Monitor Elastic Container Registry
Overview
Amazon Elastic Container Registry (ECR) is a fully managed container image registry. It enables you to store, manage, and deploy Docker container images. To monitor ECR, sfPoller gathers ECR metrics and logs and displays them in the SnappyFlow dashboard.
Prerequisites
- To collect metrics and logs of ECR, it is necessary to have an IAM Role with CloudWatch access and sfPoller set up within your AWS environment. Click here to learn more about setting up sfPoller in your AWS environment.
- To monitor stream logs, you have to enable the data stream for ECR and send the data stream events to a CloudWatch log group through EventBridge.
Create a Policy to collect ECR data from CloudWatch
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
Follow the steps below to create a policy in the IAM console.
Navigate to Access Management > Policies.
In the Policies window, click the Create policy button.
In the Create policy window, go to the JSON tab.
Copy and paste the following JSON into the policy editor.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"
      ],
      "Resource": "*"
    }
  ]
}
```
Click the Next: Tags > Next: Review button.
In the Review policy window, give Name: CloudWatchReadOnlyAccess and Description (Optional) for the policy and review the list of permissions.
Click the Create policy button.
Attach the CloudWatchReadOnlyAccess policy to a dedicated IAM Role for read-only access.
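An added example, not part of SnappyFlow's documentation or tooling: a check to run on the policy JSON before attaching it to the monitoring role, confirming that it parses and grants only read-type ECR actions. The read-only prefix list and the two sample policies are assumptions constructed for this example.

```python
import json

# Action-name prefixes this example treats as read-only (an assumption of the
# example, not an AWS-published list).
READ_PREFIXES = ("Get", "Describe", "List", "BatchGet", "BatchCheck")

# Constructed policies: one read-only, one that has drifted.
READ_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "EcrRead", "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:DescribeRepositories", "ecr:ListImages",
               "ecr:BatchGetImage", "ecr:DescribeImageScanFindings"]}]})
DRIFTED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "EcrDrift", "Effect": "Allow",
    "Action": ["ecr:DescribeImages", "ecr:PutImage", "ecr:*",
               "s3:GetObject"]}]})

def audit_policy(policy_json):
    """Return findings for an IAM identity policy meant to be ECR read-only."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        # e.g. a trailing comma pasted into the console's JSON editor
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):        # a lone statement may be an object
        statements = [statements]
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement {i}")
        if stmt.get("Effect") != "Allow":
            continue                        # Deny statements grant nothing
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants all unlisted actions")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{sid}: missing Resource element")
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            service, _, name = action.partition(":")
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif service.lower() != "ecr":
                findings.append(f"{sid}: non-ECR action {action}")
            elif not name.startswith(READ_PREFIXES):
                findings.append(f"{sid}: non-read action {action}")
    return findings

if __name__ == "__main__":
    for label, policy in (("READ_ONLY", READ_ONLY), ("DRIFTED", DRIFTED)):
        print(label, audit_policy(policy) or "ok")
```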
Configure sfPoller to Collect Metrics and Logs
Follow the steps below to add endpoints and plugins:
In the Application tab of sfPoller, navigate to your Project > Application.
Click on the Application; it will take you to the Endpoint page.
Click the Add Endpoint button, add the following data, and save.
- Service Type: Select AWS Service
- Account Name: Select an account name. Example: aws
- Endpoint Type: Select ECR
- Name: Give a unique name to the endpoint
- Instance Name: Name of the repository that needs to be monitored
- Registry ID: Give the 12-digit registry ID assigned to your repository. Click here to get the registry ID.
In the Plugins window, click the +Add button.
In the Add Plugin window, add the details below to collect metrics of ECR.
- Plugin Type: Select Metric
- Plugin: Select cloudwatch-ecr
- Interval: Choose an interval value. The minimum value for the interval is 300
- Status: By default, the status is Enabled
Select the Save button.
Again select the +Add button and, in the Add Plugin window, add the details below to collect logs of ECR.
- Plugin Type: Select Logger
- Plugin: Select cloudwatch-ecr-logs
- Log Group: Give the name of the CloudWatch log group to which the stream events are being sent
- Interval: Choose an interval value. The minimum value for the interval is 300
- Status: By default, the status is Enabled
Select the Save button.
Click the global Save button in the window's top right corner to save all the changes made so far.
Get Registry ID
Go to Amazon ECR > Repositories.
Copy the registry ID associated with your repository as shown in the above image.
View Repository Metrics and Logs
Follow the steps below to view the metrics collected from ECR.
Go to the Application tab in SnappyFlow and navigate to your Project > Application > Dashboard.
You can view the repository metrics in the Metrics section.
Once plugins are added to sfPoller, they will be automatically detected within the Metrics section. However, if the plugins are not detected, you can import templates to view the corresponding metrics.
You can view the repository logs in the Log Management section.
To access the unprocessed data gathered from the plugins, navigate to the Browse data section and choose the Index: Metric, Instance: Endpoint, Plugin, and Document Type.
Template Details
Template | Plugin | Document Type | Description |
---|---|---|---|
ECR | cloudwatch-ecr | imageDetails, repositoryDetails, lifeCyclePolicyDetails | Collects metrics from ECR |
- | cloudwatch-ecr-logs | eventStreams | Collects logs from ECR |
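An added example, not SnappyFlow code: a triage pass over the ECR events that EventBridge writes to the CloudWatch log group, listing images whose completed scan reported critical or high findings and pushed images with no completed scan. The sample lines are constructed in the shape AWS documents for `ECR Image Action` and `ECR Image Scan` events; the repository names, digests and alert threshold are placeholders assumed for the example.

```python
import json

ALERT_SEVERITIES = ("CRITICAL", "HIGH")   # alert threshold assumed for this example

def _event(detail_type, detail):
    """Build one constructed log line (digests below are placeholders)."""
    return json.dumps({"source": "aws.ecr", "detail-type": detail_type, "detail": detail})

# Constructed sample log lines, shaped like ECR events delivered by EventBridge.
SAMPLE_LINES = [
    _event("ECR Image Action", {"action-type": "PUSH", "result": "SUCCESS",
                                "repository-name": "payments", "image-digest": "sha256:aaa"}),
    _event("ECR Image Scan", {"scan-status": "COMPLETE", "repository-name": "payments",
                              "image-digest": "sha256:aaa",
                              "finding-severity-counts": {"CRITICAL": 2, "HIGH": 1, "MEDIUM": 4}}),
    _event("ECR Image Action", {"action-type": "PUSH", "result": "SUCCESS",
                                "repository-name": "web", "image-digest": "sha256:bbb"}),
    _event("ECR Image Scan", {"scan-status": "FAILED", "repository-name": "web",
                              "image-digest": "sha256:bbb"}),
    _event("ECR Image Scan", {"scan-status": "COMPLETE", "repository-name": "api",
                              "image-digest": "sha256:ccc",
                              "finding-severity-counts": {"LOW": 5}}),
    "plain text line that is not an event",
]

def triage(log_lines):
    """Return (flagged, unscanned): images with critical/high findings, and
    successfully pushed images that have no COMPLETE scan event."""
    pushed, scanned, flagged = set(), set(), []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                       # skip anything that is not an event
        if not isinstance(event, dict) or event.get("source") != "aws.ecr":
            continue
        detail = event.get("detail", {})
        key = (detail.get("repository-name"), detail.get("image-digest"))
        kind = event.get("detail-type")
        if (kind == "ECR Image Action" and detail.get("action-type") == "PUSH"
                and detail.get("result") == "SUCCESS"):
            pushed.add(key)
        elif kind == "ECR Image Scan" and detail.get("scan-status") == "COMPLETE":
            scanned.add(key)
            counts = detail.get("finding-severity-counts", {})
            total = sum(counts.get(s, 0) for s in ALERT_SEVERITIES)
            if total:
                flagged.append((*key, total))
    return sorted(flagged, key=lambda f: -f[2]), sorted(pushed - scanned)
```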
Metric List
Image Details
Metric | Description |
---|---|
TotalImageCount | The total number of images in the repository. |
ImageSizeBytes | The size, in bytes, of the image in the repository. |
ImageAge | The age of the image, indicating how long it has been. |
ScanOnPushFindingsCount.high | The number of high image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository. |
ScanOnPushFindingsCount.low | The number of low image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository. |
ScanOnPushFindingsCount.critical | The number of critical image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository. |
ScanOnPushFindingsCount.medium | The number of medium image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository. |
ScanOnPushFindingsCount.informational | The number of informational image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository. |
ScanOnPushFindingsCount.undefined | The number of undefined image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository. |
Repository Details
Metric | Description |
---|---|
ImageTagMutability | Mutability of the image. |
RepositoryAgeInDays | The age of the repository. |
RepositorySizeBytes | The size of the repository in bytes. |
RepositoryArn | ARN of the repository. |
RepositoryUri | URI of the repository. |
Life Cycle Policy Details
Metric | Description |
---|---|
Description | Description of the available lifecycle policy. |
countNumber | The image count applicable for the policy. |
countType | Type of the count that is applicable. |
Tagstatus | Tagged image or untagged image that is associated with policy. |
Tags | Tags of the image that are associated with lifecycle policy. |