Creating an Amazon ECR private repository to store images
Important
Dual-layer server-side encryption with Amazon KMS (DSSE-KMS) is only available in the Amazon GovCloud (US) Regions.
Create an Amazon ECR private repository, and then use the repository to store your container images. Use the following steps to create a private repository using the Amazon Web Services Management Console. For steps to create a repository using the Amazon CLI, see Step 2: Create a repository.
To create a repository (Amazon Web Services Management Console)
1. Open the Amazon ECR console at https://console.amazonaws.cn/ecr/repositories.
2. From the navigation bar, choose the Region to create your repository in.
3. On the Repositories page, choose Private repositories, and then choose Create repository.
4. For Repository name, enter a unique name for your repository. The repository name can be specified on its own (for example, nginx-web-app). Alternatively, it can be prepended with a namespace to group the repository into a category (for example, project-a/nginx-web-app).
   Note
   The repository name may contain a maximum of 256 characters. The name must start with a letter and can only contain lowercase letters, numbers, hyphens, underscores, periods and forward slashes. Using a double hyphen, double underscore, or double forward slash isn't supported.
5. For Tag immutability, choose the tag mutability setting for the repository. Repositories configured with immutable tags prevent image tags from being overwritten. For more information, see Preventing image tags from being overwritten in Amazon ECR.
6. For Encryption configuration, choose between AES-256 or Amazon KMS. For more information, see Encryption at rest.
   a. If Amazon KMS is chosen, choose between Single-layer encryption and Dual-layer encryption. There are additional charges for using Amazon KMS or Dual-layer encryption. For more information, see Amazon ECR Service Pricing.
   b. By default, the Amazon managed key with the alias aws/ecr is chosen. This key is created in your account the first time that you create a repository with Amazon KMS encryption enabled. Select Customer managed key (advanced) to choose your own Amazon KMS key. The Amazon KMS key must be in the same Region as the cluster. Select Create an Amazon KMS key to navigate to the Amazon KMS console to create your own key.
7. For Image scanning settings, you can specify the scan settings at the repository level for basic scanning, but it is a best practice to specify the scan configuration at the private registry level. Configuring the scanning settings at the private registry level enables you to choose between enhanced scanning or basic scanning, and also allows you to define filters to specify which repositories should be scanned.
8. Choose Create.
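The naming rules in the note and the tag immutability and encryption choices above can be checked before a repository is created, for example in a provisioning pipeline. The following is an added example, not part of the original documentation: it implements only the rules stated in the note (the service may enforce more) and returns arguments in the shape of the ECR CreateRepository API without calling AWS. The function names and sample repository names are constructed for illustration.

```python
import re

MAX_NAME_LEN = 256                      # limit stated in the note
FORBIDDEN_PAIRS = ("--", "__", "//")    # doubled separators are unsupported


def name_problems(name):
    """Return the naming rules a repository name breaks ([] if none)."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append("longer than 256 characters")
    if not re.match(r"[a-z]", name):
        problems.append("must start with a lowercase letter")
    bad = sorted(set(re.findall(r"[^a-z0-9\-_./]", name)))
    if bad:
        problems.append("invalid characters: " + "".join(bad))
    for pair in FORBIDDEN_PAIRS:
        if pair in name:
            problems.append("contains " + pair)
    return problems


def build_create_request(name, encryption="AES256", kms_key=None, immutable=True):
    """Build CreateRepository arguments; hypothetical helper, makes no AWS call."""
    problems = name_problems(name)
    if problems:
        raise ValueError(name + ": " + "; ".join(problems))
    if encryption not in ("AES256", "KMS", "KMS_DSSE"):
        raise ValueError("unknown encryption type: " + encryption)
    if kms_key and encryption == "AES256":
        raise ValueError("a KMS key requires KMS encryption")
    enc = {"encryptionType": encryption}
    if kms_key:  # when omitted with KMS, the aws/ecr managed key is used
        enc["kmsKey"] = kms_key
    return {
        "repositoryName": name,
        "imageTagMutability": "IMMUTABLE" if immutable else "MUTABLE",
        "encryptionConfiguration": enc,
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from a real registry.
    for candidate in ("project-a/nginx-web-app", "Nginx", "team//app", "9lives"):
        print(candidate, "->", name_problems(candidate) or "ok")
    print(build_create_request("project-a/nginx-web-app", encryption="KMS"))
```

The returned dictionary can be passed as keyword arguments to an ECR client's create-repository call; the helper defaults to immutable tags so that a pushed tag cannot later be overwritten.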
Next steps
To view the steps to push an image to your repository, select the repository and choose View push commands. For more information about pushing an image to your repository, see Pushing an image to an Amazon ECR private repository.