Amazon Elastic Container Registry (Amazon ECR) is an Amazon Web Service (AWS) product that stores, manages and deploys Docker images, which are managed clusters of Amazon EC2 instances. Amazon ECR allows all AWS developers to save configurations and quickly move them into a production environment, thus reducing overall workloads.
Amazon ECR provides a command-line interface (CLI) and APIs to manage repositories and integrated services, such as Amazon Elastic Container Service (Amazon ECS), which installs and manages the infrastructure for these containers. The primary difference between Amazon ECR and ECS is that while ECR provides the repository that stores all code that has been written and packaged as a Docker image, the ECS takes these files and actively uses them in the deployment of applications.
A developer can use the Docker command line interface to push or pull container images to or from an AWS region. Amazon ECR can be used wherever a Docker container service is running, including on-premises environments. AWS Elastic Beanstalk also supports Amazon ECR for multi-container environments.
How Amazon ECR works
First, Amazon Elastic Container Registry writes and packages code in the form of a Docker image. Next, it compresses, encrypts and manages access to the images -- including all tags and versions -- and controls image lifecycles. Finally, the Amazon ECS pulls the necessary Docker images from the ECR to be used in the deployment of apps and continues to manage containers everywhere -- including Amazon Elastic Kubernetes Service (Amazon EKS), AWS cloud and on premise networks.
Furthermore, Amazon ECR automatically encrypts container images at rest with Amazon Simple Storage Service (Amazon S3) server-side encryption and allows administrators to use AWS Identity and Access Management (AWS IAM) to create restrictions that limit access to each repository. The container registry stores container images in S3 for high availability.
Components of Amazon ECR
Amazon ECR includes:
- Docker images - This is the file that is used to execute code within a Docker container.
- Repository - The Docker images are stored in the Amazon ECR repository. Developers can push and pull images to the repository.
- Repository policy - Developers can use these policies to manage access to the repositories and the images within them.
- Registry - All AWS accounts receive access to Amazon ECR that allows them to create repositories and store images in them.
- Authorization token - Before it can push and pull images, the Docker client must be recognized as an AWS account holder.
Amazon ECR security and other benefits
One of the greatest benefits provided by Amazon ECR is increased security. All images in Amazon ECR are transferred over HTTPS. Images at rest are automatically encrypted to ensure enhanced security. As mentioned before, developers can use AWS IAM to create policies that control permissions and manage access to images. This can be done without altering credentials directly on the EC2 instances. Policies can also be designed to control cross-account image sharing.
AWS security groups can be selected for the interface that control whether each host is allowed to interact with the interface. AWS security groups are virtual firewalls at the instance level that are easily created, attached and deleted. For example, there may be a security group assigned to all the EC2 instances in a cluster using an AWS Auto Scaling group. Developers can create the rule that allows the Amazon Virtual Private Cloud (Amazon VPC) endpoint to be accessed by all instances in this assigned security group.
Other benefits of Amazon ECR include:
- High availability - The Amazon ECR architecture is highly scalable, durable and redundant. As a result, the Docker images are easily available and accessible and users can feasibly and dependably deploy new containers for their applications.
- Streamlines workflow - Integration with Amazon ECS and the Docker CLI allows users to simplify their development and production work processes by facilitating continuous integration (CI) and continuous deployment (CD) in Amazon ECS. Furthermore, container images can be easily pushed to Amazon ECR with the Docker CLI. From there, Amazon ECS can easily pull the images directly and use them for production deployments.
- Completely managed - Amazon ECR does not include any software that will need to be installed and managed or an infrastructure that has to be scaled. Users simply push images to ECR and pull them with any container management tool when they're needed.
Configuration and implementation of Amazon ECR
An AWS account is the first necessity when setting up Amazon ECR. When a user registers for an AWS account, they automatically get signed up for all of the services; they will only pay for the services they use.
Once the user has an AWS account, they can download the AWS Command Line Interface (AWS CLI) and Docker software.
All services in AWS require users to provide credentials in order to determine whether or not the user has permission to access the protected resources. The AWS console requires a password, however, use of AWS credentials is not recommended when accessing AWS. Instead, AWS IAM is recommended for a more secure authentication process. An AWS IAM user can access AWS using a special URL and their unique user credentials.