From 75fa3506db29eb54fd048069ab321f75de46e457 Mon Sep 17 00:00:00 2001 From: staplesn Date: Sat, 20 Sep 2025 14:34:44 +0100 Subject: [PATCH 1/2] Add ECR support proposal. --- docs/ECRSupportProposal.md | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 docs/ECRSupportProposal.md diff --git a/docs/ECRSupportProposal.md b/docs/ECRSupportProposal.md new file mode 100644 index 0000000..9d32cea --- /dev/null +++ b/docs/ECRSupportProposal.md @@ -0,0 +1,42 @@ +# Immutable and Air-Gapped ECR Backup Solution + +This document outlines a robust solution for creating immutable backups of Amazon ECR container images. The approach leverages a combination of custom scripting, Amazon S3, and AWS Backup to provide an air-gapped, cross-account disaster recovery strategy that is resilient to account compromise. + +Why an Immutable ECR Backup? +While Amazon ECR provides image replication, it lacks an immutable, long-term backup solution in a separate security boundary. In a disaster recovery (DR) scenario where a primary AWS account is compromised, standard replication is not sufficient. This solution addresses that by creating an "air-gapped" backup protected by an AWS Backup Vault Lock, which provides a Write-Once-Read-Many (WORM) model. + +## Solution Architecture + +The solution consists of three main stages: + +* Stage 1: ECR-to-S3 Backup: A scheduled process backs up container images from ECR to a source S3 bucket. +* Stage 2: Cross-Account Backup: AWS Backup automates the process of copying the S3 backups to a separate, dedicated "backup account." +* Stage 3: Immutable Vault Lock: An AWS Backup Vault Lock is applied to the destination vault, making the backups immutable for a defined period. + +## Step-by-Step Implementation + +### Stage 1: ECR to S3 Backup + +This stage involves creating a scheduled Lambda function that pulls images from ECR and pushes them to an S3 bucket. The steps are as follows: +1. Schedule event is triggered (e.g., daily) using Amazon EventBridge. +2. The schedule event triggers an AWS Lambda function. +3. The Lambda function lists all repositories in the ECR registry. +4. For each repository, the function lists all image tags. +5. For each image tag (or a subsection of tags), the function pulls the image using the Docker CLI. +6. The function then pushes the image to a designated S3 bucket in the source account, organizing images by repository and tag for easy retrieval. + + +### Stage 2: Cross-Account Backup with AWS Backup + +This functionality already exists in the existing blueprint solution. + +### Stage 3: Enable Immutability with Vault Lock + +This functionality already exists in the existing blueprint solution. + +## Summary of Benefits + +Immutability: The AWS Backup Vault Lock in Compliance mode ensures your backups cannot be tampered with. +Air-Gapped Security: Backups are stored in a separate AWS account, isolating them from any compromise of your production environment. +Centralized Management: AWS Backup handles the scheduling, retention, and lifecycle management of your S3 backups. +Cost-Effective: Only the objects in the S3 bucket are backed up, and AWS Backup automatically transitions older recovery points to a more cost-effective cold storage tier. From de28892b6cb34b07282077c3e40d92dd93cac88e Mon Sep 17 00:00:00 2001 From: staplesn Date: Mon, 22 Sep 2025 18:20:39 +0100 Subject: [PATCH 2/2] Update to include ECR native cross account replication as an alternative solution --- docs/ECRSupportProposal.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/ECRSupportProposal.md b/docs/ECRSupportProposal.md index 9d32cea..12dccce 100644 --- a/docs/ECRSupportProposal.md +++ b/docs/ECRSupportProposal.md @@ -40,3 +40,19 @@ Immutability: The AWS Backup Vault Lock in Compliance mode ensures your backups Air-Gapped Security: Backups are stored in a separate AWS account, isolating them from any compromise of your production environment. Centralized Management: AWS Backup handles the scheduling, retention, and lifecycle management of your S3 backups. Cost-Effective: Only the objects in the S3 bucket are backed up, and AWS Backup automatically transitions older recovery points to a more cost-effective cold storage tier. + + +## Alternative Solution + +ECR does provide cross-account replication, which can be used as a simpler alternative to this solution. However, it does not provide the same level of immutability and air-gapped security as the proposed solution. If you choose to use ECR replication, ensure that you have appropriate lifecycle policies and access controls in place to protect your images. + +### Steps to set up ECR replication: + +1. In the source account, create a replication rule to publish to the vault account. +2. In the destination account, create a repository to receive the replicated images. +3. Ensure that the IAM roles and policies are correctly configured to allow replication between accounts. +4. Implement lifecycle policies to manage the retention and deletion of images in the destination account. + +### Considerations + +* ECR replication does not provide immutability; images can be deleted or overwritten.