Configuring KMS encryption at rest on ECR repositories with ECR replication
Introduction
In this blog post, you’ll learn how to configure AWS Key Management Service (AWS KMS) encryption at rest on Amazon Elastic Container Registry (Amazon ECR) repositories that use image replication. By default, repository settings aren’t replicated. With the information in this article, your organization can put security first while using the AWS tools and services that your teams are familiar with.
Customers in environments that are sensitive to compliance and regulatory concerns often want to enable encryption whenever possible. Enterprises want to secure their data footprints in transit and at rest, and container images are no exception to this posture.
With AWS KMS and Amazon ECR image replication, we can transfer the images across AWS Regions or AWS accounts, giving your business high availability while protecting your data in transit within the cloud.
Architecture
For cross-Region replication, below is the diagram for our solution:
The following diagram shows our …