Containers

Elastic Container Registry (ECR)

• IAM access control for pulling & pushing images
• Repository policies (e.g., to allow other accounts to pull)
• Encryption:
  • Images encrypted at rest by default with S3 SSE
  • HTTPS access

---

Elastic Container Service (ECS)

Tasks:

• Set of containers that are placed together
• Configured with an execution role they use to access services
• Containers run on customer-controlled EC2 instances in a VPC, or are Fargate managed

Networking options:

• none
• bridge: docker virtual network
• host: tasks get the host's network interface
• awsvpc: task network interfaces are normal ENIs
• all the VPC properties apply: exist in a subnet, have security groups, have flow logs
• each container can have its own security group & IP

Fargate launch type:

• Must use awsvpc network mode, CloudWatch logs
• Uses Firecracker under the hood