Containers

Expanding container security and choice with Amazon ECR Public

Amazon Elastic Container Registry Public continues to evolve as a trusted platform for container image discovery and distribution. Our platform provides developers and organizations with a robust, secure, and flexible container registry experience built on AWS infrastructure with seamless integration across AWS container services.

At AWS, we understand that container security and flexibility are paramount for modern cloud-native applications. Amazon ECR Public has been strategically developed to support a diverse ecosystem of container images, enabling customers to find, share, and deploy trusted images with confidence.

Today, we’re excited to announce that Amazon ECR Public now offers the free tier of Chainguard’s trusted container images —security-hardened, minimalist container images that dramatically reduce vulnerabilities in your containerized applications. By combining Chainguard’s security-first approach with ECR Public’s reliability and AWS integration, developers can now access container images that typically maintain zero or near-zero Common Vulnerabilities and Exposures (CVEs), a significant improvement over traditional base and app images that often contain hundreds of vulnerabilities.

Base images form a critical piece to the foundation of any containerized application. They provide the fundamental operating system components, runtime environments, and core libraries that serve as the starting point for application development. Choosing the right base image is more than a technical decision, it’s a security and performance strategy that impacts the entire application lifecycle. Alongside the most popular base images, the free tier of Chainguard Containers also includes popular third party app images, offering drop-in replacements for the latest versions of images like MongoDB and Postgres.

Through our ongoing partnerships and platform capabilities, we’re committed to delivering a registry that meets the most demanding security and compliance requirements across AWS container services. Our latest expansion showcases how we’re broadening the choices available to customers while maintaining the highest standards of image integrity and security.

Why Amazon ECR Public for your container images?

Where you source your images critically impacts security, reliability, and operational efficiency. Amazon ECR Public offers several advantages:

Reliability and Performance

AWS infrastructure powers Amazon ECR Public, and Amazon ECR Public delivers high availability and fast image pulls globally. You can depend on consistent performance without worrying about registry downtime or throttling.

Seamless AWS Integration

Images from Amazon ECR Public integrate seamlessly with AWS container services including Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), and AWS App Runner. No additional configuration is required—simply reference the image URI in your deployment specifications. For enhanced high availability and resiliency, you can set up Amazon ECR pull-through cache to automatically sync images from ECR Public into your private ECR registry, and then configure replication from your private registry to automatically copy images across multiple AWS Regions. This approach brings images closer to your deployment environments, reduces latency, and provides a resilient, multi-region image distribution strategy.

Cost-Effective

No charges for pulling public images from Amazon ECR Public. This removes bandwidth costs and usage fees, making it an economical choice for development teams and organizations looking to optimize their container infrastructure expenses.

Verified Publishers

Amazon ECR Public features verified publishers, including AWS and trusted partners like Chainguard, ensuring you’re pulling images from authentic, reliable sources.

Chainguard Containers: Trusted container images

Now available in Amazon ECR Public, Chainguard Containers are security-hardened container images. By sourcing Chainguard Containers directly from Amazon ECR Public, AWS customers can leverage these security-focused images with the reliability and integration benefits of ECR Public. Here are the key advantages:

Minimal Attack Surface

Chainguard Containers include only the essential components needed to run your application. By eliminating unnecessary packages, libraries, and utilities, these images dramatically reduce potential security vulnerabilities, and a smaller image means fewer components to patch, scan, and secure.

Significantly Fewer CVEs

Traditional images often contain hundreds of CVEs. Chainguard container images typically have zero or near-zero CVEs in their base layers. Chainguard achieves this through aggressive minimalism and daily rebuilds of system packages from source, accounting for updates in the source code through broad automation. For security-conscious organizations, this reduction in CVEs translates directly to reduced risk and faster security reviews.

Built for Containers

Unlike traditional Linux distributions adapted for containers, Chainguard designed Chainguard OS from the ground up for containerized workloads. This purpose-built approach delivers smaller image sizes, faster startup times, and better resource utilization.

Secure-by-Default 

Daily Rebuilds from Source

Chainguard maintains its container images with the Chainguard Factory, automating the rebuild of container images whenever source code is updated, accounting for the latest patches to ensure you’re always provided zero-CVE container images.

Finding Chainguard Containers in Amazon ECR Public

Discovering Chainguard Containers in Amazon ECR Public is straightforward:

  1. Visit the Amazon ECR Public Gallery: Navigate to https://gallery.ecr.aws.
  2. Search for Chainguard: Use the search bar to find chainguard and browse the verified publishers section.
  3. Explore available images: Chainguard offers images for popular runtimes and applications including:
    • Python
    • git
    • aspnet-runtime
    • node
    • go
    • nginx
    • mongodb
    • redis
    • And many more…
  4. Review image details: Each image page provides the same details available in Amazon ECR Public today, including image URI, description, available tags, and usage information.

You can pull the Chainguard container image directly using the standard Docker command: docker pull public.ecr.aws/chainguard/wolfi-base:latest

Implementation guide: Building and deploying with Chainguard Containers

Let’s walk through a practical example of using Chainguard Containers from Amazon ECR Public to build and deploy a containerized application with your private Amazon ECR repository.

Prerequisites

For this implementation guide, you must have the following prerequisites:

  • AWS CLI installed and configured
  • Docker installed locally
  • An AWS account with permissions to create Amazon ECR repositories

Required IAM Permissions

Following the principle of least privilege, create a custom IAM policy with only the permissions needed for this workflow. For creating private repositories and pushing images, your IAM user or role needs the following minimum permission:

  • ecr:CreateRepository – Create new repositories
  • ecr:PutImageScanningConfiguration – Enable vulnerability scanning (used in Step 1)
  • ecr:DescribeRepositories – View repository details
  • ecr:GetAuthorizationToken – Authenticate Docker to push/pull images (used in Step 3)
  • ecr:BatchCheckLayerAvailability – Check image layers during push
  • ecr:GetDownloadUrlForLayer – Download image layers during pull
  • ecr:BatchGetImage – Pull images
  • ecr:PutImage – Push images to repository

Alternately, for convenience, you can use AWS managed policies such as AmazonEC2ContainerRegistryPowerUser (recommended for developers) or AmazonEC2ContainerRegistryFullAccess (provides full administrative access). However, custom policies following least privilege are recommended for production environments.

For detailed IAM policy examples, including complete JSON policy documents, see the Amazon ECR User Guide.

Step 1: Create an Amazon ECR repository

First, create a private repository in Amazon ECR to store your application image:

aws ecr create-repository \
    --repository-name my-secure-app \
    --region us-east-1 \
    --image-scanning-configuration scanOnPush=true

This command creates a repository with automatic vulnerability scanning enabled. Note the repositoryUri in the response—you’ll need it for pushing your image.

Step 2: Create a Dockerfile with Chainguard Base Image

Create a Dockerfile that uses a Chainguard container image from Amazon ECR Public as the base. Since Chainguard images are minimal, we’ll use a multi-stage build with the dev variant for installing dependencies:

# Use Chainguard Python dev image for building
FROM public.ecr.aws/chainguard/python:latest-dev as builder
WORKDIR /app
# Create virtual environment and install dependencies
RUN python -m venv venv
ENV PATH="/app/venv/bin:$PATH"
COPY requirements.txt .
RUN pip install —no-cache-dir -r requirements.txt
# Use minimal runtime image
FROM public.ecr.aws/chainguard/python:latest
WORKDIR /app
# Copy application and virtual environment from builder
COPY app.py .
COPY —from=builder /app/venv /app/venv
ENV PATH="/app/venv/bin:$PATH"
# Set the entrypoint
ENTRYPOINT ["python", "app.py"]

For this example, create a simple app.py:

from flask import Flask
app = Flask(__name__)
@app.route('/')
def hello():
    return 'Hello from Chainguard on Amazon ECR!'
if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)

And a requirements.txt:

flask==3.0.0

Step 3: Build, tag, and push to Amazon ECR

Now, authenticate to Amazon ECR, build your image, and push it to your repository:

# Authenticate Docker to Amazon ECR
aws ecr get-login-password —region us-east-1 | \
    docker login —username AWS —password-stdin \
    <aws-account-id>.dkr.ecr.us-east-1.amazonaws.com
# Build the Docker image
docker build -t my-secure-app .
# Tag the image for Amazon ECR
docker tag my-secure-app:latest \
    <aws-account-id>.dkr.ecr.us-east-1.amazonaws.com/my-secure-app:latest
# Push the image to Amazon ECR
docker push <aws-account-id>.dkr.ecr.us-east-1.amazonaws.com/my-secure-app:latest

Replace <aws-account-id> with your actual AWS account ID.

After pushing, Amazon ECR automatically scans your image for vulnerabilities. The scan may take a few minutes to complete. You can view the scan results in the Amazon ECR console:

  1. Navigate to your repository in the ECR console
  2. Click on the individual image (not the image index with the “latest” tag)
  3. View the “Scanning and vulnerabilities” section

With Chainguard Containers as your base, you can expect dramatically fewer vulnerabilities compared to traditional base images – a stark contrast to traditional base images that often contain dozens or hundreds of CVEs.

Cleaning up

To avoid incurring future charges, delete the resources by running the following commands:

# Delete the repository (this will delete all images)
aws ecr delete-repository \
    --repository-name my-secure-app \
    --region us-east-1 \
    --force

The security advantage: CVE comparison

One of the most compelling reasons to use Chainguard Containers is the dramatic reduction in vulnerabilities. Traditional base images often contain dozens or even hundreds of CVEs, many of which exist in packages your application never uses.

Chainguard Containers typically maintain zero or near-zero CVEs by:

  • Including only essential packages required for the specific runtime
  • Continuous updates of system packages and application code, often within hours of upstream releases
  • Using a modern, security-focused package management approach and maintaining all system packages built from source
  • Eliminating legacy components and unnecessary utilities

This reduction in CVEs means:

  • Faster security reviews: Less time spent triaging and documenting accepted risks
  • Reduced compliance burden: Fewer vulnerabilities to track and report
  • Lower operational overhead: Fewer patches to apply and test
  • Improved security posture: Smaller attack surface for potential exploits

Conclusion

The availability of Chainguard Containers in Amazon ECR Public represents a significant advancement in container security for AWS customers. By combining Chainguard’s security-first approach with Amazon ECR Public’s reliability and AWS integration, developers can build more secure containerized applications with less operational overhead.

The dramatic reduction in CVEs, minimal attack surface, and comprehensive supply chain security features make Chainguard Containers an excellent choice for organizations prioritizing security without sacrificing developer productivity. These secure base images integrate seamlessly with AWS container services including Amazon ECS, Amazon EKS, and AWS App Runner.

Start exploring Chainguard Containers in Amazon ECR Public today and take the first step toward more secure container deployments.

Additional Resources

*By using Chainguard Containers from Amazon ECR Public, you’re not just pulling a base image—you’re adopting a security-first approach to container development that reduces risk, simplifies compliance, and accelerates your path to production.*

About the authors

Sourav Kundu is a DevOps Consultant at AWS. He helps organizations securely migrate to and efficiently build on the AWS cloud using modern software engineering practices. He believes that democratizing cloud knowledge is essential for driving innovation and is committed to helping others succeed in their cloud journey.

Gaurav Gundal is a DevOps consultant with AWS Professional Services, helping customers build solutions on the customer platform. When not building, designing, or developing solutions, Gaurav spends time with his family, plays guitar, and enjoys traveling to different places.

Meg Sarros is a Senior Product Manager for Amazon ECR. She is based in New York City. In her spare time, she enjoys tennis and baking.