AWS Key management service (AWS KMS) is a service offering from AWS to host and manage master keys, which are used to encrypt your data stored in other AWS services. AWS Elastic Container Registry (AWS ECR), by default, store images in the AWS S3, which uses AES-256 as server side encryption to protect the data stored at rest. However, some compliances such as HIPAA may warrant you to not only encrypt the data at rest, but also using specific encryption protocols. Using AWS KMS in either AWS managed or Customer Managed Keys (CMKs), allow one to be compliant with such regulations. In this blog post, we’ll discuss how we can enable the same for ECR images.

Create ECR with AES-256 Encryption

AWS ECR uses AWS S3 services to store the container image layers. By default, S3 uses ASE-256 as encryption standard to encrypt and store data at rest. So no option needs to be specified to use this feature and it is turned on by default.

To create AWS ECR with AES-256 encryption, we can use AWS CLI:

aws ecr create-repository --repository-name demo-dev --region ap-south-1

or from AWS Portal as below:

Create ECR with AWS Managed CMK

If you create your Amazon ECR repository with KMS encryption and you do not specify a CMK, Amazon ECR uses an AWS-managed CMK with the alias aws/ecr by default. This CMK is created in your account the first time that you create a repository with KMS encryption enabled.

From AWS CLI:

aws ecr create-repository --repository-name demo-dev --region ap-south-1 --encryption-configuration '{"encryptionType":"KMS"}'

From AWS Portal:

Create ECR with Customer Managed CMK

As the name indicates, customer managed CMK has encryption keys, which are managed by the customer itself.

From AWS CLI:

aws ecr create-repository --repository-name demo-dev --region ap-south-1 --encryption-configuration '{"encryptionType":"KMS","kmsKey":"arn:aws:kms:ap-south-1:key/19b4a2d3-0319-4afa-8sd9-f398d9saaas0"}}'

From AWS Portal:

Note that the key should be stored in the same region as the ECR, for this to work properly. AWS KMS enforces a limit of 500 grants per CMK. As a result, there is a limit of 500 Amazon ECR repositories that can be encrypted per CMK.