[09] ECR Flashcards
What type of artifacts can be held in ECR repositories?
Docker images, OCI images, and OCI-compatible artifacts, e.g. Helm charts
What are used for multi-architecture images in ECR?
Manifest lists
What does ECR integrate with to sign container images?
AWS Signer
Where is the image signature stored when signing with AWS Signer?
In ECR along with the layers
What may ECR do when pulling an image?
Hint: this relates to ensuring the client receives the correct format.
Translate the image manifest to ensure it is a version supported by the client
When does translation not occur during image pulls?
If the pulled image is referenced by its digest
What do Windows images in ECR include that is restricted by license?
Artifacts which are restricted by license from being distributed
What happens by default with the restricted Windows artifacts?
They are not pushed to ECR
How are the restricted Windows artifacts pulled?
From Azure over the internet
How can you store the restricted Windows artifacts in ECR?
Use the ‘--allow-nondistributable-artifacts’ flag with the Docker CLI
What state will a task be in while ECS is performing additional steps?
PROVISIONING
What are the applicable actions for registry policies in ECR?
ecr:ReplicateImage, ecr:BatchImportUpstreamImage, ecr:CreateRepository
What are repository policies used for in ECR?
Repository policies control access to repositories.
What conditions determine if an IAM identity can perform an action in ECR?
Allowed by either a repository policy or IAM policy, and neither the repository policy nor IAM policy has an explicit deny.
What are repository policies required for in ECR?
Repository policies are required to enable cross-account access.
What is ECR pricing based on?
The amount of data stored and data transfer from image pushes and pulls.
How are repositories encrypted in ECR?
KMS encryption ensures the repository contents are encrypted at rest.
How are namespaces achieved in ECR repository names?
By convention, namespaces are achieved by adding ‘/’ in repository names to form a hierarchical key.
Why might the size of an image reported by ECR be smaller than the output of ‘docker images’?
Docker images are compressed before being pushed, so the size as reported by ECR may be smaller than the output of ‘docker images’.
What does pull through cache in ECR do?
Pull through cache syncs the contents of an upstream registry to an ECR private registry.
What upstreams are supported for pull through cache in ECR?
Docker Hub, Azure Container Registry, Google Artifact Registry, GitHub Container Registry, ECR Public, Kubernetes container image registry, and Quay.
What is the behavior of pull through cache in ECR?
On the first pull, ECR creates a repository and caches that image in your private registry. On subsequent pulls, ECR checks the upstream registry to see if there is a later version of the image. If not, it is pulled from the private registry. If ECR can’t update the image from the upstream, then the latest cached image is pulled. ECR attempts to update the image in the private registry at least every 24 hours.
How are multi-architecture images handled with pull through cache in ECR?
When multi-architecture images are pulled, all images referenced in the manifest list are cached. To only pull a specific architecture, reference a specific image digest.