DEV Community

Cover image for AWS ECR Made Easy: Securely Store and Manage Your Container Images
Koti Vellanki
Koti Vellanki

Posted on

AWS ECR Made Easy: Securely Store and Manage Your Container Images

#awschallenge #aws #devops #containers

Day 4: From Docker Hub to ECR with Confidence

Welcome to Day 4 of our 15-day AWS Containers learning series! In the previous episode on Amazon EKS, you learned how to deploy and scale Kubernetes clusters. Today, we shift gears to focus on another critical aspect of containerized applications—managing container images. Our main star is Amazon Elastic Container Registry (ECR), but we’ll also compare it to Docker Hub, one of the most popular container registries in the world.

Let’s continue with Ovi and her dad’s story as they delve into container image storage!

Table of Contents

  1. The Story: Ovi Organizes Her Toy Collection
  2. What Is Amazon ECR?
  3. Amazon ECR vs. Docker Hub
  4. Key Features of Amazon ECR
  5. Three Implementation Examples
    1. Example 1: Private Repository for Internal Use
    2. Example 2: Public Repository for Open-Source Projects
    3. Example 3: Automated Image Scanning and Lifecycle Policies
  6. Step-by-Step: Pushing and Pulling Images in ECR
    1. Step 1: Create an ECR Repository
    2. Step 2: Push an Image to ECR
    3. Step 3: Pull an Image from ECR
  7. Real-Life Analogy: ECR as a Toy Storage Room
  8. Troubleshooting Tips
  9. Summary: Key Takeaways
  10. References
  11. What’s Next?

The Story: Ovi Organizes Her Toy Collection

It’s another evening, and Ovi notices her beloved toys are scattered all over her room. She turns to her dad and says:

“Dad, how can I keep all my toys in one place so I can find them easily when I need them?”

Her dad smiles and replies:

“Ovi, that’s exactly the challenge we face with container images. We need a special, secure storage room to keep them neat and organized. That’s where a container registry like Amazon ECR or Docker Hub comes into play.”

What Is Amazon ECR?

Amazon Elastic Container Registry (ECR) is a fully managed container registry service by AWS, providing a secure, scalable, and integrated solution for storing and managing container images.

Why Use ECR?

  1. Security:

    Integrates with AWS Identity and Access Management (IAM) to control access to your images.

  2. Scalability:

    Automatically scales to handle any number of container images.

  3. Integration:

    Works seamlessly with AWS services like ECS, EKS, and AWS Fargate.

  4. Reliability:

    Provides high availability and durability for container images.

Amazon ECR vs. Docker Hub

Comparing Amazon ECR with Docker Hub helps you choose the right registry for your needs:

Feature Amazon ECR Docker Hub
Management Fully managed by AWS Managed by Docker, 3rd-party for enterprise needs
Security & IAM Deep AWS IAM integration Basic private repos, advanced security in paid plans
Scalability & Performance Automatically scales with AWS infrastructure Scales globally but might have rate limits
Pricing Pay for usage (storage + data transfer) Free for public repos, limited pulls, paid tiers for private repos
Integration Tight AWS integration (ECS, EKS, Fargate, CodeBuild) Popular with broad ecosystem (CI/CD tools, etc.)
Repository Types Private & Public Public by default, private in paid tiers
Image Scanning Built-in vulnerability scanning Available with Docker Hub’s paid subscription
Use Case Best for AWS-centric workflows Flexible for multi-cloud or smaller personal projects

Key Features of Amazon ECR

  1. Private and Public Repositories

    Store images either privately for internal use or publicly for open-source collaborations.

  2. Image Scanning

    Identify vulnerabilities in your images automatically.

  3. Lifecycle Policies

    Automatically delete or archive old, unused images to optimize storage costs.

  4. Encryption

    Data at rest is encrypted using AWS-managed or customer-managed keys.

  5. Integration with CI/CD Pipelines

    Seamlessly integrate ECR with Jenkins, GitHub Actions, AWS CodePipeline, and more.

Three Implementation Examples

To illustrate ECR’s versatility, here are three different scenarios you can implement.

Example 1: Private Repository for Internal Use

  • Scenario: A medium-sized startup wants to store proprietary microservices images securely.
  • Approach:
    1. Create a private repository in ECR.
    2. Set up IAM roles to restrict who can push and pull images.
    3. Integrate with AWS ECS to auto-deploy images.

Example 2: Public Repository for Open-Source Projects

  • Scenario: An open-source team wants to share a popular Node.js library as a Docker image.
  • Approach:
    1. Create a public repository in ECR.
    2. Configure image scanning to ensure the base image is secure.
    3. Advertise repository URL in the project’s GitHub README to enable easy access.

Example 3: Automated Image Scanning and Lifecycle Policies

  • Scenario: A FinTech company needs to comply with security standards and reduce storage costs.
  • Approach:
    1. Enable image scanning to detect vulnerabilities.
    2. Configure lifecycle policies to remove images older than 30 days.
    3. Automate builds and pushes via AWS CodePipeline, ensuring only scanned, up-to-date images are deployed.

Step-by-Step: Pushing and Pulling Images in ECR

Below is a detailed, hands-on procedure to get you started. Adjust the region, account_id, and repository_name to match your environment.

Step 1: Create an ECR Repository

  1. Via AWS Console

    1. Navigate to Amazon ECR.
    2. Click Create Repository.
    3. Enter a name (e.g., my-app-repo).
    4. Select Private or Public (depending on your use case).
    5. Click Create Repository.

  2. Via AWS CLI

   aws ecr create-repository --repository-name my-app-repo
Enter fullscreen mode Exit fullscreen mode

This command returns a JSON output with details of your newly created repository.

Step 2: Push an Image to ECR

  1. Authenticate Docker to Your ECR Registry 
   aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <account_id>.dkr.ecr.us-west-2.amazonaws.com
Enter fullscreen mode Exit fullscreen mode
  1. Tag Your Docker Image 
   docker tag my-app:latest <account_id>.dkr.ecr.us-west-2.amazonaws.com/my-app-repo:latest
Enter fullscreen mode Exit fullscreen mode
  1. Push the Image 
   docker push <account_id>.dkr.ecr.us-west-2.amazonaws.com/my-app-repo:latest
Enter fullscreen mode Exit fullscreen mode

You should see upload progress for each layer of the image.

Step 3: Pull an Image from ECR

  1. Authenticate Docker (If Not Already) 
   aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <account_id>.dkr.ecr.us-west-2.amazonaws.com
Enter fullscreen mode Exit fullscreen mode
  1. Pull the Image 
   docker pull <account_id>.dkr.ecr.us-west-2.amazonaws.com/my-app-repo:latest
Enter fullscreen mode Exit fullscreen mode

Once complete, the image is locally available for container runs.

Real-Life Analogy: ECR as a Toy Storage Room

“Ovi, imagine ECR as a secure storage room for your toys (container images),” her dad says. “Your shelves (repositories) can be private or open to the public, and you can label the boxes (tags) however you want. Because it’s secure, nobody can walk in without permission. It’s the perfect system for organizing everything!”

Troubleshooting Tips

  1. Authentication Issues

    • Double-check you’re using the correct AWS region and account ID.
    • Ensure your IAM user/role has the necessary ECR permissions (ecr:GetAuthorizationToken, ecr:BatchCheckLayerAvailability, etc.).

  2. “Image Not Found” Error

    • Verify the repository name and image tag match exactly.
    • Confirm the repository is in the same region you’re authenticating to.

  3. Access Denied

    • Update your IAM policy to include ecr:GetDownloadUrlForLayer and ecr:BatchGetImage.
    • Check for any restrictive resource-level conditions.

  4. Rate Limits or Timeouts

    • For massive image pushes, consider chunking or verifying network connectivity.
    • If you suspect an issue with your Docker client, ensure you’re using the latest version.

Summary: Key Takeaways

  • Amazon ECR provides a secure, scalable, and highly integrated container registry for AWS-centric workflows.
  • Compared to Docker Hub, ECR offers deeper AWS integration, built-in image scanning, and robust IAM controls.
  • Lifecycle policies and private/public repositories help optimize costs and flexibility.
  • By combining ECR with AWS ECS or EKS, you can streamline your entire container pipeline.

References

  1. Amazon ECR Documentation https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html
  2. Docker Hub Documentation https://docs.docker.com/docker-hub/
  3. AWS CLI Reference https://docs.aws.amazon.com/cli/latest/reference/ecr/index.html
  4. Container Security Best Practices https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html

What’s Next?

Up next is Day 5, where we’ll explore Deploying a Multi-Container App in Amazon ECS and more!

Let’s Connect!

Found this helpful? Share it with your network!

See you in the next episode! 🚀

Top comments (0)

Read next

adnanlatif profile image

From 41 Minutes to 8 Minutes: How I Made Our CI/CD Pipeline 5x Faster

Adnan Latif -

wallacefreitas profile image

Docker Networking: A Comprehensive Guide

Wallace Freitas -

bhatiagirish profile image

AWS CloudWatch Logging and Live Tail using Python/Boto3 SDK!

Girish Bhatia -

yokwejuste profile image

Day 03: Deploying Basic Infrastructure with Terraform

Steve Yonkeu -