Now use PrivateLink Endpoint Policies to better control Amazon ECR access

Posted on: Sep 30, 2019

Amazon Elastic Container Registry (ECR) now supports PrivateLink Endpoint Policies, a capability that enables customers to better control access to Amazon ECR repositories and images through private endpoints. Previously, customers could not attach a policy to the endpoint to explicitly allow or deny access; now they can define granular, API-level access to container image repositories at the endpoint itself.

Amazon ECR PrivateLink Endpoint Policies enable customers to ensure that only the services which should have access through the endpoint do, and that those which should not, do not. Customers can now write an IAM resource policy and attach it to an endpoint; the policy defines the action (e.g. BatchGetImage, DeleteRepository), the effect (allow or deny) and the principal it applies to. Developers can now enforce stricter policies that align repository access with the privileges they intend.

You can get started with ECR PrivateLink Endpoint Policies by creating a VPC endpoint for Amazon ECR, or if you have already created one, then selecting an endpoint to add a policy. For more information about using ECR PrivateLink Endpoint Policies, please see the Amazon ECR documentation. Please visit the AWS global region table to see where Amazon ECR and PrivateLink are available.
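As an added illustration that is not part of the AWS announcement, the following Python builds an ECR endpoint policy of the kind described above (one role may pull from one repository namespace, nobody may delete repositories through the endpoint) and then evaluates a few sample requests against it with a small simulator of the allow/deny logic. The account id, role name, repository names and endpoint id are constructed placeholders; the ECR action names are real IAM actions.

```python
"""Added example (not AWS's own code): construct an Amazon ECR VPC endpoint
policy and evaluate sample requests against it.

Assumptions (all constructed placeholders): account 111122223333, a role named
AppTaskRole, repositories under the "app/" namespace in us-east-1.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                                    # placeholder
PULL_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AppTaskRole"      # hypothetical role
APP_REPOS = f"arn:aws:ecr:us-east-1:{ACCOUNT}:repository/app/*"  # placeholder

# An endpoint with no policy attached allows full access to the service.
# Once this document is attached, only its Allow statements grant access
# through the endpoint; the caller's IAM identity policy still applies too.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPullFromAppRole",
            "Effect": "Allow",
            "Principal": {"AWS": PULL_ROLE},
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
            ],
            "Resource": APP_REPOS,
        },
        {
            # GetAuthorizationToken is not repository-scoped, so Resource is "*".
            "Sid": "AllowAuthToken",
            "Effect": "Allow",
            "Principal": {"AWS": PULL_ROLE},
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*",
        },
        {
            "Sid": "DenyRepositoryDeletion",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "ecr:DeleteRepository",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    return caller_arn in _as_list(principal.get("AWS", []))


def evaluate(policy, caller_arn, action, resource_arn):
    """Simplified endpoint-policy evaluation for one request.

    Explicit Deny wins over any Allow; a matching Allow grants access;
    anything else is implicitly denied. Returns "Allow" or "Deny".
    """
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _principal_matches(statement["Principal"], caller_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(statement["Resource"])):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def policy_document():
    """The JSON to pass as --policy-document when modifying the endpoint."""
    return json.dumps(ENDPOINT_POLICY, indent=2)


if __name__ == "__main__":
    print(policy_document())
    web_repo = f"arn:aws:ecr:us-east-1:{ACCOUNT}:repository/app/web"
    print(evaluate(ENDPOINT_POLICY, PULL_ROLE, "ecr:BatchGetImage", web_repo))
    print(evaluate(ENDPOINT_POLICY, PULL_ROLE, "ecr:DeleteRepository", web_repo))
```

Write `policy_document()` to a file and attach it with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-<placeholder> --policy-document file://ecr-endpoint-policy.json`. ECR uses two interface endpoints (`ecr.api` for the ECR API and `ecr.dkr` for the Docker registry calls), and the policy is attached per endpoint, so apply it to whichever endpoints the workload actually uses. The simulator here only models the endpoint policy; in AWS the request must also be allowed by the caller's IAM identity policy and any repository policy.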