Amazon ECR
Amazon Elastic Container Registry (ECR) is AWS's managed private container image registry. We configure ECR repositories with the lifecycle policies, IAM access controls, image scanning, and cross-account policies that production container workflows require.
Capabilities
What we configure with ECR
Access control
Repository Setup and IAM
ECR repository creation with repository policies that grant pull access to EKS node groups or ECS task execution roles and push access to CI/CD pipelines — with least-privilege IAM throughout.
GitHub Actions · GitLab
CI/CD Push Integration
Configuring CI/CD pipelines to build and push Docker images to ECR. For GitHub Actions, we use OIDC to authenticate without storing long-lived AWS credentials as repository secrets.
Image retention
Lifecycle Policies
Lifecycle policies that automatically expire untagged images and old tagged images after a configurable count or age, preventing unbounded storage growth while retaining a useful history of tagged releases.
Enhanced scanning
Image Vulnerability Scanning
ECR enhanced scanning with Amazon Inspector, which continuously scans images after push for OS and language package CVEs rather than scanning only at push time.
Multi-account
Cross-Account Image Sharing
Repository policies that allow EKS clusters in separate AWS accounts to pull images from a central ECR registry, supporting a hub-and-spoke multi-account architecture.
Multi-region
Replication
ECR replication configuration that copies images to registries in additional AWS regions to reduce pull latency for workloads deployed across multiple regions.
Our approach
OIDC for CI authentication
Storing long-lived AWS access keys as CI secrets is a common but avoidable risk. GitHub Actions and GitLab CI both support OIDC token exchange with AWS IAM, allowing the CI job to assume an IAM role without any stored credentials. We configure OIDC authentication as the default for ECR push permissions.
Lifecycle policies prevent storage sprawl
Without lifecycle policies, an active CI pipeline pushes a new image on every commit and ECR storage grows without bound. We configure lifecycle policies to retain a practical number of tagged images and expire untagged intermediates.
Scanning tells you what you have inherited
A base image tagged node:20 today is not the same image tagged node:20 in six months. ECR enhanced scanning with continuous re-scanning surfaces vulnerabilities that were not present when the image was first built, so the team is not discovering a CVE during an incident.
Provisioned with Terraform
ECR repositories, lifecycle policies, repository policies, replication configurations, and pull-through cache rules are all defined in Terraform so that the complete registry configuration is version-controlled and reproducible.
All engineering work is done by US-based engineers. We do not offshore any development or architecture work.
Part of our container practice
FAQ
Common questions
Virginia · United States
Need ECR configuration help?
If you are setting up a container registry or need to improve an existing ECR configuration, reach out and we will assess the requirements.