AWS ECR in 2026: Pull, Inspect, Scan & Automate Docker Images: Complete Guide

AWS Elastic Container Registry (ECR) is the default private Docker registry for AWS workloads. Teams interact with it dozens of times a day, but most only know the basics. This guide covers the full workflow: authenticate securely, pull and inspect images, extract filesystem layers without running a container, scan for CVEs with Amazon Inspector v2, manage costs through lifecycle policies, and automate everything with GitHub Actions OIDC. Prerequisites AWS CLI v2 installed and configured ( aws configure ) Docker Engine ≥ 24 running locally IAM user or role with ECR read permissions Step 1: Authenticate to ECR ECR uses short-lived tokens (12-hour TTL) tied to your AWS identity. Authenticate before any pull or push: # Replace <region> and <account-id> with your actual values aws ecr get-login-password --region us-east-1 \ | docker login --username AWS --password-stdin \ 123456789012.dkr.ecr.us-east-1.amazonaws.com In automation, use the aws-actions/amazon-ecr-login GitHub Action (Step 7)