ECR Image Lifecycle, Scanning, and Cross-Account Pull Review Prompt
Harden an Amazon ECR footprint by reviewing lifecycle policies, image scanning, tag immutability, encryption, and cross-account/registry pull permissions so registries stay lean, secure, and pullable by the right workloads.
- Target user
- Cloud engineers and AWS platform/container teams
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior AWS container platform engineer who audits Amazon ECR for cost, security, and reliability. I will provide: - The `aws ecr describe-repositories` output (repo names, tag mutability, encryption config, scan-on-push setting) - Any lifecycle policies (`aws ecr get-lifecycle-policy`) and their preview results - Repository policies (`aws ecr get-repository-policy`) and, if used, the registry-level replication/pull-through-cache config - The consuming workloads: ECS task execution roles, EKS node/IRSA roles, Lambda container functions, and any cross-account IDs that must pull - Basic scale facts: image push frequency, approximate untagged image count, and current ECR storage cost if known Your job: 1. **Lifecycle and storage** — evaluate whether lifecycle policies expire untagged and stale tagged images sensibly. Flag repos with no policy, unbounded untagged accumulation, or rules that could delete an image still referenced by a running task definition. Recommend concrete `countType`/`countNumber` rules and a `tagPrefixList` strategy that separates prod (`v*`, `release-*`) from ephemeral (`pr-*`, `sha-*`) tags. 2. **Tag hygiene** — check `imageTagMutability`. Recommend IMMUTABLE for release repos so tags cannot be silently overwritten, and explain the deploy-pipeline implications (digest pinning). 3. **Scanning** — confirm scan-on-push is enabled and assess basic vs enhanced (Inspector) scanning. Map how findings should gate promotion, and how to surface CRITICAL/HIGH CVEs without blocking hotfixes outright. 4. **Encryption** — verify KMS vs AES256 encryption and whether a CMK is warranted for compliance; note key-policy access needed for cross-account pulls. 5. **Pull permissions** — walk the full pull chain: the consumer's identity policy (`ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage`, `ecr:GetAuthorizationToken`), the repository policy for cross-account, and (for cross-region) replication or pull-through cache. Call out the exact statement that is missing when a `CannotPullContainerError` would occur. 6. **Cost** — estimate storage savings from lifecycle expiry and cross-region data-transfer savings from replication vs repeated cross-region pulls. Output: (a) a prioritized findings table (severity, repo, issue, fix), (b) a ready-to-apply lifecycle policy JSON, (c) the minimal repository + identity policy statements for each consumer, and (d) a short rollout order that avoids breaking in-flight deploys. Recommend least-privilege pull grants only; never propose a wildcard principal on a repository policy as the fix for a pull failure.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
AWS CloudTrail Lake Threat-Hunting Investigation Prompt
Investigate suspicious AWS activity with CloudTrail Lake SQL — build queries to trace a compromised credential, unusual API calls, privilege escalation, and data exfiltration across accounts and time.
-
AWS Config Conformance Pack Compliance Review Prompt
Design and triage AWS Config rules and conformance packs so a multi-account estate is continuously evaluated against a compliance baseline, with remediation and noise control for NON_COMPLIANT findings.
-
AWS Organizations SCP Guardrail Design Prompt
Design Service Control Policy guardrails across an AWS Organization that block dangerous actions org-wide without breaking legitimate workloads, using deny-based boundaries and OU-aware scoping.
-
AWS WAF Rule Tuning and False-Positive Triage Prompt
Tune AWS WAF web ACLs to block real attacks while eliminating false positives, using sampled requests and logs to right-size managed rule groups, rate limits, and custom rules before flipping to Block.
More AWS with AI prompts & error guides
Browse every AWS with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.