How to Build a Complete CI/CD Pipeline on AWS Using CodePipeline, CodeBuild, ECS, and ECR

Modern software teams deploy faster than ever, and the pressure to ship reliably has never been higher. When releases slow down, businesses slow down. When deployments break, customer trust breaks. That’s why CI/CD has become the backbone of every engineering team small or large.

But building a truly scalable, automated, and production-ready CI/CD pipeline is not just about connecting GitHub to a server. It’s about automating everything from code validation to container image building, security checks, artifact storage, and zero-downtime deployments.

AWS gives us all the building blocks to do this cleanly.

This article walks you through how to design a complete CI/CD pipeline using AWS CodePipeline, CodeBuild, Amazon ECR, and Amazon ECS, explaining concepts, architecture, and best practices along the way.

Why CI/CD on AWS?

While tools like GitHub Actions, GitLab CI, and Jenkins are popular, AWS offers an advantage:
everything is tightly integrated, managed, scalable, secure, and pay-as-you-go.

With AWS DevOps services you get:

No infrastructure to manage
Fast build and deploy times
Built-in IAM security
Native integration with containers and microservices
Smooth deployments to ECS, EKS, Lambda, and EC2
Clear audit trails and logs for compliance

For teams already running workloads on AWS, using AWS-native CI/CD creates a clean, cohesive workflow.

High-Level Architecture

Here’s the pipeline we’re building:

Developer → GitHub/CodeCommit

→ AWS CodePipeline

→ CodeBuild (build + tests)

→ Amazon ECR (push Docker image)

→ CodePipeline Deploy Stage

→ ECS (rolling or blue/green deployment)

Flow Explanation

Developer pushes code → CodePipeline triggers.
CodeBuild pulls repo, installs dependencies, runs tests, and builds a Docker image.
After building the image, CodeBuild tags it and pushes to Amazon ECR.
CodePipeline updates the task definition.
ECS pulls the new image and deploys with zero downtime using a rolling update or blue-green strategy.

By the end, everything from commit → production is automated.

Step 1: Preparing Your Container Repository (ECR)

Before building anything, your code must have a place to store the Docker images.

Amazon ECR is:

Fully managed
Secure by default
Fast pulling
Perfect for ECS, EKS, Lambda, and Fargate

Create a repository:

Open ECR → Create Repository
Name it e.g., myapp-backend
Enable scan on push (optional but recommended)
Click Create

You now have a secure image registry.

Step 2: Setting Up AWS CodePipeline

CodePipeline is the orchestrator it connects all the stages together.

Create a new pipeline:

Open CodePipeline → Create Pipeline
Connect your repo (GitHub or CodeCommit)
Adjust trigger settings (Webhook or manual)
Add the first stage: Source

Your pipeline begins with your code. Let’s move to building it.

Step 3: Building the Application with CodeBuild

Every serious CI/CD pipeline needs these steps:

Install dependencies
Run tests
Build a Docker image
Tag it
Push it to ECR

CodeBuild handles all of that using a buildspec.yml file placed in your repository root.

Sample `buildspec.yml` for ECS + Docker

version: 0.2

phases:

pre_build:

commands:

- echo Logging into Amazon ECR...

- aws ecr get-login-password --region $AWS_REGION \

| docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com

- REPOSITORY_URI=$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/myapp-backend

- IMAGE_TAG=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)

build:

commands:

- echo Building the Docker image...

- docker build -t $REPOSITORY_URI:$IMAGE_TAG .

post_build:

commands:

- echo Pushing the Docker image...

- docker push $REPOSITORY_URI:$IMAGE_TAG

- printf '{"ImageURI":"%s"}' $REPOSITORY_URI:$IMAGE_TAG > imageDetail.json

artifacts:

files:

- imageDetail.json

This config does four powerful things:

Logs into ECR
Builds the Docker image
Tags the image with the commit hash (clean for rollbacks)
Outputs metadata for the deploy stage

Your build stage is ready.

Step 4: Deployment to Amazon ECS

ECS is where your containerized application actually runs.

You can deploy using:

Rolling Updates
Blue-Green Deployments with CodeDeploy

Most production workloads start with rolling, then move to blue-green as they scale.

How Deployment Works

CodePipeline takes the new image information.
It injects the new image URI into the ECS task definition.
ECS launches new tasks with the new version.
Old tasks are drained once new ones become healthy.

No downtime. No manual intervention.

Step 5: IAM, Secrets, and Security Best Practices

A production-grade pipeline must be secure.

Here’s what you must enforce:

1. Least Privilege IAM Roles

CodeBuild only accesses S3 artifacts, CloudWatch logs, and ECR.
CodePipeline only updates ECS and pulls from the repo.
ECS tasks only access what they need (DynamoDB? Secrets Manager? etc.)

2. Store Secrets the Right Way

Never put credentials in the repo. Use:

AWS Secrets Manager
Parameter Store (SecureString)

3. Image Scanning

Enable "Scan on Push" for ECR.

4. VPC Security

Run ECS and CodeBuild inside private subnets if possible.

Step 6: Cost Optimization Strategies

AWS CI/CD is cheap, but can silently scale.

Here’s how to cut costs:

Use Fargate Spot for non-critical ECS workloads.
Configure CodeBuild with smaller compute unless builds are very large.
Use S3 lifecycle policies for CodePipeline artifacts.
Clear unused old Docker image tags from ECR.

Step 7: Troubleshooting Common Failures and Fixes

Problem: CodeBuild can’t push to ECR

Fix: Missing ecr:PutImage or ecr:BatchCheckLayerAvailability in IAM policy.

Problem: ECS fails deployment

Fix:

Wrong container port
Task cannot pull the new image
Load balancer health check misconfigured

Problem: Pipeline does not trigger from GitHub

Fix:
Reconnect OAuth or recreate webhook.

Troubleshooting builds your DevOps instincts always check logs in CloudWatch.

Final Thoughts

A well-designed CI/CD pipeline is more than automation it becomes your team’s engine for reliability, speed, and confidence.

Using AWS-native tools like CodePipeline, CodeBuild, ECS, and ECR gives you a stack that scales naturally with your workload, stays secure, and integrates neatly without complex third-party dependencies.

With this architecture, every commit becomes a clean, traceable path to production.

Why CI/CD on AWS?

While tools like GitHub Actions, GitLab CI, and Jenkins are popular, AWS offers an advantage:
everything is tightly integrated, managed, scalable, secure, and pay-as-you-go.

With AWS DevOps services you get:

No infrastructure to manage
Fast build and deploy times
Built-in IAM security
Native integration with containers and microservices
Smooth deployments to ECS, EKS, Lambda, and EC2
Clear audit trails and logs for compliance

For teams already running workloads on AWS, using AWS-native CI/CD creates a clean, cohesive workflow.

High-Level Architecture

Here’s the pipeline we’re building:

Developer → GitHub/CodeCommit

→ AWS CodePipeline

→ CodeBuild (build + tests)

→ Amazon ECR (push Docker image)

→ CodePipeline Deploy Stage

→ ECS (rolling or blue/green deployment)

Flow Explanation

Developer pushes code → CodePipeline triggers.
CodeBuild pulls repo, installs dependencies, runs tests, and builds a Docker image.
After building the image, CodeBuild tags it and pushes to Amazon ECR.
CodePipeline updates the task definition.
ECS pulls the new image and deploys with zero downtime using a rolling update or blue-green strategy.

By the end, everything from commit → production is automated.

Step 1: Preparing Your Container Repository (ECR)

Before building anything, your code must have a place to store the Docker images.

Amazon ECR is:

Fully managed
Secure by default
Fast pulling
Perfect for ECS, EKS, Lambda, and Fargate

Create a repository:

Open ECR → Create Repository
Name it e.g., myapp-backend
Enable scan on push (optional but recommended)
Click Create

You now have a secure image registry.

Step 2: Setting Up AWS CodePipeline

CodePipeline is the orchestrator it connects all the stages together.

Create a new pipeline:

Open CodePipeline → Create Pipeline
Connect your repo (GitHub or CodeCommit)
Adjust trigger settings (Webhook or manual)
Add the first stage: Source

Your pipeline begins with your code. Let’s move to building it.

Step 3: Building the Application with CodeBuild

Every serious CI/CD pipeline needs these steps:

Install dependencies
Run tests
Build a Docker image
Tag it
Push it to ECR

CodeBuild handles all of that using a buildspec.yml file placed in your repository root.

Sample `buildspec.yml` for ECS + Docker

version: 0.2

phases:

pre_build:

commands:

- echo Logging into Amazon ECR...

- aws ecr get-login-password --region $AWS_REGION \

| docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com

- REPOSITORY_URI=$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/myapp-backend

- IMAGE_TAG=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)

build:

commands:

- echo Building the Docker image...

- docker build -t $REPOSITORY_URI:$IMAGE_TAG .

post_build:

commands:

- echo Pushing the Docker image...

- docker push $REPOSITORY_URI:$IMAGE_TAG

- printf '{"ImageURI":"%s"}' $REPOSITORY_URI:$IMAGE_TAG > imageDetail.json

artifacts:

files:

- imageDetail.json

This config does four powerful things:

Logs into ECR
Builds the Docker image
Tags the image with the commit hash (clean for rollbacks)
Outputs metadata for the deploy stage

Your build stage is ready.

Step 4: Deployment to Amazon ECS

ECS is where your containerized application actually runs.

You can deploy using:

Rolling Updates
Blue-Green Deployments with CodeDeploy

Most production workloads start with rolling, then move to blue-green as they scale.

How Deployment Works

CodePipeline takes the new image information.
It injects the new image URI into the ECS task definition.
ECS launches new tasks with the new version.
Old tasks are drained once new ones become healthy.

No downtime. No manual intervention.

Step 5: IAM, Secrets, and Security Best Practices

A production-grade pipeline must be secure.

Here’s what you must enforce:

1. Least Privilege IAM Roles

CodeBuild only accesses S3 artifacts, CloudWatch logs, and ECR.
CodePipeline only updates ECS and pulls from the repo.
ECS tasks only access what they need (DynamoDB? Secrets Manager? etc.)

2. Store Secrets the Right Way

Never put credentials in the repo. Use:

AWS Secrets Manager
Parameter Store (SecureString)

3. Image Scanning

Enable "Scan on Push" for ECR.

4. VPC Security

Run ECS and CodeBuild inside private subnets if possible.

Step 6: Cost Optimization Strategies

AWS CI/CD is cheap, but can silently scale.

Here’s how to cut costs:

Use Fargate Spot for non-critical ECS workloads.
Configure CodeBuild with smaller compute unless builds are very large.
Use S3 lifecycle policies for CodePipeline artifacts.
Clear unused old Docker image tags from ECR.

Step 7: Troubleshooting Common Failures and Fixes

Problem: CodeBuild can’t push to ECR

Fix: Missing ecr:PutImage or ecr:BatchCheckLayerAvailability in IAM policy.

Problem: ECS fails deployment

Fix:

Wrong container port
Task cannot pull the new image
Load balancer health check misconfigured

Problem: Pipeline does not trigger from GitHub

Fix:
Reconnect OAuth or recreate webhook.

Troubleshooting builds your DevOps instincts always check logs in CloudWatch.

Final Thoughts

A well-designed CI/CD pipeline is more than automation it becomes your team’s engine for reliability, speed, and confidence.

With this architecture, every commit becomes a clean, traceable path to production.

Why CI/CD on AWS?

High-Level Architecture

Flow Explanation

Step 1: Preparing Your Container Repository (ECR)

Step 2: Setting Up AWS CodePipeline

Step 3: Building the Application with CodeBuild

Sample buildspec.yml for ECS + Docker

Step 4: Deployment to Amazon ECS

How Deployment Works

Step 5: IAM, Secrets, and Security Best Practices

1. Least Privilege IAM Roles

2. Store Secrets the Right Way

3. Image Scanning

4. VPC Security

Step 6: Cost Optimization Strategies

Step 7: Troubleshooting Common Failures and Fixes

Problem: CodeBuild can’t push to ECR

Problem: ECS fails deployment

Problem: Pipeline does not trigger from GitHub

Final Thoughts

Further reading

Level Up Your Tech Knowledge

Comments

Explore related posts

Docker: The Backbone of Modern DevOps—From Origins to Impact

What is DevOps, and how does AWS supports it?

How Can I Implement Infrastructure as Code (IaC) Using AWS

Why CI/CD on AWS?

High-Level Architecture

Flow Explanation

Step 1: Preparing Your Container Repository (ECR)

Step 2: Setting Up AWS CodePipeline

Step 3: Building the Application with CodeBuild

Sample buildspec.yml for ECS + Docker

Step 4: Deployment to Amazon ECS

How Deployment Works

Step 5: IAM, Secrets, and Security Best Practices

1. Least Privilege IAM Roles

2. Store Secrets the Right Way

3. Image Scanning

4. VPC Security

Step 6: Cost Optimization Strategies

Step 7: Troubleshooting Common Failures and Fixes

Problem: CodeBuild can’t push to ECR

Problem: ECS fails deployment

Problem: Pipeline does not trigger from GitHub

Final Thoughts

Further reading

Level Up Your Tech Knowledge

Comments

Explore related posts

Docker: The Backbone of Modern DevOps—From Origins to Impact

What is DevOps, and how does AWS supports it?

How Can I Implement Infrastructure as Code (IaC) Using AWS

Sample `buildspec.yml` for ECS + Docker

Sample `buildspec.yml` for ECS + Docker