Can you configure Amazon ECR containers to be immutable?

Question

Is there a way to configure Amazon ECR containers so that they can't be changed once they're created? Here are our requirements:
* Containers can't be changed after their built.
* Containers can't receive updates.
* Changes in the containerized application must require the building and deployment of a new container image.
* Runtime data and configurations must be stored outside of the container environment.

Accepted Answer

Yes, you can configure Amazon ECR containers to be immutable. Amazon ECR uses resource-based permissions to control access to repositories. The resource-based permissions let you specify which IAM users or roles have access to a repository and what actions they can perform on it. By default, only the repository owner has access to a repository.

For more information, see Repository policies and Image tag mutability in the Amazon ECR user guide.

For more information, see [Repository policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html) and [Image tag mutability](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html) in the Amazon ECR user guide.

Can you configure Amazon ECR containers to be immutable?

関連するコンテンツ