Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.1. Amazon Elastic Container Registry (ECR)

First Principle: Amazon Elastic Container Registry (ECR) provides a fully managed, secure, and scalable registry for Docker container images, simplifying the storage, management, and deployment of containerized applications.

ECR is your private Docker Hub on AWS — it stores container images that ECS and Fargate pull during deployment, secured by IAM policies instead of Docker Hub credentials.

Two features matter most for the exam. Lifecycle policies automatically delete old images based on rules you define (keep only the 10 most recent tagged images, expire untagged images after 7 days). Without these, repositories accumulate hundreds of unused images and storage costs grow unbounded. Image scanning checks pushed images against CVE databases — configure scan-on-push to catch vulnerabilities before deployment reaches production.
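The two lifecycle rules named above, written as an ECR lifecycle policy document together with a small local model of which images they would expire. This is an added example, not MindMesh Academy's or AWS's code; the `release` tag prefix, the `expired` and `sample_images` helpers and the image list are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Lifecycle policy in ECR's JSON format, encoding the two rules from the text.
# Assumption: the "release" tag prefix (a tag filter is needed for tagStatus "tagged").
POLICY = {"rules": [
    {"rulePriority": 1, "description": "Expire untagged images after 7 days",
     "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 7},
     "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "Keep only the 10 most recent release images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["release"],
                   "countType": "imageCountMoreThan", "countNumber": 10},
     "action": {"type": "expire"}},
]}

def expired(images, policy, now):
    """Local model of the two count types used above (not ECR's own evaluator).
    images: dicts with 'digest', 'tags' (list) and 'pushed' (aware datetime)."""
    gone = set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        if sel["tagStatus"] == "untagged":
            pool = [i for i in images if not i["tags"]]
        else:  # every listed prefix must match at least one of the image's tags
            pool = [i for i in images
                    if all(any(t.startswith(p) for t in i["tags"])
                           for p in sel["tagPrefixList"])]
        pool = [i for i in pool if i["digest"] not in gone]
        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            hits = [i for i in pool if i["pushed"] < cutoff]
        else:  # imageCountMoreThan: keep the newest N, expire the rest
            newest_first = sorted(pool, key=lambda i: i["pushed"], reverse=True)
            hits = newest_first[sel["countNumber"]:]
        gone.update(i["digest"] for i in hits)
    return gone

def sample_images(now):
    """Constructed repository contents: 12 release images and 3 untagged ones."""
    imgs = [{"digest": f"rel-{n}", "tags": [f"release-{n}"],
             "pushed": now - timedelta(days=n)} for n in range(12)]
    imgs += [{"digest": f"untagged-{d}d", "tags": [],
              "pushed": now - timedelta(days=d)} for d in (1, 6, 30)]
    return imgs

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(json.dumps(POLICY, indent=2))  # JSON body for the repository's lifecycle policy
    print(sorted(expired(sample_images(now), POLICY, now)))
```

On the constructed data, the two oldest release images and the 30-day-old untagged image expire, while recent untagged images and the 10 newest release images stay.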

ECR integrates directly with CodeBuild (pull base images, push build outputs) and CodePipeline (trigger deploys when new images appear). For multi-region architectures, cross-region replication keeps images available where your containers run.

Scenario: You've built a microservice application and packaged it as a Docker container image. You need a secure and scalable place to store this image, and also want to scan it for vulnerabilities before deployment.

āš ļø Exam Trap: ECR images have lifecycle policies to automatically clean up old images. Without them, storage costs grow unbounded. If a question mentions container storage costs, lifecycle policies are likely the answer.

Written by Alvin Varughese • Founder • 15 professional certifications