How many ECRs do you need?

An AWS diagram showing an ECR service in a separate account, consumed by other accounts.

Depending on the size and complexity of your application you may use different strategies for grouping and securing your resources and environments.

Using multiple AWS accounts is a best practice for organizing your environments and defining clear security and billing boundaries.

Each environment requires ECR access for deployments, so the question is: do we create an ECR for each account or do we use one centralized ECR for all environments?

Single ECR for multiple accounts

Customers are adopting multi-account deployments in AWS given the improved security and separation of duties it provides. Some AWS services, like Amazon Elastic Container Registry (ECR), support scalability when a single instance is shared between accounts to reduce management overhead and increase visibility.

Sharing Amazon ECR repositories with multiple accounts using AWS Organizations

The most straightforward approach is to add ECR to your “dev” account. We can also enable ECR access for other accounts using IAM later if needed:

An AWS diagram showing single ECR consumed by multiple environments (accounts).

However, the preferred approach is a custom account dedicated solely to ECR while other accounts get access to images through IAM:

Use a dedicated AWS account for Amazon ECR tasks, and use AWS Identity and Access Management (IAM) to control access to your container images.

Best practices for using Amazon ECR

This approach allows us to have absolutely identical environments, while our images are stored in a single ECR. This is the preferred approach according to Amazon ECR “best practices”:

An AWS diagram showing an ECR service in a separate account, consumed by other accounts.

An ECR per account

For large, distributed organizations with different teams focusing on a single aspect of the application lifecycle (e.g. development, security, platform, devops etc.), there is an option to use a separate ECR for each environment, which would “logically” look like this:

A diagram showing multiple ECR for each environment.

However, this approach is only viable for companies with dozens of dev teams and separate devops/platform teams. You can read more about this approach in the “Amazon ECR in Multi-Account and Multi-Region Architectures” article.

Summary

comments powered by Disqus