AWS re:Invent 2025 - Enhancing container security with Amazon ECR (CNS208)

Enhancing Container Security with Amazon ECR

Overview

  • Presentation by Liz Duke, a Principal Specialist Solutions Architect (SA) for Containers at AWS
  • Discusses the security challenges of managing container workloads and how AWS services can address them

Container Security Challenges

  • Managing hundreds or thousands of container images, each requiring security checks throughout their lifecycle
  • Rapid pace of container image changes increases the risk of security mistakes
  • Container images are built from multiple layers, each of which needs to be checked for vulnerabilities

Building a Secure Container Supply Chain

  • Automating the container supply chain from code submission to deployment using AWS services:
    • AWS CodePipeline for orchestrating the supply chain
    • AWS CodeBuild for building container images
    • AWS Signer for signing container images
  • Using Amazon Elastic Container Registry (ECR) as the central hub for storing and securing container images

Amazon ECR Security Features

  • Fully managed Docker registry that stores and distributes container images securely
  • Encrypts container images at rest and in transit
  • Integrates with IAM to control access and permissions for pushing and pulling images
  • Provides basic vulnerability scanning using open-source tools
  • Offers enhanced vulnerability scanning through integration with Amazon Inspector
    • Scans for OS and application vulnerabilities
    • Prioritizes findings and sends them to AWS Security Hub
    • Provides continuous scanning to detect new vulnerabilities in running images
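The supply-chain automation above (CodePipeline orchestrating CodeBuild and AWS Signer) and the scanning features just listed meet in one place: a pipeline stage that refuses to promote an image whose scan is unfinished or carries findings above an agreed severity. The following is an added example, not code from the talk, from AWS, or from the session's Git repository. It assumes the caller has already retrieved the response of ECR's DescribeImageScanFindings API (for example with boto3's `ecr.describe_image_scan_findings`) and passes it in; the `GatePolicy` and `GateDecision` names, the `evaluate_scan` function and the sample response (including its CVE-EXAMPLE identifiers and digest) are constructed for illustration and describe no real image or vulnerability.

```python
"""Deployment gate over Amazon ECR image scan findings (added example).

Assumes the response shape of ECR's DescribeImageScanFindings API:
``imageScanStatus.status`` and ``imageScanFindings.findings`` (each with a
``name`` and ``severity``). Sample data below is constructed, not real.
"""
from dataclasses import dataclass, field

# Severities as reported by ECR basic scanning, lowest to highest.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass
class GatePolicy:
    # Block promotion if any finding is at or above this severity.
    block_at: str = "HIGH"
    # Finding names (e.g. CVE ids) that were reviewed and explicitly accepted.
    accepted: frozenset = frozenset()


@dataclass
class GateDecision:
    allowed: bool
    reason: str
    blocking: list = field(default_factory=list)


def _rank(severity):
    # Unknown or undefined severities rank above CRITICAL so they never pass.
    if severity in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(severity)
    return len(SEVERITY_ORDER)


def evaluate_scan(scan_response, policy=GatePolicy()):
    """Decide whether one image may be promoted, based on its scan results.

    Fails closed: anything other than a completed scan (IN_PROGRESS,
    FAILED, missing) blocks the deployment rather than letting it through.
    """
    status = scan_response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return GateDecision(False, f"scan status is {status!r}, not COMPLETE")

    findings = scan_response.get("imageScanFindings", {}).get("findings", [])
    threshold = _rank(policy.block_at)
    blocking = sorted(
        f["name"]
        for f in findings
        if _rank(f.get("severity", "UNKNOWN")) >= threshold
        and f["name"] not in policy.accepted
    )
    if blocking:
        return GateDecision(
            False, f"{len(blocking)} finding(s) at or above {policy.block_at}", blocking
        )
    return GateDecision(True, "no blocking findings")


# Constructed sample shaped like a DescribeImageScanFindings response.
SAMPLE_COMPLETE = {
    "imageId": {"imageDigest": "sha256:<placeholder>", "imageTag": "1.2.3"},
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 1},
        "findings": [
            {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL"},
            {"name": "CVE-EXAMPLE-0002", "severity": "HIGH"},
            {"name": "CVE-EXAMPLE-0003", "severity": "MEDIUM"},
        ],
    },
}
# Constructed sample of a scan that has not finished yet.
SAMPLE_IN_PROGRESS = {
    "imageScanStatus": {"status": "IN_PROGRESS"},
    "imageScanFindings": {"findings": []},
}

if __name__ == "__main__":
    for label, resp in [("complete", SAMPLE_COMPLETE), ("in-progress", SAMPLE_IN_PROGRESS)]:
        d = evaluate_scan(resp)
        print(f"{label}: allowed={d.allowed} ({d.reason}) blocking={d.blocking}")
```

Two design points matter more than the threshold itself: the gate fails closed on any non-COMPLETE status, so a scan that has not run yet cannot be mistaken for a clean one, and accepted findings are an explicit allow-list rather than a lowered threshold, which keeps the exceptions reviewable. With enhanced scanning through Amazon Inspector the finding records carry more detail, but the same decision logic applies.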

Container Image Signing

  • Amazon ECR now offers fully managed container image signing integration with AWS Signer
  • Allows verifying the integrity and origin of images before deployment
  • Signatures are stored alongside images in the registry
  • Can be used with Gatekeeper and Ratify, or with Kyverno, in Amazon EKS, or with lifecycle hooks in Amazon ECS, to detect and block unsigned or unauthorized images

Runtime Monitoring with Amazon GuardDuty

  • Provides runtime detection of unusual or suspicious container behavior, such as:
    • Attempts to connect to known command and control servers
    • Bitcoin mining
    • Data exfiltration

Key Takeaways

  • Amazon ECR provides a secure, centralized hub for storing and managing container images
  • Integrating security throughout the container supply chain, from build to deployment, is crucial
  • Vulnerability scanning, image signing, and runtime monitoring are essential for maintaining container security
  • AWS provides a comprehensive set of services to enhance container security and streamline the container supply chain

Additional Resources

  • AWS training programs for learning about Amazon ECS and Amazon EKS
  • Git repository with additional session resources and materials
