A private repository does not offer content search capabilities and requires Amazon IAM-based authentication using AWS account credentials before allowing images to be pulled. A public repository has descriptive content and allows anyone anywhere to pull images without needing an AWS account or using IAM credentials. Public repository images are also available in the Amazon ECR public gallery.
Using Amazon ECR
Q: How do I get started using Amazon ECR?
The best way to get started with Amazon ECR is to use the Docker CLI to push and pull your first image. Visit our Getting Started page for more information.
Q: Can I access Amazon ECR inside a VPC?
Yes. You can set up AWS PrivateLink endpoints to allow your instances to pull images from your private repositories without traversing through the public internet.
Q: What’s the best way to manage my repositories and images?
Amazon ECR provides a command line interface and APIs to create, monitor, and delete repositories and set repository permissions. You can perform the same actions in the “Repositories” section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, allowing you to push, pull, and tag images on your development machine.
Q: Can I use Amazon ECR within local and on-premises environments?
Yes. You can access Amazon ECR anywhere that Docker runs such as desktops and on-premises environments.
Q: Does the Amazon ECR public gallery provide AWS-published images?
Yes. Services such as Amazon EKS, Amazon SageMaker and AWS Lambda publish their official public use container images and artifacts to Amazon ECR.
Q: Does Amazon ECR work with Amazon ECS?
Yes. Amazon ECR is integrated with Amazon ECS, allowing you to easily store, run, and manage container images for applications running on Amazon ECS. All you need to do is specify the Amazon ECR repository in your task definition and Amazon ECS will retrieve the appropriate images for your applications.
Q: Does Amazon ECR work with AWS Elastic Beanstalk?
Yes. AWS Elastic Beanstalk supports Amazon ECR for both single and multi-container Docker environments, allowing you to easily deploy container images stored in Amazon ECR with AWS Elastic Beanstalk. All you need to do is specify the Amazon ECR repository in your Dockerrun.aws.json configuration and attach the AmazonEC2ContainerRegistryReadOnly policy to your container instance role.
Q: What version of Docker Engine does Amazon ECR support?
Amazon ECR currently supports Docker Engine 1.7.0 and up.
Q: What version of the Docker Registry API does Amazon ECR support?
Amazon ECR supports the Docker Registry V2 API specification.
Q: Will Amazon ECR automatically build images from a Dockerfile?
No. However, Amazon ECR integrates with a number of popular CI/CD solutions to provide this capability. See the Amazon ECR Partners page for more information.
Q: Does Amazon ECR support federated access?
Yes. Amazon ECR is integrated with AWS Identity and Access Management (IAM), which supports identity federation for delegated access to the AWS Management Console or AWS APIs.
Q: What version of the Docker Image Manifest specification does Amazon ECR support?
Amazon ECR supports the Docker Image Manifest V2, Schema 2 format. In order to maintain backwards compatibility with Schema 1 images, Amazon ECR will continue to accept images uploaded in the Schema 1 format. Additionally, Amazon ECR can down-translate from a Schema 2 to a Schema 1 image when pulling with an older version of Docker Engine (1.9 and below).
Q: Does Amazon ECR support the Open Container Initiative (OCI) format?
Yes. Amazon ECR is compatible with the Open Container Initiative (OCI) image specification, letting you push and pull OCI images and artifacts. Amazon ECR can also translate between Docker Image Manifest V2, Schema 2 images and OCI images on pull.
Q: How does Amazon ECR help ensure that container images are secure?
Amazon ECR automatically encrypts images at rest using Amazon S3 server-side encryption or AWS KMS encryption and transfers your container images over HTTPS. You can configure policies to manage permissions and control access to your images using AWS Identity and Access Management (IAM) users and roles without having to manage credentials directly on your EC2 instances.
Q: How can I use AWS Identity and Access Management (IAM) for permissions?
You can use IAM resource-based policies to control and monitor who and what (e.g., EC2 instances) can access your container images, as well as how, when, and where they can access them. To get started, use the AWS Management Console to create resource-based policies for your repositories. Alternatively, you can use sample policies and attach them to your repositories via the Amazon ECR CLI.
Q: Can I share my images across AWS accounts?
Yes. Here is an example of how to create and set a policy for cross-account image sharing.
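The sketch below is an added example, not AWS's sample policy: it builds a pull-only repository policy for a second account and audits any repository policy for wildcard principals, untrusted accounts, or actions beyond pull. The account ID, the Sid, and the function names are constructed for illustration.

```python
# Added example; account ID 111122223333, the Sid and function names are constructed.
import json

# The three ECR actions a principal needs on a repository to pull an image.
PULL_ACTIONS = {
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
}

def cross_account_pull_policy(account_ids):
    """Build a repository policy that lets the given accounts pull and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
            "Action": sorted(PULL_ACTIONS),
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, trusted_accounts):
    """Report Allow statements that go beyond pull-only access for trusted accounts."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            # A principal is "*", a bare account ID, or an ARN with the ID in field 5.
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account == "*":
                findings.append(f"{sid}: wildcard principal")
            elif account not in trusted_accounts:
                findings.append(f"{sid}: untrusted account {account}")
        for action in _as_list(st.get("Action", [])):
            if action not in PULL_ACTIONS:
                findings.append(f"{sid}: action beyond pull: {action}")
    return findings

if __name__ == "__main__":
    print(json.dumps(cross_account_pull_policy(["111122223333"]), indent=2))
```

The printed JSON can be attached to a repository with `aws ecr set-repository-policy --policy-text`. Identities in the pulling account still need their own IAM permissions, including `ecr:GetAuthorizationToken`, before a pull succeeds.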
Q: Does Amazon ECR scan container images for vulnerabilities?
You can enable Amazon ECR to automatically scan your container images for a broad range of operating system vulnerabilities. You can also scan images using an API command, and Amazon ECR will notify you over API and in the console when a scan completes. For enhanced image scanning, you can turn on Amazon Inspector.