• Home
  • About
    • Harshad Ranganathan photo

      Harshad Ranganathan

      Multi-Cloud ☁ | Kubernetes Certified

    • Learn More
    • Email
    • LinkedIn
    • Github
    • StackOverflow
  • Posts
    • All Posts
    • All Tags
  • Projects

ECR Best Practices

05 Jan 2022

Reading time ~4 minutes

Table Of Contents

  • Namespaces
    • Guidance
  • Image Scanning
    • Guidance
  • Lifecycle Policies
    • Guidance
  • Image Tagging
    • Guidance
  • Tag Immutability
    • Guidance
  • CI/CD
    • Option 1
    • Option 2
    • Option 3

Namespaces

Namespaces are a way to group similar repositories together.

It also helps to scope IAM policies in a way that you can restrict pods running in a certain cluster/namespace to be able to pull images only from specific namespaced repositories.

Guidance

Group repositories by using Team/Project names as namespace -

e.g. team-blue/<repository_name>

monitoring/<repository_name>

Image Scanning

Amazon ECR Image Scanning helps in identifying software vulnerabilities in your container images.

It is free of cost.

You can scan on-demand or on image push.

Guidance

Enable scanning as we can leverage below capabilities:

[1] Get event notifications on critical vulnerabilities in images

[2] Set up periodic scans

[3] Reject images having critical vulnerabilities from being pulled in EKS

Note: If you are already performing any image scans as part of your CI/CD e.g. twistlock, contrast etc. discuss with your team to see what suits best - maybe both

Like the content ? 

Lifecycle Policies

Allows the automation of cleaning up unused images, for example, expiring images based on age or count.

You can have multiple lifecycle policy rules with priority.

Guidance

Agree with teams on what suits best.

ECR lifecycle policy rules has some limitations

e.g.

  • Only one rule is allowed to select untagged images.

  • tagPrefixList is mandatory for tagged images.

  • tagPrefixList uses AND logic and not OR

Sample policy you could go with -

Untagged images -> delete after 7 days

Tagged images -> Up to 10 recent images to be maintained

{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Untagged images policy",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 7
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 2,
      "description": "Any image policy",
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 10
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}

Lifecycle policy works as follows - if any image fits rule 1 then rule 2 will be ignored. So, if any team frequently pushes untagged images only rule 1 applies and this won’t remove any tagged images to maintain the count as per rule 2.

Also, teams may follow different tagging conventions e.g. SemVer, commit hash etc. so we can’t configure the lifecycle policy with pre-determined values. Hence, we use the any policy.

Image Tagging

There are different tagging approaches

  • Git Commit Hash
  • Semantic Version
  • Date Timestamp
  • Digest
  • Build id
  • Environment name e.g. alpha/stage/prod
  • Stable tags e.g. latest
  • Untagged images

Guidance

There are pros/cons for each approach.

Follow elimination strategy and discuss with your team to see what suits best.

e.g. Using a build id won’t be helpful if you aren’t maintaining all the build details/logs

Like the content ? 

Tag Immutability

You can configure your repository to be immutable to prevent image tags from being overwritten.

This can thwart an attacker from overwriting an image with a malicious version without changing the image tags.

Additionally, it gives you a way to easily and uniquely identify an image.

Guidance

Tag immutability will mean that all your images have unique tags otherwise the image push will fail.

Some teams may feel this is an overhead when they do frequent deployments to test directly in the cluster while others might feel security is more important.

Discuss with your team and see what’s best.

CI/CD

Consider you have different AWS accounts for each of your stages e.g. alpha, stage, prod etc.

Do you use a centralized ECR or have images in each account?

Depending on your organization policies, using an ECR in a centralized account may not be possible.

Option 1

Have your images in one account and provide access for other accounts to pull the image

e.g. Allow your production account to be able to pull images from your non-prod account

Pros:

  • Reduced Cost

Cons:

  • ECR doesn’t have global policy settings - you will have to give cross account permission for each repository
Like the content ? 

Option 2

Cross account replication of ECR images

Pros:

  • Simple setup - no cross account access required

Cons:

  • Image duplication

  • Minor cost addition - $0.10 per GB-month

  • No control over the images being replicated i.e. all the images (untagged/tagged) will be replicated in your prod account

Option 3

Tag and push images using a promotion flow in your CI/CD for each account when needed

Pros:

  • Control over what images get pushed e.g. push only production certified images to production account

Cons:

  • Additional build time for promotion - in your CI/CD you will have to pull and push images from lower account ECR to higher account ECR
Like the content ? 


ecr lifecycle policyaws ecr security best practicesecr versioningecr repositoryecr Share Tweet +1