# Elastic Container Registry (ECR)

## Overview

[Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) is the AWS managed container image registry for hosting Docker images, Open Container Initiative (OCI) images and OCI-compatible artifacts. It comes in two flavours with separate APIs: private registries (one per account and region) and the public registry at `public.ecr.aws`.

***

## Registry Configuration

### URIs

{% code overflow="wrap" %}

```bash
public.ecr.aws/<registry_alias>/<repo_name>                   # public repo URI (alias is auto-generated unless a custom one is set)
<accountId>.dkr.ecr.<region>.amazonaws.com/<repo_name>         # private repo URI (the part before the first "/" is the registry host)
```

{% endcode %}

### Permissions

Access is controlled by IAM identity policies, by an ECR repository (resource-based) policy, or by both.

{% hint style="danger" %}
Look for repository policies that expose private repositories: an `Allow` statement with `"Principal": "*"` (or `{"AWS": "*"}`) and no `Condition` lets any authenticated principal from any AWS account perform the listed actions. ECR does not serve private repositories anonymously, and a caller in another account still needs matching `ecr:` permissions in its own identity policy, but that is a bar anyone with any AWS account clears. In the example below the statement grants `ecr:PutImage`, so outsiders can write image manifests into the repository even though no pull actions (`ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`) are listed.
{% endhint %}

{% code overflow="wrap" %}

```bash
aws --region us-east-1 ecr get-repository-policy --repository-name tyler/my-private-registry --query policyText --output text | jq
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:PutImage",
        "ecr:DescribeImages",
        "ecr:ListImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken"
      ]
    }
  ]
}
```

{% endcode %}
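Reviewing one `get-repository-policy` output by eye is fine; across a fleet you want the check scripted. The following is an added example and not code from the original page: it takes a repository policy document (the exposed policy shown above is embedded as a constructed sample, alongside an assumed correctly scoped version) and reports every `Allow` statement usable by any AWS principal, classifying whether the granted actions allow writing to or pulling from the repository. The action buckets are my own triage grouping, not an AWS-defined list.

```python
"""Triage ECR repository policies for statements open to any AWS principal.

Added example; not code from the original page. The action groupings are
assumed triage buckets and both policy documents are samples (the first is
the exposed policy shown on this page).
"""
import json
import sys

# Assumed triage buckets: actions that change a repository's contents or
# policy, and the two actions needed to pull layers.
WRITE_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage",
    "ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy",
}
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}


def _as_list(value):
    """IAM allows Statement, Action and Principal.AWS to be a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True for "*" or {"AWS": "*"}, including "*" inside a list of principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(granted, wanted):
    """Plain names plus the wildcard forms "*", "ecr:*" and e.g. "ecr:Put*"."""
    if granted in ("*", "ecr:*"):
        return True
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted


def find_public_statements(policy):
    """Return one finding per Allow statement that any AWS principal can use.

    Statements carrying a Condition are skipped: they are not world-open on
    their own and the condition keys need a manual look (aws:PrincipalOrgID,
    aws:SourceAccount and the like).
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "write": any(_action_matches(g, w) for g in actions for w in WRITE_ACTIONS),
            "pull": any(_action_matches(g, w) for g in actions for w in PULL_ACTIONS),
            "actions": sorted(actions),
        })
    return findings


# Sample 1: the exposed policy shown on this page (constructed copy).
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "allow",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:PutImage", "ecr:DescribeImages", "ecr:ListImages",
                   "ecr:DescribeRepositories", "ecr:GetAuthorizationToken"],
    }],
}

# Sample 2: the same grant scoped to one role in a named account (assumed ARN).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "deploy-role-only",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/deploy"},
        "Action": ["ecr:PutImage", "ecr:DescribeImages", "ecr:ListImages"],
    }],
}

if __name__ == "__main__":
    # Pipe in a real document:
    #   aws ecr get-repository-policy --repository-name <repo> \
    #       --query policyText --output text | python3 ecr_policy_check.py
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else EXPOSED_POLICY
    for finding in find_public_statements(policy):
        kind = "WRITE" if finding["write"] else ("PULL" if finding["pull"] else "metadata only")
        print(f"{finding['sid']}: open to any AWS principal [{kind}]: {', '.join(finding['actions'])}")
```

Run against the page's policy it reports `allow: open to any AWS principal [WRITE]`, which is the finding that matters: the repository can be written to from outside the account, while the absence of pull actions only limits what outsiders can read. To sweep a region, loop over `aws ecr describe-repositories --query 'repositories[].repositoryName' --output text` and pipe each `get-repository-policy` result through the script (repositories without a policy return an error you can ignore).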

### Replication

Private repositories support both [cross-region and cross-account replication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html). Replication is configured at the registry level (`aws ecr describe-registry` shows the rules), and a cross-account destination has to grant the source account `ecr:ReplicateImage` in its own registry policy. A rule pointing at an account you do not recognise silently copies every pushed image out of the account, so review the destinations along with the repository policies.

***

## Useful CLI Commands

{% code overflow="wrap" %}

```bash
aws ecr-public  # public repos
aws ecr         # private repos
```

{% endcode %}

### Login to Registry

Requires `ecr:GetAuthorizationToken`. The returned token is valid for 12 hours and only authenticates you to the registry; pulling also needs `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` on the repository. For the public registry the equivalent is `aws ecr-public get-login-password --region us-east-1` with `docker login` against `public.ecr.aws`.

#### Latest Method

{% code overflow="wrap" %}

```bash
REGION=us-east-1
# docker login takes the registry host, not a repository path; build it from the account ID
REGISTRY="$(aws sts get-caller-identity --query Account --output text).dkr.ecr.${REGION}.amazonaws.com"
aws ecr get-login-password --region "$REGION" | docker login --username AWS --password-stdin "$REGISTRY"
```

{% endcode %}

#### Legacy Method

{% code overflow="wrap" %}

```bash
# one API call; the token decodes to "AWS:<password>" and is valid for 12 hours
AUTH=$(aws --region us-east-1 ecr get-authorization-token --query 'authorizationData[0]' --output json)
REGISTRY=$(echo "$AUTH" | jq -r '.proxyEndpoint')
PASSWORD=$(echo "$AUTH" | jq -r '.authorizationToken' | base64 --decode | cut -d: -f2)
echo "$PASSWORD" | docker login --username AWS --password-stdin "$REGISTRY"

Login Succeeded
```

{% endcode %}
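The legacy flow above is worth understanding in detail because the authorization token is the whole credential: whoever holds it can talk to the registry for up to 12 hours without any AWS keys. The following is an added example, not code from the original page. It takes the `authorizationData[0]` object that `aws ecr get-authorization-token` returns (the sample below is constructed and its password is made up), decodes the base64 `AWS:<password>` token, strips the scheme from `proxyEndpoint` so the host can be handed to `docker login`, and reports how long the token remains valid.

```python
"""Turn an ECR authorization token into docker-login parameters.

Added example, not from the page. The input shape matches authorizationData[0]
from `aws ecr get-authorization-token`; the sample is constructed and the
password inside it is made up.
"""
import base64
from datetime import datetime, timedelta, timezone

SAMPLE_AUTH = {
    # base64 of "AWS:<password>"; this string alone logs you in to the registry
    "authorizationToken": base64.b64encode(b"AWS:made-up-password-value").decode(),
    # the CLI prints timestamps as ISO 8601 with an offset; the raw API uses epoch seconds
    "expiresAt": "2025-08-02T23:55:14.300000-06:00",
    "proxyEndpoint": "https://111111111111.dkr.ecr.us-east-1.amazonaws.com",
}


def _parse_expiry(value):
    """Accept both the CLI's ISO 8601 string and the API's epoch-seconds number."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value)


def decode_authorization_token(auth, now=None):
    """Return registry host, username, password and the token's remaining lifetime."""
    raw = base64.b64decode(auth["authorizationToken"]).decode()
    username, sep, password = raw.partition(":")
    if sep != ":" or username != "AWS" or not password:
        raise ValueError("token does not decode to AWS:<password>")
    # docker login wants a hostname, so drop the https:// scheme from proxyEndpoint
    registry = auth["proxyEndpoint"].split("://", 1)[-1]
    expires_at = _parse_expiry(auth["expiresAt"])
    now = now or datetime.now(timezone.utc)
    remaining = expires_at - now
    return {
        "registry": registry,
        "username": username,
        "password": password,
        "expires_at": expires_at,
        "seconds_left": int(remaining.total_seconds()),
        "valid": remaining > timedelta(0),
    }


def docker_login_argv(info):
    """argv for docker login; the password goes on stdin, never on the command line."""
    return ["docker", "login", "--username", info["username"],
            "--password-stdin", info["registry"]]


if __name__ == "__main__":
    import json
    import subprocess
    import sys
    # Feed the real thing:
    #   aws ecr get-authorization-token --query 'authorizationData[0]' --output json | python3 ecr_login.py
    auth = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_AUTH
    info = decode_authorization_token(auth)
    print(f"{info['registry']}: token valid for {info['seconds_left'] // 60} more minutes")
    if info["valid"] and auth is not SAMPLE_AUTH:
        subprocess.run(docker_login_argv(info), input=info["password"].encode(), check=True)
```

Passing the password over stdin rather than as `--password` keeps it out of shell history and `ps` output; the `expiresAt` check is what tells you whether a token recovered from a CI log or a build cache is still usable.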

### Describe Repositories

Requires `ecr:DescribeRepositories`. Two fields in the output are worth noting during a review: `imageTagMutability: MUTABLE` means an existing tag can be repointed at a different image by anyone with push rights, and `scanOnPush: false` means nothing pushed here is scanned for known vulnerabilities.

{% code overflow="wrap" %}

```bash
aws ecr describe-repositories

{
    "repositories": [
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:111111111111:repository/tyler/my-private-registry",
            "registryId": "111111111111",
            "repositoryName": "tyler/my-private-registry",
            "repositoryUri": "111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry",
            "createdAt": "2025-08-02T11:55:14.300000-06:00",
            "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {
                "scanOnPush": false
            },
            "encryptionConfiguration": {
                "encryptionType": "AES256"
            }
        }
    ]
}
```

{% endcode %}

### List Available Images

{% code overflow="wrap" %}

```bash
# describe-repositories returns every repository in the registry, so iterate rather than
# assigning the whole list to one variable; list-images needs ecr:ListImages on each repo
for REPO_NAME in $(aws ecr describe-repositories --query 'repositories[].repositoryName' --output text); do
  aws ecr list-images --repository-name "$REPO_NAME"
done
```

{% endcode %}

### Push Image to Repository

Tag the local image with the full repository URI, i.e. `111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry`, followed by the tag you want it stored under, e.g. `ubuntu-latest`, then push it.

A push needs `ecr:BatchCheckLayerAvailability`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload` and `ecr:PutImage` on the repository; when the repository's tags are `MUTABLE`, pushing to an existing tag silently replaces whatever image that tag pointed to.

{% code overflow="wrap" %}

```bash
docker tag ubuntu:latest 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest

docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest
```

{% endcode %}

***

## Offensive Security Tactics & Techniques

### Privilege Escalation

{% embed url="https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-privilege-escalation/elastic-container-registry-ecr" %}
