Skip to main content
Container Development
Technology ServicesContainers · AWSAmazon ECRVirginia · US-Based

Amazon ECR

Amazon Elastic Container Registry (ECR) is AWS's managed private container image registry. We configure ECR repositories with the lifecycle policies, IAM access controls, image scanning, and cross-account policies that production container workflows require.

Amazon ECRLifecycle PoliciesImage ScanningCross-accountECR PublicGitHub ActionsTerraformOIDC

Capabilities

What we configure with ECR

Access control

Repository Setup and IAM

ECR repository creation with repository policies that grant pull access to EKS node groups or ECS task execution roles and push access to CI/CD pipelines — with least-privilege IAM throughout.

GitHub Actions · GitLab

CI/CD Push Integration

Configuring CI/CD pipelines to build and push Docker images to ECR. For GitHub Actions, we use OIDC to authenticate without storing long-lived AWS credentials as repository secrets.

Image retention

Lifecycle Policies

Lifecycle policies that automatically expire untagged images and old tagged images after a configurable count or age, preventing unbounded storage growth while retaining a useful history of tagged releases.

Enhanced scanning

Image Vulnerability Scanning

ECR enhanced scanning with Amazon Inspector, which continuously scans images after push for OS and language package CVEs rather than scanning only at push time.

Multi-account

Cross-Account Image Sharing

Repository policies that allow EKS clusters in separate AWS accounts to pull images from a central ECR registry, supporting a hub-and-spoke multi-account architecture.

Multi-region

Replication

ECR replication configuration that copies images to registries in additional AWS regions to reduce pull latency for workloads deployed across multiple regions.

Our approach

OIDC for CI authentication

Storing long-lived AWS access keys as CI secrets is a common but avoidable risk. GitHub Actions and GitLab CI both support OIDC token exchange with AWS IAM, allowing the CI job to assume an IAM role without any stored credentials. We configure OIDC authentication as the default for ECR push permissions.

Lifecycle policies prevent storage sprawl

Without lifecycle policies, an active CI pipeline pushes a new image on every commit and ECR storage grows without bound. We configure lifecycle policies to retain a practical number of tagged images and expire untagged intermediates.

Scanning tells you what you have inherited

A base image tagged node:20 today is not the same image tagged node:20 in six months. ECR enhanced scanning with continuous re-scanning surfaces vulnerabilities that were not present when the image was first built, so the team is not discovering a CVE during an incident.

Provisioned with Terraform

ECR repositories, lifecycle policies, repository policies, replication configurations, and pull-through cache rules are all defined in Terraform so that the complete registry configuration is version-controlled and reproducible.

ecr_spec.json
service: [
"Amazon ECR Private",
"ECR Public"
]
scanning: [
"Enhanced (Amazon Inspector)",
"Basic"
]
auth: [
"OIDC (GitHub / GitLab)",
"IAM Role"
]
replication: [
"Cross-region",
"Cross-account"
]
infra: [
"Terraform"
]
engineering: [
"Virginia, United States"
]

All engineering work is done by US-based engineers. We do not offshore any development or architecture work.

Part of our container practice

FAQ

Common questions

Virginia · United States

Need ECR configuration help?

If you are setting up a container registry or need to improve an existing ECR configuration, reach out and we will assess the requirements.