

# What is Amazon Elastic Container Registry?
<a name="what-is-ecr"></a>

Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that is secure, scalable, and reliable. Amazon ECR supports private repositories with resource-based permissions using AWS IAM, so that specified users or Amazon EC2 instances can access your container repositories and images. You can use your preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.

**Note**  
Amazon ECR supports public container image repositories as well. For more information, see [What is Amazon ECR Public](https://docs.aws.amazon.com/AmazonECR/latest/public/what-is-ecr.html) in the *Amazon ECR Public User Guide*.

The AWS container services team maintains a public roadmap on GitHub. It contains information about what the teams are working on and lets all AWS customers give direct feedback. For more information, see [AWS Containers Roadmap](https://github.com/aws/containers-roadmap).

# Concepts and components of Amazon ECR
<a name="concept-and-components"></a>

Amazon ECR is a fully managed Docker container registry service provided by AWS. It allows you to store, manage, and deploy Docker container images securely and reliably. The concepts and components described below work together to provide a secure, scalable, and reliable Docker container registry service within AWS, enabling you to efficiently manage and deploy your containerized applications.

Here are some key concepts and components of Amazon ECR: 

**Registry**  
An Amazon ECR registry is a private registry provided to each AWS account, in which you can create one or more repositories. These repositories allow you to store and distribute Docker images, Open Container Initiative (OCI) images, and other OCI-compatible artifacts within your AWS environment. For more information, see [Amazon ECR private registry](Registries.md).

**Authorization token**  
Your client must authenticate to an Amazon ECR private registry as an AWS user before it can push and pull images. For more information, see [Private registry authentication in Amazon ECR](registry_auth.md).

**Repository**  
A repository in Amazon ECR is a logical collection where you can store your Docker images, Open Container Initiative (OCI) images, and other OCI-compatible artifacts. Within a single Amazon ECR registry, you can have multiple repositories to organize your container images. For more information, see [Amazon ECR private repositories](Repositories.md).

**Repository policy**  
You can control access to your repositories and the contents within them with repository policies. For more information, see [Private repository policies in Amazon ECR](repository-policies.md).

**Image**  
You can push and pull container images to your repositories. You can use these images locally on your development system, or you can use them in Amazon ECS task definitions and Amazon EKS pod specifications. For more information, see [Using Amazon ECR images with Amazon ECS](ECR_on_ECS.md) and [Using Amazon ECR Images with Amazon EKS](ECR_on_EKS.md).

**Lifecycle Policy**  
Amazon ECR lifecycle policies allow you to manage the lifecycle of your images by defining rules for pruning and expiring old or unused images. For more information, see [Automate the cleanup of images by using lifecycle policies in Amazon ECR](LifecyclePolicies.md).

**Image Scanning**  
Amazon ECR provides an integrated image scanning capability that helps identify software vulnerabilities in your container images. For more information, see [Scan images for software vulnerabilities in Amazon ECR](image-scanning.md).

**Access Control**  
Amazon ECR uses IAM to control access to your repositories. You can create IAM users, groups, and roles with specific permissions to push, pull, or manage Amazon ECR repositories. For more information, see [Security in Amazon Elastic Container Registry](security.md).

**Cross-account and Cross-region Replication**  
Amazon ECR supports replicating images across multiple AWS accounts and Regions for increased availability and reduced latency. For more information, see [Private image replication in Amazon ECR](replication.md).

**Encryption**  
Amazon ECR supports server-side encryption of your Docker images at rest using AWS KMS. For more information, see [Data protection in Amazon ECR](data-protection.md).

**AWS Command Line Interface Integration**  
The AWS CLI provides commands to interact with Amazon ECR repositories, such as creating, listing, pushing, and pulling images.

**AWS Management Console**  
Amazon ECR can also be managed through the AWS Management Console, providing a user-friendly web interface for working with your repositories and images.

**AWS CloudTrail**  
Amazon ECR integrates with AWS CloudTrail, allowing you to log and audit API calls made to Amazon ECR for security and compliance purposes. For more information, see [Logging Amazon ECR actions with AWS CloudTrail](logging-using-cloudtrail.md).

**Amazon CloudWatch**  
Amazon ECR provides metrics and logs that can be monitored using Amazon CloudWatch, enabling you to track the performance and usage of your Amazon ECR repositories. For more information, see [Amazon ECR repository metrics](ecr-repository-metrics.md).

**Managed signing**  
Managed signing automatically generates cryptographic signatures when images are pushed to Amazon ECR, simplifying container image signing. For more information, see [Managed signing](managed-signing.md).

# Common use cases in Amazon ECR
<a name="ecr-use-cases"></a>

Amazon ECR is a fully managed Docker container registry service offered by AWS. It provides a secure and scalable repository for storing and distributing Docker container images, making it an essential component in containerized application deployments. Amazon ECR simplifies the process of building, distributing, and running containerized applications across various AWS services and on-premises environments.

Here are some key use cases for Amazon ECR:

**Container Image Storage and Distribution**  
Amazon ECR serves as a centralized repository for storing and distributing Docker container images within an organization or for public consumption. Developers can push their container images to Amazon ECR and then pull them from any compute environment within AWS, such as Amazon EC2, AWS Fargate, or Amazon EKS. For more information, see [Amazon ECR private repositories](Repositories.md).

**Continuous Integration and Continuous Deployment (CI/CD)**  
Amazon ECR integrates seamlessly with AWS CodeBuild, AWS CodePipeline, and other CI/CD tools, enabling automated building, testing, and deployment of containerized applications. Container images can be automatically pushed to Amazon ECR as part of the CI/CD pipeline, ensuring consistent and reliable deployment across different environments.

**Microservices Architecture**  
Amazon ECR is well suited for microservices architectures, where applications are broken down into smaller, decoupled services packaged as containers. Each microservice can have its own container image stored in Amazon ECR, enabling independent development, deployment, and scaling of individual services.

**Hybrid and Multi-Cloud Deployments**  
Amazon ECR supports the ability to pull container images from other container registries, such as Docker Hub or third-party registries. This allows organizations to maintain a consistent deployment model across hybrid or multi-cloud environments, using Amazon ECR as the central repository for container images.

**Access Control and Security**  
Amazon ECR provides fine-grained access control mechanisms, allowing organizations to control who can push or pull container images from the registry. It also integrates with AWS Identity and Access Management for authentication and authorization, ensuring secure access to container images. For more information, see [Security in Amazon Elastic Container Registry](security.md).

**Image Vulnerability Scanning**  
Amazon ECR offers automatic scanning of container images for software vulnerabilities and potential misconfiguration, helping to maintain a secure and compliant container environment. For more information, see [Scan images for software vulnerabilities in Amazon ECR](image-scanning.md).

**Private Container Registry**  
For organizations with strict security or compliance requirements, Amazon ECR can be used as a private container registry, ensuring that sensitive container images are not exposed to public registries and are accessible only within the organization's AWS environment. For more information, see [Amazon ECR private registry](Registries.md).

**Globally Distributed Application Deployment with Amazon ECR Replication**  
By using the Amazon ECR replication capability, you can centralize your containerized web application images in a primary repository and automate their distribution across multiple AWS Regions. This ensures consistent global deployments with low latency worldwide and reduces operational burden. For more information, see [Private image replication in Amazon ECR](replication.md).

**Automated Cleanup of Stale Container Images**  
Amazon ECR lifecycle policies enable automated cleanup of stale container images based on defined rules such as age, count, or tags. This optimizes storage costs, maintains an organized registry, enhances security and compliance, and streamlines development workflows through automation. For more information, see [Automate the cleanup of images by using lifecycle policies in Amazon ECR](LifecyclePolicies.md).

## Features of Amazon ECR
<a name="ecr-features"></a>

Amazon ECR provides the following features:
+ Lifecycle policies help with managing the lifecycle of the images in your repositories. You define rules that result in the cleaning up of unused images. You can test rules before applying them to your repository. For more information, see [Automate the cleanup of images by using lifecycle policies in Amazon ECR](LifecyclePolicies.md).
+ Image scanning helps in identifying software vulnerabilities in your container images. Each repository can be configured to **scan on push**. This ensures that each new image pushed to the repository is scanned. You can then retrieve the results of the image scan. For more information, see [Scan images for software vulnerabilities in Amazon ECR](image-scanning.md).
+ Cross-Region and cross-account replication makes it easier for you to have your images where you need them. This is configured as a registry setting and is on a per-Region basis. For more information, see [Private registry settings in Amazon ECR](registry-settings.md).
+ Pull through cache rules provide a way to cache repositories in an upstream registry in your private Amazon ECR registry. Using a pull through cache rule, Amazon ECR will periodically reach out to the upstream registry to ensure the cached image in your Amazon ECR private registry is up to date. For more information, see [Sync an upstream registry with an Amazon ECR private registry](pull-through-cache.md).
+ Repository creation templates allow you to define the settings for repositories created by Amazon ECR on your behalf during pull through cache, create on push, or replication actions. You can specify tag immutability, encryption configuration, repository policies, lifecycle policies, and resource tags for automatically created repositories. For more information, see [Templates to control repositories created during a pull through cache, create on push, or replication action](repository-creation-templates.md).
+ Managed signing automatically generates cryptographic signatures when images are pushed to Amazon ECR, simplifying container image signing. For more information, see [Managed signing](managed-signing.md).
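
The following added example (not part of the AWS documentation) shows how the scan on push, tag immutability, and encryption settings listed above can be audited per repository. It runs over a constructed sample shaped like the output of `aws ecr describe-repositories`; the repository names, account ID, and the policy of requiring KMS encryption are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `aws ecr describe-repositories` output.
# Account ID, Region and repository names are placeholders.
SAMPLE = json.loads("""
{"repositories": [
  {"repositoryName": "web/frontend",
   "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/web/frontend",
   "imageTagMutability": "IMMUTABLE",
   "imageScanningConfiguration": {"scanOnPush": true},
   "encryptionConfiguration": {"encryptionType": "KMS"}},
  {"repositoryName": "batch/worker",
   "repositoryUri": "111122223333.dkr.ecr.us-east-1.amazonaws.com/batch/worker",
   "imageTagMutability": "MUTABLE",
   "imageScanningConfiguration": {"scanOnPush": false},
   "encryptionConfiguration": {"encryptionType": "AES256"}},
  {"repositoryName": "legacy/api",
   "imageTagMutability": "MUTABLE",
   "imageScanningConfiguration": {"scanOnPush": true}}
]}
""")


def audit_repository(repo, require_kms=True):
    """Return a list of findings for one repository description."""
    findings = []
    # Repository-level setting only; registry-level scanning is not covered.
    if not repo.get("imageScanningConfiguration", {}).get("scanOnPush", False):
        findings.append("scan-on-push disabled")
    mutability = repo.get("imageTagMutability", "MUTABLE")
    if mutability != "IMMUTABLE":
        findings.append(f"tag mutability is {mutability}")
    # Requiring KMS is an assumed local policy, not an ECR default.
    enc = repo.get("encryptionConfiguration", {}).get("encryptionType")
    if require_kms and enc != "KMS":
        findings.append(f"encryption type is {enc or 'unreported'}, not KMS")
    return findings


def audit(response, require_kms=True):
    """Map repository name -> findings, omitting repositories with none."""
    report = {}
    for repo in response.get("repositories", []):
        findings = audit_repository(repo, require_kms)
        if findings:
            report[repo["repositoryName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```

To audit a real account, pass the parsed JSON from `aws ecr describe-repositories` to `audit()` in place of `SAMPLE`.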

## How to get started with Amazon ECR
<a name="ecr-get-started"></a>

If you are using Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS), note that the setup for those two services is similar to the setup for Amazon ECR because Amazon ECR is an extension of both services.

When using the AWS Command Line Interface with Amazon ECR, use a version of the AWS CLI that supports the latest Amazon ECR features. If you don't see support for an Amazon ECR feature in the AWS CLI, upgrade to the latest version of the AWS CLI. For information about installing the latest version of the AWS CLI, see [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

To learn how to push a container image to a private Amazon ECR repository using the AWS CLI and Docker, see [Moving an image through its lifecycle in Amazon ECR](getting-started-cli.md).

## Pricing for Amazon ECR
<a name="ecr-pricing"></a>

With Amazon ECR, you pay for the amount of data you store in your repositories, data transfer from your image pushes and pulls, and image actions that you opt in to such as image signing and replication. For more information, see [Amazon ECR pricing](https://aws.amazon.com/ecr/pricing/).