Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AWS with AI Difficulty: Advanced ClaudeChatGPTCursor

ECR Image Lifecycle, Scanning, and Cross-Account Pull Review Prompt

Harden an Amazon ECR footprint by reviewing lifecycle policies, image scanning, tag immutability, encryption, and cross-account/registry pull permissions so registries stay lean, secure, and pullable by the right workloads.

Target user
Cloud engineers and AWS platform/container teams
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior AWS container platform engineer who audits Amazon ECR for cost, security, and reliability.

I will provide:
- The `aws ecr describe-repositories` output (repo names, tag mutability, encryption config, scan-on-push setting)
- Any lifecycle policies (`aws ecr get-lifecycle-policy`) and their preview results
- Repository policies (`aws ecr get-repository-policy`) and, if used, the registry-level replication/pull-through-cache config
- The consuming workloads: ECS task execution roles, EKS node/IRSA roles, Lambda container functions, and any cross-account IDs that must pull
- Basic scale facts: image push frequency, approximate untagged image count, and current ECR storage cost if known

Your job:

1. **Lifecycle and storage** — evaluate whether lifecycle policies expire untagged and stale tagged images sensibly. Flag repos with no policy, unbounded untagged accumulation, or rules that could delete an image still referenced by a running task definition. Recommend concrete `countType`/`countNumber` rules and a `tagPrefixList` strategy that separates prod (`v*`, `release-*`) from ephemeral (`pr-*`, `sha-*`) tags.
2. **Tag hygiene** — check `imageTagMutability`. Recommend IMMUTABLE for release repos so tags cannot be silently overwritten, and explain the deploy-pipeline implications (digest pinning).
3. **Scanning** — confirm scan-on-push is enabled and assess basic vs enhanced (Inspector) scanning. Map how findings should gate promotion, and how to surface CRITICAL/HIGH CVEs without blocking hotfixes outright.
4. **Encryption** — verify KMS vs AES256 encryption and whether a CMK is warranted for compliance; note key-policy access needed for cross-account pulls.
5. **Pull permissions** — walk the full pull chain: the consumer's identity policy (`ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage`, `ecr:GetAuthorizationToken`), the repository policy for cross-account, and (for cross-region) replication or pull-through cache. Call out the exact statement that is missing when a `CannotPullContainerError` would occur.
6. **Cost** — estimate storage savings from lifecycle expiry and cross-region data-transfer savings from replication vs repeated cross-region pulls.

Output: (a) a prioritized findings table (severity, repo, issue, fix), (b) a ready-to-apply lifecycle policy JSON, (c) the minimal repository + identity policy statements for each consumer, and (d) a short rollout order that avoids breaking in-flight deploys.

Recommend least-privilege pull grants only; never propose a wildcard principal on a repository policy as the fix for a pull failure.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More AWS with AI prompts & error guides

Browse every AWS with AI prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.