Skip to content


Elastic Container Registry (ECR)

  • IAM access control for pulling & pushing images
  • Repository policies (e.g., to allow other accounts to pull)
  • Encryption:
    • Images encrypted at rest by default with S3 SSE
    • HTTPS access

Elastic Container Service (ECS)

  • Set of containers that are placed together
  • Configured with an execution role they use to access services
  • Containers run on customer-controlled EC2 instances in a VPC, or are Fargate managed
Networking options:
  • none
  • bridge: docker virtual network
  • host: tasks get the host's network interface
  • awsvpc: task network interfaces are normal ENIs
  • all the VPC properties apply: exist in a subnet, have security groups, have flow logs
  • each container can have its own security group & IP
Fargate launch type:
  • Must use awsvpc network mode, CloudWatch logs
  • Uses Firecracker under the hood