Automating Image Cleanup in Amazon ECR Using Lifecycle Policies

Table of contents
- Introduction: Say Goodbye to Container Clutter!
- Why Use ECR Lifecycle Policies?
- Key Concepts of ECR Lifecycle Policies
- Step-by-Step: Creating Lifecycle Policies with Multiple Scenarios
  - Scenario 1: Lifecycle Policy to Keep Only the Most Recent 10 Images (Any Tags)
  - How It Works
  - Can We Test a Policy Immediately After Applying It?
  - Test Lifecycle Rules: Dry Run
  - Scenario 2: Filtering on Image Age
  - Scenario 3: Keeping Only One Untagged Image
  - Scenario 4: Lifecycle Policy with Multiple Tag Prefixes
- Summary
Introduction: Say Goodbye to Container Clutter!
If you're using Amazon ECR, chances are your repositories are stuffed with image tags like v1.0-final-final-FINAL, hotfix-now-really, and a dozen variations of latest. Sound familiar?
Just like that overstuffed downloads folder on your desktop, your container registry gets messy fast, especially with CI/CD pipelines pushing fresh builds every hour. Without proper cleanup, this bloats storage, increases costs, and clutters your CI/CD pipelines.
That's where ECR Lifecycle Policies come to the rescue!
Thankfully, Amazon ECR lifecycle policies allow you to automate image cleanup by defining rules for retaining or expiring images based on tag status, push time, or tag patterns. These policies act like an auto-cleaning bot for your image repo, sweeping out the old, dusty images and keeping only what you really need (like the latest stable builds or critical hotfixes).
Why Use ECR Lifecycle Policies?
- Reduce storage costs by removing stale images.
- Keep repositories clean and manageable.
- Automate image retention for CI/CD workflows.
- Control cleanup per tag pattern, such as release-, hotfix-, etc.
In this article, I'll show you how to set up lifecycle rules to:
- Automatically delete old or untagged images,
- Retain only your freshest builds,
- And keep your ECR lean, clean, and ready for deployment.
Let's container-clean like pros!
Key Concepts of ECR Lifecycle Policies
| Attribute | Description |
| --- | --- |
| tagStatus | tagged, untagged, or any; determines which images are selected |
| tagPrefixList | Filters by tag name prefixes (required when tagStatus is tagged) |
| countType | Either imageCountMoreThan or sinceImagePushed |
| countNumber | Number of images to retain (imageCountMoreThan) or age in days (sinceImagePushed) |
| countUnit | days; required when countType is sinceImagePushed |
| action | Currently only expire is supported |
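To catch a malformed rule before it reaches AWS, here is an added example (not part of the article and not AWS tooling) that checks a policy document against the field rules in the table above: allowed tagStatus and countType values, tagPrefixList only with tagged images, a positive countNumber, countUnit only with sinceImagePushed, the expire action, and unique rule priorities. The valid policy is Scenario 1 from this article; the broken policy is constructed for the demonstration.

```python
"""Static checks for an Amazon ECR lifecycle policy document.

Added example, not AWS code. Encodes the field constraints summarised in the
key-concepts table so a bad rule fails locally instead of at put-lifecycle-policy
time or, worse, as a silent no-op that never expires anything.
"""
from __future__ import annotations

import json

TAG_STATUSES = {"tagged", "untagged", "any"}
COUNT_TYPES = {"imageCountMoreThan", "sinceImagePushed"}


def validate_policy(policy: dict) -> list[str]:
    """Return a list of problems found; an empty list means the policy passed."""
    problems: list[str] = []
    rules = policy.get("rules")
    if not isinstance(rules, list) or not rules:
        return ["policy must contain a non-empty 'rules' list"]

    seen_priorities: set = set()
    for idx, rule in enumerate(rules):
        where = f"rule[{idx}]"

        prio = rule.get("rulePriority")
        if not isinstance(prio, int) or isinstance(prio, bool) or prio < 1:
            problems.append(f"{where}: rulePriority must be a positive integer")
        elif prio in seen_priorities:
            problems.append(f"{where}: duplicate rulePriority {prio}")
        seen_priorities.add(prio)

        if rule.get("action", {}).get("type") != "expire":
            problems.append(f"{where}: action.type must be 'expire'")

        sel = rule.get("selection", {})
        status = sel.get("tagStatus")
        if status not in TAG_STATUSES:
            problems.append(f"{where}: tagStatus must be one of {sorted(TAG_STATUSES)}")

        prefixes = sel.get("tagPrefixList")
        if status == "tagged":
            # Prefix filtering is how a 'tagged' rule chooses its images.
            if not isinstance(prefixes, list) or not prefixes or not all(isinstance(p, str) for p in prefixes):
                problems.append(f"{where}: tagStatus 'tagged' requires a non-empty tagPrefixList")
        elif prefixes is not None:
            problems.append(f"{where}: tagPrefixList is only valid with tagStatus 'tagged'")

        count_type = sel.get("countType")
        if count_type not in COUNT_TYPES:
            problems.append(f"{where}: countType must be one of {sorted(COUNT_TYPES)}")
        number = sel.get("countNumber")
        if not isinstance(number, int) or isinstance(number, bool) or number < 1:
            problems.append(f"{where}: countNumber must be a positive integer")
        unit = sel.get("countUnit")
        if count_type == "sinceImagePushed" and unit != "days":
            problems.append(f"{where}: sinceImagePushed requires countUnit 'days'")
        if count_type == "imageCountMoreThan" and unit is not None:
            problems.append(f"{where}: countUnit is not allowed with imageCountMoreThan")
    return problems


# Scenario 1 from the article: keep only the 10 most recently pushed images.
KEEP_LATEST_10 = {"rules": [{
    "rulePriority": 1,
    "description": "Keep only the latest 10 images",
    "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 10},
    "action": {"type": "expire"},
}]}

# Constructed broken policy with three mistakes: tagPrefixList on an untagged
# rule, sinceImagePushed without countUnit, and a duplicated rulePriority.
BROKEN_POLICY = {"rules": [
    {"rulePriority": 1,
     "selection": {"tagStatus": "untagged", "tagPrefixList": ["tmp-"],
                   "countType": "sinceImagePushed", "countNumber": 7},
     "action": {"type": "expire"}},
    {"rulePriority": 1,
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["release-"],
                   "countType": "imageCountMoreThan", "countNumber": 10},
     "action": {"type": "expire"}},
]}

if __name__ == "__main__":
    for name, policy in (("keep-latest-10", KEEP_LATEST_10), ("broken", BROKEN_POLICY)):
        print(f"{name}: {json.dumps(validate_policy(policy), indent=2)}")
```

Run it before pasting a policy into the console; a rule that passes these checks still needs the dry run described later to confirm it selects the images you expect.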
Step-by-Step: Creating Lifecycle Policies with Multiple Scenarios
Scenario 1: Lifecycle Policy to Keep Only the Most Recent 10 Images (Any Tags)
Step 1: Open the ECR Console
Go to: https://console.aws.amazon.com/ecr/
Step 2: Select Your Repository
Click the repository where you want to apply the policy.
Step 3: On the Private repositories page, select a repository, then use the Actions drop-down to choose Lifecycle policies.
Step 4: On the lifecycle policy rules page for the repository, choose Edit test rules, then Create rule.
Step 5: Add the following rule.
Policy in JSON:
```json
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Keep only the latest 10 images",
      "selection": {
        "tagStatus": "any",
        "countType": "imageCountMoreThan",
        "countNumber": 10
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
```
Step 6: Run the test.
Step 7: Verify the dry-run test result.
If the rule is correct, apply it as the lifecycle policy.
After applying the lifecycle policy, verify the lifecycle events.
How It Works: Amazon ECR evaluates this rule periodically and removes the oldest images whenever there are more than 10 in the repository.
How AWS determines the "latest" images: ECR lifecycle policies sort images by push timestamp (the time they were pushed to the repository). So:
- The most recently pushed images are considered the latest.
- The selection "countType": "imageCountMoreThan", "countNumber": 10 keeps the 10 most recently pushed images and expires everything older.
Can we test a policy immediately after applying it?
You cannot force an immediate execution of ECR lifecycle policies. ECR evaluates them periodically in the background, typically within 24 hours, but there is no official SLA or manual trigger.
Test Lifecycle Rules: Dry Run
1. Use the "Test lifecycle rules" feature (Console):
- When creating or editing a lifecycle policy in the ECR console, click "Test lifecycle rules".
- This shows which images would be deleted if the policy ran now.
- It is a dry run, so no images are actually removed.
Scenario 2: Filtering on image age: expire images older than 14 days that have the tag prefix prod
Policy:
```json
{
  "rules": [
    {
      "action": {
        "type": "expire"
      },
      "selection": {
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 15,
        "tagStatus": "tagged",
        "tagPrefixList": [
          "PROD"
        ]
      },
      "rulePriority": 1
    }
  ]
}
```
Note that the policy as pasted uses countNumber 15 and the prefix "PROD", while the heading describes 14 days and the prefix prod. The prefix comparison is a literal string match, so use the dry run to confirm that the tags you expect (for example prod-1.2.3) are actually selected before applying the policy.
Dry run result:
Scenario 3: Keeping only one untagged image
The following example shows the lifecycle policy syntax for a policy that keeps only one untagged image and expires all others.
Lifecycle policy:
```json
{
  "rules": [
    {
      "action": {
        "type": "expire"
      },
      "selection": {
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 15,
        "tagStatus": "untagged"
      },
      "rulePriority": 1
    }
  ]
}
```
Note that the rule as written selects untagged images with sinceImagePushed and countNumber 15, so it expires untagged images pushed more than 15 days ago rather than keeping exactly one; a count-based selection (countType imageCountMoreThan with countNumber 1) is what expires all but the single newest untagged image.
Dry run result:
Scenario 4: Lifecycle Policy with Multiple Tag Prefixes
This example shows how to:
- Keep only the last 10 images with tag prefix release-
- Keep only the last 5 images with tag prefix hotfix-
- Expire all untagged images
```json
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Keep last 10 images with tag prefix 'release-'",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": [
          "release-"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 10
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 2,
      "description": "Keep last 5 images with tag prefix 'hotfix-'",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": [
          "hotfix-"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 5
      },
      "action": {
        "type": "expire"
      }
    },
    {
      "rulePriority": 3,
      "description": "Remove all untagged images",
      "selection": {
        "tagStatus": "untagged",
        "countType": "sinceImagePushed",
        "countUnit": "days",
        "countNumber": 1
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
```
Dry run result:
Note: In Amazon ECR lifecycle policies, you cannot apply different retention limits to different tag patterns within a single rule using tagPrefixList. The field accepts a single list of prefixes, and the prefixes are combined with OR logic, not AND.
How tagPrefixList works. This is allowed:
"tagPrefixList": ["release-", "hotfix-"]
It will match any tag that starts with either release- or hotfix-. But you cannot use regular expressions or conditions such as:
- contains "v1" and ends with "-stable"
- exact matches for arbitrary tag names like "v1.2.3" and "prod-latest" together
Policy:
```json
{
  "rules": [
    {
      "rulePriority": 1,
      "description": "Keep last 10 images for tags starting with release- or hotfix-",
      "selection": {
        "tagStatus": "tagged",
        "tagPrefixList": [
          "release-",
          "hotfix-"
        ],
        "countType": "imageCountMoreThan",
        "countNumber": 10
      },
      "action": {
        "type": "expire"
      }
    }
  ]
}
```
Dry run result:
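To see how rule ordering, the push-timestamp sort, and the OR matching of tagPrefixList interact, here is an added example (not from the article and not AWS code) that models the evaluation offline over a constructed repository. It applies the three-rule Scenario 4 policy and the Scenario 1 "keep the latest 10" policy; the image digests, tags and timestamps are made up for the demonstration, and the behaviour that an image is handled only by the first rule that selects it follows the documented ECR evaluation order.

```python
"""Offline model of how Amazon ECR evaluates a lifecycle policy.

Added example, not AWS code. Modelled on the documented behaviour: rules run
in ascending rulePriority order, images are ordered by push timestamp, and an
image is handled only by the first rule that selects it. The repository
contents in sample_images() are constructed for this demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


@dataclass
class Image:
    digest: str
    pushed_at: datetime
    tags: list[str] = field(default_factory=list)


def _selected(image: Image, selection: dict) -> bool:
    """Does this rule's selection apply to the image?"""
    status = selection["tagStatus"]
    if status == "untagged":
        return not image.tags
    if status == "tagged":
        # OR logic: any tag starting with any listed prefix. The comparison is a
        # literal string match, so a prefix of "PROD" does not select "prod-1.0".
        return any(t.startswith(p) for t in image.tags for p in selection["tagPrefixList"])
    return True  # "any"


def evaluate(policy: dict, images: list[Image], now: datetime) -> list[str]:
    """Return the digests the policy would expire, in the order the rules reach them."""
    remaining = list(images)
    expired: list[str] = []
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        sel = rule["selection"]
        matched = [img for img in remaining if _selected(img, sel)]
        matched.sort(key=lambda img: img.pushed_at, reverse=True)  # newest first
        if sel["countType"] == "imageCountMoreThan":
            doomed = matched[sel["countNumber"]:]  # everything beyond the newest N
        elif sel["countType"] == "sinceImagePushed":
            cutoff = now - timedelta(days=sel["countNumber"])
            doomed = [img for img in matched if img.pushed_at < cutoff]
        else:
            raise ValueError(f"unsupported countType {sel['countType']!r}")
        expired.extend(img.digest for img in doomed)
        # Images this rule selected (kept or expired) are invisible to later rules.
        consumed = {img.digest for img in matched}
        remaining = [img for img in remaining if img.digest not in consumed]
    return expired


def rule(priority: int, selection: dict) -> dict:
    return {"rulePriority": priority, "selection": selection, "action": {"type": "expire"}}


# Scenario 1 from the article: keep only the 10 most recently pushed images.
KEEP_LATEST_10 = {"rules": [rule(1, {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 10})]}

# Scenario 4 from the article: 10 release-, 5 hotfix-, untagged older than a day.
MULTI_PREFIX = {"rules": [
    rule(1, {"tagStatus": "tagged", "tagPrefixList": ["release-"],
             "countType": "imageCountMoreThan", "countNumber": 10}),
    rule(2, {"tagStatus": "tagged", "tagPrefixList": ["hotfix-"],
             "countType": "imageCountMoreThan", "countNumber": 5}),
    rule(3, {"tagStatus": "untagged", "countType": "sinceImagePushed",
             "countUnit": "days", "countNumber": 1}),
]}


def sample_images() -> list[Image]:
    """Constructed repository: 12 release builds, 6 hotfixes, 3 untagged images."""
    imgs = [Image(f"sha256:rel{n:02d}", NOW - timedelta(hours=n), [f"release-1.{n}"]) for n in range(12)]
    imgs += [Image(f"sha256:hot{n:02d}", NOW - timedelta(hours=n, minutes=30), [f"hotfix-{n}"]) for n in range(6)]
    imgs += [
        Image("sha256:untagged-new", NOW - timedelta(hours=2, minutes=15)),
        Image("sha256:untagged-old1", NOW - timedelta(days=3)),
        Image("sha256:untagged-old2", NOW - timedelta(days=9)),
    ]
    return imgs


if __name__ == "__main__":
    for name, policy in (("keep latest 10", KEEP_LATEST_10), ("multi prefix", MULTI_PREFIX)):
        print(f"{name}: would expire {evaluate(policy, sample_images(), NOW)}")
```

Running it prints the digests each policy would expire: the multi-prefix policy removes the two oldest release- images, the oldest hotfix- image, and the two untagged images older than a day, while the Scenario 1 policy ignores tags entirely and keeps whichever 10 images were pushed most recently. This model is for reasoning about a policy before applying it; the authoritative check remains the console's Test lifecycle rules dry run described above (the same preview is available from the CLI through aws ecr start-lifecycle-policy-preview and aws ecr get-lifecycle-policy-preview).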
Summary
Amazon ECR lifecycle policies are a simple yet powerful tool to automate image retention, reduce costs, and simplify DevOps workflows. By carefully crafting your policy rules, you can manage your container image repositories with precision and ease.
Written by Alok Shankar
Dedicated and highly skilled AWS DevOps and Linux professional with over 10+ years of experience in designing, implementing, and maintaining cloud infrastructure and CICD pipelines. Proficient in optimizing processes, automating workflows, and ensuring the reliability and scalability of cloud-based systems. Demonstrated expertise in Kubernetes and containerization technologies. Proven ability to understand and execute the complete deployment lifecycle. Proven expertise in real-time troubleshooting and leading cross functional teams to success.