Amazon ECR Private Repository
Overview
The Amazon ECR Private Repository integration with Motadata AIOps collects inventory, configuration, and security telemetry from Amazon Elastic Container Registry (ECR) private repositories. It monitors repository identity, image tag mutability, encryption settings, vulnerability scan results, image pull activity, and lifecycle policy rules.
These metrics help administrators enforce container image security standards, track vulnerability exposure across container images, monitor retention policy compliance, and maintain full visibility over private container registry activity.
Prerequisites
- The AWS account has private ECR repositories configured.
- The IAM role or user used for integration has read access to ECR private repository resources, including ecr:DescribeRepositories, ecr:DescribeImages, and ecr:GetLifecyclePolicy.
- Required ECR API endpoints are reachable from Motadata AIOps.
- The AWS account is added in discovery with correct credentials and region configuration.
List of Supported KPIs
Repository Identity & Configuration
| Metric | Description | Type |
|---|---|---|
| aws.ecr.name | Name of the ECR private repository. | String |
| aws.ecr.arn | Amazon Resource Name of the ECR private repository. | String |
| aws.ecr.uri | URI used to pull images from this private repository. | String |
| aws.ecr.registry.id | ID of the private registry hosting this repository. | String |
| aws.ecr.image.tag.mutability | Tag mutability setting — MUTABLE or IMMUTABLE. | String |
| aws.ecr.vulnerability.scan.on.push | Indicates whether vulnerability scanning runs automatically on image push. | Boolean |
| aws.ecr.vulnerability.scan.frequency | Frequency at which vulnerability scans are performed on images. | String |
| aws.ecr.encryption.type | Encryption type applied to images in this repository. | String |
| aws.ecr.creation.time | Timestamp when the repository was created. | Timestamp |
Images
| Metric | Description | Type |
|---|---|---|
| aws.ecr.images | Total number of images stored in this repository. | Count |
| aws.ecr.image | Identifier of an individual container image. | String |
| aws.ecr.image.uri | Full URI to pull this specific image. | String |
| aws.ecr.image.size.bytes | Size of the container image in bytes. | Bytes |
| aws.ecr.image.push.time | Timestamp when the image was pushed to the repository. | Timestamp |
| aws.ecr.image.last.pull.time | Timestamp of the most recent pull of this image. | Timestamp |
| aws.ecr.image.tags | Tags assigned to this container image. | String |
| aws.ecr.image.artifact.type | Artifact type of the image, for example container or Helm chart. | String |
| aws.ecr.image.pulls | Total number of times this image has been pulled. | Count |
Image Vulnerability Scanning
| Metric | Description | Type |
|---|---|---|
| aws.ecr.image.vulnerability.scan.status | Current status of the vulnerability scan for this image. | String |
| aws.ecr.image.critical.vulnerabilities | Number of critical severity vulnerabilities found in this image. | Count |
| aws.ecr.image.high.vulnerabilities | Number of high severity vulnerabilities found in this image. | Count |
| aws.ecr.image.medium.vulnerabilities | Number of medium severity vulnerabilities found in this image. | Count |
| aws.ecr.image.low.vulnerabilities | Number of low severity vulnerabilities found in this image. | Count |
| aws.ecr.image.info.vulnerabilities | Number of informational findings from the vulnerability scan. | Count |
| aws.ecr.image.last.vulnerability.scan.completion.time | Timestamp when the most recent vulnerability scan completed. | Timestamp |
| aws.ecr.image.last.vulnerability.source.update.time | Timestamp when the vulnerability data source was last updated. | Timestamp |
Lifecycle Rules
| Metric | Description | Type |
|---|---|---|
| aws.ecr.lifecycle.rules | Total number of lifecycle rules configured for this repository. | Count |
| aws.ecr.lifecycle.rule | Identifier of an individual lifecycle rule. | String |
| aws.ecr.lifecycle.rule.description | Description of the lifecycle rule. | String |
| aws.ecr.lifecycle.rule.tag.status | Tag status filter applied by the lifecycle rule — tagged, untagged, or any. | String |
| aws.ecr.lifecycle.rule.tag | Specific image tag targeted by this lifecycle rule. | String |
| aws.ecr.lifecycle.rule.prefix.tag | Tag prefix used to match images for this lifecycle rule. | String |
| aws.ecr.lifecycle.rule.threshold | Threshold value that triggers this lifecycle rule. | Count |
| aws.ecr.lifecycle.rule.threshold.type | Type of threshold used — imageCountMoreThan or sinceImagePushed. | String |
| aws.ecr.lifecycle.rule.match.criteria | Action taken when images match this lifecycle rule, for example expire. | String |