How do we know what ECR images are being used and which are not


Hi, I would like to find a way of knowing which images are being used by my ECS clusters and which are not, as I have so many clusters, so that I can remove the unused images.

Many thanks in advance

asked 2 years ago, 2516 views
3 Answers

You could write a Lambda function to validate which images are currently deployed using the ECS API. However, I recommend shifting left and either 1/ use an environment tagging strategy (prod/staging/dev etc.) via image tags or a naming convention, or 2/ have per-environment ECR repos and push to the production one during a main branch deployment (or whatever your CI/CD deployment mechanism is). There are trade-offs regarding cost and complexity with either option.

answered 2 years ago

I think image tags per environment are horrible unless you maintain the SHA of the image and simply replace the tag value. Otherwise that means you are using different images in dev/stg/prod, and the whole point of docker images is to be immutable and have dynamic configuration. But that's my personal opinion.

Before the ECR Scan Enhanced came in we had this exact challenge of scanning images continuously, which ECR "Basic" scan does not do.

So I came up with a project, smartly called ECR Scan Reporter, which you can deploy in your own account using AWS SAR. Originally, it would scan all images, regardless of whether they are used or not.

To make it smarter, there is an option to allow scanning task definitions, get the image for each container in the definition, and based on how long ago you last scanned, scan the image again, and report.

If that's more than you needed (i.e. you do not need the scanning), you can feel free to re-use the logic from the source code. Which makes me realize, a little update would do it some good.

Hope this helps,

answered 2 years ago


UPDATE on Jan 15th: There is a new flag called lastRecordedPullDate that was released around Dec 2022 which can help in this regard.

As @tim mentioned, you'll need to create an AWS Lambda function to get that information.

Going further on this option, you can use DescribeServices API call to get the services from the cluster (you might need DescribeClusters as well).

With the output of DescribeServices, you'll have two important pieces of information: desiredCount and taskDefinition.

From it, you can make sure the service is active (desiredCount > 0) and you can call DescribeTaskDefinition to check the current image used. Now you'll have the list of all images being used by your ECS clusters. If you have standalone tasks, you'll need a different workflow for them, such as checking who is calling the RunTask API and seeing which task definition is being used for it.

You'll be able to list all the tags and check which ones are being used and which are not, using ListImages with the repository information from the image URI.

Use the description above as pseudocode and as a starting point. I always recommend testing before implementing such a solution in a production environment.

I really hope this helps you on your task.

AWS
answered 2 years ago
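The workflow in this answer (DescribeServices, then desiredCount and taskDefinition, then DescribeTaskDefinition, then ListImages per repository) as an added example; it is not code from the answer or from AWS. The pure functions run offline on constructed sample data in the shapes those three calls return, and `unused_tags_for_cluster` is the live glue, which assumes boto3 is installed and AWS credentials are configured; it goes one step beyond the text by treating a digest-pinned container image as keeping the tag with that digest in use.

```python
import re

# <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:<tag>][@sha256:<digest>]
ECR_URI = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/(?P<repo>[^:@]+)"
                     r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def parse_ecr_uri(uri):
    """Return (repo, tag, digest) for a private ECR image URI, or None for non-ECR images."""
    return (m["repo"], m["tag"], m["digest"]) if (m := ECR_URI.match(uri)) else None

def images_in_use(services, task_definitions):
    """services: DescribeServices 'services' list; task_definitions: {arn: DescribeTaskDefinition body}.
    Only services with desiredCount > 0 are active; the images of their containers are 'in use'."""
    active = [s for s in services if s.get("desiredCount", 0) > 0]
    return {c["image"] for s in active for c in task_definitions[s["taskDefinition"]]["containerDefinitions"]}

def unused_tags(used_images, repo_images):
    """repo_images: {repo: ListImages 'imageIds' list}. A tag is unused when neither the tag nor its
    digest is referenced, so a digest-pinned task definition still keeps the matching tag alive."""
    used = {}
    for uri in used_images:
        parsed = parse_ecr_uri(uri)
        if parsed:  # skip Docker Hub / public images: not ours to prune
            used.setdefault(parsed[0], set()).update(p for p in parsed[1:] if p)
    return {repo: sorted(i["imageTag"] for i in ids if "imageTag" in i
                         and not {i["imageTag"], i.get("imageDigest")} & used.get(repo, set()))
            for repo, ids in repo_images.items()}

def unused_tags_for_cluster(cluster, region):
    """Live glue: needs boto3 and credentials, so boto3 is imported lazily and nothing above depends on it."""
    import boto3
    ecs, ecr = boto3.client("ecs", region_name=region), boto3.client("ecr", region_name=region)
    arns = [a for p in ecs.get_paginator("list_services").paginate(cluster=cluster) for a in p["serviceArns"]]
    services = [s for i in range(0, len(arns), 10)  # DescribeServices accepts at most 10 ARNs per call
                for s in ecs.describe_services(cluster=cluster, services=arns[i:i + 10])["services"]]
    tds = {s["taskDefinition"]: ecs.describe_task_definition(taskDefinition=s["taskDefinition"])["taskDefinition"]
           for s in services if s.get("desiredCount", 0) > 0}
    used = images_in_use(services, tds)
    repos = {parse_ecr_uri(u)[0] for u in used if parse_ecr_uri(u)}  # only repos this cluster references
    repo_images = {r: [i for p in ecr.get_paginator("list_images").paginate(repositoryName=r) for i in p["imageIds"]]
                   for r in repos}
    return unused_tags(used, repo_images)

# Constructed sample data in the shapes DescribeServices / DescribeTaskDefinition / ListImages return
ECR = "123456789012.dkr.ecr.us-east-1.amazonaws.com/"
SAMPLE_SERVICES = [{"desiredCount": 2, "taskDefinition": "arn:td/api:7"},
                   {"desiredCount": 0, "taskDefinition": "arn:td/api:3"}]  # scaled to zero: not in use
SAMPLE_TASK_DEFS = {"arn:td/api:7": {"containerDefinitions": [
    {"image": ECR + "api:v7"}, {"image": ECR + "sidecar@sha256:" + "a" * 64}, {"image": "public.ecr.aws/docker/library/redis:7"}]}}
SAMPLE_REPO_IMAGES = {
    "api": [{"imageTag": "v7", "imageDigest": "sha256:" + "b" * 64}, {"imageTag": "v3", "imageDigest": "sha256:" + "c" * 64}],
    "sidecar": [{"imageTag": "latest", "imageDigest": "sha256:" + "a" * 64}, {"imageTag": "old", "imageDigest": "sha256:" + "d" * 64}]}
```

Repositories that no service in the cluster references never appear in the result, so run it across every cluster (and cover standalone RunTask tasks separately, as the answer notes) before deleting anything.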
