traversing the public internet. A complete private path needs three endpoints: com.amazonaws.<region>.ecr.api (the ECR API, including GetAuthorizationToken), com.amazonaws.<region>.ecr.dkr (the Docker registry API), and an S3 gateway endpoint, because image layers are downloaded from Amazon S3. You can attach an endpoint policy to restrict which repositories and principals are reachable through the endpoint.
5.Image Integrity:
Amazon ECR supports managed container image signing to enhance your security posture and eliminate the work of setting up signing yourself. Container image signing allows you to verify that images come from trusted sources. With managed signing, ECR reduces the setup to a few clicks in the ECR console or a single API call. To enable managed signing, you create a signing rule with a signing profile, which is a unique AWS resource that lets you specify parameters such as signature validity and which IAM principals can sign. Signing only pays off if the consuming side verifies: deployment tooling should check the signature and reject unsigned or untrusted images before they run.
USE CASES:
- Microservices and cloud-native applications
- CI/CD pipelines
- Hybrid workloads
Conclusion:
To sum up, Amazon Elastic Container Registry (ECR) stores container images securely on AWS infrastructure, and its IAM access controls, encryption at rest, image scanning, private networking and image signing integrate with the rest of the AWS ecosystem.
References:
1. https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html
2. https://aws.amazon.com/ecr/features
3. https://aws.amazon.com/ecr/faqs/
4. https://docs.aws.amazon.com/AmazonECR/latest/userguide/security.html
5. https://www.certbolt.com/certification/comprehensive-guide-to-containers-on-aws-modernizing-application-deployment/
6. https://docs.aws.amazon.com/config/latest/developerguide/security-best-practices-for-ECR.html