This topic explains the configurations to generate required credentials integrate Aqua with Amazon Elastic Container Registry (ECR). Once Aqua integration with Amazon ECR is completed, Aqua users can scan images in this registry either manually by adding them or automatically as per schedule.

Amazon Elastic Container Registry (ECR) is a private, secure V2 registry hosted on the Amazon Web Service (AWS) platform. Each AWS account can have one registry associated with it, located in one of the AWS regions supporting the service.

There are two authentication mechanisms supported by Aqua to integrate with Amazon ECR as explained by the following sections. For the general configurations required to integrate Aqua with Amazon ECR, refer to General Configurations for Image Registries and Repositories.


When you select Connection Type as Credentials, you should enter Access Key and Secret Key for the successful authentication, as shown below.

STS Token Authentication

An STS (Security Token Service) is a third-party web service that authenticates clients by validating credentials and issuing security tokens across different formats. Aqua supports authenticating through STS to integrate with Amazon ECR.


  • Before integrating an ECR using STS token authentication, you should have username, password, and URL of the third-party authentication service.
  • If you use a private AWS STS endpoint, the environment variable AWS_STS_REGIONAL_ENDPOINTS=regional should be setup for your Server(s) and Scanner(s).

When you select Connection Type as STS Token Authentication, you should enter User name, Password, and STS Broker URL for the successful authentication.