Introduction to Amazon Elastic

Container Registry
Containers Immersion Day: Module 2

© 2020, Amazon Web Services, Inc. or its Affiliates.

 AWS container services landscape

Amazon Elastic
Management Amazon Elastic
Container Service
Deployment, Scheduling, Container Service
for Kubernetes
Scaling & Management of
containerized applications

Hosting Amazon EC2 AWS Fargate

Where the containers run

Image Registry Amazon Elastic

Container Image Repository Container Registry

© 2020, Amazon Web Services, Inc. or its Affiliates.

What are container image registries?

”A container image registry is a service that stores

container images, and is hosted either by a third-
party or as a public/private registry such
as Docker Hub, Quay, and so on [Amazon Elastic
Container Registry].”
https://wiki.aquasec.com/display/containers/Container+Image+Registries
 Amazon Elastic
Container Registry

2020, Amazon Web Services, Inc. or its Affiliates.

© 2019,
 The benefits of using Amazon ECR

Fully Managed Secure Highly Available Simplified Workflow

© 2020, Amazon Web Services, Inc. or its Affiliates.

 Components of Amazon ECR

© 2020, Amazon Web Services, Inc. or its Affiliates.

Amazon ECR Registries

https://205094881157.dkr.ecr.us-west-2.amazonaws.com

Amazon
ECR
Amazon ECR Repositories

https://205094881157.dkr.ecr.us-west-2.amazonaws.com

Amazon
ECR
team-a/web-app team-b/web-app
Container Images

https://205094881157.dkr.ecr.us-west-2.amazonaws.com

Amazon
ECR
team-a/web-app team-b/web-app

My app OCI image

image OCI Artifacts
Container Images: Lifecycle policies

https://205094881157.dkr.ecr.us-west-2.amazonaws.com

My app
Amazon image
:1
ECR
team-a/web-app
My app
image
:<no tag>
My app
image
My app
image :3
Container Images: Lifecycle policies

https://205094881157.dkr.ecr.us-west-2.amazonaws.com

{
"rules": [
My app
{
"rulePriority": 1,
image
:1
"description": "Expire images older thanAmazon
14 days",
"selection": { ECR
team-a/web-app
"tagStatus": "untagged",
"countType": "sinceImagePushed",
"countUnit": "days",
"countNumber": 14
My app
image
:<no tag>
},
My app "action": {
image "type": "expire"
My app
}
}
image :3
]
}
Container Images: Image scanning

https://205094881157.dkr.ecr.us-west-2.amazonaws.com

Amazon
ECR
team-a/web-app

My app
image
Amazon
EventBridge
Security in Amazon Elastic Container Registry

https://205094881157.dkr.ecr.us-west-2.amazonaws.com
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
Amazon "ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
ECR
team-a/web-app "ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
Team B }
]
}
Security in Amazon Elastic Container Registry

https://205094881157.dkr.ecr.us-west-2.amazonaws.com
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": { Amazon
"AWS": [
ECR
"arn:aws:iam::account-id:user/push-pull-user-1",
"arn:aws:iam::account-id:user/push-pull-user-2" team-b/web-app
]
Another AWS Account
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",

]
"ecr:CompleteLayerUpload" Team C
}
]
}
 Questions?
Introduction to Amazon ECR

© 2020, Amazon Web Services, Inc. or its Affiliates.