Monitor Elastic Container Registry

Overview

Amazon Elastic Container Registry (ECR) is a fully managed container image registry. It enables you to store, manage, and deploy Docker container images. To monitor ECR, metrics and logs of ECR are gathered by sfPoller and displayed within SnappyFlow dashboard.

Prerequisites

1. To collect metrics and logs of ECR, it is necessary to have an IAM Role with CloudWatch access and sfPoller set up within your AWS environment. Click here to learn more about setting up sfPoller in your AWS environment.
2. To monitor stream logs, you have to enable data stream for ECR and send the data stream event to CloudWatch log group through services such as Lambda, EventBridge, etc.

Create a Policy to collect ECR data from CloudWatch

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

2. Follow the below steps to create a policy in the IAM console.

   

   • Navigate to Access Management > Policies

   • In the Policies window, click the Create policy button

   • In the Create policy window, go to the JSON tab

   • Copy and paste the below-mentioned JSON code into the policy editor

     {
       "Version": "2012-10-17",
       "Statement": [
           {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                        "ecr:GetAuthorizationToken",
                        "ecr:BatchCheckLayerAvailability",
                        "ecr:GetDownloadUrlForLayer",
                        "ecr:GetRepositoryPolicy",
                        "ecr:DescribeRepositories",
                        "ecr:ListImages",
                        "ecr:DescribeImages",
                        "ecr:BatchGetImage",
                        "ecr:GetLifecyclePolicy",
                        "ecr:GetLifecyclePolicyPreview",
                        "ecr:ListTagsForResource",
                        "ecr:DescribeImageScanFindings"
                        ],
             },
         ],
     }

   • Click the Next: Tags > Next: Review button

   • In the Review policy window, give Name: CloudWatchReadOnlyAccess and Description (Optional) for the policy and review the list of permissions.

   • Click the Create policy button

3. Attach the CloudWatchReadOnlyAccess policy to a dedicated IAM Role for read-only access.

Configure sfPoller to Collect Metrics and Logs

Follow the below step to add endpoints and plugins:

1. In the Application tab of sfPoller, navigate to your Project > Application.

2. Click on the Application, it will take you to the Endpoint page.

   

3. Click the Add Endpoint button, add the following data, and save.

   • Service Type: Select AWS Service
   • Account Name: Select an account name. Example: aws
   • Endpoint Type: Select ECR
   • Name: Give an unique name to the endpoint
   • Instance Name: Name of the repository that need be monitored
   • Registry ID: Give the 12 digit register id assigned to your repository. Click here to get register id.

4. In the Plugins window, click the +Add button.

   

5. In the Add Plugin window, add the below details to collect metrics of ECR.

   • Plugin Type: Select Metric
   • Plugin: Select cloudwatch-ecr
   • Interval: Choose an interval value. The minimum value for the interval is 300
   • Status: By default, the status is Enabled

6. Select the Save button.

   

7. Again select the +Add button and in the Add Plugin window, add below details to collect logs of ECR.

   • Plugin Type: Select Logger
   • Plugin: Select cloudwatch-ecr-logs
   • Log Group: Give the name of cloudwatch log group to which the stream events are being sent
   • Interval: Choose an interval value. The minimum value for the interval is 300
   • Status: By default, the status is Enabled

8. Select the Save button.

9. Click the global Save button in the window's top right corner to save all the changes made so far.

Get Register ID

1. Go to Amazon ECR > Repositories.

   

2. Copy the register id associated to you repository as shown in the above image.

View Repository Metrics and Logs

Follow the below steps to view the metrics collected from Aurora DB.

1. Go to the Application tab in SnappyFlow and navigate to your Project > Application > Dashboard.

   
   

2. You can view the repository metrics in the Metrics section.

note

Once plugins are added to sfPoller, they will be automatically detected within the Metrics section. However, if the plugins are not detected, you can import templates to view the corresponding metrics.

​

3. You can view the repository logs in the Log Management section.

4. To access the unprocessed data gathered from the plugins, navigate to the Browse data section and choose the Index: Metric, Instance: Endpoint, Plugin, and Document Type.

Template Details

Template	Plugin	Document Type	Description
ECR	cloudwatch-ecr	imageDetails, repositoryDetails, lifeCyclePolicyDetails	Collects metrics from ECR
-	cloudwatch-ecr-logs	eventStreams	Collects logs from ECR

Metric List

Image Details

Metric	Description
TotalImageCount	The total number of images in the repository.
ImageSizeBytes	The size, in bytes, of the image in the repository.
ImageAge	The age of the image, indicating how long it has been.
ScanOnPushFindingsCount.high	The number of high image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository.
ScanOnPushFindingsCount.low	The number of low image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository.
ScanOnPushFindingsCount.critical	The number of critical image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository
ScanOnPushFindingsCount.medium	The number of medium image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository
ScanOnPushFindingsCount.informational	The number of informational image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository
ScanOnPushFindingsCount.undefined	The number of undefined image vulnerability findings generated by the automatic vulnerability scan when pushing images to the ECR repository

Repository Details

Metric	Description
ImageTagMutability	Mutability of the image.
RepositoryAgeInDays	The age of the repository.
RepositorySizeBytes	The size of the repository in bytes.
RepositoryArn	Arn of the repository.
RepositoryUri	Uri of the repository.

Life Cycle Policy Details

Metric	description
Description	Description of the available lifecycle policy.
countNumber	The image count applicable for the policy.
countType	Type of the count that is applicable.
Tagstatus	Tagged image or untagged image that is associated with policy.
Tags	Tags of the image that are associated with lifecycle policy.