In the destination AWS account, create a pull-through cache rule targeting the source ECR registry using aws ecr create-pull-through-cache-rule --ecr-repository-prefix <PREFIX> --upstream-registry-url <SOURCE_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com
In the source ECR registry, create a registry policy (aws ecr put-registry-policy) that grants the destination account ecr:BatchGetImage and ecr:GetDownloadUrlForLayer permissions
In the destination account, create an IAM role or attach an inline policy to the ECR service that permits ecr:CreateRepository and ecr:BatchImportUpstreamImage on the destination registry
Trigger a cache pull by running docker pull <DESTINATION_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/<PREFIX>/<IMAGE>:<TAG>; ECR will fetch the image from the source and cache it automatically
Verify the cached image exists in the destination registry using aws ecr describe-images --repository-name <PREFIX>/<IMAGE>
Known gotchas
ECR-to-ECR pull-through cache was announced in March 2025; ensure the AWS CLI and SDK versions used are recent enough to include the ecr-to-ecr upstream registry type
The destination IAM principal performing the docker pull must have ecr:GetAuthorizationToken and ecr:BatchImportUpstreamImage permissions in addition to standard pull permissions; missing BatchImportUpstreamImage causes silent failures
Pull-through cache rules do not continuously sync images; images are only fetched on demand when a pull is attempted and the image is not yet cached or has expired
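A preflight check for the missing-permission gotcha above, added here as an example and not part of the original page: it reports which of the named actions an identity policy document fails to allow, so the gap is caught before the first docker pull. It assumes the two actions from the registry-policy step stand in for "standard pull permissions" and does not evaluate Resource, Condition or NotAction; the function names and the sample policy are constructed.

```python
import json
from fnmatch import fnmatchcase

# Actions the page names for the principal that runs docker pull.
# Assumption: "standard pull permissions" = the two actions from the registry-policy step.
REQUIRED = [
    "ecr:GetAuthorizationToken",
    "ecr:BatchImportUpstreamImage",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]

def _matches(action, statement):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    patterns = statement.get("Action", [])
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy_json, required=REQUIRED):
    """Return the required actions that are not allowed, or are explicitly denied.

    Simplification (assumption): Resource, Condition and NotAction are ignored.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _matches(action, s) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _matches(action, s) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed sample: a read-only pull policy that omits BatchImportUpstreamImage.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGet*", "ecr:getdownloadurlforlayer"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("missing:", action)
```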