[09] ECR Flashcards
What type of artifacts can be held in ECR repositories?
Docker images, OCI images, and OCI-compatible artifacts, e.g. Helm charts
What are used for multi-architecture images in ECR?
Manifest lists
What does ECR integrate with to sign container images?
AWS Signer
Where is the image signature stored when signing with AWS Signer?
In ECR along with the layers
What may ECR do when pulling an image?
Hint: this relates to ensuring the client receives the correct format.
Translate the image manifest to ensure it is a version supported by the client
When does translation not occur during image pulls?
If the pulled image is referenced by its digest
What do Windows images in ECR include that is restricted by license?
Artifacts which are restricted by license from being distributed
What happens by default with the restricted Windows artifacts?
They are not pushed to ECR
How are the restricted Windows artifacts pulled?
From Azure over the internet
How can you store the restricted Windows artifacts in ECR?
Use the ‘--allow-nondistributable-artifacts’ flag with the Docker CLI
What state will a task be in while ECS is performing additional steps?
PROVISIONING
What are the applicable actions for registry policies in ECR?
ecr:ReplicateImage, ecr:BatchImportUpstreamImage, ecr:CreateRepository
What are repository policies used for in ECR?
Repository policies control access to repositories.
What conditions determine if an IAM identity can perform an action in ECR?
The action must be allowed by either a repository policy or an IAM policy, and neither the repository policy nor the IAM policy may contain an explicit deny.
What are repository policies required for in ECR?
Repository policies are required to enable cross-account access.
What is ECR pricing based on?
The amount of data stored and data transfer from image pushes and pulls.
How are repositories encrypted in ECR?
KMS encryption ensures the repository contents are encrypted at rest.
How are namespaces achieved in ECR repository names?
By convention, namespaces are achieved by adding ‘/’ in repository names to form a hierarchical key.
Why might the size of an image reported by ECR be smaller than the output of ‘docker images’?
Docker images are compressed before being pushed, so the size as reported by ECR may be smaller than the output of ‘docker images’.
What does pull through cache in ECR do?
Pull through cache syncs the contents of an upstream registry to an ECR private registry.
What upstreams are supported for pull through cache in ECR?
Docker Hub, Azure Container Registry, Google Artifact Registry, GitHub Container Registry, ECR Public, Kubernetes container image registry, and Quay.
What is the behavior of pull through cache in ECR?
On the first pull, ECR creates a repository and caches that image in your private registry. On subsequent pulls, ECR checks the upstream registry to see if there is a later version of the image. If not, it is pulled from the private registry. If ECR can’t update the image from the upstream, then the latest cached image is pulled. ECR attempts to update the image in the private registry at least every 24 hours.
How are multi-architecture images handled with pull through cache in ECR?
When multi-architecture images are pulled, all images referenced in the manifest list are cached. To only pull a specific architecture, reference a specific image digest.
What are repository creation templates used for with pull through cache in ECR?
Repository creation templates define the settings applied to repositories created during cached pulls.
What service-linked role is used for pull through cache actions in ECR?
AWSServiceRoleForECRPullThroughCache
What does replication do in ECR?
Replication synchronises repositories in different accounts or regions.
What aspects of ECR repositories are not replicated?
Delete actions, repository policies, and lifecycle policies aren’t replicated.
How is tag immutability handled during replication in ECR?
Tag immutability is respected during synchronisation, which can lead to the images in the target repository being untagged.
What service-linked role is used for replication actions in ECR?
AWSServiceRoleForECRReplication
What are lifecycle policies used for in ECR?
Lifecycle policies automatically delete old images based on rules configured at the repository level.
At what level is image tag immutability configured in ECR?
Image tag immutability is configured at a repository level to prevent image tags from being overwritten.
At what level is image scanning configured in ECR?
Image scanning is configured at the registry level.
What metrics does ECR publish?
CallCount under the AWS/Usage namespace, and RepositoryPullCount under AWS/ECR.
For what events does ECR emit EventBridge events?
An image is pushed, an upstream request is made for pull through caching, an image scan completes, or an image is deleted.
What is the PROVISIONING state?
A task will be in the PROVISIONING state while ECS is performing additional steps.
What command should be run to allow the ec2-user to execute Docker commands without using sudo?
sudo usermod -a -G docker ec2-user
What option is required to delete an ECR repository that contains images?
--force
How long are ECR authorization tokens valid for?
12 hours
What permissions do ECR authorization tokens have?
Same permissions as the IAM principal which generated them with the GetAuthorizationToken API call
How can you re-tag an image in ECR without re-uploading the layers?
Use the put-image AWS CLI command with the --image-tag option
What two endpoints must exist to pull or push an image using PrivateLink?
com.amazonaws.<region>.ecr.dkr and com.amazonaws.<region>.ecr.api (where <region> is the region of the registry)
What S3 bucket are ECR image layers stored in?
prod-<region>-starport-layer-bucket (where <region> is the region of the registry)
What service logs all ECR API actions?
CloudTrail
What CloudTrail events are generated for image pushes?
InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload & PutImage
What CloudTrail events are generated for image pulls?
GetDownloadUrlForLayer & BatchGetImage
What is the CloudTrail event name for lifecycle policy actions?
PolicyExecutionEvent
How can you optimise the performance of ECR?
Place dependencies that change infrequently near the top of the Dockerfile and chain commands to avoid unnecessary file storage
What Linux parameters are supported?
None
What region is authentication for ECR Public performed in?
us-east-1
Where are CloudTrail events for ECR Public recorded?
us-east-1
What does the repository catalog contain?
Metadata about a repository, e.g. the public-facing description
When is a default alias assigned to your public registry?
When the first public repository is created
What do public repository policies control?
Permissions for mutating actions
Can public access to view or pull an ECR Public repository be restricted?
No