Posted On: Jul 29, 2020

Amazon Elastic Container Registry (ECR) now supports the use of customer master keys (CMK) managed by AWS Key Management Service (KMS) to encrypt container images stored in your ECR repositories. AWS KMS is a simple to use key management service that makes it easy for you to create, manage, and control keys to encrypt and decrypt your data. By choosing KMS-based encryption of your container images at rest, you can meet stronger security and compliance requirements around audit, access control and monitoring of encrypted ECR image access using these keys.

Every image you push to ECR is already encrypted by default using an industry-standard AES-256 encryption algorithm. This often meets your security requirements as it protects data at rest. However, your needs may change if you get new customers that require a different set of standards or the type of content you store in your images changes. Now with AWS KMS encryption, you can choose an AWS managed or your own managed CMK to encrypt your images at rest. This gives you the ability to support PCI-DSS compliance requirements for separate authentication of the storage and cryptography, KMS-based control of your key material and allows you to audit when images are encrypted and decrypted. When this feature is enabled, ECR automatically encrypts your images with a CMK when pushed and decrypts it when pulled.

KMS encryption in ECR is available in all public AWS Regions and AWS GovCloud (US) Regions. Learn more with this blog and get started by following our documentation to use this new ECR feature.