• Registry
  • ECR private registry hosts the container images in a highly available and scalable architecture.
  • A default ECR private registry is provided to each AWS account.
  • One or more repositories can be created in the registry and images stored in them.
  • Repositories can be configured for either cross-Region or cross-account replication.
  • Private Registry is enabled for basic scanning, by default.
  • Enhanced scanning can be enabled which provides an automated, continuous scanning mode that scans for both operating system and programming language package vulnerabilities.
  • Registry supports up to 100,000 repositories per Region per account (increased from 10,000 in Nov 2024).
• Repository
  • An ECR repository contains Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.
  • Repositories can be controlled with both user access policies and individual repository policies.
  • Each repository supports up to 100,000 images (increased from 20,000 in Aug 2025).
  • Repositories can be automatically created on image push using repository creation templates.
• Image
  • Images can be pushed and pulled to the repositories.
  • Images can be used locally on the development system, or in ECS task definitions and EKS pod specifications.
  • Images support two storage classes: standard and archive (for rarely accessed images).
• Repository policy
  • Repository policies are resource-based policies that can help control access to the repositories and the images within them.
  • Repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual ECR repositories.
  • A user or role only needs to be allowed permission for an action through either a repository policy or an IAM policy but not both for the action to be allowed.
  • Resource-based policies also help grant the usage permission to other accounts on a per-resource basis.
• Authorization token
  • A client must authenticate to the registries as an AWS user before they can push and pull images.
  • An authentication token is used to access any ECR registry that the IAM principal has access to and is valid for 12 hours.
  • Authorization token’s permission scope matches that of the IAM principal used to retrieve the authentication token.

ECR Image Scanning

• ECR provides two scanning modes: Basic Scanning and Enhanced Scanning.
• Basic Scanning
  • Uses AWS native scanning engine (Clair-based scanning was deprecated as of February 2, 2026).
  • Scans for operating system vulnerabilities.
  • Enabled by default for all private registries.
  • Supports scan on push or manual scanning.
  • Scanning configuration is managed at the registry level (repository-level PutImageScanningConfiguration API is deprecated).
• Enhanced Scanning
  • Powered by Amazon Inspector integration.
  • Provides automated, continuous scanning for both OS and programming language package vulnerabilities.
  • Re-evaluates images whenever new vulnerabilities are published, not just at push time.
  • Maps ECR images to running containers in ECS tasks and EKS pods to help prioritize vulnerabilities.
  • Supports minimal and security-focused container base images.
  • Now surfaces image use status to identify which images are actively running.

ECR Managed Signing

• ECR supports managed container image signing (launched Nov 2025) to verify that images are from trusted sources.
• Managed signing automatically signs container images using AWS Signer when images are pushed to ECR.
• Eliminates the need to install and configure client-side signing tools.
• Allows centralized governance of signing as a registry configuration.
• Signatures are stored as OCI referrers in the same repository as the image.
• Manual signing using Notation CLI with AWS Signer is also supported for client-side workflows.

ECR Pull Through Cache

• Pull through cache automatically syncs container images from supported upstream registries into ECR private registry.
• Provides reduced latency of in-region image pulls with built-in ECR security features (lifecycle policies, enhanced scanning).
• Supports multiple upstream registries including Docker Hub, GitHub Container Registry, Quay, ECR Public, Azure Container Registry, GitLab, Chainguard, and other ECR private registries.
• ECR to ECR pull through cache (launched Mar 2025) allows syncing images between ECR registries cross-region and cross-account in a cost-effective way by caching only images that are pulled.
• Automatically creates repositories in the downstream registry for cached images.
• Supports frequent syncs with upstream to keep cached images up to date (at least once every 24 hours).
• Now supports automatic discovery and sync of OCI referrers (signatures, SBOMs, attestations) from upstream registries (Apr 2026).

ECR Repository Creation on Push

• ECR supports automatic repository creation on image push (launched Dec 2025).
• Simplifies container workflows by automatically creating repositories if they don’t exist when an image is pushed.
• Eliminates the need to pre-create repositories before pushing container images.
• New repositories are created according to defined repository creation template settings.
• Repository creation templates allow configuring encryption, lifecycle policies, access permissions, and tag immutability for automatically created repositories.

ECR Cross-Repository Layer Sharing (Blob Mounting)

• ECR supports cross-repository layer sharing through blob mounting (launched Jan 2026).
• Allows sharing common image layers across repositories within a registry.
• Especially valuable for managing multiple microservices or applications built from common base images.
• Reduces storage costs by deduplicating common layers.
• Improves push performance by avoiding re-uploading layers that already exist in the registry.
• When enabled, ECR automatically checks for existing layers in the registry during push operations.

ECR Archive Storage Class

• ECR supports an archive storage class for rarely accessed container images (launched Nov 2025).
• Images can be archived based on criteria such as image age, count, or last pull time via lifecycle policies.
• Images can also be archived individually using the ECR Console or API.
• Archived images do not count against the image per repository limit.
• An unlimited number of images can be archived.
• Archived images are not accessible for pulls but can be restored via Console, CLI, or API within 20 minutes.
• A 90-day minimum storage duration applies for archived images.
• Lifecycle policies cannot delete images archived for less than 90 days.

ECR Lifecycle Policies

• Lifecycle policies help manage the lifecycle of images in repositories.
• Define rules to automatically expire or archive unused images based on criteria such as image age, image count, or last pull time.
• Support tag pattern matching (e.g., prod*) to target specific images.
• Affected images are expired or archived within 24 hours of policy creation.
• Support referring artifacts – references are deleted when a subject image is deleted by a lifecycle policy rule.
• Preview rules to see exactly which container images are affected before the rule runs.

ECR CloudWatch Metrics

• ECR metric data is automatically sent to CloudWatch in one-minute periods.
• Supports repository-level metrics including image pull counts.
• New metrics (Feb 2026): RepositoryCount and ImagesPerRepositoryCount help identify growth trends and monitor usage patterns.
• Can be used to set up alarms for anomalous behavior in image storage growth.

ECR with VPC Endpoints

• ECR can be configured to use an Interface VPC endpoint, that enables you to privately access Amazon ECR APIs through private IP addresses.
• AWS PrivateLink restricts all network traffic between the VPC and ECR to the Amazon network. You don’t need an internet gateway, a NAT device, or a virtual private gateway.
• VPC endpoints currently don’t support cross-Region requests.
• VPC endpoints currently don’t support ECR Public repositories.
• VPC endpoints only support AWS provided DNS through Route 53.

1. A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS. The company needs to ensure that the container images contain no severe vulnerabilities. Which solution will meet these requirements with the LEAST management overhead?
   1. Pull images from the public container registry. Publish the images to Amazon ECR repositories with scan on push configured.
   2. Pull images from the public container registry. Publish the images to a private container registry hosted on Amazon EC2 instances. Deploy host-based container scanning tools to EC2 instances that run ECS.
   3. Pull images from the public container registry. Publish the images to Amazon ECR repositories with scan on push configured.
   4. Pull images from the public container registry. Publish the images to AWS CodeArtifact repositories in a centralized AWS account.
2. A company wants to ensure that only signed and verified container images are deployed to their Amazon EKS clusters. They want minimal operational overhead for the signing process. Which approach should they use?
   1. Use a third-party signing tool integrated with their CI/CD pipeline.
   2. Enable ECR managed signing with AWS Signer on their ECR repositories.
   3. Manually sign images using Notation CLI before pushing to ECR.
   4. Use AWS Lambda to sign images after they are pushed to ECR.
3. A company manages hundreds of microservices using Amazon ECS and stores container images in Amazon ECR. They want to reduce storage costs for images that share common base layers across multiple repositories. Which ECR feature should they enable?
   1. ECR image replication
   2. ECR lifecycle policies
   3. ECR cross-repository layer sharing (blob mounting)
   4. ECR pull through cache
4. A development team wants to avoid pre-creating ECR repositories for every new microservice. They want repositories to be automatically created with consistent settings when images are pushed. What should they configure?
   1. An AWS Lambda function triggered by CloudTrail events.
   2. An AWS Config rule to auto-remediate missing repositories.
   3. ECR repository creation templates with create-on-push enabled.
   4. An AWS CloudFormation stack with dynamic resource creation.
5. A company has container images in ECR that are only needed for compliance audits and are rarely pulled. They want to reduce storage costs while keeping the images available if needed. Which ECR feature should they use?
   1. ECR lifecycle policies to delete old images
   2. Move images to S3 Glacier manually
   3. ECR archive storage class
   4. ECR cross-region replication to a cheaper region
6. A company uses multiple third-party container registries (Docker Hub, GitHub Container Registry) and wants to reduce latency and improve security when pulling images. Which ECR feature should they implement?
   1. ECR cross-region replication
   2. ECR pull through cache with upstream registry rules
   3. ECR public repositories
   4. ECR lifecycle policies
7. An organization wants continuous vulnerability scanning of their container images that also identifies which vulnerable images are actively running in their ECS and EKS environments. Which scanning configuration should they use?
   1. ECR basic scanning with scan on push
   2. Third-party vulnerability scanner integrated with CI/CD
   3. ECR enhanced scanning with Amazon Inspector
   4. AWS Config rules for container compliance