Central ECR for ECS in multiple accounts

1

A customer would like to have a central ECR. Is there a reference architecture, best practice to share?

AWS
MODERATOR
asked 4 years ago2375 views
2 Answers
0
Accepted Answer

Below are a couple articles you can reference.

https://aws.amazon.com/blogs/devops/how-to-use-cross-account-ecr-images-in-aws-codebuild-for-your-build-environment/

https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/

For your information, ECR now supports cross account image replication.

https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html

If the customer would like to distribute container images to the individual AWS account instead of using central ECR repository, this feature would be helpful for them.

answered 4 years ago
AWS
EXPERT
reviewed 2 years ago
0

Another alternative -- especially helpful if the ECR Policy get too big -- is to use the AWS:PrincipalOrgID condition to allow every account in the Organization to access the ECR Repository: check out this blog post showing how.

Beware: this allows all accounts in an Organization to access the ECR repository! Double check with your security team if this is allowed!

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions