
Amazon ECR

1. Navigate to ECR in the Management Console

  • Log in to the AWS Management Console for the sharedservices account in the us-east-1 region.
  • From the Services menu, select Elastic Container Registry (ECR) under the Containers section.
  • This will take you to the ECR Dashboard, where you can manage container image repositories.

2. Basic Configuration and Setup

  • Repositories:
    • In the ECR Dashboard, click on Repositories in the left-hand menu to see a list of repositories.
    • Select a repository to explore its details, including URI, Image scanning settings, Tag immutability, Encryption, and Permissions.
  • Images:
    • Within the selected repository, click on View images to see a list of images stored in the repository. Here, you can see image tags, sizes, and scan results if vulnerability scanning is enabled.

3. Exploring the AWS Well-Architected Framework Pillars

Operational Excellence Pillar

  • Image Tagging and Management:
    • Under the Repositories section, review the Image tags in each repository. Ensure that a consistent, meaningful tagging strategy is used (e.g., semantic versions such as v1.0.0, or the git commit SHA of the build) so that every deployment references an identifiable build. A floating tag such as latest is convenient for people but should not be what deployments pin to, because the image behind it changes over time and a rollback to "the previous latest" is impossible.
  • Image Scanning:
    • Select a repository and check if Image scanning is enabled. Regular vulnerability scans help identify issues in container images, ensuring that they meet security and compliance requirements.
  • Tag Immutability:
    • In the repository's details, review the Tag immutability setting. Enabling tag immutability prevents image tags from being overwritten, ensuring consistent deployments and reducing the risk of using outdated or insecure images.
  • Lifecycle Policies:
    • In the repository's Lifecycle policies section, verify if policies are in place to automatically remove old or unused images. Proper lifecycle management helps maintain a clean repository and supports efficient operational practices.

Security Pillar

  • Encryption:
    • Within the repository's settings, check the Encryption configuration. By default, ECR encrypts images at rest with AES-256 server-side encryption; a repository can instead be created with AWS KMS encryption, using either the AWS managed key for ECR or a customer managed key, which gives you control over the key policy and rotation and CloudTrail visibility of every use of the key. The encryption type is fixed when the repository is created and cannot be changed afterwards, so moving to a customer managed key means creating a new repository and re-pushing images.
  • Repository Policies:
    • Under the Permissions tab for each repository, examine the repository policies that control access to images. Ensure that policies follow the principle of least privilege, granting permissions only to necessary users and services.
  • IAM Roles:
    • While you can’t modify IAM roles in read-only mode, navigate to the IAM service to review the roles and policies associated with ECR access. Ensure roles have the minimal required permissions to interact with the ECR repositories.
  • Image Scanning:
    • Check the Image scanning section (scanning is now configured at the registry level, so also review the private registry's scanning configuration) to confirm that either Basic scanning (CVE matching against the open-source Clair database, run on push or on demand) or Enhanced scanning (Amazon Inspector, which rescans images as new CVEs are published) is enabled. Scanning surfaces known CVEs in the packages it can identify; it is a detection control, not a guarantee that an image is free of vulnerabilities, and findings only reduce risk if someone owns and acts on them.
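The Operational Excellence and Security checks above can be run as code rather than clicked through per repository. The block below is an added example, not code from this walkthrough or from AWS: an offline audit over records shaped like the output of the ECR describe_repositories, get_repository_policy and get_lifecycle_policy API calls. Everything in it is constructed sample data (the account ID 111122223333, the role name, the key ARN and the organization ID are invented); with boto3 you would feed in the live responses instead. It also shows a least-privilege repository policy beside the overly broad form the audit flags.

```python
"""Offline audit of ECR repository settings against the walkthrough's checks.

Added example, not code from the page or from AWS. Each record merges fields
from describe_repositories() (mutability, scanning, encryption),
get_repository_policy() (policyText) and get_lifecycle_policy()
(lifecyclePolicyText). All values are constructed sample data; the account
111122223333, role, key and organization IDs are invented.
"""
import json

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Pull-only access for one task execution role: the minimum a consumer needs
            "Sid": "AllowPullFromEcsTasks",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/ecs-task-execution"},
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                       "ecr:BatchCheckLayerAvailability"],
        },
        {   # Principal "*" is acceptable only when a Condition narrows it, here to one Organization
            "Sid": "AllowPullWithinOrg",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
    ],
}

OVERLY_BROAD_POLICY = {  # The weak form: anyone may do anything to this repository
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "ecr:*"}],
}

SAMPLE_REPOSITORIES = [
    {
        "repositoryName": "payments-api",
        "imageTagMutability": "IMMUTABLE",
        "imageScanningConfiguration": {"scanOnPush": True},
        "encryptionConfiguration": {"encryptionType": "KMS",
                                    "kmsKey": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},
        "policyText": json.dumps(LEAST_PRIVILEGE_POLICY),
        "lifecyclePolicyText": json.dumps({"rules": [{
            "rulePriority": 1, "description": "Expire untagged images after 14 days",
            "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                          "countUnit": "days", "countNumber": 14},
            "action": {"type": "expire"}}]}),
    },
    {
        "repositoryName": "legacy-batch",
        "imageTagMutability": "MUTABLE",
        "imageScanningConfiguration": {"scanOnPush": False},
        "encryptionConfiguration": {"encryptionType": "AES256"},
        "policyText": json.dumps(OVERLY_BROAD_POLICY),
        "lifecyclePolicyText": None,
    },
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings that grant everyone access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_allow_statements(policy_text):
    """Indexes of Allow statements open to any principal with no Condition narrowing them."""
    if not policy_text:
        return []
    statements = _as_list(json.loads(policy_text).get("Statement", []))
    return [i for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
            and "Condition" not in s]


def audit_repository(repo):
    """Return the findings for one repository record (an empty list means every check passed)."""
    findings = []
    if repo.get("imageTagMutability") != "IMMUTABLE":
        findings.append("tag immutability disabled: an existing tag can be repointed to a new image")
    # With registry-level enhanced scanning, scanOnPush may read False although Inspector
    # scans everything; confirm with get_registry_scanning_configuration() in that case.
    if not repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
        findings.append("scan on push disabled")
    if repo.get("encryptionConfiguration", {}).get("encryptionType") != "KMS":
        findings.append("encryption is the default AES256, not a KMS key you control")
    if public_allow_statements(repo.get("policyText")):
        findings.append("repository policy grants access to any principal (*) without conditions")
    if not repo.get("lifecyclePolicyText"):
        findings.append("no lifecycle policy: untagged and stale images accumulate")
    return findings


def audit_all(repos):
    """Map repository name to its findings so a report can be sorted by worst offenders."""
    return {r["repositoryName"]: audit_repository(r) for r in repos}
```

Running `audit_all(SAMPLE_REPOSITORIES)` reports nothing for payments-api and five findings for legacy-batch. The second statement of the least-privilege policy is deliberately `"Principal": "*"` with an `aws:PrincipalOrgID` condition: that is the pattern you will see in multi-account registries, and the audit treats it as acceptable while flagging the same principal without a Condition.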

Reliability Pillar

  • Repository Policies and Permissions:
    • In the Permissions section of a repository, review the repository policies to confirm they are correctly set up to restrict access. Incorrect permissions can lead to accidental or unauthorized changes, affecting the reliability of deployments.
  • Tag Immutability:
    • Enable Tag immutability to prevent the overwrite of images with the same tag. This practice ensures that deployments reference the correct, unchanged versions of images, supporting reliability.
  • Backup and Disaster Recovery:
    • ECR has no snapshot-style "backup" feature, but it does provide registry-level replication, which copies images to other Regions or other accounts automatically as they are pushed. Verify that replication rules exist for critical repositories (or that a pipeline pushes them to a second Region), and check that the destination repositories carry the same scanning, tag immutability and access settings, so that deployments can fail over without depending on a single Region.

Cost Optimization Pillar

  • Lifecycle Policies:
    • In the Lifecycle policies section of each repository, review policies that define rules for automatically deleting untagged or old images. Implementing these policies helps reduce storage costs by retaining only the necessary images.
  • Storage and Image Size:
    • In the Images section, review the size of stored images. Identify large images that may contribute to high storage costs and optimize them by using multi-stage builds or reducing unnecessary layers.
  • Repository Usage:
    • Use CloudWatch (from the Services menu; the ECR console does not link to it directly) to review ECR metrics such as repository pull counts, and Cost Explorer or the billing console for storage costs. Analyzing these can help identify rarely pulled repositories and large images and so lower costs.
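Lifecycle policies appear under both the Operational Excellence and Cost Optimization pillars above, and their rule semantics (priority order, one rule per image, count types) are easy to get wrong. The block below is an added example, not AWS's evaluation engine and not code from this walkthrough: a simplified simulator that applies a policy document in the JSON form ECR accepts to a set of constructed image records shaped like describe_images output, so you can see which images a policy would expire before applying it. The image digests, tags and push dates are invented sample data; the console's lifecycle policy preview remains the authoritative check.

```python
"""Simulate which images an ECR lifecycle policy would expire.

Added example, not AWS's evaluation engine: a simplified model of the documented
rule semantics (rules run in rulePriority order; an image is evaluated by only the
first rule that selects it; selection by tagStatus and tagPrefixList; count types
sinceImagePushed and imageCountMoreThan). The images and dates are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the result is reproducible


def _pushed(days_ago):
    return NOW - timedelta(days=days_ago)


# Constructed sample images in the shape of describe_images() output (digests shortened).
SAMPLE_IMAGES = [
    {"imageDigest": "sha256:a1", "imageTags": ["v1.0.0"], "imagePushedAt": _pushed(120)},
    {"imageDigest": "sha256:a2", "imageTags": ["v1.1.0"], "imagePushedAt": _pushed(60)},
    {"imageDigest": "sha256:a3", "imageTags": ["v1.2.0"], "imagePushedAt": _pushed(10)},
    {"imageDigest": "sha256:a4", "imageTags": ["v1.3.0"], "imagePushedAt": _pushed(1)},
    {"imageDigest": "sha256:b1", "imageTags": ["dev-feature-x"], "imagePushedAt": _pushed(40)},
    {"imageDigest": "sha256:c1", "imageTags": ["dev-old", "v0.9.0"], "imagePushedAt": _pushed(200)},
    {"imageDigest": "sha256:u1", "imageTags": [], "imagePushedAt": _pushed(20)},
    {"imageDigest": "sha256:u2", "imageTags": [], "imagePushedAt": _pushed(3)},
]

# A lifecycle policy in the JSON form ECR accepts as lifecyclePolicyText.
SAMPLE_POLICY = {"rules": [
    {"rulePriority": 1, "description": "Expire untagged images after 14 days",
     "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 14},
     "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "Expire dev- builds after 30 days",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["dev-"],
                   "countType": "sinceImagePushed", "countUnit": "days", "countNumber": 30},
     "action": {"type": "expire"}},
    {"rulePriority": 3, "description": "Keep only the 3 newest release images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["v"],
                   "countType": "imageCountMoreThan", "countNumber": 3},
     "action": {"type": "expire"}},
]}


def _selected(image, selection):
    """Does this rule's selection clause apply to the image? One matching tag is enough."""
    tags = image.get("imageTags") or []
    status = selection["tagStatus"]
    if status == "untagged":
        return not tags
    if status == "tagged":
        return any(t.startswith(p) for t in tags for p in selection.get("tagPrefixList", []))
    return True  # tagStatus "any"


def simulate_expirations(policy, images, now=NOW):
    """Return {imageDigest: rulePriority} for every image the policy would expire."""
    expired, claimed = {}, set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        # An image selected by a higher-priority rule is never evaluated again, even if kept.
        candidates = [i for i in images if i["imageDigest"] not in claimed and _selected(i, sel)]
        claimed.update(i["imageDigest"] for i in candidates)
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            victims = [i for i in candidates if i["imagePushedAt"] < cutoff]
        else:  # imageCountMoreThan: keep the newest countNumber images, expire the rest
            newest_first = sorted(candidates, key=lambda i: i["imagePushedAt"], reverse=True)
            victims = newest_first[sel["countNumber"]:]
        for i in victims:
            expired[i["imageDigest"]] = rule["rulePriority"]
    return expired
```

With the sample data, `simulate_expirations(SAMPLE_POLICY, SAMPLE_IMAGES)` expires the 20-day-old untagged image (rule 1), both dev- builds (rule 2) and the oldest v1.x release (rule 3). Note the image tagged both `dev-old` and `v0.9.0`: rule 2 claims it because of its priority, so rule 3 never counts it among the release images. Swapping the priorities of rules 2 and 3 would change what survives, which is why a policy should be previewed before it is applied.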

Performance Efficiency Pillar

  • Image Caching:
    • While not directly managed in the ECR console, consider implementing image caching in your build and deployment processes to reduce image pull times. This helps improve application deployment speed and overall performance.
  • Image Size:
    • In the Images section, review the size of your container images. Smaller images are quicker to pull and start, which can enhance the performance of containerized applications. Use lightweight base images or multi-stage builds to optimize image sizes.
  • Repository Design:
    • Organize repositories by application and environment (for example one repository per service, with the environment encoded in the tag or in separate registries per account) so that repository policies, lifecycle rules and CI/CD pipelines can be scoped precisely. Repository layout does not change pull latency; the efficiency gain is in simpler, more predictable build and deployment automation.

4. Additional Explorations

  • CloudWatch and CloudTrail:
    • Use CloudWatch to monitor ECR metrics such as storage size and image pull counts. In addition, CloudTrail (accessible under the Management & Governance services) allows you to review audit logs for actions performed on ECR, providing visibility into repository access and modifications.
  • Log in to the AWS Management Console for the securitytooling account.
  • AWS Config and Security Hub:
    • If AWS Config and Security Hub are enabled, review the compliance rules and security findings related to ECR configurations, such as image scanning enabled, tag immutability enabled and a lifecycle policy configured (the AWS Config managed rules ecr-private-image-scanning-enabled, ecr-private-tag-immutability-enabled and ecr-private-lifecycle-policy-configured, which Security Hub surfaces as controls ECR.1, ECR.2 and ECR.3), and confirm that repositories use the encryption type your standard requires.