
Enable Cross-Region Replication

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Enable Cross-Region Replication to have Amazon ECR copy images pushed to the repositories in a particular (source) region to one or more destination regions. This feature enables you to safely copy your Amazon ECR container images across multiple AWS regions.

Reliability
Performance efficiency

Storing Amazon ECR container images in-region helps applications start up faster, as image download time is reduced due to lower latency, and removes cross-region downloads, which helps with region isolation. Geographically dispersed ECR container images also help you meet business continuity, disaster recovery, and compliance requirements for your application. By enabling the Cross-Region Replication feature to replicate images across multiple regions, Amazon ECR makes it even easier to deploy and run highly available applications in AWS.


Audit

To determine if the replication of Amazon ECR container images across AWS cloud regions is enabled, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ECR console at https://console.aws.amazon.com/ecr.

03 In the left navigation panel, under Amazon ECR, select Registries to access the configuration settings available for your private ECR registries. Amazon ECR private registries are used to host your container images in a highly available and scalable environment.

04 On the Registries page, in the Private section, check the Cross-region replication configuration attribute status. If the attribute status is set to Disabled, the Cross-Region Replication feature is not enabled for the container images available within your private Amazon ECR repositories.

05 Change the AWS cloud region from the navigation bar and repeat the audit process for other AWS regions.

Using AWS CLI

01 Run the describe-registry command (OSX/Linux/UNIX) to describe the configuration settings (including replication settings) available for your Amazon ECR registry in the selected AWS region:

aws ecr describe-registry \
  --region us-east-1

02 Based on your Amazon ECR registry configuration, if the feature is disabled, the command should return one of the following outputs:

  1. If the command output does not describe any rules for the "replicationConfiguration" object, as shown in the example below, the Cross-Region Replication feature is not enabled for the container images available within your private Amazon ECR repositories:
    {
      "registryId": "123456789012",
      "replicationConfiguration": {
        "rules": []
      }
    }
    
  2. If the describe-registry command output returns rules for the "replicationConfiguration" object but the "registryId" values are not identical (i.e. only Cross-Account Replication is enabled), as shown in the example below, the Cross-Region Replication feature is not enabled for your Amazon ECR container images:
    {
      "registryId": "123456789012",
      "replicationConfiguration": {
        "rules": [
          {
            "destinations": [
              {
                "region": "us-west-2",
                "registryId": "123412341234"
              }
            ]
          }
        ]
      }
    }
03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.
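The audit logic of steps 1 and 2, as an added Python example that is not part of the Conformity page: it evaluates a describe-registry response and reports Cross-Region Replication as enabled only when a destination keeps the registry's own registryId and points to a different region. The three sample documents are constructed to mirror the outputs shown above.

```python
# Added example (not the Conformity page's own code): evaluates a
# describe-registry response offline; no AWS call is made.
import json


def cross_region_replication_enabled(describe_registry_json, source_region):
    """Return True only if at least one destination copies images to a
    different region within the same registry (account).

    - No rules (or no destinations)          -> disabled
    - Destinations with a foreign registryId -> cross-account only, disabled
    - Destination with own registryId and a
      region other than the source region    -> enabled
    """
    doc = json.loads(describe_registry_json)
    own_id = doc["registryId"]
    rules = doc.get("replicationConfiguration", {}).get("rules", [])
    for rule in rules:
        for dest in rule.get("destinations", []):
            if dest.get("registryId") == own_id and dest.get("region") != source_region:
                return True
    return False


# Constructed sample outputs, shaped like the CLI output in the audit steps.
NO_RULES = json.dumps({"registryId": "123456789012",
                       "replicationConfiguration": {"rules": []}})
CROSS_ACCOUNT_ONLY = json.dumps({
    "registryId": "123456789012",
    "replicationConfiguration": {"rules": [{"destinations": [
        {"region": "us-west-2", "registryId": "123412341234"}]}]}})
CROSS_REGION = json.dumps({
    "registryId": "123456789012",
    "replicationConfiguration": {"rules": [{"destinations": [
        {"region": "us-west-2", "registryId": "123456789012"}]}]}})

if __name__ == "__main__":
    samples = [("no rules", NO_RULES),
               ("cross-account only", CROSS_ACCOUNT_ONLY),
               ("cross-region", CROSS_REGION)]
    for name, doc in samples:
        state = "ENABLED" if cross_region_replication_enabled(doc, "us-east-1") else "DISABLED"
        print(f"{name}: Cross-Region Replication {state}")
```

To run it against a live registry, pipe the output of `aws ecr describe-registry --region <region>` into the function with the same region as `source_region`.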

Remediation / Resolution

Enabling the Cross-Region Replication feature for your Amazon ECR registries makes copies of the images in one or more destination regions. Only container images pushed to a repository after Cross-Region Replication is configured are copied. To enable and configure the feature for your private Amazon ECR registries, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon ECR console at https://console.aws.amazon.com/ecr.

03 In the left navigation panel, under Amazon ECR, select Registries to access the configuration settings available for your private ECR registries.

04 On the Registries page, select the Private configuration box and choose Edit.

05 On the Edit registry page, in the Replication settings section, perform the following actions:

  1. Toggle Enabled under Cross-region replication to enable the Cross-Region Replication feature for your Amazon ECR registry.
  2. Select one or more AWS regions as destination targets from the Destination regions dropdown list.
  3. Choose Save to apply the changes. From now on, every time you push an image to your private ECR repository (or call the replicate API explicitly) Amazon ECR automatically replicates the image. If the repository does not yet exist in the destination region, Cross-Region Replication automatically creates it.

06 Change the AWS cloud region from the navigation bar to repeat the remediation process for other AWS regions.

Using AWS CLI

01 Define the replication configuration for your Amazon ECR registry by adding the destination account and region(s) where you want Amazon ECR to copy your images to. If Cross-Account Replication is enabled in the selected AWS region, make sure that you add the cross-account destination details as well. Save your configuration document to a JSON file named replication-configuration.json. The following replication configuration example enables the Cross-Region Replication feature to make copies of your private images in the US West (Oregon) region:

{
  "rules": [
    {
      "destinations": [
        {
          "region": "us-west-2",
          "registryId": "123456789012"
        }
      ]
    }
  ]
}

02 Run the put-replication-configuration command (OSX/Linux/UNIX) to enable the Cross-Region Replication feature within the selected AWS region by updating the Amazon ECR registry replication configuration with the information defined at the previous step:

aws ecr put-replication-configuration \
  --region us-east-1 \
  --replication-configuration file://replication-configuration.json

03 The command output should return the new replication configuration for the Amazon ECR registry:

{
  "replicationConfiguration": {
    "rules": [
      {
        "destinations": [
          {
            "region": "us-west-2",
            "registryId": "123456789012"
          }
        ]
      }
    ]
  }
}

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation process for other regions.
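An added example, not the page's own code, for step 1 of the CLI remediation: because put-replication-configuration replaces the registry's whole configuration, this builds replication-configuration.json by carrying over the existing rules (such as the cross-account destination from the audit example, or any rule with repositoryFilters, a field the page does not mention) and merging in same-account destinations for the chosen regions. The existing configuration is a constructed sample.

```python
# Added example (not the Conformity page's own code): builds the document
# for --replication-configuration without dropping existing destinations.
import copy
import json


def build_replication_configuration(describe_registry, destination_regions):
    """Return the replication-configuration document for the registry.

    Every existing rule is carried over unchanged; the same-account,
    cross-region destinations are merged into the first rule without
    repositoryFilters, or into a new rule when no such rule exists.
    The input dict is not mutated.
    """
    own_id = describe_registry["registryId"]
    rules = copy.deepcopy(
        describe_registry.get("replicationConfiguration", {}).get("rules", []))
    target = next((r for r in rules if not r.get("repositoryFilters")), None)
    if target is None:
        target = {"destinations": []}
        rules.append(target)
    present = {(d["region"], d["registryId"]) for d in target["destinations"]}
    for region in destination_regions:
        if (region, own_id) not in present:
            target["destinations"].append({"region": region, "registryId": own_id})
            present.add((region, own_id))
    return {"rules": rules}


# Constructed describe-registry output: cross-account replication to
# registry 123412341234 is already configured and must be preserved.
EXISTING = {
    "registryId": "123456789012",
    "replicationConfiguration": {"rules": [{"destinations": [
        {"region": "us-west-2", "registryId": "123412341234"}]}]},
}

if __name__ == "__main__":
    config = build_replication_configuration(EXISTING, ["us-west-2", "eu-west-1"])
    with open("replication-configuration.json", "w") as fh:
        json.dump(config, fh, indent=2)
    print(json.dumps(config, indent=2))
```

Feed a real `aws ecr describe-registry` response into the function, then pass the written file to the put-replication-configuration command from step 2.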


Publication date Feb 6, 2021