AWS managed policies for Amazon Elastic Container Registry
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
Amazon ECR provides several managed policies that you can attach to IAM identities or to Amazon EC2 instances. These managed policies allow differing levels of control over access to Amazon ECR resources and API operations. For more information about each API operation mentioned in these policies, see Actions in the Amazon Elastic Container Registry API Reference.
Topics
AmazonEC2ContainerRegistryFullAccess
You can attach the AmazonEC2ContainerRegistryFullAccess policy to your
IAM identities.
You can use this managed policy as a starting point to create your own IAM policy
based on your specific requirements. For example, you can create a policy specifically
for providing a user or role with full administrator access to manage the use of Amazon ECR.
With the Amazon ECR Lifecycle
Policies feature, you can specify the lifecycle management of images in a
repository. Lifecycle policy events are reported as CloudTrail events. Amazon ECR is integrated
with AWS CloudTrail so it can display your lifecycle policy events directly in the Amazon ECR
console. The AmazonEC2ContainerRegistryFullAccess managed IAM policy
includes the cloudtrail:LookupEvents permission to facilitate this
behavior.
Permissions details
This policy includes the following permissions:
-
ecr– Allows principals full access to all Amazon ECR APIs. -
cloudtrail– Allows principals to looks up management events or AWS CloudTrail Insights events that are captured by CloudTrail.
The AmazonEC2ContainerRegistryFullAccess policy is as follows.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:*", "cloudtrail:LookupEvents" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "replication.ecr.amazonaws.com" ] } } } ] }
AmazonEC2ContainerRegistryPowerUser
You can attach the AmazonEC2ContainerRegistryPowerUser policy to your
IAM identities.
This policy grants administrative permissions that allow IAM users to read and write to repositories, but doesn't allow them to delete repositories or change the policy documents that are applied to them.
Permissions details
This policy includes the following permissions:
-
ecr– Allows principals to read and write to repositories, as well as read lifecycle policies. Principals aren't granted permission to delete repositories or change the lifecycle policies that are applied to them.
The AmazonEC2ContainerRegistryPowerUser policy is as follows.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage", "ecr:GetLifecyclePolicy", "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource", "ecr:DescribeImageScanFindings", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage" ], "Resource": "*" } ] }
AmazonEC2ContainerRegistryPullOnly
You can attach the AmazonEC2ContainerRegistryPullOnly policy to your
IAM identities.
This policy grants permission to pull container images from Amazon ECR. If the registry is enabled for pull-through cache, it will also allow pulls to import an image from an upstream registry.
Permissions details
This policy includes the following permissions:
-
ecr– Allows principals to read repositories and their respective lifecycle policies.
The AmazonEC2ContainerRegistryPullOnly policy is as follows.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchImportUpstreamImage" ], "Resource": "*" } ] }
AmazonEC2ContainerRegistryReadOnly
You can attach the AmazonEC2ContainerRegistryReadOnly policy to your
IAM identities.
This policy grants read-only permissions to Amazon ECR. This includes the ability to list repositories and images within the repositories. It also includes the ability to pull images from Amazon ECR with the Docker CLI.
Permissions details
This policy includes the following permissions:
-
ecr– Allows principals to read repositories and their respective lifecycle policies.
The AmazonEC2ContainerRegistryReadOnly policy is as follows.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage", "ecr:GetLifecyclePolicy", "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource", "ecr:DescribeImageScanFindings" ], "Resource": "*" } ] }
AWSECRPullThroughCache_ServiceRolePolicy
You can't attach the AWSECRPullThroughCache_ServiceRolePolicy managed
IAM policy to your IAM entities. This policy is attached to a service-linked role
that allows Amazon ECR to push images to your repositories through the pull through cache
workflow. For more information, see Amazon ECR service-linked role for pull through
cache.
ECRReplicationServiceRolePolicy
You can't attach the ECRReplicationServiceRolePolicy managed IAM policy
to your IAM entities. This policy is attached to a service-linked role that allows
Amazon ECR to perform actions on your behalf. For more information, see Using service-linked roles for
Amazon ECR.
ECRTemplateServiceRolePolicy
You can't attach the ECRTemplateServiceRolePolicy managed IAM policy
to your IAM entities. This policy is attached to a service-linked role that allows
Amazon ECR to perform actions on your behalf. For more information, see Using service-linked roles for
Amazon ECR.
Amazon ECR updates to AWS managed policies
View details about updates to AWS managed policies for Amazon ECR since the time that this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon ECR Document history page.
| Change | Description | Date |
|---|---|---|
|
Amazon ECR service-linked role for pull through cache – Update to an existing policy |
Amazon ECR added new permissions to the |
March 12, 2025 |
|
AmazonEC2ContainerRegistryPullOnly – New policy |
Amazon ECR added a new policy which grants pull-only permissions to Amazon ECR. |
October 10, 2024 |
|
ECRTemplateServiceRolePolicy – New policy |
Amazon ECR added a new policy. This policy is associated with the
|
June 20, 2024 |
|
AWSECRPullThroughCache_ServiceRolePolicy – Update to an existing policy |
Amazon ECR added new permissions to the
|
November 15, 2023 |
|
AWSECRPullThroughCache_ServiceRolePolicy – New policy |
Amazon ECR added a new policy. This policy is associated with the
|
November 29, 2021 |
|
ECRReplicationServiceRolePolicy – New policy |
Amazon ECR added a new policy. This policy is associated with the
|
December 4, 2020 |
|
AmazonEC2ContainerRegistryFullAccess – Update to an existing policy |
Amazon ECR added new permissions to the
|
December 4, 2020 |
|
AmazonEC2ContainerRegistryReadOnly – Update to an existing policy |
Amazon ECR added new permissions to the
|
December 10, 2019 |
|
AmazonEC2ContainerRegistryPowerUser – Update to an existing policy |
Amazon ECR added new permissions to the
|
December 10, 2019 |
|
AmazonEC2ContainerRegistryFullAccess – Update to an existing policy |
Amazon ECR added new permissions to the
|
November 10, 2017 |
|
AmazonEC2ContainerRegistryReadOnly – Update to an existing policy |
Amazon ECR added new permissions to the
|
October 11, 2016 |
|
AmazonEC2ContainerRegistryPowerUser – Update to an existing policy |
Amazon ECR added new permissions to the
|
October 11, 2016 |
|
AmazonEC2ContainerRegistryReadOnly – New policy |
Amazon ECR added a new policy which grants read-only permissions to Amazon ECR. These permissions include the ability to list repositories and images within the repositories. They also include the ability to pull images from Amazon ECR with the Docker CLI. |
December 21, 2015 |
|
AmazonEC2ContainerRegistryPowerUser – New policy |
Amazon ECR added a new policy which grants administrative permissions that allow users to read and write to repositories but doesn't allow them to delete repositories or change the policy documents that are applied to them. |
December 21, 2015 |
|
AmazonEC2ContainerRegistryFullAccess – New policy |
Amazon ECR added a new policy. This policy grants full access to Amazon ECR. |
December 21, 2015 |
|
Amazon ECR started tracking changes |
Amazon ECR started tracking changes for AWS managed policies. |
June 24, 2021 |
