AWS managed policies for Amazon Elastic Container Registry - Amazon ECR

AWS managed policies for Amazon Elastic Container Registry

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

Amazon ECR provides several managed policies that you can attach to IAM identities or to Amazon EC2 instances. These managed policies allow differing levels of control over access to Amazon ECR resources and API operations. For more information about each API operation mentioned in these policies, see Actions in the Amazon Elastic Container Registry API Reference.

AmazonEC2ContainerRegistryFullAccess

You can attach the AmazonEC2ContainerRegistryFullAccess policy to your IAM identities.

You can use this managed policy as a starting point to create your own IAM policy based on your specific requirements. For example, you can create a policy specifically for providing a user or role with full administrator access to manage the use of Amazon ECR. With the Amazon ECR Lifecycle Policies feature, you can specify the lifecycle management of images in a repository. Lifecycle policy events are reported as CloudTrail events. Amazon ECR is integrated with AWS CloudTrail so it can display your lifecycle policy events directly in the Amazon ECR console. The AmazonEC2ContainerRegistryFullAccess managed IAM policy includes the cloudtrail:LookupEvents permission to facilitate this behavior.

Permissions details

This policy includes the following permissions:

  • ecr – Allows principals full access to all Amazon ECR APIs.

  • cloudtrail – Allows principals to looks up management events or AWS CloudTrail Insights events that are captured by CloudTrail.

The AmazonEC2ContainerRegistryFullAccess policy is as follows.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:*", "cloudtrail:LookupEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "replication.ecr.amazonaws.com" ] } } } ] }

AmazonEC2ContainerRegistryPowerUser

You can attach the AmazonEC2ContainerRegistryPowerUser policy to your IAM identities.

This policy grants administrative permissions that allow IAM users to read and write to repositories, but doesn't allow them to delete repositories or change the policy documents that are applied to them.

Permissions details

This policy includes the following permissions:

  • ecr – Allows principals to read and write to repositories, as well as read lifecycle policies. Principals aren't granted permission to delete repositories or change the lifecycle policies that are applied to them.

The AmazonEC2ContainerRegistryPowerUser policy is as follows.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage", "ecr:GetLifecyclePolicy", "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource", "ecr:DescribeImageScanFindings", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage" ], "Resource": "*" } ] }

AmazonEC2ContainerRegistryPullOnly

You can attach the AmazonEC2ContainerRegistryPullOnly policy to your IAM identities.

This policy grants permission to pull container images from Amazon ECR. If the registry is enabled for pull-through cache, it will also allow pulls to import an image from an upstream registry.

Permissions details

This policy includes the following permissions:

  • ecr – Allows principals to read repositories and their respective lifecycle policies.

The AmazonEC2ContainerRegistryPullOnly policy is as follows.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchImportUpstreamImage" ], "Resource": "*" } ] }

AmazonEC2ContainerRegistryReadOnly

You can attach the AmazonEC2ContainerRegistryReadOnly policy to your IAM identities.

This policy grants read-only permissions to Amazon ECR. This includes the ability to list repositories and images within the repositories. It also includes the ability to pull images from Amazon ECR with the Docker CLI.

Permissions details

This policy includes the following permissions:

  • ecr – Allows principals to read repositories and their respective lifecycle policies.

The AmazonEC2ContainerRegistryReadOnly policy is as follows.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage", "ecr:GetLifecyclePolicy", "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource", "ecr:DescribeImageScanFindings" ], "Resource": "*" } ] }

AWSECRPullThroughCache_ServiceRolePolicy

You can't attach the AWSECRPullThroughCache_ServiceRolePolicy managed IAM policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon ECR to push images to your repositories through the pull through cache workflow. For more information, see Amazon ECR service-linked role for pull through cache.

ECRReplicationServiceRolePolicy

You can't attach the ECRReplicationServiceRolePolicy managed IAM policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon ECR to perform actions on your behalf. For more information, see Using service-linked roles for Amazon ECR.

ECRTemplateServiceRolePolicy

You can't attach the ECRTemplateServiceRolePolicy managed IAM policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon ECR to perform actions on your behalf. For more information, see Using service-linked roles for Amazon ECR.

Amazon ECR updates to AWS managed policies

View details about updates to AWS managed policies for Amazon ECR since the time that this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon ECR Document history page.

Change Description Date

AmazonEC2ContainerRegistryPullOnly – New policy

Amazon ECR added a new policy which grants grants pull-only permissions to Amazon ECR.

October 10, 2024

ECRTemplateServiceRolePolicy – New policy

Amazon ECR added a new policy. This policy is associated with the ECRTemplateServiceRolePolicy service-linked role for the repository creation template feature.

June 20, 2024

AWSECRPullThroughCache_ServiceRolePolicy – Update to an existing policy

Amazon ECR added new permissions to the AWSECRPullThroughCache_ServiceRolePolicy policy. These permissions allow Amazon ECR to retrieve the encrypted contents of a Secrets Manager secret. This is required when using a pull through cache rule to cache images from an upstream registry that requires authentication.

November 15, 2023

AWSECRPullThroughCache_ServiceRolePolicy – New policy

Amazon ECR added a new policy. This policy is associated with the AWSServiceRoleForECRPullThroughCache service-linked role for the pull through cache feature.

November 29, 2021

ECRReplicationServiceRolePolicy – New policy

Amazon ECR added a new policy. This policy is associated with the AWSServiceRoleForECRReplication service-linked role for the replication feature.

December 4, 2020

AmazonEC2ContainerRegistryFullAccess – Update to an existing policy

Amazon ECR added new permissions to the AmazonEC2ContainerRegistryFullAccess policy. These permissions allow principals to create the Amazon ECR service-linked role.

December 4, 2020

AmazonEC2ContainerRegistryReadOnly – Update to an existing policy

Amazon ECR added new permissions to the AmazonEC2ContainerRegistryReadOnly policy which allow principals to read lifecycle policies, list tags, and describe the scan findings for images.

December 10, 2019

AmazonEC2ContainerRegistryPowerUser – Update to an existing policy

Amazon ECR added new permissions to the AmazonEC2ContainerRegistryPowerUser policy. They allow principals to read lifecycle policies, list tags, and describe the scan findings for images.

December 10, 2019

AmazonEC2ContainerRegistryFullAccess – Update to an existing policy

Amazon ECR added new permissions to the AmazonEC2ContainerRegistryFullAccess policy. They allow principals to look up management events or AWS CloudTrail Insights events that are captured by CloudTrail.

November 10, 2017

AmazonEC2ContainerRegistryReadOnly – Update to an existing policy

Amazon ECR added new permissions to the AmazonEC2ContainerRegistryReadOnly policy. They allow principals to describe Amazon ECR images.

October 11, 2016

AmazonEC2ContainerRegistryPowerUser – Update to an existing policy

Amazon ECR added new permissions to the AmazonEC2ContainerRegistryPowerUser policy. They allow principals to describe Amazon ECR images.

October 11, 2016

AmazonEC2ContainerRegistryReadOnly – New policy

Amazon ECR added a new policy which grants grants read-only permissions to Amazon ECR. These permissions include the ability to list repositories and images within the repositories. They also include the ability to pull images from Amazon ECR with the Docker CLI.

December 21, 2015

AmazonEC2ContainerRegistryPowerUser – New policy

Amazon ECR added a new policy which grants administrative permissions that allow usrs to read and write to repositories but doesn't allow them to delete repositories or change the policy documents that are applied to them.

December 21, 2015

AmazonEC2ContainerRegistryFullAccess – New policy

Amazon ECR added a new policy. This policy grants full access to Amazon ECR.

December 21, 2015

Amazon ECR started tracking changes

Amazon ECR started tracking changes for AWS managed policies.

June 24, 2021