Introducing Amazon ECR server-side encryption using AWS Key Management System

Today, we introduced Amazon Elastic Container Registry (Amazon ECR) server-side encryption at rest using AWS managed and customer managed master keys stored in AWS Key Management System (AWS KMS). This feature lets you select the key management configuration that meets your security and compliance requirements and gives you the level of control your encryption implementation needs. For customers building applications from images stored in KMS encryption-enabled repositories, it provides control over encryption through key material origin, key policies, IAM policies and grants, key aliases, and scheduled key deletion.

Customers building services using Amazon ECR might require encryption of image data at rest that meets a specific classification or security and compliance requirement associated with a particular application, workload, or environment. Encrypting data at rest is vital for regulatory compliance, ensuring that sensitive data saved on disks is protected against unauthorized access or modification. Some compliance regulations, such as PCI DSS and HIPAA, require that data at rest be encrypted throughout the data lifecycle. To gather input from our customers on encrypting images at rest in Amazon ECR, we sought feedback last year through AWS containers roadmap issue #52.

Previously, customers benefited from default encryption at rest through Amazon S3 server-side encryption with the industry-standard AES-256 algorithm. We learned from several customers that, to meet your security and compliance baselines, you wanted to use AWS KMS so that you could encrypt images in Amazon ECR at rest with AWS managed or customer managed Customer Master Keys (CMKs) that you created or owned. Some customers prefer the audit, access control, and monitoring features these keys provide, together with control over key material origin. With this feature, customers can now select the key material origin for their CMKs: AWS KMS, an external provider, or a custom key store (backed by AWS CloudHSM).

Figure 1: Amazon ECR server-side encryption using AWS KMS

Each Amazon ECR container image layer and manifest is encrypted with a unique data encryption key (DEK) using envelope encryption, as shown in Figure 1 above. The DEK is generated under the AWS managed CMK or the customer managed CMK selected in the encryption configuration specified when the repository is created.

In the examples below, we explore the three options available for key management in Amazon ECR repositories using the console and AWS CLI.

Examples: creating an Amazon ECR repository with each available server-side encryption configuration

Default server-side (SSE-S3) encryption:

Console:

AWS CLI:

aws ecr create-repository --repository-name default_sse_s3_aes256 \
  --region us-west-2

AWS managed KMS CMK

Console:

AWS CLI:

aws ecr create-repository --repository-name aws_managed_key_kms \
  --region us-west-2 \
  --encryption-configuration '{"encryptionType":"KMS"}'

Customer managed KMS CMK

Console:

AWS CLI:

aws ecr create-repository --repository-name customer_managed_key_kms \
  --region us-west-2 \
  --encryption-configuration '{"encryptionType":"KMS",
    "kmsKey":"arn:aws:kms:us-west-2:123456789012:key/32aaa6ba-994d-4afa-8909-f35d97d24eb2"}'

Customers with existing Amazon ECR repositories are not affected by this feature announcement and can continue using their existing repositories.
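Because existing repositories keep whatever configuration they were created with, a practitioner will want to audit an account for repositories that fall below the required baseline. The following is an added example, not code from the post or from AWS: it classifies constructed `aws ecr describe-repositories` output into the three configurations described above, using a constructed stand-in for the `KeyManager` field that `aws kms describe-key` reports (the ARNs and the strength ranking are assumptions for illustration).

```python
import json

# Strength ordering of the configurations in the post; a key that cannot be resolved
# fails closed and ranks below everything.
STRENGTH = {"KMS-UNKNOWN-KEY": 0, "SSE-S3": 1, "KMS-AWS-MANAGED": 2, "KMS-CUSTOMER-MANAGED": 3}

# Constructed sample of `aws ecr describe-repositories` output (not real account data).
# The KMS case carries the ARN of the CMK under which each layer's DEK is generated.
SAMPLE_REPOSITORIES = json.loads("""
{"repositories": [
  {"repositoryName": "default_sse_s3_aes256",
   "encryptionConfiguration": {"encryptionType": "AES256"}},
  {"repositoryName": "aws_managed_key_kms",
   "encryptionConfiguration": {"encryptionType": "KMS",
     "kmsKey": "arn:aws:kms:us-west-2:123456789012:key/aaaaaaaa-0000-0000-0000-000000000001"}},
  {"repositoryName": "customer_managed_key_kms",
   "encryptionConfiguration": {"encryptionType": "KMS",
     "kmsKey": "arn:aws:kms:us-west-2:123456789012:key/32aaa6ba-994d-4afa-8909-f35d97d24eb2"}},
  {"repositoryName": "stale_key_kms",
   "encryptionConfiguration": {"encryptionType": "KMS",
     "kmsKey": "arn:aws:kms:us-west-2:123456789012:key/deadbeef-0000-0000-0000-000000000009"}}
]}""")

# Constructed stand-in for `aws kms describe-key`: KeyManager is "AWS" for AWS managed
# CMKs and "CUSTOMER" for customer managed CMKs. A deleted key is simply absent.
SAMPLE_KEY_MANAGER = {
    "arn:aws:kms:us-west-2:123456789012:key/aaaaaaaa-0000-0000-0000-000000000001": "AWS",
    "arn:aws:kms:us-west-2:123456789012:key/32aaa6ba-994d-4afa-8909-f35d97d24eb2": "CUSTOMER",
}

def classify_repository(repo, key_manager):
    """Return the encryption class of one describe-repositories entry."""
    cfg = repo.get("encryptionConfiguration") or {}
    # A missing block is treated as the SSE-S3 default rather than as an error.
    if cfg.get("encryptionType", "AES256") == "AES256":
        return "SSE-S3"
    manager = key_manager.get(cfg.get("kmsKey", ""))
    if manager == "CUSTOMER":
        return "KMS-CUSTOMER-MANAGED"
    if manager == "AWS":
        return "KMS-AWS-MANAGED"
    return "KMS-UNKNOWN-KEY"

def audit(repositories, key_manager, baseline="KMS-CUSTOMER-MANAGED"):
    """Classify every repository; return (classes by name, names below the baseline)."""
    classes = {r["repositoryName"]: classify_repository(r, key_manager)
               for r in repositories["repositories"]}
    failing = sorted(n for n, c in classes.items() if STRENGTH[c] < STRENGTH[baseline])
    return classes, failing
```

Against live data, feed the JSON from `aws ecr describe-repositories` and a `KeyManager` lookup built from `aws kms describe-key` on each distinct `kmsKey` ARN; a repository whose key no longer resolves is reported as failing rather than silently passing.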

Documentation and next steps

We have included Amazon ECR document references below that may be useful for you:

  1. Security in Amazon ECR
  2. Amazon ECR encryption at rest
  3. AWS Key Management Service Cryptographic Details Whitepaper [pdf]
  4. AWS KMS custom key store

You can start using the server-side encryption at rest feature on Amazon ECR today. This feature is available in public AWS Regions and AWS GovCloud (US). We welcome your feedback through our AWS containers roadmap, and we’re excited for you to use this feature to build secure and compliant applications for your customers!

If you are new to Amazon ECR, this is a good starting point to learn the key Amazon ECR features and get set up.

Lahiru Dissanayake

Lahiru is a Software Development Engineer on the Amazon ECR team.

Paavan Mistry

Paavan is a Senior Developer Advocate at AWS with the container service team. He helps customers adopt container technologies through blogs, demos, open source contributions, and public speaking engagements. Paavan has previously worked at AWS as a Specialist Solutions Architect in Security. You can find him on Twitter as @98pm and GitHub as @paavan98pm.