# Elastic Container Registry (ECR)

## Overview

[Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) is an AWS-managed container image registry service for hosting Docker images, Open Container Initiative (OCI) images and OCI-compatible artifacts.

***

## Registry Configuration

### URIs

{% code overflow="wrap" %}

```bash
public.ecr.aws/<random_value_set_by_admin>/<name>              # public repo URI
<accountId>.dkr.ecr.<region>.amazonaws.com/<repo_name>         # private repo URI
```

{% endcode %}

### Permissions

Access is configured with either an IAM policy or an ECR repository resource policy.

{% hint style="danger" %}
Look for misconfigured resource policies that expose private repositories!\
A `Principal` of `*` gives every AWS principal in the world the ability to interact with the private repository.
{% endhint %}

{% code overflow="wrap" %}

```bash
aws --region us-east-1 ecr get-repository-policy --repository-name tyler/my-private-registry --query policyText --output text | jq
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:PutImage",
        "ecr:DescribeImages",
        "ecr:ListImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken"
      ]
    }
  ]
}
```

{% endcode %}
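One way to hunt for this misconfiguration across an account, as an added example that is not part of the original page: the check runs over the policy JSON returned by `get-repository-policy` (the names `is_wildcard_principal`, `find_public_statements`, `WRITE_ACTIONS`, `audit_region` and `SAMPLE_POLICY` are hypothetical), and the live sweep assumes boto3 is installed with credentials holding `ecr:DescribeRepositories` and `ecr:GetRepositoryPolicy`.

```python
import json

# Actions that change contents or the policy itself; a wildcard grant of these is worse than read-only exposure.
WRITE_ACTIONS = {"*", "ecr:*", "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                 "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage", "ecr:DeleteRepository", "ecr:SetRepositoryPolicy"}

def is_wildcard_principal(principal) -> bool:
    """True for "*" or {"AWS": "*"} (also when "*" is one entry of a list)."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in ([aws] if isinstance(aws, str) else aws or [])

def find_public_statements(policy_text: str) -> list:
    """Allow statements open to any AWS principal, flagged for conditions and write access."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        findings.append({"sid": st.get("Sid", ""),
                         "unconditional": "Condition" not in st,  # nothing narrows the grant
                         "write_access": bool(WRITE_ACTIONS & set(actions)),
                         "actions": sorted(actions)})
    return findings

def audit_region(region: str) -> dict:
    """Live sweep of every private repository in a region (assumes boto3 and credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    ecr = boto3.client("ecr", region_name=region)
    exposed = {}
    for page in ecr.get_paginator("describe_repositories").paginate():
        for repo in page["repositories"]:
            try:
                text = ecr.get_repository_policy(repositoryName=repo["repositoryName"])["policyText"]
            except ClientError as err:  # no resource policy at all: access comes only from IAM
                if err.response["Error"]["Code"] == "RepositoryPolicyNotFoundException":
                    continue
                raise
            if findings := find_public_statements(text):
                exposed[repo["repositoryName"]] = findings
    return exposed

# Constructed sample: the misconfigured policy shown in this section.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "allow", "Effect": "Allow",
    "Principal": "*", "Action": ["ecr:PutImage", "ecr:DescribeImages", "ecr:ListImages",
                                 "ecr:DescribeRepositories", "ecr:GetAuthorizationToken"]}]})
```

`audit_region("us-east-1")` returns a mapping of repository name to findings; an empty dict means no repository policy in that region grants access to `*`.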

### Replication

Private repositories support both [cross-region and cross-account replication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html).

***

## Useful CLI Commands

{% code overflow="wrap" %}

```bash
aws ecr-public  # public repos
aws ecr         # private repos
```

{% endcode %}

### Login to Registry

Requires `ecr:GetAuthorizationToken`

#### Latest Method

{% code overflow="wrap" %}

```bash
# describe-repositories returns full repository URIs; docker login wants only the registry host (the part before the first '/')
REGISTRY=$(aws --region <region> ecr describe-repositories | jq -r '.repositories[0].repositoryUri' | cut -d/ -f1)
aws ecr get-login-password --region <region> | \
docker login --username AWS --password-stdin "$REGISTRY"
```

{% endcode %}

#### Legacy Method

{% code overflow="wrap" %}

```bash
# One call returns both the registry endpoint and the token, which is base64("AWS:<password>")
TOKEN=$(aws --region us-east-1 ecr get-authorization-token --query 'authorizationData[0]' --output json)
REGISTRY=$(echo "$TOKEN" | jq -r '.proxyEndpoint')
PASSWORD=$(echo "$TOKEN" | jq -r '.authorizationToken' | base64 --decode | cut -d: -f2)
echo "$PASSWORD" | docker login --username AWS --password-stdin "$REGISTRY"

Login Succeeded
```

{% endcode %}

### Describe Repositories

{% code overflow="wrap" %}

```bash
aws ecr describe-repositories

{
    "repositories": [
        {
            "repositoryArn": "arn:aws:ecr:us-east-1:111111111111:repository/tyler/my-private-registry",
            "registryId": "111111111111",
            "repositoryName": "tyler/my-private-registry",
            "repositoryUri": "111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry",
            "createdAt": "2025-08-02T11:55:14.300000-06:00",
            "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {
                "scanOnPush": false
            },
            "encryptionConfiguration": {
                "encryptionType": "AES256"
            }
        }
    ]
}
```

{% endcode %}

### List Available Images

{% code overflow="wrap" %}

```bash
# list-images is an `ecr` subcommand and takes a single repository name; this picks the first repository
REPO_NAME=$(aws ecr describe-repositories | jq -r '.repositories[0].repositoryName')
aws ecr list-images --repository-name "$REPO_NAME"
```

{% endcode %}

### Push Image to Repository

Tag the image with the registry/repository path, e.g. `111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry`,

followed by the tag you want to upload, e.g. `ubuntu-latest`.

{% code overflow="wrap" %}

```bash
docker tag ubuntu:latest 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest

docker push 111111111111.dkr.ecr.us-east-1.amazonaws.com/tyler/my-private-registry:ubuntu-latest
```

{% endcode %}

***

## Offensive Security Tactics & Techniques <a href="#offensive-security-tactics-and-techniques" id="offensive-security-tactics-and-techniques"></a>

### Privilege Escalation

{% embed url="https://www.techwithtyler.dev/cloud-security/aws/aws-offensive-security/aws-privilege-escalation/elastic-container-registry-ecr" %}
