What Is Amazon ECR? AWS Container Registry
Amazon ECR (Elastic Container Registry) is AWS managed registry for storing, versioning, and pulling container images, integrated with IAM and the rest of AWS.
Once your pipeline builds a container image, it needs somewhere to store it. ECR is that store on AWS: a private (or public) registry that ECS, EKS, and Lambda pull from. Because it is AWS-native, authentication and permissions flow through IAM instead of separate credentials.
Repositories and image tags
Each application gets an ECR repository, and each build produces a tagged image (often the commit SHA or a version). Immutable tags can be enforced so a tag always refers to the same image, which is valuable for reproducible deploys.
Authentication via IAM
You do not store a registry password. Instead, the AWS CLI fetches a short-lived login token tied to your IAM identity, and Docker uses it to push or pull. In a pipeline this means an IAM/OIDC role grants registry access with no static secret.
Built-in features
- Image scanning for known vulnerabilities.
- Lifecycle policies to expire old or untagged images.
- Cross-region and cross-account replication.
- Encryption of images at rest.
ECR vs other registries
ECR competes with Docker Hub, GHCR, and other registries. Its advantage on AWS is tight IAM integration and low-latency pulls from ECS, EKS, and Fargate in the same region, which speeds up container startup.
Role in CI/CD
A pipeline logs in to ECR, builds the image, tags it with the commit SHA, and pushes. The deploy step then references that tag when updating ECS or EKS. Latchkey runners can also cache Docker layers in ECR, so rebuilds reuse unchanged layers and pushes stay fast.
Key takeaways
- ECR is AWS managed container registry, integrated with IAM for auth.
- Pushes and pulls use short-lived IAM tokens, not stored passwords.
- Pipelines push tagged images to ECR before deploying to ECS, EKS, or Lambda.