Amazon Elastic Container Registry (ECR) is a fully managed container image registry that makes it easy to store, share, and deploy container images. Think of it as your private Docker Hub, tightly integrated with the rest of the AWS ecosystem.
If you are running containers on AWS, you need somewhere to store your images. While you could use Docker Hub or another third-party registry, ECR offers several advantages:
| Feature | Benefit |
|---|---|
| Fully managed | No infrastructure to operate — AWS handles availability, scaling, and patching |
| IAM integration | Fine-grained access control using AWS IAM policies |
| Encryption | Images are encrypted at rest using AWS KMS |
| Vulnerability scanning | Built-in image scanning to detect security issues |
| High availability | Images are replicated across multiple AZs within a region |
| Tight integration | Seamless with ECS, EKS, Fargate, CodeBuild, and CodePipeline |
Every AWS account has a default private registry in each region. The registry URL follows this pattern:
```
<account-id>.dkr.ecr.<region>.amazonaws.com
```
For example:
```
123456789012.dkr.ecr.eu-west-2.amazonaws.com
```
A repository holds a collection of related images, typically different versions of the same application:
```
123456789012.dkr.ecr.eu-west-2.amazonaws.com/my-web-app
123456789012.dkr.ecr.eu-west-2.amazonaws.com/my-api
123456789012.dkr.ecr.eu-west-2.amazonaws.com/my-worker
```
Each image in a repository is identified by a tag (e.g. v1.2.3, latest) or a digest (a SHA256 hash). Tags are mutable — you can push a new image with the same tag — while digests are immutable.
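Because a tag can be re-pointed at a different image while a digest cannot, deployment references are worth auditing for digest pinning. The following is an added example, not part of the original lesson: it parses references against the registry URL pattern above and flags tag-only references and unexpected registry accounts. The function names, the account allow-list, the digest value and the second account ID are constructed for illustration.

```python
import re

# Host pattern from the lesson: <account-id>.dkr.ecr.<region>.amazonaws.com
ECR_REF = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com"
    r"/(?P<repo>[a-z0-9]+(?:[._/-][a-z0-9]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def audit_image_ref(ref, allowed_accounts):
    """Return findings for one image reference; an empty list means it passes."""
    m = ECR_REF.match(ref)
    if m is None:
        return ["not a private ECR image reference"]
    findings = []
    if m["account"] not in allowed_accounts:
        findings.append(f"account {m['account']} is not an allowed registry owner")
    if m["digest"] is None:
        # Docker resolves a reference without a tag to ':latest'.
        tag = m["tag"] or "latest"
        findings.append(f"tag '{tag}' is mutable; pin the image by digest")
    return findings


def audit(refs, allowed_accounts):
    """Return {reference: findings} for every reference that fails a check."""
    report = {}
    for ref in refs:
        findings = audit_image_ref(ref, allowed_accounts)
        if findings:
            report[ref] = findings
    return report


# Constructed sample input (hypothetical digest and second account ID).
HOST = "123456789012.dkr.ecr.eu-west-2.amazonaws.com"
DIGEST = "sha256:" + "ab" * 32
SAMPLE_REFS = [
    f"{HOST}/my-web-app:v1.0.0",           # tag only
    f"{HOST}/my-api@{DIGEST}",             # digest only
    f"{HOST}/my-worker",                   # implicit :latest
    f"{HOST}/my-web-app:v1.0.0@{DIGEST}",  # tag kept for readability, digest pins
    f"999999999999.dkr.ecr.eu-west-2.amazonaws.com/my-api@{DIGEST}",
    "docker.io/library/nginx:latest",
]

if __name__ == "__main__":
    for ref, findings in audit(SAMPLE_REFS, {"123456789012"}).items():
        print(ref, "->", "; ".join(findings))
```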
To create a repository with scan-on-push enabled and AES256 encryption at rest:

```bash
aws ecr create-repository \
  --repository-name my-web-app \
  --region eu-west-2 \
  --image-scanning-configuration scanOnPush=true \
  --encryption-configuration encryptionType=AES256
```
Pushing a Docker image to ECR involves three steps: authenticate, tag, and push.
Authenticate Docker to the registry:

```bash
aws ecr get-login-password --region eu-west-2 | \
  docker login --username AWS \
  --password-stdin 123456789012.dkr.ecr.eu-west-2.amazonaws.com
```
This retrieves a temporary authentication token valid for 12 hours.
Tag the local image with the repository URI:

```bash
docker tag my-web-app:v1.0.0 \
  123456789012.dkr.ecr.eu-west-2.amazonaws.com/my-web-app:v1.0.0
```

Push the image:

```bash
docker push 123456789012.dkr.ecr.eu-west-2.amazonaws.com/my-web-app:v1.0.0
```
After authenticating, pull images just like any Docker registry:
```bash
docker pull 123456789012.dkr.ecr.eu-west-2.amazonaws.com/my-web-app:v1.0.0
```
ECS and EKS tasks authenticate automatically using their task execution role, so no manual login is needed when deploying.
ECR supports two types of vulnerability scanning:
| Scanning Type | Description |
|---|---|
| Basic scanning | Uses the open-source Clair database; scans for OS package vulnerabilities |
| Enhanced scanning | Powered by Amazon Inspector; scans OS packages and programming language packages continuously |