Amazon Onboarding with Learning Manager Chanci Turner


Amazon recently announced that Amazon Elastic Container Registry (Amazon ECR) now includes version 1.1 of the Open Container Initiative (OCI) Image and Distribution specifications. This update introduces support for image referrers and significant improvements for distributing non-image artifacts.

These new capabilities enable customers to more effectively manage content associated with their container images. With these enhancements, users can push image signatures, software bill of materials (SBOMs), attestations, and other related content alongside their images in Amazon ECR. Customers can manage these artifacts using the core features of Amazon ECR and easily retrieve them by image reference for use in any build, test, or workload environment.

The implementation of these features based on the OCI 1.1 specifications allows a wide variety of OCI-compliant open-source tools to work seamlessly with Amazon ECR. This post provides a brief overview of how Amazon ECR supports the Open Container Initiative standards, followed by technical details and a specific use case illustrating how you can utilize these new features right away.

Open Container Initiative and Amazon ECR

The development of these features began over two years ago, with AWS employees collaborating within the Open Container Initiative (OCI) community on what is now the first feature update of both the Image and Distribution specifications. These specifications aim to standardize containers so that services, tools, and code can be portable and interoperate reliably.

Currently, OCI curates three main specifications: Runtime, Image, and Distribution. The new features in Amazon ECR relate to the latter two. Runtime concerns how containers are launched and run on a host; Image specifies how container images are defined; and Distribution outlines how images are pushed, stored in registries, and pulled for workloads in your build and compute environments.

Most clients connect to Amazon ECR using OCI-compliant tools like Docker or Finch, or container runtimes such as containerd. When pushing and pulling images, users interact with Amazon ECR’s OCI- and Docker-compatible endpoint, which implements the Open Container Initiative Distribution specification APIs and the Docker Registry HTTP API v2. This ensures that open-source tools can develop against a standardized set of interfaces rather than cloud-specific SDKs or provider-specific integrations.

Introduction of Artifacts in Amazon ECR

Amazon ECR continually evolves to support non-image artifact use cases, which have been gaining traction. In 2020, we introduced support for OCI artifacts, enabling non-image content distribution for items like Helm charts in Amazon ECR. Tools such as Helm use this support by taking advantage of the flexibility of the OCI Image specification and storing the artifact type in the manifest's configuration section. In an image manifest, that section describes the container configuration for the stored image; a Helm chart or an image signature has no container configuration, so the field is free to carry the artifact type instead.

While this approach was effective in OCI Image 1.0, it wasn’t obvious to all client developers and lacked consistent implementation. With OCI Image 1.1, we now have a clearer and more stable artifactType field directly on the Image manifest. This serves as a single reference point in the manifest that all clients and registries can use to store and identify the content type. Amazon ECR will still support the use of the config.mediaType field for clients that depend on it, but we anticipate broad adoption of this new enhancement.

Working with Referrers in Amazon ECR

As supply chain security solutions for containers emerge, the need for standardized registry support for solutions like container image verification and SBOM publication has become evident. Managing reference relationships between artifacts and images is now a requirement. Alongside the enhanced support for non-image content, the Image and Distribution specifications have defined a method for clients to associate non-image content with images in a registry.

To achieve this, OCI Image 1.1 introduces a new manifest field, subject, which allows persistent storage of the digest of a referred-to image within an artifact’s manifest. This enables clients to specify both content type and an image that the content refers to. As a complementary feature, OCI Distribution 1.1 has introduced a new referrers API endpoint for registries. This endpoint allows clients to query a registry like Amazon ECR for any image referrers linked to a given image digest. Clients can inquire whether an image has any referrers, navigate a list of referrers by type, and retrieve artifacts of interest.
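As an added illustration of the two mechanisms described above (the 1.1 artifactType field with its config.mediaType fallback, and the subject field plus referrers API), here is example code that is not part of the original post or of Amazon ECR: it builds constructed sample manifests, resolves an artifact's type the way a 1.1 client should, checks the subject link by digest, and filters a referrers-API index by artifactType while honouring the OCI-Filters-Applied header. The signature and Helm media types are sample values.

```python
import hashlib
import json

OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
EMPTY_CONFIG = {"mediaType": "application/vnd.oci.empty.v1+json", "size": 2,
                "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"}

# Constructed sample image manifest, digested the way a registry does it:
# sha256 over the exact manifest bytes that were pushed.
IMAGE_MANIFEST_BYTES = json.dumps({
    "schemaVersion": 2, "mediaType": OCI_MANIFEST, "layers": [],
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "11" * 32, "size": 1234},
}, separators=(",", ":")).encode()
IMAGE_DIGEST = "sha256:" + hashlib.sha256(IMAGE_MANIFEST_BYTES).hexdigest()

# Constructed OCI 1.1 signature artifact: artifactType names the content,
# config is the 1.1 empty descriptor, subject links it to the image.
SIGNATURE_MANIFEST = {
    "schemaVersion": 2, "mediaType": OCI_MANIFEST,
    "artifactType": "application/vnd.cncf.notary.signature",
    "config": EMPTY_CONFIG,
    "layers": [{"mediaType": "application/jose+json",
                "digest": "sha256:" + "22" * 32, "size": 2048}],
    "subject": {"mediaType": OCI_MANIFEST, "digest": IMAGE_DIGEST,
                "size": len(IMAGE_MANIFEST_BYTES)},
}

# Constructed pre-1.1 Helm-style artifact: the type lives only in config.mediaType.
LEGACY_HELM_MANIFEST = {
    "schemaVersion": 2, "mediaType": OCI_MANIFEST, "layers": [],
    "config": {"mediaType": "application/vnd.cncf.helm.config.v1+json",
               "digest": "sha256:" + "33" * 32, "size": 100},
}

def artifact_type(manifest):
    """OCI Image 1.1 resolution: top-level artifactType wins, else config.mediaType."""
    return manifest.get("artifactType") or manifest.get("config", {}).get("mediaType")

def is_referrer_of(manifest, image_digest):
    """True when the manifest's subject descriptor points at image_digest."""
    return (manifest.get("subject") or {}).get("digest") == image_digest

def select_referrers(index, wanted_type, filters_applied=""):
    """Filter a referrers API response (an OCI image index) by artifactType; trust
    the registry's filter only if it answered OCI-Filters-Applied: artifactType."""
    descriptors = index.get("manifests", [])
    if "artifactType" in [f.strip() for f in filters_applied.split(",")]:
        return descriptors
    return [d for d in descriptors if d.get("artifactType") == wanted_type]
```

A registry may ignore the `artifactType` query parameter entirely, which is why the client-side filter is the safe default.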

For example, the Notary project’s notation image signing client implements a notation verify command that queries for any signatures related to the specified image, downloads the signatures found, and verifies the image content—all in a single command.

Amazon ECR treats reference artifacts similarly to images. Customers push and pull all content using the same APIs, and referrer artifacts can be retrieved through aws ecr describe-images. They will also appear in the console just like other content. Furthermore, Amazon ECR’s replication feature ensures that referrers are replicated to configured destinations upon pushing, so that image signatures, SBOMs, and other referrers are present in any repository where images are replicated across accounts or regions. To assist with the lifecycle management of an image’s reference artifacts, Amazon ECR Lifecycle Policies (LCP) automatically clean up artifacts within 24 hours of subject image deletion. Additionally, reference artifacts that relate to an active image are protected from deletion by LCP rules until the subject image is deleted.

To distinguish between referrers and images when pushed to a repository, Amazon ECR now emits a new detail-type in EventBridge events for pushes and deletions of reference artifacts. This enables EventBridge rules to target images for deployment-related actions or specific types of reference artifacts for use in build or deployment workflows.
