AWS ECR Guide for ECS Fargate Teams

Originally published at https://fortem.dev/blog/aws-ecr-guide

AWS ECR from the ECS Fargate operator's seat: how pulls work, the execution-role IAM, why private-subnet tasks fail, real pricing, and the lifecycle policy that cuts the bill.

Every ECS Fargate deploy pulls an image from ECR — and ECR is the part nobody owns until it breaks. A task in a private subnet throws ResourceInitializationError, or five years of untagged images quietly push the bill to $400/month. This is ECR from the ECS operator's seat: how pulls actually work, the IAM the execution role needs, what it costs at fleet scale, and the lifecycle, scanning, and replication settings that matter at 10+ environments — with the AWS-verified pricing nobody else itemizes.

TL;DR