Unused ECR Images

Amazon Elastic Container Registry (ECR) is a fully managed container image registry. While ECR provides essential infrastructure for container workloads, unused images can accumulate over time, leading to unnecessary storage costs.

The Problem

Organizations often accumulate ECR images due to:

  • CI/CD pipelines that push images on every build without cleanup
  • Development and testing images that are never deployed to production
  • Legacy application versions kept "just in case"
  • Deprecated services with images still stored in the registry
  • Tag immutability preventing cleanup of old images

These unused images continue to incur storage charges even when they're never pulled or deployed.

Detection Method

unusd.cloud uses ECR's enhanced scanning integration with Amazon Inspector to identify unused images. This integration provides:

  1. Last used date - When the image was last pulled or used in EKS/ECS
  2. Cluster usage count - Number of EKS/ECS clusters currently using the image
  3. Cluster ARNs - Specific clusters where the image is deployed

What We Flag

Images are flagged as unused when:

  • Never used in EKS/ECS - Images pushed more than 90 days ago that have never been used to run containers in EKS or ECS clusters
  • Stale images - Images not used in EKS/ECS clusters for more than 90 days
  • Untagged images - Images without tags that were pushed more than 90 days ago (when enhanced scanning data is unavailable)

Requirements

For full detection capabilities, you should have:

  1. ECR Enhanced Scanning enabled - This provides image usage data via Amazon Inspector
  2. Amazon Inspector activated - Required for the enhanced scanning integration

If enhanced scanning is not enabled, unusd.cloud falls back to basic detection based on image push dates and tag status.
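The flagging rules above (never used, stale, untagged fallback) and the fallback described here are easiest to check against concrete records. The following is an added example, not unusd.cloud's own code: `ImageRecord` is a constructed shape that carries the fields this page names (push date, last-used date, cluster usage count, tags, and whether enhanced-scanning data was available). The mapping of those fields onto real ECR/Inspector API responses is left out; the only assumption beyond the page's text is that an image a cluster is currently running is never flagged.

```python
"""Classify ECR images as unused with the rules listed on this page (added
example, not unusd.cloud's own code). ImageRecord is a constructed shape that
holds the fields the page names: push date, last-used date, cluster usage
count, tags, and whether enhanced-scanning data was available."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

STALE_DAYS = 90  # threshold used throughout this page


@dataclass
class ImageRecord:
    digest: str
    pushed_at: datetime
    tags: List[str] = field(default_factory=list)
    enhanced_scanning: bool = False            # Inspector usage data available?
    last_in_use_at: Optional[datetime] = None  # last time EKS/ECS ran the image
    in_use_count: int = 0                      # clusters currently running it


def classify(img: ImageRecord, now: datetime) -> Optional[str]:
    """Return the reason an image is flagged, or None if it is not flagged."""
    cutoff = timedelta(days=STALE_DAYS)
    age = now - img.pushed_at
    if img.enhanced_scanning:
        # Assumption: an image a cluster is currently running is never flagged.
        if img.in_use_count > 0:
            return None
        if img.last_in_use_at is None:
            return "never-used" if age > cutoff else None
        return "stale" if now - img.last_in_use_at > cutoff else None
    # Fallback without enhanced scanning: only push date and tag status are known
    if not img.tags and age > cutoff:
        return "untagged"
    return None


def flag_unused(images: List[ImageRecord],
                now: Optional[datetime] = None) -> Dict[str, str]:
    """Map digest -> reason for every flagged image in the list."""
    now = now or datetime.now(timezone.utc)
    result: Dict[str, str] = {}
    for img in images:
        reason = classify(img, now)
        if reason:
            result[img.digest] = reason
    return result


# Constructed sample records; digests shortened for readability
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    ImageRecord("sha256:aaa", NOW - timedelta(days=200), ["v1.0.0"], True),
    ImageRecord("sha256:bbb", NOW - timedelta(days=200), ["v1.1.0"], True,
                last_in_use_at=NOW - timedelta(days=120)),
    ImageRecord("sha256:ccc", NOW - timedelta(days=200), ["v2.0.0"], True,
                last_in_use_at=NOW - timedelta(days=1), in_use_count=2),
    ImageRecord("sha256:ddd", NOW - timedelta(days=30), [], True),
    ImageRecord("sha256:eee", NOW - timedelta(days=100), [], False),
    ImageRecord("sha256:fff", NOW - timedelta(days=100), ["v3.0.0"], False),
]

if __name__ == "__main__":
    for digest, reason in flag_unused(SAMPLE_IMAGES, NOW).items():
        print(f"{digest}: {reason}")
```

Running the sample flags `sha256:aaa` (never used), `sha256:bbb` (stale) and `sha256:eee` (untagged fallback); the 30-day-old image and the tagged image without scanning data are left alone, which is the conservative behaviour you want when usage data is missing.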

Potential Savings

ECR storage costs are calculated based on image size:

  • ECR Storage pricing: ~$0.10 per GB-month (varies by region)
  • Data Transfer: Additional charges apply for cross-region or internet data transfer

For example, a 500 MB container image costs approximately $0.05/month in storage fees. With hundreds of unused images, costs add up quickly.

Cleanup Recommendations

Before deleting ECR images, consider:

  1. Check active deployments - Verify the image is not used in any EKS, ECS, or Kubernetes deployments
  2. Review CI/CD pipelines - Ensure pipelines don't reference the image for rollbacks
  3. Check container registries - Some organizations mirror images across registries
  4. Verify base image usage - The image might be a base layer for other images
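Steps 1 and 2 come down to one check: does any image reference still in use by a workload or pipeline resolve to a candidate image? The following is an added example, not unusd.cloud's own code. In practice the references would be collected from sources such as pod specs (`kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}'`) or the `image` field of ECS task definitions; the candidate and reference lists below are constructed, and the account id is the placeholder used elsewhere on this page.

```python
"""Cross-check deletion candidates against image references still used by
workloads (added example, not unusd.cloud's own code). The lists below are
constructed; real references would come from pod specs, ECS task definitions
or pipeline configuration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# registry/repo[:tag][@sha256:digest]; the repo part may itself contain slashes
IMAGE_REF = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^:@]+)"
    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]+))?$"
)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def repository_uri(self) -> str:
        return f"{self.registry}/{self.repo}"


@dataclass
class Candidate:
    repository_uri: str                             # ECR repositoryUri form
    digest: str
    tags: List[str] = field(default_factory=list)   # tags currently on this digest


def parse_image_ref(ref: str) -> Optional[ImageRef]:
    """Parse a qualified image reference; None for refs without a registry host."""
    m = IMAGE_REF.match(ref.strip())
    if not m:
        return None
    return ImageRef(m["registry"], m["repo"], m["tag"], m["digest"])


def references(ref: ImageRef, cand: Candidate) -> bool:
    """True if a deployed reference resolves to the candidate image."""
    if ref.repository_uri != cand.repository_uri:
        return False
    if ref.digest:                                  # digest-pinned: digest decides
        return ref.digest == cand.digest
    return (ref.tag or "latest") in cand.tags       # a bare ref means :latest


def still_referenced(candidates: List[Candidate], deployed: List[str]) -> Set[str]:
    """Digests of candidates that at least one deployed reference resolves to."""
    refs = [r for r in map(parse_image_ref, deployed) if r is not None]
    return {c.digest for c in candidates if any(references(r, c) for r in refs)}


def safe_to_delete(candidates: List[Candidate], deployed: List[str]) -> List[Candidate]:
    live = still_referenced(candidates, deployed)
    return [c for c in candidates if c.digest not in live]


# Constructed sample data (placeholder account id)
REPO = "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo"
CANDIDATES = [
    Candidate(REPO, "sha256:" + "a" * 64, ["v1.0.0"]),
    Candidate(REPO, "sha256:" + "b" * 64, ["v1.1.0", "old"]),
    Candidate(REPO, "sha256:" + "c" * 64),          # untagged image
    Candidate(REPO, "sha256:" + "d" * 64, ["latest"]),
]
DEPLOYED = [
    f"{REPO}:v1.0.0",                  # tag reference in a Deployment spec
    f"{REPO}@sha256:{'c' * 64}",       # digest-pinned reference
    REPO,                              # bare reference, implicitly :latest
    "docker.io/library/nginx:1.25",    # non-ECR image, matches no candidate
    "nginx",                           # no registry host, skipped by the parser
]

if __name__ == "__main__":
    for cand in safe_to_delete(CANDIDATES, DEPLOYED):
        print(f"deletable: {cand.digest} tags={cand.tags}")
```

Only the `v1.1.0`/`old` image survives the check as deletable: a tag-only reference keeps `v1.0.0`, a digest-pinned reference keeps the untagged image (which is why digest-only references matter when you review untagged candidates), and a bare reference keeps whatever currently carries `latest`.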

How to Clean Up

Using AWS Console

  1. Navigate to ECR > Repositories
  2. Select the repository containing unused images
  3. Select the unused images (by tag or digest)
  4. Choose Actions > Delete

Using AWS CLI

# Delete a specific image by tag
aws ecr batch-delete-image \
    --repository-name my-repo \
    --image-ids imageTag=v1.0.0 \
    --region us-east-1

# Delete a specific image by digest
aws ecr batch-delete-image \
    --repository-name my-repo \
    --image-ids imageDigest=sha256:abc123... \
    --region us-east-1

Implementing Lifecycle Policies

For automated cleanup, configure ECR lifecycle policies:

{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Expire untagged images older than 14 days",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 14
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 2,
      "description": "Keep only last 10 images",
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 10
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}

Apply with:

aws ecr put-lifecycle-policy \
    --repository-name my-repo \
    --lifecycle-policy-text file://lifecycle-policy.json \
    --region us-east-1

Exception Handling

To exclude an ECR repository from detection, add the configured exception tag to the repository:

aws ecr tag-resource \
    --resource-arn arn:aws:ecr:us-east-1:123456789012:repository/my-repo \
    --tags Key=unusd,Value=true \
    --region us-east-1

Required Permissions

This feature uses the following IAM permissions (already included in the standard spoke role):

- ecr:DescribeImages
- ecr:DescribeRepositories
- ecr:ListImages
- ecr:ListTagsForResource
- inspector2:ListFindings

Keep on chasing 🧡