Skip to main content
Version: Self Hosted Turbo

Monitor Elastic Container Registry

Overview

Amazon Elastic Container Registry (ECR) is a fully managed container image registry. It enables you to store, manage, and deploy Docker container images. To monitor ECR, metrics and logs of ECR are gathered by sfPoller and displayed within SnappyFlow dashboard.

Prerequisites

  1. To collect metrics and logs of ECR, it is necessary to have an IAM Role with CloudWatch access and sfPoller set up within your AWS environment. Click here to learn more about setting up sfPoller in your AWS environment.
  2. To monitor stream logs, you have to enable data stream for ECR and send the data stream event to CloudWatch log group through services such as Lambda, EventBridge, etc.

Create a Policy to collect ECR data from CloudWatch

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Follow the below steps to create a policy in the IAM console.

    • Navigate to Access Management > Policies

    • In the Policies window, click the Create policy button

    • In the Create policy window, go to the JSON tab

    • Copy and paste the below-mentioned JSON code into the policy editor

      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
      "ecr:GetLifecyclePolicy",
      "ecr:GetLifecyclePolicyPreview",
      "ecr:ListTagsForResource",
      "ecr:DescribeImageScanFindings"
      ],
      },
      ],
      }
    • Click the Next: Tags > Next: Review button

    • In the Review policy window, give Name: CloudWatchReadOnlyAccess and Description (Optional) for the policy and review the list of permissions.

    • Click the Create policy button

  3. Attach the CloudWatchReadOnlyAccess policy to a dedicated IAM Role for read-only access.

Configure sfPoller to Collect Metrics and Logs

Follow the below step to add endpoints and plugins:

  1. In the Application tab of sfPoller, navigate to your Project > Application.

  2. Click on the Application, it will take you to the Endpoint page.

  3. Click the Add Endpoint button, add the following data, and save.

    • Service Type: Select AWS Service
    • Account Name: Select an account name. Example: aws
    • Endpoint Type: Select ECR
    • Name: Give an unique name to the endpoint
    • Instance Name: Name of the repository that need be monitored
    • Registry ID: Give the 12 digit register id assigned to your repository. Click here to get register id.
  1. In the Plugins window, click the +Add button.

  2. In the Add Plugin window, add the below details to collect metrics of ECR.

    • Plugin Type: Select Metric
    • Plugin: Select cloudwatch-ecr
    • Interval: Choose an interval value. The minimum value for the interval is 300
    • Status: By default, the status is Enabled
  3. Select the Save button.

  4. Again select the +Add button and in the Add Plugin window, add below details to collect logs of ECR.

    • Plugin Type: Select Logger
    • Plugin: Select cloudwatch-ecr-logs
    • Log Group: Give the name of cloudwatch log group to which the stream events are being sent
    • Interval: Choose an interval value. The minimum value for the interval is 300
    • Status: By default, the status is Enabled
  5. Select the Save button.

  6. Click the global Save button in the window's top right corner to save all the changes made so far.

Get Register ID

  1. Go to Amazon ECR > Repositories.

  2. Copy the register id associated to you repository as shown in the above image.

View Repository Metrics and Logs

Follow the below steps to view the metrics collected from Aurora DB.

  1. Go to the Application tab in SnappyFlow and navigate to your Project > Application > Dashboard.


  2. You can view the repository metrics in the Metrics section.

note

Once plugins are added to sfPoller, they will be automatically detected within the Metrics section. However, if the plugins are not detected, you can import templates to view the corresponding metrics.

  1. You can view the repository logs in the Log Management section.

  2. To access the unprocessed data gathered from the plugins, navigate to the Browse data section and choose the Index: Metric, Instance: Endpoint, Plugin, and Document Type.

Template Details

TemplatePluginDocument TypeDescription
ECRcloudwatch-ecrimageDetails, repositoryDetails, lifeCyclePolicyDetailsCollects metrics from ECR
-cloudwatch-ecr-logseventStreamsCollects logs from ECR

Metric List

Image Details

MetricDescription
TotalImageCountThe total number of images in the repository.
ImageSizeBytesThe size, in bytes, of the image in the repository.
ImageAgeThe age of the image, indicating how long it has been.
ScanOnPushFindingsCount.highThe number of high image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository.
ScanOnPushFindingsCount.lowThe number of low image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository.
ScanOnPushFindingsCount.criticalThe number of critical image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository
ScanOnPushFindingsCount.mediumThe number of medium image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository
ScanOnPushFindingsCount.informationalThe number of informational image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository
ScanOnPushFindingsCount.undefinedThe number of undefined image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository

Repository Details

MetricDescription
ImageTagMutabilityMutability of the image.
RepositoryAgeInDaysThe age of the repository.
RepositorySizeBytesThe size of the repository in bytes.
RepositoryArnArn of the repository.
RepositoryUriUri of the repository.

Life Cycle Policy Details

Metricdescription
DescriptionDescription of the available lifecycle policy.
countNumberThe image count applicable for the policy.
countTypeType of the count that is applicable.
TagstatusTagged image or untagged image that is associated with policy.
TagsTags of the image that are associated with lifecycle policy.