Amazon ECR
Amazon Elastic Container Registry (Amazon ECR) is a fully-managed Docker container registry that helps developers to store, manage, and deploy Docker container images, and it is secure, scalable, and reliable. Amazon ECR is integrated with Amazon ECS, which allows AWS customers to store, run, and manage container images for applications running on Amazon ECS.
- Amazon ECR enables private Docker repositories with resource-based permissions using AWS IAM so that specific users or Amazon EC2 instances can access repositories and images.
- Amazon ECR hosts customers' images in a highly available and scalable architecture, allowing them to deploy containers for their applications.
- Amazon ECR transfers container images over HTTPS and automatically encrypts those images at rest.
Amazon ECR Features
Amazon ECR supports Docker Registry HTTP API V2, which allows clients to use Docker CLI commands or any preferred Docker tools to interact with Amazon ECR.
- Docker is a software platform that allows customers to build, test, and deploy applications quickly.
- Docker packages software into standardized units called containers that have everything the software needs to run including libraries, system tools, code, and runtime.
- Using Docker, customers can quickly deploy and scale applications into any environment and their code will run smoothly.
AWS Marketplace for Containers enables customers to find container products in AWS Marketplace and the Amazon Elastic Container Service (Amazon ECS) console. They can deploy container products from AWS Marketplace on Amazon Container Services such as Amazon ECS, Amazon Elastic Container Service for Kubernetes (Amazon EKS), and AWS Fargate.
- Customers can find software-as-a-service (SaaS) products that help manage, monitor, and protect their container applications.
- With the new software delivery option in AWS Marketplace, customers can find free, bring-your-own-license (BYOL), and paid container products with both fixed monthly and usage-based pricing.
Amazon ECR automatically encrypts images at rest using Amazon S3 server-side encryption and transfers customers' container images over HTTPS. Customers can configure policies to manage permissions and control access to their images using AWS Identity and Access Management (IAM) users and roles.
- Amazon ECR automatically encrypts images at rest using Amazon S3 server-side encryption.
- Amazon ECR stores customers' container images in Amazon S3, where the images are redundantly stored across multiple facilities and multiple devices in each facility.
Amazon ECR supports the ability to define and organize repositories in a customer's registry using namespaces, which allows customers to organize the repositories based on their team’s existing workflows.
- Customers can set which API actions another user may perform on their repository (including create, list, describe, delete, and get) through resource-level policies.
- Through IAM, customers can define policies to allow users within the same AWS account or other accounts to access their container images.
AWS Container Competency Partners have a technology product or solution on AWS that offers support to run workloads on containers. The product or solution integrates with AWS services in a way that improves the AWS customer’s ability to run workloads using containers on AWS.
- Customers can integrate Amazon ECR into their continuous integration and delivery process allowing them to maintain the existing development workflow.
Amazon ECR is integrated with third-party developer tools. AWS customers can integrate Amazon ECR into their continuous integration and delivery process, allowing them to maintain their existing development workflow. These third-party developer tools include:
- Docker Enterprise: in collaboration with AWS, it delivers a highly reliable and cost-efficient way to quickly deploy, scale, and manage business-critical applications with containerization and cloud.
- HashiCorp: HashiCorp Cloud Infrastructure Automation provides consistent workflows to provision, secure, connect, and run any infrastructure for any application.
- Others include D2iQ (Mesosphere), Pivotal Cloud Foundry, Red Hat OpenShift, Spotinst Elastigroup, etc.

Amazon ECR Components
AUTHORIZATION TOKEN
Customers' Docker clients need to authenticate to Amazon ECR registries as an AWS user in order to push and pull images.
- An authorization token represents your IAM authentication credentials and can be used to access any Amazon ECR registry that your IAM principal has access to.
- An authorization token’s permission scope matches that of the IAM principal used to retrieve the authentication token.
- An authentication token is used to access any Amazon ECR registry that your IAM principal has access to and is valid for 12 hours.
- The authorizationToken returned is a base64-encoded string that can be decoded and used in a docker login command to authenticate to a registry. The AWS CLI offers a get-login-password command that simplifies the login process.
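The decode-and-login step described above, as an added example that is not part of the original page: it decodes the token, checks it against the 12-hour validity window, and builds a docker login invocation that takes the password on stdin. The response dictionary is a constructed sample shaped like the GetAuthorizationToken API result; the function name, the 15-minute safety margin, the account ID and the password are assumptions.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a GetAuthorizationToken response; the
# password, account ID and region are placeholders, not real values.
SAMPLE_RESPONSE = {
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:constructed-password").decode(),
        "expiresAt": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
        "proxyEndpoint": "https://111111111111.dkr.ecr.us-east-1.amazonaws.com",
    }]
}


def docker_login_plan(response, now, min_remaining=timedelta(minutes=15)):
    """Return (argv, stdin_bytes) for docker login, or raise if the token is unusable."""
    data = response["authorizationData"][0]
    decoded = base64.b64decode(data["authorizationToken"], validate=True).decode()
    # The decoded token has the form "AWS:<password>".
    user, sep, password = decoded.partition(":")
    if not sep or user != "AWS" or not password:
        raise ValueError("token does not decode to AWS:<password>")
    # Tokens are valid for 12 hours; refuse one that is expired or nearly so.
    if data["expiresAt"] - now < min_remaining:
        raise ValueError("token expired or about to expire; request a new one")
    registry = data["proxyEndpoint"].split("://", 1)[-1]
    # --password-stdin keeps the secret out of argv, shell history and `ps` output.
    argv = ["docker", "login", "--username", user, "--password-stdin", registry]
    return argv, password.encode()
```

The returned argv and bytes can be handed to subprocess.run(argv, input=stdin_bytes); the decoded password should never be logged, because it carries the full permission scope of the IAM principal that requested it.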
REPOSITORY POLICY
Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let you specify which IAM users or roles have access to a repository and what actions they can perform on it. Customers can control access to the repositories and the images within these repository policies.
- Amazon ECR repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual Amazon ECR repositories.
- IAM policies are generally used to apply permissions for the entire Amazon ECR service but can also be used to control access to specific resources as well.
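A review check for the repository policies described above, as an added example that is not part of the original page: it parses a policy document and flags Allow statements that grant access to any principal without a Condition, or that grant non-read actions to another account. The sample policy, the account IDs, the read-action list and the severity labels are constructed for illustration.

```python
import json

# Constructed sample repository policy; account IDs are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CiPush", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci-build"},
     "Action": ["ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage"]},
    {"Sid": "PartnerPull", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
    {"Sid": "Everyone", "Effect": "Allow", "Principal": "*", "Action": "ecr:*"},
]})

# Actions that only read images or metadata; anything else counts as a write.
READ_ACTIONS = {"ecr:getdownloadurlforlayer", "ecr:batchgetimage",
                "ecr:batchchecklayeravailability", "ecr:describeimages",
                "ecr:describerepositories", "ecr:listimages"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """AWS principals of a statement; service principals are ignored here."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def audit_repository_policy(policy_json, owner_account):
    """Return (sid, severity, reason) for each risky Allow statement."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        writes = [a for a in actions if a not in READ_ACTIONS]
        for principal in _aws_principals(stmt):
            external = owner_account not in principal
            if principal == "*" and "Condition" not in stmt:
                findings.append((sid, "HIGH", "any principal, no Condition"))
            elif principal != "*" and external and writes:
                findings.append((sid, "MEDIUM", "cross-account write access"))
    return findings
```

Against the sample, the same-account push role and the pull-only partner account pass, and only the wildcard statement is reported.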
REGISTRY
Amazon ECR registries host customers' container images in a highly available and scalable architecture, allowing them to deploy containers to their applications. By default, an Amazon ECR registry is provided to each AWS account, so that customers can create image repositories in the registry and store images in them.
- It can be used as a registry to manage image repositories consisting of Docker and Open Container Initiative (OCI) images.
- Using AWS Management Console, AWS CLI, or the AWS SDKs customers can create and manage repositories. They can use those methods to perform some actions on images, including listing or deleting the images.
- Amazon ECR provides a Docker credential helper, which allows customers to store and use Docker credentials when pushing and pulling images to Amazon ECR.
REPOSITORY
An Amazon ECR image repository contains customers' Docker or Open Container Initiative (OCI) images. ECR provides API operations to create, monitor, and delete image repositories and set permissions that control who can access them. Amazon ECR also integrates with the Docker CLI, allowing customers to push and pull images from their development environments to their repositories.
- Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let customers specify which IAM users or roles have access to a repository and what actions they can perform on it. By default, only the repository owner has access to a repository.
- Repositories can be controlled with both IAM user access policies and repository policies.
- Repository names can support namespaces, which you can use to group similar repositories.
IMAGE
AWS customers can push and pull container images to their repositories. They can use these images locally on the development system, or they can use them in Amazon ECS task definitions and Amazon EKS pod specifications. For more information, see Amazon ECR images with Amazon ECS and Amazon ECR Images with Amazon EKS.

Amazon ECR monitoring
AWS customers can monitor their Amazon ECR API usage with Amazon CloudWatch, which collects and processes raw data from Amazon ECR into readable, near real-time metrics. These statistics are recorded for a period of two weeks, so that customers can access historical information and gain perspective on their API usage. Amazon ECR metric data is automatically sent to CloudWatch in one-minute periods.
Amazon ECR provides metrics based on your API usage for authorization, image push, and image pull actions.
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon ECR and customers' AWS solutions. The best practice is to collect monitoring data from the resources that make up a customer's AWS solution so that a multi-point failure can be debugged more easily if one occurs.
Security
Cloud security at AWS is the highest priority. AWS customers benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and its customers. The shared responsibility model describes this as security of the cloud and security in the cloud:
- Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides customers with services that they can use securely. Third-party auditors regularly test and verify the effectiveness of AWS security as part of the AWS compliance programs.
- Security in the cloud – The customer's responsibility is determined by the AWS service that they use. Customers are also responsible for other factors including the sensitivity of their data, their company’s requirements, and applicable laws and regulations.
Data protection
Amazon Elastic Container Registry (Amazon ECR) conforms to the AWS shared responsibility model, which includes regulations and guidelines for data protection. AWS is responsible for protecting the global infrastructure that runs all the AWS services. AWS maintains control over data hosted on this infrastructure, including the security configuration controls for handling customer content and personal data. AWS customers and APN partners, acting either as data controllers or data processors, are responsible for any personal data that they put in the AWS Cloud.
For data protection purposes, the best practice is to protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM), so that each user is given only the permissions necessary to fulfill their job duties.
The best ways to secure data:
- Use multi-factor authentication (MFA) with each account.
- Use SSL/TLS to communicate with AWS resources.
- Set up API and user activity logging with AWS CloudTrail.
- Use AWS encryption solutions, along with all default security controls within AWS services.
- Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.