AWS ECR Security: Image Scanning and Access Control

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Elastic Container Registry is where your container images live before they hit ECS, EKS, or Fargate. If an attacker can push a malicious image or your pipeline pulls a vulnerable one, everything downstream is compromised. ECR has solid security features, but most teams only use half of them.

Image Scanning

ECR offers two scanning modes: basic scanning (powered by Clair) and enhanced scanning (powered by Inspector). Use enhanced scanning. It covers OS packages and application dependencies (Java, Python, Node.js, Go), and it continuously rescans images as new CVEs are published. Basic scanning only runs on push and only covers OS packages.

Configure scan-on-push for every repository. Then set up EventBridge rules to catch ECR Image Scan Finding events with CRITICAL or HIGH severity and route them to your security team. Do not let vulnerable images sit in your registry without anyone knowing.

In your CI/CD pipeline, add a gate that checks scan results before allowing deployment. If a CRITICAL vulnerability exists and a fix is available, block the deployment. Use the ecr:DescribeImageScanFindings API to automate this check.
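The gate described above, as an added example that is not part of the original article or of any HADESS tooling: a Python function that takes a DescribeImageScanFindings response (pages already merged) and returns the findings that should block the deployment, i.e. those at a blocking severity for which a fix version is known. The sample response, its CVE identifiers, package names and versions are constructed for this example; the "fail closed when the scan is not COMPLETE" and "treat basic-scan findings as blockers because Clair exposes no fix version" rules are design choices of this example, not ECR behaviour.

```python
import json
from typing import Any

# Severities that stop a deployment when a fix exists (example policy; widen to HIGH if you wish).
BLOCKING_SEVERITIES = frozenset({"CRITICAL"})


def scan_findings_to_blockers(
    response: dict[str, Any], block_on: frozenset = BLOCKING_SEVERITIES
) -> list[dict[str, str]]:
    """Return the findings that should block a deployment.

    `response` has the shape of ECR's DescribeImageScanFindings output. A finding blocks
    when its severity is in `block_on` AND a fixed version is known. If the scan has not
    finished, raise instead of guessing, so the pipeline gate fails closed.
    """
    status = response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise RuntimeError(f"image scan status is {status!r}, not COMPLETE; refusing to deploy")

    scan = response.get("imageScanFindings", {})
    blockers: list[dict[str, str]] = []

    # Enhanced scanning (Inspector) reports fix information per vulnerable package.
    for finding in scan.get("enhancedFindings", []):
        if finding.get("severity") not in block_on:
            continue
        details = finding.get("packageVulnerabilityDetails", {})
        for pkg in details.get("vulnerablePackages", []):
            fixed = pkg.get("fixedInVersion")
            # No fixedInVersion (or an explicit "not available") means no fix is known yet:
            # that finding is reported elsewhere but does not block, per the rule in the text.
            if fixed and fixed.lower() != "notavailable":
                blockers.append({
                    "id": details.get("vulnerabilityId", "unknown"),
                    "severity": finding["severity"],
                    "package": f"{pkg.get('name')}@{pkg.get('version')}",
                    "fixed_in": fixed,
                })

    # Basic scanning (Clair) exposes no fix version, so every blocking-severity finding
    # is treated as a blocker rather than silently waved through.
    for finding in scan.get("findings", []):
        if finding.get("severity") in block_on:
            blockers.append({
                "id": finding.get("name", "unknown"),
                "severity": finding["severity"],
                "package": "n/a",
                "fixed_in": "unknown (basic scan)",
            })
    return blockers


def deployment_allowed(response: dict[str, Any], block_on: frozenset = BLOCKING_SEVERITIES) -> bool:
    """True when no blocking finding is present."""
    return not scan_findings_to_blockers(response, block_on)


# Constructed sample in the DescribeImageScanFindings shape; ids, packages and versions are made up.
SAMPLE_RESPONSE: dict[str, Any] = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "enhancedFindings": [
            {"severity": "CRITICAL", "packageVulnerabilityDetails": {
                "vulnerabilityId": "CVE-0000-0001",
                "vulnerablePackages": [{"name": "libexample", "version": "1.0.0", "fixedInVersion": "1.0.1"}]}},
            {"severity": "CRITICAL", "packageVulnerabilityDetails": {   # critical, but no fix yet
                "vulnerabilityId": "CVE-0000-0002",
                "vulnerablePackages": [{"name": "libother", "version": "2.3.0"}]}},
            {"severity": "HIGH", "packageVulnerabilityDetails": {       # fix exists, but HIGH is not blocking
                "vulnerabilityId": "CVE-0000-0003",
                "vulnerablePackages": [{"name": "libthird", "version": "0.9", "fixedInVersion": "1.0"}]}},
        ],
    },
}

if __name__ == "__main__":
    # Against a live registry, merge the pages from
    # boto3.client("ecr").get_paginator("describe_image_scan_findings") into one dict first.
    for blocker in scan_findings_to_blockers(SAMPLE_RESPONSE):
        print(json.dumps(blocker))
    raise SystemExit(0 if deployment_allowed(SAMPLE_RESPONSE) else 1)
```

Run as a pipeline step, the non-zero exit code blocks the deploy; the HIGH finding is only reported, and the CRITICAL finding without a fix is a case for an exception process rather than an automatic block.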

Immutable Tags

Enable immutable tags on every repository. Without this, anyone with push access can overwrite the latest tag or even a specific version tag with a different image. Immutable tags mean that once v1.2.3 is pushed, it cannot be replaced. This prevents supply chain attacks through tag manipulation and ensures your deployment references are stable.

Lifecycle Policies

Lifecycle policies clean up old images automatically. Define rules to expire untagged images after a set number of days and to keep only the last N tagged images. This reduces your attack surface by removing old, unpatched images that someone might accidentally deploy.

A practical policy: keep the last 30 tagged images and expire untagged images after 7 days. Adjust based on your rollback requirements.
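The two rules above written out as an ECR lifecycle policy document, together with a local dry run over a constructed set of images, as an added example that is not from the original article. Note that ECR requires a tagPrefixList (or tagPatternList) on a tagStatus=tagged rule, so the example assumes release tags share a prefix such as "v". The preview function is this example's approximation of ECR's own lifecycle preview (rules evaluated in rulePriority order, an image claimed by the first rule whose tag criteria it matches); it is not the service's code, and it supports only countUnit=days.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Any


def build_lifecycle_policy(keep_tagged: int = 30, untagged_days: int = 7,
                           tag_prefixes: tuple[str, ...] = ("v",)) -> dict[str, Any]:
    """Lifecycle policy JSON for: expire untagged after N days, keep only the last M tagged."""
    return {
        "rules": [
            {
                "rulePriority": 1,
                "description": f"Expire untagged images after {untagged_days} days",
                "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                              "countUnit": "days", "countNumber": untagged_days},
                "action": {"type": "expire"},
            },
            {
                "rulePriority": 2,
                "description": f"Keep only the last {keep_tagged} tagged images",
                "selection": {"tagStatus": "tagged", "tagPrefixList": list(tag_prefixes),
                              "countType": "imageCountMoreThan", "countNumber": keep_tagged},
                "action": {"type": "expire"},
            },
        ]
    }


def preview_expirations(policy: dict[str, Any], images: list[dict[str, Any]],
                        now: datetime) -> set[str]:
    """Approximate dry run: returns the digests the policy would expire.
    `images` entries look like {"digest": str, "tags": [str], "pushed_at": datetime}."""
    expired: set[str] = set()
    claimed: set[str] = set()  # an image matched by a higher-priority rule is not re-evaluated
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        if sel["tagStatus"] == "untagged":
            candidates = [i for i in images if not i["tags"] and i["digest"] not in claimed]
        elif sel["tagStatus"] == "tagged":
            prefixes = tuple(sel.get("tagPrefixList", []))
            candidates = [i for i in images if i["digest"] not in claimed
                          and any(t.startswith(prefixes) for t in i["tags"])]
        else:  # tagStatus "any"
            candidates = [i for i in images if i["digest"] not in claimed]
        claimed.update(i["digest"] for i in candidates)

        if sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            hits = [i for i in candidates if i["pushed_at"] < cutoff]
        else:  # imageCountMoreThan: newest first, everything past the first N goes
            newest_first = sorted(candidates, key=lambda i: i["pushed_at"], reverse=True)
            hits = newest_first[sel["countNumber"]:]
        if rule["action"]["type"] == "expire":
            expired.update(i["digest"] for i in hits)
    return expired


# Constructed clock and repository contents for the dry run (digests are placeholders).
NOW = datetime(2026, 2, 28, tzinfo=timezone.utc)


def sample_images(now: datetime = NOW) -> list[dict[str, Any]]:
    """Five daily v-tagged releases (v1.0.5 newest) plus an old and a fresh untagged image."""
    imgs = [{"digest": f"sha256:v{i}", "tags": [f"v1.0.{i}"], "pushed_at": now - timedelta(days=5 - i)}
            for i in range(1, 6)]
    imgs.append({"digest": "sha256:untagged-old", "tags": [], "pushed_at": now - timedelta(days=10)})
    imgs.append({"digest": "sha256:untagged-new", "tags": [], "pushed_at": now - timedelta(days=2)})
    return imgs


if __name__ == "__main__":
    policy = build_lifecycle_policy(keep_tagged=3, untagged_days=7)
    print(json.dumps(policy, indent=2))          # this is what you pass to put-lifecycle-policy
    print("would expire:", sorted(preview_expirations(policy, sample_images(), NOW)))
```

Before applying the policy to a real repository, compare the dry run with ECR's own preview (start-lifecycle-policy-preview), and size keep_tagged to the number of releases you must be able to roll back to.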

Cross-Account Access

When multiple AWS accounts need to pull images from a central ECR registry, use repository policies with ecr:BatchGetImage and ecr:GetDownloadUrlForLayer permissions scoped to specific account IDs. Do not use wildcard principals.

For cross-account replication, use ECR replication configuration rather than building custom Lambda functions. It supports cross-region and cross-account replication with a few lines of configuration.

Repository Policies and IAM

Apply repository-level policies that restrict who can push images. Your CI/CD service role should have push access; developers generally should not push directly. Use IAM conditions like aws:PrincipalOrgID to ensure only accounts within your organization can interact with your repositories.
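The cross-account pull policy from the Cross-Account Access section and the push restriction with aws:PrincipalOrgID from this section, combined into one repository policy, plus two lint checks you can run over existing repository policies (wildcard principals, statements missing the organisation condition). This is an added example, not code from the article or from HADESS. Account IDs, the role ARN and the organisation ID are placeholders; pulling accounts still need ecr:GetAuthorizationToken in their own IAM policies, because that permission is registry-level and cannot be granted by a repository policy.

```python
import json
from typing import Any, Iterable

PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
PUSH_ACTIONS = PULL_ACTIONS + ["ecr:PutImage", "ecr:InitiateLayerUpload",
                               "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]


def repository_policy(pull_accounts: Iterable[str], push_role_arn: str, org_id: str) -> dict[str, Any]:
    """Listed accounts may pull, a single CI/CD role may push, and both statements are
    pinned to the organisation with aws:PrincipalOrgID. No wildcard principals."""
    org_condition = {"StringEquals": {"aws:PrincipalOrgID": org_id}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CrossAccountPull",
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{acct}:root" for acct in pull_accounts]},
                "Action": PULL_ACTIONS,
                "Condition": org_condition,
            },
            {
                "Sid": "PipelinePush",
                "Effect": "Allow",
                "Principal": {"AWS": push_role_arn},
                "Action": PUSH_ACTIONS,
                "Condition": org_condition,
            },
        ],
    }


def _statements(policy: dict[str, Any]) -> list[dict[str, Any]]:
    """IAM allows Statement to be a single object or a list; normalise to a list."""
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def _principals(statement: dict[str, Any]) -> list[str]:
    """Flatten the Principal element ("*", {"AWS": "arn"}, {"AWS": [arns]}, ...) to strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    out: list[str] = []
    for value in principal.values():
        out.extend([value] if isinstance(value, str) else value)
    return out


def _sid(statement: dict[str, Any], index: int) -> str:
    return statement.get("Sid", f"statement[{index}]")


def wildcard_principal_statements(policy: dict[str, Any]) -> list[str]:
    """Sids of Allow statements granted to a wildcard principal."""
    return [_sid(st, i) for i, st in enumerate(_statements(policy))
            if st.get("Effect") == "Allow" and any("*" in p for p in _principals(st))]


def missing_org_condition(policy: dict[str, Any]) -> list[str]:
    """Sids of Allow statements with no aws:PrincipalOrgID condition."""
    flagged = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        equals = st.get("Condition", {}).get("StringEquals", {})
        if "aws:PrincipalOrgID" not in equals:
            flagged.append(_sid(st, i))
    return flagged


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own accounts, pipeline role and organisation id.
    policy = repository_policy(["111111111111", "222222222222"],
                               "arn:aws:iam::333333333333:role/ci-push", "o-exampleorg")
    print(json.dumps(policy, indent=2))   # feed this to set-repository-policy --policy-text
    print("wildcards:", wildcard_principal_statements(policy))
    print("missing org condition:", missing_org_condition(policy))
```

The lint functions are the useful part for an existing estate: run them over the output of get-repository-policy for every repository and treat any non-empty result as a finding.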

Enable AWS PrivateLink for ECR so image pulls never traverse the public internet. This is especially important for production workloads running in private subnets.

Next Steps

  • Review container security topics in the skills library
  • Take a skills assessment to gauge your container security knowledge
  • Use the coaching tool to build a learning path covering ECR, ECS, EKS, and Fargate security together

Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
