[09] ECR

Question 1

What type of artifacts can be held in ECR repositories?

Answer 1

Docker images, OCI images, and OCI compatible artifacts e.g. Helm charts

Question 2

What are used for multi-architecture images in ECR?

Answer 2

Manifest lists

Question 3

What does ECR integrate with to sign container images?

Answer 3

AWS Signer

Question 4

Where is the image signature stored when signing with AWS Signer?

Answer 4

In ECR along with the layers

Question 5

What may ECR do when pulling an image?

Hint: this relates to ensuring the client recieves the correct format.

Answer 5

Translate the image manifest to ensure it is a version supported by the client

Question 6

When does translation not occur during image pulls?

Answer 6

If the pulled image is referenced by its digest

Question 7

What do Windows images in ECR include that is restricted by license?

Answer 7

Artifacts which are restricted by license from being distributed

Question 8

What happens by default with the restricted Windows artifacts?

Answer 8

They are not pushed to ECR

Question 9

How are the restricted Windows artifacts pulled?

Answer 9

From Azure over the internet

Question 10

How can you store the restricted Windows artifacts in ECR?

Answer 10

Use the ‘–allow-nondistributable-artifacts’ flag with the Docker CLI

Question 11

What state will a task be in while ECS is performing additional steps?

Answer 11

PROVISIONING

Question 12

What are the applicable actions for registry policies in ECR?

Answer 12

ecr:ReplicateImage, ecr:BatchImportUpstreamImage, ecr:CreateRepository

Question 13

What are repository policies used for in ECR?

Answer 13

Repository policies control access to repositories.

Question 14

What conditions determine if an IAM identity can perform an action in ECR?

Answer 14

Allowed by either a repository policy or IAM policy, and neither the repository policy nor IAM policy has an explicit deny.

Question 15

What are repository policies required for in ECR?

Answer 15

Repository policies are required to enable cross-account access.

Question 16

What is ECR pricing based on?

Answer 16

The amount of data stored and data transfer from image pushes and pulls.

Question 17

How are repositories encrypted in ECR?

Answer 17

KMS encryption ensures the repository contents are encrypted at rest.

Question 18

How are namespaces achieved in ECR repository names?

Answer 18

By convention, namespaces are achieved by adding ‘/’ in repository names to form a hierarchical key.

Question 19

Why might the size of an image reported by ECR be smaller than the output of ‘docker images’?

Answer 19

Docker images are compressed before being pushed, so the size as reported by ECR may be smaller than the output of ‘docker images’.

Question 20

What does pull through cache in ECR do?

Answer 20

Pull through cache syncs the contents of an upstream registry to an ECR private registry.

Question 21

What upstreams are supported for pull through cache in ECR?

Answer 21

Docker Hub, Azure Container Registry, Google Artifact Registry, GitHub Container Registry, ECR Public, Kubernetes container image registry, and Quay.

Question 22

What is the behavior of pull through cache in ECR?

Answer 22

On the first pull, ECR creates a repository and caches that image in your private registry. On subsequent pulls, ECR checks the upstream registry to see if there is a later version of the image. If not, it is pulled from the private registry. If ECR can’t update the image from the upstream, then the latest cached image is pulled. ECR attempts to update the image in the private registry at least every 24 hours.

Question 23

How are multi-architecture images handled with pull through cache in ECR?

Answer 23

When multi-architecture images are pulled, all images referenced in the manifest list are cached. To only pull a specific architecture, reference a specific image digest.

Question 24

What are repository creation templates used for with pull through cache in ECR?

Answer 24

Repository creation templates define the settings applied to repositories created during cached pulls.

Question 25

What service-linked role is used for pull through cache actions in ECR?

Answer 25

AWSServiceRoleForECRPullThroughCache

Question 26

What does replication do in ECR?

Answer 26

Replication synchronises repositories in different accounts or regions.

Question 27

What aspects of ECR repositories are not replicated?

Answer 27

Delete actions, repository policies, and lifecycle policies aren’t replicated.

Question 28

How is tag immutability handled during replication in ECR?

Answer 28

Tag immutability is respected during synchronisation, which can lead to the images in the target repository being untagged.

Question 29

What service-linked role is used for replication actions in ECR?

Answer 29

AWSServiceRoleForECRReplication

Question 30

What are lifecycle policies used for in ECR?

Answer 30

Lifecycle policies automatically delete old images based on rules configured at the repository level.

Question 31

At what level is image tag immutability configured in ECR?

Answer 31

Image tag immutability is configured at a repository level to prevent image tags from being overwritten.

Question 32

At what level is image scanning configured in ECR?

Answer 32

Image scanning is configured at the registry level.

Question 33

What metrics does ECR publish?

Answer 33

CallCount under the AWS/Usage namespace, and RepositoryPullCount under AWS/ECR.

Question 34

For what events does ECR emit EventBridge events?

Answer 34

Image push, upstream request is made for pull through caching, image scanning completes, an image is deleted.

Question 35

What is the PROVISIONING state?

Answer 35

A task will be in the PROVISIONING state while ECS is performing additional steps.

Question 36

What command should be run to allow the ec2-user to execute Docker commands without using sudo?

Answer 36

sudo usermod -a -G docker ec2-user

Question 37

What option is required to delete an ECR repository that contains images?

Answer 37

–force

Question 38

How long are ECR authorization tokens valid for?

Answer 38

12 hours

Question 39

What permissions do ECR authorization tokens have?

Answer 39

Same permissions as the IAM principal which generated them with the GetAuthorizationToken API call

Question 40

How can you re-tag an image in ECR without re-uploading the layers?

Answer 40

Use the put-image AWS CLI command with the –image-tag option

Question 41

What two endpoints must exist to pull or push an image using PrivateLink?

Answer 41

com.amazonaws.com..ecr.dkr and com.amazonaws.com..ecr.api

Question 42

What S3 bucket are ECR image layers stored in?

Answer 42

prod–starport-layer-bucket

Question 43

What service logs all ECR API actions?

Answer 43

CloudTrail

Question 44

What CloudTrail events are generated for image pushes?

Answer 44

InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload & PutImage

Question 45

What CloudTrail events are generated for image pulls?

Answer 45

GetDownloadUrlForLayer & BatchGetImage

Question 46

What is the CloudTrail event name for lifecycle policy actions?

Answer 46

PolicyExecutionEvent

Question 47

How can you optimise the performance of ECR?

Answer 47

Place dependencies that change infrequently near the top of the Dockerfile and chain commands to avoid necessary file storage

Question 48

What state will a task be in while ECS is performing additional steps?

Answer 48

PROVISIONING

Question 49

What is the PROVISIONING state?

Answer 49

The state a task will be in while ECS is performing additional steps

Question 50

What Linux parameters are supported?

Answer 50

None

Question 51

What region is authentication for ECR Public performed in?

Answer 51

us-east-1

Question 52

Where are CloudTrail events for ECR Public recorded?

Answer 52

us-east-1

Question 53

What does the repository catalog contain?

Answer 53

Metadata about a repository e.g. the public-facing description

Question 54

When is a default alias assigned to your public registry?

Answer 54

When the first public repository is created

Question 55

What do public repository policies control?

Answer 55

Permissions for mutating actions

Question 56

Can public access to view or pull an ECR Public repository be restricted?

Answer 56

No

Question 57

In what state will a task be while ECS is performing additional steps?

Answer 57

PROVISIONING

Question 58

What is the PROVISIONING state?

Answer 58

A state where a task will be in while ECS is performing additional steps