Amazon ECR Integration

Amazon Elastic Container Registry (ECR) is AWS's fully managed container registry. CybeDefend integrates with ECR to scan the container images stored in your registry, authenticating with AWS IAM credentials; both ECR Private (one regional registry per account) and ECR Public are supported.

Features

  • AWS IAM Authentication: Secure access using AWS access keys or IAM roles
  • Cross-Region Support: Access ECR repositories across all AWS regions
  • Public & Private Registries: Support for both ECR Public and ECR Private
  • Cross-Account Access: Scan images from different AWS accounts with proper permissions
  • AWS Services Integration: Seamless integration with ECS, EKS, and other AWS services

Setup Requirements

To connect your Amazon ECR:
  1. AWS Account: Active AWS account with ECR repositories
  2. IAM Credentials: AWS access keys or IAM role with ECR permissions
  3. ECR Permissions: read-only access, i.e. ecr:GetAuthorizationToken plus the repository pull and describe actions listed in the policy below
  4. Region Configuration: Specify the AWS region for your ECR repositories

Required IAM Permissions

Your AWS IAM user or role needs read-only access to the registry and to the repositories it scans. ecr:GetAuthorizationToken is a registry-level action and only accepts "Resource": "*"; the repository-level actions can, and should, be limited to the repositories CybeDefend scans (replace the account ID, region and repository pattern with your own):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RegistryLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PullAndDescribe",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages"
      ],
      "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/*"
    }
  ]
}
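As an added example (not CybeDefend's or AWS's code), the following Python builds a scoped read-only policy for a list of repositories and lints a candidate policy against the same allowlist, so a policy that leaves the repository actions on Resource "*", grants a wildcard such as ecr:*, or includes a write action like ecr:PutImage is flagged before the credentials are handed to a scanner. The account ID, region and repository names are placeholders.

```python
# Added example (not CybeDefend's or AWS's code): build a least-privilege
# identity policy for the scanner principal and lint a candidate policy.
import json

# ecr:GetAuthorizationToken is registry-level and only accepts Resource "*".
# Everything else the scanner needs is repository-level and can be pinned
# to repository ARNs.
REGISTRY_ACTIONS = {"ecr:GetAuthorizationToken"}
REPO_READ_ACTIONS = {
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:DescribeRepositories",
    "ecr:DescribeImages",
}


def repository_arn(account_id, region, repository):
    return f"arn:aws:ecr:{region}:{account_id}:repository/{repository}"


def least_privilege_policy(account_id, region, repositories):
    """Read-only scanner policy scoped to the named repositories."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RegistryLogin",
                "Effect": "Allow",
                "Action": sorted(REGISTRY_ACTIONS),
                "Resource": "*",
            },
            {
                "Sid": "PullAndDescribe",
                "Effect": "Allow",
                "Action": sorted(REPO_READ_ACTIONS),
                "Resource": [repository_arn(account_id, region, r) for r in repositories],
            },
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_scanner_policy(policy):
    """Return findings for Allow statements broader than image scanning needs.
    An empty list means the policy is clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f'{sid}: wildcard action {action!r}; list the read actions explicitly')
            elif action in REPO_READ_ACTIONS and "*" in resources:
                findings.append(f'{sid}: {action} on Resource "*" allows pulling from every repository '
                                'in the account; scope it to repository ARNs')
            elif action.startswith("ecr:") and action not in REGISTRY_ACTIONS | REPO_READ_ACTIONS:
                findings.append(f'{sid}: {action} is a write or admin action that scanning does not need')
    return findings


# Constructed sample: the common "everything on Resource *" shape.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(REGISTRY_ACTIONS | REPO_READ_ACTIONS),
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for finding in lint_scanner_policy(BROAD_POLICY):
        print("finding:", finding)
    scoped = least_privilege_policy("123456789012", "us-east-1", ["my-app", "api-server"])
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", lint_scanner_policy(scoped))
```

Running the linter on the broad shape yields one finding per repository action; the scoped policy from least_privilege_policy yields none.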

Configuration Steps

  1. Create IAM User/Role: Create an IAM user or role with the read-only ECR permissions above
  2. Generate Access Keys: Create AWS access keys for the IAM user (only if you are not using a role)
  3. Configure CybeDefend: Add the ECR connection with the AWS credentials and the region of the registry
  4. Verify Access: Test the connection and confirm the expected repositories are listed

Registry URL Formats

A private registry exists per account and per region, so its hostname embeds both; ECR Public uses a single global hostname with a registry alias instead:
# Private ECR
<account-id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>

# Examples
123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
123456789012.dkr.ecr.eu-west-1.amazonaws.com/api-server:v1.0

# Public ECR
public.ecr.aws/<alias>/<repository>:<tag>

# Example
public.ecr.aws/lambda/python:3.9
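As an added example (not CybeDefend's or AWS's code), this Python parses both reference formats into their parts, handling tags, digests and namespaced repository names, and flags when a private image belongs to an account other than the scanner's, which is when a repository policy in the owning account is required. The account IDs are placeholders; the FIPS and China-partition hostname variants are accepted on the same pattern.

```python
# Added example (not CybeDefend's or AWS's code): parse ECR image references
# into their parts and tell same-account from cross-account images.
import re
from dataclasses import dataclass
from typing import Optional

# Private registry hosts: <account>.dkr.ecr[-fips].<region>.amazonaws.com[.cn]
PRIVATE_HOST = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr(?:-fips)?\.(?P<region>[a-z0-9-]+)\.amazonaws\.com(?:\.cn)?$"
)
PUBLIC_HOST = "public.ecr.aws"
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class EcrReference:
    registry: str                 # "private" or "public"
    host: str
    account_id: Optional[str]     # owning account for private registries
    alias: Optional[str]          # registry alias for ECR Public
    region: Optional[str]         # private registries are regional; public is global
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_ecr_reference(ref):
    """Split host/repository/tag/digest the way a container runtime does,
    then classify the host. Raises ValueError for non-ECR or malformed refs."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST.match(digest):
            raise ValueError(f"malformed digest {digest!r}")
    host, _, path = ref.partition("/")
    if not path:
        raise ValueError("reference has no repository path")
    tag = None
    if ":" in path:                         # repository names cannot contain ':'
        path, tag = path.rsplit(":", 1)
    if tag is None and digest is None:
        tag = "latest"                      # runtime default when nothing is pinned
    m = PRIVATE_HOST.match(host)
    if m:
        return EcrReference("private", host, m["account"], None, m["region"], path, tag, digest)
    if host == PUBLIC_HOST:
        alias, _, repository = path.partition("/")
        if not repository:
            raise ValueError("ECR Public references need <alias>/<repository>")
        return EcrReference("public", host, None, alias, None, repository, tag, digest)
    raise ValueError(f"{host!r} is not an Amazon ECR host")


def is_ecr_reference(ref):
    try:
        parse_ecr_reference(ref)
        return True
    except ValueError:
        return False


def is_cross_account(ref, scanner_account_id):
    """True when the image sits in a private registry owned by another account,
    which is exactly when a repository policy in that account is needed."""
    parsed = parse_ecr_reference(ref)
    return parsed.registry == "private" and parsed.account_id != scanner_account_id


if __name__ == "__main__":
    for ref in [
        "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest",
        "123456789012.dkr.ecr.eu-west-1.amazonaws.com/team/api-server@sha256:" + "0" * 64,
        "public.ecr.aws/lambda/python:3.9",
    ]:
        print(parse_ecr_reference(ref))
```

A reference with neither tag nor digest resolves to the mutable latest tag, which is worth surfacing: scan results attach to a digest, so a deployment pinned by tag can drift away from the image that was scanned.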

Authentication Methods

  • AWS Access Keys: long-term credentials (an AKIA... key ID plus secret) for an IAM user; simplest to configure, but they never expire on their own and must be rotated
  • IAM Roles: temporary credentials from an instance profile, an ECS task role, or an assumed role; preferred wherever the deployment allows it because they expire automatically

To confirm that a set of credentials can reach the registry, configure the AWS CLI with them and log in. The password printed by get-login-password is an authorization token obtained through ecr:GetAuthorizationToken; it expires after 12 hours, which is why it is piped straight into docker login rather than stored:
# Configure AWS credentials
aws configure
AWS Access Key ID: AKIA...
AWS Secret Access Key: ...
Default region name: us-east-1

# Get ECR login token
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
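As an added example (not CybeDefend's, AWS's or the AWS CLI's code), this Python shows what get-login-password does with the ecr:GetAuthorizationToken response: the authorizationToken field is base64 of "AWS:<password>", proxyEndpoint is the registry URL, and expiresAt is 12 hours after issue. The sample response is constructed here with a fake password; the helper decodes it into the triple that docker login expects and reports how much token lifetime is left, which is what a scanner that caches logins needs to check.

```python
# Added example (not CybeDefend's or AWS's code): decode the
# ecr:GetAuthorizationToken response into docker login credentials.
import base64
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=12)   # ECR authorization tokens expire after 12 hours


def _to_datetime(value):
    """Accept the CLI's ISO-8601 string or the datetime that boto3 returns."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value)


def decode_authorization_data(entry, now=None):
    """Turn one authorizationData element into the username, password and
    registry host that `docker login --password-stdin` expects, and report
    how much of the token's lifetime is left at `now` (default: current time)."""
    raw = base64.b64decode(entry["authorizationToken"]).decode()
    username, sep, password = raw.partition(":")
    if sep != ":" or username != "AWS":
        raise ValueError("unexpected authorizationToken format; expected base64('AWS:<password>')")
    registry = entry["proxyEndpoint"].removeprefix("https://")
    expires_at = _to_datetime(entry["expiresAt"])
    now = _to_datetime(now) if now is not None else datetime.now(timezone.utc)
    remaining = (expires_at - now).total_seconds()
    return {
        "username": username,
        "password": password,
        "registry": registry,
        "remaining_seconds": remaining,
        "valid": remaining > 0,
    }


def docker_login_argv(creds):
    """Argument vector for docker login; the password goes on stdin, never argv,
    so it does not show up in process listings or shell history."""
    return ["docker", "login", "--username", creds["username"], "--password-stdin", creds["registry"]]


# Constructed sample with the shape of one authorizationData element; the
# password is fake and the timestamps are fixed so the example is reproducible.
_ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRY = {
    "authorizationToken": base64.b64encode(b"AWS:example-token-not-real").decode(),
    "expiresAt": (_ISSUED + TOKEN_LIFETIME).isoformat(),
    "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
}

if __name__ == "__main__":
    creds = decode_authorization_data(SAMPLE_ENTRY, now=_ISSUED + timedelta(hours=1))
    print(" ".join(docker_login_argv(creds)), "<<<", "(password on stdin)")
    print("valid:", creds["valid"], "remaining seconds:", creds["remaining_seconds"])
```

Treat the decoded password like the access keys that produced it: it grants whatever the IAM identity can do in that registry for the rest of its 12 hours, so re-fetch rather than persist it.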

Cross-Account Access

Cross-account pulls are authorized on both sides: the account that owns the registry attaches a repository policy naming the scanner principal, and the scanner's own account must still allow the same actions in its identity-based policy (the one above). Attach the following policy to each repository the scanner should read, replacing SCANNER-ACCOUNT with the scanner's account ID; the registry URL always carries the owning account's ID, not the scanner's:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SCANNER-ACCOUNT:user/scanner-user"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}
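As an added example (not CybeDefend's or AWS's code), this Python checks the repository-policy half of a cross-account setup before anyone waits for a failed scan: it resolves which principals a statement covers using IAM's matching rules (an exact ARN, the account root ARN, or a bare account ID all delegate to the scanner), reports any of the three pull actions the scanner is not granted, and flags a Principal "*" with no Condition. Account IDs and the scanner user name are placeholders.

```python
# Added example (not CybeDefend's or AWS's code): verify that a repository
# policy in the registry-owning account grants the scanner the pull actions.
import re

PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"}


def account_of(principal_arn):
    """Account ID embedded in an IAM user/role ARN or an STS assumed-role ARN."""
    m = re.fullmatch(r"arn:aws:(?:iam|sts)::(\d{12}):.+", principal_arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {principal_arn!r}")
    return m.group(1)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Principal may be the string "*" or {"AWS": <arn | [arns]>}."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def principal_matches(entry, scanner_arn):
    """A policy principal covers the scanner when it names the same ARN or
    delegates to the scanner's whole account (root ARN or bare account ID)."""
    account = account_of(scanner_arn)
    return entry in ("*", scanner_arn, f"arn:aws:iam::{account}:root", account)


def cross_account_repository_policy(scanner_arn):
    """Repository policy granting pull-only access to one principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": scanner_arn},
            "Action": sorted(PULL_ACTIONS),
        }],
    }


def check_cross_account(repository_policy, registry_account, scanner_arn):
    """Findings for a scanner identified by `scanner_arn` pulling from a registry
    owned by `registry_account`; an empty list means the repository-policy side
    is fine. The scanner's own account must still allow the actions in its
    identity-based policy; that half is not visible from here."""
    findings = []
    if account_of(scanner_arn) == registry_account:
        findings.append("scanner principal is in the registry account; a repository policy is unnecessary")
    granted = set()
    for stmt in repository_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _aws_principals(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append(f'{sid}: Principal "*" without a Condition lets any AWS account pull this repository')
        if any(principal_matches(p, scanner_arn) for p in principals):
            granted.update(_as_list(stmt.get("Action")))
    missing = PULL_ACTIONS - granted
    if missing:
        findings.append("scanner is not granted: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    scanner = "arn:aws:iam::210987654321:user/scanner-user"
    policy = cross_account_repository_policy(scanner)
    print("registry 123456789012:", check_cross_account(policy, "123456789012", scanner))
    print("registry 210987654321:", check_cross_account(policy, "210987654321", scanner))
```

Granting to the scanner account's root ARN is the usual choice when the scanner runs under an assumed role whose session ARN changes; it delegates the decision about which identities may pull to that account's own IAM policies.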

Integration with AWS Services

The image reference CybeDefend scans is the same one ECS and EKS pull, so the two stay in step. Prefer deploying by digest rather than a mutable tag such as latest, so that the image that runs is the image whose scan results you are looking at.

Amazon ECS Integration: the task execution role (not the task role) performs the pull and needs the ECR read actions; AWS's managed AmazonECSTaskExecutionRolePolicy includes them:
{
  "family": "my-app",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "app",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest",
      "memory": 512,
      "essential": true
    }
  ]
}
Amazon EKS Integration: worker nodes pull with their node IAM role (AmazonEC2ContainerRegistryReadOnly), so same-account ECR images need no imagePullSecrets:
# Kubernetes deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: app
        image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest

ECR Public Registry

Public repositories can be pulled without credentials. Unauthenticated pulls are subject to a lower per-IP rate limit than authenticated ones, so for CI or frequent scans it is worth logging in with an ECR Public token (the ecr-public get-login-password CLI command) even though the images are public:
# Pull from ECR Public
docker pull public.ecr.aws/amazonlinux/amazonlinux:latest
docker pull public.ecr.aws/lambda/python:3.9

Repository Management

  • Lifecycle Policies: configure lifecycle policies to expire untagged or superseded images and keep repository size and cost down
  • Image Scanning: enable ECR's built-in scanning (basic scan-on-push, or enhanced scanning through Amazon Inspector) alongside CybeDefend
  • Repository Policies: set repository-level permissions; this is also where cross-account pull access is granted
  • Encryption: ECR encrypts images at rest with AES-256 by default; use a customer-managed KMS key when you need control over the key policy

Common Issues & Solutions

Authentication Errors:
  • Verify the AWS credentials are valid and not expired (the ECR login token itself expires after 12 hours)
  • Check that the IAM identity has the ECR read permissions listed above
  • Ensure the region matches the registry; a private registry is regional and its hostname embeds the region
Repository Not Found:
  • Confirm the repository name (including any namespace prefix) and region are correct
  • Check that the repository exists in the account whose ID appears in the registry hostname
  • Verify the repository policy in the owning account if the scanner runs in another account
Image Pull Errors:
  • Ensure the image tag or digest exists
  • Check network connectivity to the ECR API endpoint and to S3, which serves the image layers
  • Verify VPC endpoint configuration (ecr.api, ecr.dkr and an S3 gateway endpoint) if the scanner runs in private subnets
Rate Limiting:
  • ECR has service quotas for API calls and image pulls
  • Implement exponential backoff for retries
  • Consider using ECR Public for frequently accessed base images

Store AWS credentials securely and follow AWS security best practices. Use IAM roles when possible instead of long-term access keys.

Related: Container Image Scanning · Docker Hub · GitLab Registry