AWS managed policies for Amazon Elastic Container Registry
Amazon ECR provides several managed policies that you can attach to IAM users or Amazon EC2 instances. These policies allow differing levels of control over access to Amazon ECR resources and API operations. You can apply these policies directly or use them as starting points for creating your own policies. For more information about each API operation mentioned in these policies, see Actions in the Amazon Elastic Container Registry API Reference.
AmazonEC2ContainerRegistryFullAccess
You can attach the AmazonEC2ContainerRegistryFullAccess policy to your IAM identities.
You can use this managed policy as a starting point to create your own IAM policy based on your specific requirements. For example, you can create a policy specifically for providing a user or role with full administrator access to manage the use of Amazon ECR. With the Amazon ECR Lifecycle Policies feature, you can specify the lifecycle management of images in a repository. Lifecycle policy events are reported as CloudTrail events. Amazon ECR is integrated with AWS CloudTrail so it can display your lifecycle policy events directly in the Amazon ECR console. The AmazonEC2ContainerRegistryFullAccess managed IAM policy includes the cloudtrail:LookupEvents permission to facilitate this behavior.
Permissions details
This policy includes the following permissions:
- ecr – Allows principals full access to all Amazon ECR APIs.
- cloudtrail – Allows principals to look up management events or AWS CloudTrail Insights events that are captured by CloudTrail.
The AmazonEC2ContainerRegistryFullAccess policy is as follows.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "replication.ecr.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
AmazonEC2ContainerRegistryPowerUser
You can attach the AmazonEC2ContainerRegistryPowerUser policy to your IAM identities.
This policy grants administrative permissions that allow IAM users to read and write to repositories, but doesn't allow them to delete repositories or change the policy documents that are applied to them.
Permissions details
This policy includes the following permissions:
- ecr – Allows principals to read and write to repositories, as well as read lifecycle policies. Principals aren't granted permission to delete repositories or change the lifecycle policies that are applied to them.
The AmazonEC2ContainerRegistryPowerUser policy is as follows.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "*"
        }
    ]
}
AmazonEC2ContainerRegistryReadOnly
You can attach the AmazonEC2ContainerRegistryReadOnly policy to your IAM identities.
This policy grants read-only permissions to Amazon ECR. This includes the ability to list repositories and images within the repositories. It also includes the ability to pull images from Amazon ECR with the Docker CLI.
Permissions details
This policy includes the following permissions:
- ecr – Allows principals to read repositories and their respective lifecycle policies.
The AmazonEC2ContainerRegistryReadOnly policy is as follows.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}
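The three managed policies above differ only in the list of ecr actions they grant and, for FullAccess, in the conditional iam:CreateServiceLinkedRole statement; all three use Resource "*". The following Python is an added example, not AWS code and not part of this documentation. It transcribes the three policy documents from this page into a deliberately simplified local evaluator (Allow-only statements, Action and Resource wildcards, StringEquals conditions) so the difference between ReadOnly, PowerUser and FullAccess can be checked offline, and it shows how to turn the PowerUser starting point into a least-privilege copy pinned to one repository ARN. The function names is_allowed and scope_to_repository, the probe actions, and the ARN with account 123456789012 are assumptions and constructed values; that ecr:GetAuthorizationToken must keep Resource "*" is a general IAM constraint not stated on this page. For an authoritative answer use the IAM policy simulator.

```python
"""Offline check of what the three Amazon ECR managed policies grant.
Added example, not AWS code: policies are transcribed from the page; the
evaluator is a simplified IAM model (Allow-only statements, Action and
Resource wildcards, StringEquals conditions), not the IAM policy simulator.
"""
import copy
import fnmatch

# Read-side actions common to ReadOnly and PowerUser (from the page).
READ_ACTIONS = [
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
    "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages",
    "ecr:BatchGetImage", "ecr:GetLifecyclePolicy",
    "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource",
    "ecr:DescribeImageScanFindings",
]
# The four push actions that PowerUser adds on top of ReadOnly.
PUSH_ACTIONS = ["ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage"]

READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*"}]}
POWER_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": READ_ACTIONS + PUSH_ACTIONS, "Resource": "*"}]}
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:*", "cloudtrail:LookupEvents"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"],
     "Resource": "*", "Condition": {"StringEquals": {
         "iam:AWSServiceName": ["replication.ecr.amazonaws.com"]}}}]}


def _as_list(value):
    # IAM accepts a single string or a list in Action, Resource and conditions.
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only StringEquals is modelled; it is the only operator these policies use.
    for key, wanted in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """True if an Allow statement matches action, resource and condition.
    IAM denies by default and these managed policies carry no Deny
    statement, so in this model one matching Allow is sufficient."""
    context = context or {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        # Action names match case-insensitively; resource ARNs are case-sensitive.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), context):
            continue
        return True
    return False


def scope_to_repository(policy, repository_arn):
    """Copy of ReadOnly or PowerUser limited to one repository ARN.
    ecr:GetAuthorizationToken is registry-level and only works with
    Resource "*", so it keeps its own wildcard statement; every other
    action is pinned to the repository. Meant for the two ecr-only policies."""
    scoped = copy.deepcopy(policy)
    statements = []
    for st in scoped["Statement"]:
        actions = _as_list(st["Action"])
        registry = [a for a in actions if a == "ecr:GetAuthorizationToken"]
        per_repo = [a for a in actions if a != "ecr:GetAuthorizationToken"]
        if registry:
            statements.append({"Effect": st["Effect"], "Action": registry,
                               "Resource": "*"})
        if per_repo:
            statements.append(dict(st, Action=per_repo, Resource=repository_arn))
    scoped["Statement"] = statements
    return scoped


if __name__ == "__main__":
    # Constructed placeholder ARN; 123456789012 is not a real account.
    repo = "arn:aws:ecr:us-east-1:123456789012:repository/app"
    probes = ["ecr:BatchGetImage", "ecr:PutImage", "ecr:DeleteRepository",
              "ecr:PutLifecyclePolicy", "ecr:SetRepositoryPolicy"]
    for name, pol in [("ReadOnly", READ_ONLY), ("PowerUser", POWER_USER),
                      ("FullAccess", FULL_ACCESS)]:
        print(name, {a: is_allowed(pol, a, repo) for a in probes})
    print(scope_to_repository(POWER_USER, repo))
```

Running the script prints, for each policy, which of the probe actions it allows: ReadOnly permits only the pull, PowerUser adds the push but still refuses delete and policy changes, and FullAccess allows everything through ecr:*. The scoped copy keeps GetAuthorizationToken on "*" (a login call cannot be restricted to one repository) and moves every other action onto the named repository ARN, which is the step most teams skip when they attach the managed policy as-is.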
AWSECRPullThroughCache_ServiceRolePolicy
You can't attach the AWSECRPullThroughCache_ServiceRolePolicy managed IAM policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon ECR to push images to your repositories through the pull through cache workflow. For more information, see Using service-linked roles for Amazon ECR.
ECRReplicationServiceRolePolicy
You can't attach the ECRReplicationServiceRolePolicy managed IAM policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon ECR to perform actions on your behalf. For more information, see Using service-linked roles for Amazon ECR.
Amazon ECR updates to AWS managed policies
View details about updates to AWS managed policies for Amazon ECR since the time that this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon ECR Document history page.
| Change | Description | Date |
|---|---|---|
| AWSECRPullThroughCache_ServiceRolePolicy – New policy | Amazon ECR added a new policy. This policy is associated with the | November 29, 2021 |
| ECRReplicationServiceRolePolicy – New policy | Amazon ECR added a new policy. This policy is associated with the | December 4, 2020 |
| AmazonEC2ContainerRegistryFullAccess – Update to an existing policy | Amazon ECR added new permissions to the | December 4, 2020 |
| AmazonEC2ContainerRegistryReadOnly – Update to an existing policy | Amazon ECR added new permissions to the | December 10, 2019 |
| AmazonEC2ContainerRegistryPowerUser – Update to an existing policy | Amazon ECR added new permissions to the | December 10, 2019 |
| AmazonEC2ContainerRegistryFullAccess – Update to an existing policy | Amazon ECR added new permissions to the | November 10, 2017 |
| AmazonEC2ContainerRegistryReadOnly – Update to an existing policy | Amazon ECR added new permissions to the | October 11, 2016 |
| AmazonEC2ContainerRegistryPowerUser – Update to an existing policy | Amazon ECR added new permissions to the | October 11, 2016 |
| AmazonEC2ContainerRegistryReadOnly – New policy | Amazon ECR added a new policy which grants read-only permissions to Amazon ECR. These permissions include the ability to list repositories and images within the repositories. They also include the ability to pull images from Amazon ECR with the Docker CLI. | December 21, 2015 |
| AmazonEC2ContainerRegistryPowerUser – New policy | Amazon ECR added a new policy which grants administrative permissions that allow users to read and write to repositories but doesn't allow them to delete repositories or change the policy documents that are applied to them. | December 21, 2015 |
| AmazonEC2ContainerRegistryFullAccess – New policy | Amazon ECR added a new policy. This policy grants full access to Amazon ECR. | December 21, 2015 |
| Amazon ECR started tracking changes | Amazon ECR started tracking changes for AWS managed policies. | June 24, 2021 |