Amazon ECR

Amazon ECR (Elastic Container Registry) is the managed container registry from AWS. It stores, versions and scans Docker images that CI/CD pipelines push into it and that ECS or EKS pull from it.

What is Amazon ECR?

Amazon ECR (Elastic Container Registry) is AWS’s managed storage service for container images. A container registry is the central repository where Docker images are stored, versioned and retrieved – similar to Docker Hub, but private and deeply integrated with AWS.

In a modern container architecture, the registry is a central hub: the CI/CD pipeline builds an image from the source code and stores it in ECR. Orchestration services such as ECS or EKS retrieve the image from there to run the application. Without a reliable, secure registry, this workflow does not work.

Features of Amazon ECR

  • Private repositories: Images are stored privately and made accessible only to authorised users and services.
  • Image scanning: ECR automatically scans images for known vulnerabilities (CVEs) in operating system packages and dependencies.
  • Lifecycle rules: Old or unused images are automatically removed to limit storage costs.
  • Encryption: Images are encrypted at rest, optionally using your own keys via AWS KMS.
  • Replication: Images can be automatically replicated across multiple regions.

ECR and security

Access to ECR is controlled via AWS IAM. Instead of long-lived passwords, services and pipelines are granted temporary, automatically rotating credentials. The integrated image scanning is a key component of a DevSecOps strategy: vulnerabilities are detected before an image goes into production. This prevents an image with a critical security flaw from being rolled out.

Integration into CI/CD pipelines

ECR is a natural part of automated deployment workflows. A typical pipeline builds a new image with every commit, assigns it a unique tag, uploads it to ECR, and then triggers a deployment to ECS or EKS. Thanks to unique tags – for example, based on the commit hash – it is always possible to trace which code version is running in production.
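As an added example (not code from the original page), the following POSIX shell script sketches the pipeline step described above and the access-control point made under "ECR and security": it derives a unique tag from the commit hash, logs in with a temporary ECR token instead of a stored password, pushes the image, waits for the scan-on-push result and refuses to hand the image on to deployment if CRITICAL or HIGH findings are reported. The account id, region and repository name are hypothetical placeholders, and the AWS and Docker calls only run when `ECR_RUN=1` is set, so the tag and gate helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original page: CI step that tags an image with
# the commit hash, logs in with a temporary ECR token, pushes, and blocks
# deployment when the push-time scan reports CRITICAL or HIGH findings.
# Hypothetical values: account 123456789012, region eu-central-1, repository
# "shop-api". Real AWS/Docker calls run only when ECR_RUN=1 is set.
set -eu

AWS_REGION="${AWS_REGION:-eu-central-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
REPO="${REPO:-shop-api}"
REGISTRY="$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"

# Unique, traceable tag from the commit hash (first 12 hex characters).
ecr_image_tag() {
    printf 'sha-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# ECR tag rules: letters, digits, '_', '.', '-', at most 300 characters.
valid_ecr_tag() {
    [ "${#1}" -le 300 ] && printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# Extract one severity count from the findingSeverityCounts JSON object
# returned by describe-image-scan-findings; a missing key counts as 0.
severity_count() {
    n=$(printf '%s' "$1" | sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p")
    printf '%s\n' "${n:-0}"
}

# Gate: succeed only when there are no CRITICAL and no HIGH findings.
scan_gate() {
    crit=$(severity_count "$1" CRITICAL)
    high=$(severity_count "$1" HIGH)
    echo "scan result: CRITICAL=$crit HIGH=$high" >&2
    [ "$crit" -eq 0 ] && [ "$high" -eq 0 ]
}

# Full pipeline step. Arg: full commit hash. Prints the image reference that
# is safe to deploy, or fails.
pipeline() {
    tag=$(ecr_image_tag "$1")
    valid_ecr_tag "$tag" || { echo "invalid tag: $tag" >&2; return 1; }
    image="$REGISTRY/$REPO:$tag"

    # Temporary registry credential (12-hour token) derived from IAM,
    # piped to docker so no password is written to disk or logs.
    aws ecr get-login-password --region "$AWS_REGION" |
        docker login --username AWS --password-stdin "$REGISTRY"

    docker build -t "$image" .
    docker push "$image"

    # scan-on-push runs server side; wait for it, then read the counts.
    aws ecr wait image-scan-complete --region "$AWS_REGION" \
        --repository-name "$REPO" --image-id "imageTag=$tag"
    findings=$(aws ecr describe-image-scan-findings --region "$AWS_REGION" \
        --repository-name "$REPO" --image-id "imageTag=$tag" \
        --query 'imageScanFindings.findingSeverityCounts' --output json)
    scan_gate "$findings" || { echo "deployment blocked: $image" >&2; return 1; }
    echo "$image"
}

if [ "${ECR_RUN:-0}" = "1" ]; then
    pipeline "${GIT_COMMIT:-$(git rev-parse HEAD)}"
fi
```

The `sha-<commit>` tag is what makes the production image traceable back to source; creating the repository with `--image-tag-mutability IMMUTABLE` (a real `aws ecr create-repository` option) additionally prevents an existing tag from being silently re-pointed at a different image.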

ECR for SMEs

As soon as a business starts using containers in production, a private registry becomes essential. ECR is the obvious choice if the rest of the infrastructure is already running on AWS, as permissions, encryption and network connectivity work together seamlessly without any extra effort. Lifecycle rules should be active from the outset to ensure that unused images do not incur storage costs unnoticed.

Frequently asked questions about Amazon ECR

ECR charges around USD 0.10 per gigabyte of stored images per month as well as data transfer costs. For most medium-sized projects, ECR costs remain in the single-digit or low double-digit range per month, provided that lifecycle rules regularly remove old images.

Docker Hub is a public, vendor-independent registry. ECR is a private registry integrated into AWS with IAM-based access control, automatic vulnerability scanning and encryption. For productive AWS workloads, ECR is usually the more secure and better integrated choice.

Yes, ECR can automatically check images for known vulnerabilities (CVEs) during upload. Vulnerable dependencies are thus recognised before the image is rolled out in production – a central component of a DevSecOps strategy.

Activate lifecycle rules that automatically delete old, untagged images or images that exceed a certain number. Without such rules, new images accumulate with every build and the storage costs increase unnoticed.
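The lifecycle rules recommended here, under "Features", "ECR for SMEs" and in this answer, translate into a small policy document. As an added example (not from the original page), the POSIX shell script below builds a policy that expires untagged images after a number of days and keeps only the newest N images with a given tag prefix, checks that the counts are positive before applying it, and pushes it to the repository with `aws ecr put-lifecycle-policy`. The repository name `shop-api` and the prefix `sha-` are hypothetical; the AWS call only runs when `ECR_RUN=1` is set.

```shell
#!/bin/sh
# Added example, not from the original page: generate and apply an ECR
# lifecycle policy. Rule 1 expires untagged build leftovers older than N
# days; rule 2 keeps only the newest M images whose tag starts with a prefix.
# Hypothetical repository "shop-api"; the aws call runs only when ECR_RUN=1.
set -eu

# Print a lifecycle policy document. Args: untagged_days keep_count tag_prefix
lifecycle_policy() {
    untagged_days=$1
    keep_count=$2
    tag_prefix=$3
    cat <<EOF
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire untagged images older than $untagged_days days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": $untagged_days
      },
      "action": { "type": "expire" }
    },
    {
      "rulePriority": 2,
      "description": "Keep only the newest $keep_count images tagged $tag_prefix*",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": ["$tag_prefix"],
        "countType": "imageCountMoreThan",
        "countNumber": $keep_count
      },
      "action": { "type": "expire" }
    }
  ]
}
EOF
}

# Only positive integers are accepted: a mistyped "keep 0 images" would
# otherwise expire every tagged image in the repository.
positive_int() {
    printf '%s' "$1" | grep -Eq '^[1-9][0-9]*$'
}

# Validate the parameters, then apply the policy. Args: repo days keep prefix
apply_lifecycle_policy() {
    repo=$1; days=$2; keep=$3; prefix=$4
    positive_int "$days" && positive_int "$keep" || {
        echo "refusing to apply policy: counts must be positive integers" >&2
        return 1
    }
    policy=$(lifecycle_policy "$days" "$keep" "$prefix")
    aws ecr put-lifecycle-policy --repository-name "$repo" \
        --lifecycle-policy-text "$policy"
}

if [ "${ECR_RUN:-0}" = "1" ]; then
    apply_lifecycle_policy "${REPO:-shop-api}" 7 30 sha-
fi
```

Rule priorities are evaluated in ascending order, so untagged leftovers are cleared first and the tagged-image cap is applied to what remains; keeping the cap comfortably above the number of versions you might need to roll back to is the usual trade-off between storage cost and recoverability.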

Interested?

Let's talk about your project. We're happy to advise you with no obligation.

Contact us

Last updated: May 2026