[09] ECR Flashcards

1
Q

What type of artifacts can be held in ECR repositories?

A

Docker images, OCI images, and OCI compatible artifacts e.g. Helm charts

2
Q

What is used for multi-architecture images in ECR?

A

Manifest lists

3
Q

What does ECR integrate with to sign container images?

A

AWS Signer

4
Q

Where is the image signature stored when signing with AWS Signer?

A

In ECR along with the layers

5
Q

What may ECR do when pulling an image?

Hint: this relates to ensuring the client receives the correct format.

A

Translate the image manifest to ensure it is a version supported by the client

6
Q

When does translation not occur during image pulls?

A

If the pulled image is referenced by its digest

7
Q

What do Windows images in ECR include that is restricted by license?

A

Artifacts which are restricted by license from being distributed

8
Q

What happens by default with the restricted Windows artifacts?

A

They are not pushed to ECR

9
Q

How are the restricted Windows artifacts pulled?

A

From Azure over the internet

10
Q

How can you store the restricted Windows artifacts in ECR?

A

Use the ‘--allow-nondistributable-artifacts’ flag with the Docker CLI

11
Q

What state will a task be in while ECS is performing additional steps?

A

PROVISIONING

12
Q

What are the applicable actions for registry policies in ECR?

A

ecr:ReplicateImage, ecr:BatchImportUpstreamImage, ecr:CreateRepository

13
Q

What are repository policies used for in ECR?

A

Repository policies control access to repositories.

14
Q

What conditions determine if an IAM identity can perform an action in ECR?

A

Allowed by either a repository policy or IAM policy, and neither the repository policy nor IAM policy has an explicit deny.

15
Q

What are repository policies required for in ECR?

A

Repository policies are required to enable cross-account access.

16
Q

What is ECR pricing based on?

A

The amount of data stored and data transfer from image pushes and pulls.

17
Q

How are repositories encrypted in ECR?

A

KMS encryption ensures the repository contents are encrypted at rest.

18
Q

How are namespaces achieved in ECR repository names?

A

By convention, namespaces are achieved by adding ‘/’ in repository names to form a hierarchical key.

19
Q

Why might the size of an image reported by ECR be smaller than the output of ‘docker images’?

A

Docker images are compressed before being pushed, so the size as reported by ECR may be smaller than the output of ‘docker images’.

20
Q

What does pull through cache in ECR do?

A

Pull through cache syncs the contents of an upstream registry to an ECR private registry.

21
Q

What upstreams are supported for pull through cache in ECR?

A

Docker Hub, Azure Container Registry, Google Artifact Registry, GitHub Container Registry, ECR Public, Kubernetes container image registry, and Quay.

22
Q

What is the behavior of pull through cache in ECR?

A

On the first pull, ECR creates a repository and caches that image in your private registry. On subsequent pulls, ECR checks the upstream registry to see if there is a later version of the image. If not, it is pulled from the private registry. If ECR can’t update the image from the upstream, then the latest cached image is pulled. ECR attempts to update the image in the private registry at least every 24 hours.

23
Q

How are multi-architecture images handled with pull through cache in ECR?

A

When multi-architecture images are pulled, all images referenced in the manifest list are cached. To only pull a specific architecture, reference a specific image digest.

24
Q

What are repository creation templates used for with pull through cache in ECR?

A

Repository creation templates define the settings applied to repositories created during cached pulls.

25
Q

What service-linked role is used for pull through cache actions in ECR?

A

AWSServiceRoleForECRPullThroughCache

26
Q

What does replication do in ECR?

A

Replication synchronises repositories in different accounts or regions.

27
Q

What aspects of ECR repositories are not replicated?

A

Delete actions, repository policies, and lifecycle policies aren’t replicated.

28
Q

How is tag immutability handled during replication in ECR?

A

Tag immutability is respected during synchronisation, which can lead to the images in the target repository being untagged.

29
Q

What service-linked role is used for replication actions in ECR?

A

AWSServiceRoleForECRReplication

30
Q

What are lifecycle policies used for in ECR?

A

Lifecycle policies automatically delete old images based on rules configured at the repository level.

31
Q

At what level is image tag immutability configured in ECR?

A

Image tag immutability is configured at a repository level to prevent image tags from being overwritten.

32
Q

At what level is image scanning configured in ECR?

A

Image scanning is configured at the registry level.

33
Q

What metrics does ECR publish?

A

CallCount under the AWS/Usage namespace, and RepositoryPullCount under AWS/ECR.

34
Q

For what events does ECR emit EventBridge events?

A

Image push, upstream request is made for pull through caching, image scanning completes, an image is deleted.

35
Q

What is the PROVISIONING state?

A

A task will be in the PROVISIONING state while ECS is performing additional steps.

36
Q

What command should be run to allow the ec2-user to execute Docker commands without using sudo?

A

sudo usermod -a -G docker ec2-user

37
Q

What option is required to delete an ECR repository that contains images?

A

--force

38
Q

How long are ECR authorization tokens valid for?

A

12 hours

39
Q

What permissions do ECR authorization tokens have?

A

Same permissions as the IAM principal which generated them with the GetAuthorizationToken API call

40
Q

How can you re-tag an image in ECR without re-uploading the layers?

A

Use the put-image AWS CLI command with the --image-tag option

41
Q

What two endpoints must exist to pull or push an image using PrivateLink?

A

com.amazonaws.com..ecr.dkr and com.amazonaws.com..ecr.api

42
Q

What S3 bucket are ECR image layers stored in?

A

prod–starport-layer-bucket

43
Q

What service logs all ECR API actions?

A

CloudTrail

44
Q

What CloudTrail events are generated for image pushes?

A

InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload & PutImage

45
Q

What CloudTrail events are generated for image pulls?

A

GetDownloadUrlForLayer & BatchGetImage

46
Q

What is the CloudTrail event name for lifecycle policy actions?

A

PolicyExecutionEvent

47
Q

How can you optimise the performance of ECR?

A

Place dependencies that change infrequently near the top of the Dockerfile and chain commands to avoid necessary file storage

48
Q

What state will a task be in while ECS is performing additional steps?

A

PROVISIONING

49
Q

What is the PROVISIONING state?

A

The state a task will be in while ECS is performing additional steps

50
Q

What Linux parameters are supported?

A

None

51
Q

What region is authentication for ECR Public performed in?

A

us-east-1

52
Q

Where are CloudTrail events for ECR Public recorded?

A

us-east-1

53
Q

What does the repository catalog contain?

A

Metadata about a repository e.g. the public-facing description

54
Q

When is a default alias assigned to your public registry?

A

When the first public repository is created

55
Q

What do public repository policies control?

A

Permissions for mutating actions

56
Q

Can public access to view or pull an ECR Public repository be restricted?

A

No

57
Q

In what state will a task be while ECS is performing additional steps?

A

PROVISIONING

58
Q

What is the PROVISIONING state?

A

A state that a task will be in while ECS is performing additional steps