# Amazon ECR monitoring
You can monitor your Amazon ECR API usage with Amazon CloudWatch, which collects and processes raw data from Amazon ECR into readable, near real-time metrics. These statistics are recorded for a period of two weeks so that you can access historical information and gain perspective on your API usage. Amazon ECR metric data is automatically sent to CloudWatch in one-minute periods. For more information about CloudWatch, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
Amazon ECR provides metrics based on your API usage for authorization, image push, and image pull actions.
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon ECR and your AWS solutions. We recommend that you collect monitoring data from the resources that make up your AWS solution so that you can more easily debug a multi-point failure if one occurs. Before you start monitoring Amazon ECR, however, you should create a monitoring plan that includes answers to the following questions:
+ What are your monitoring goals?
+ What resources will you monitor?
+ How often will you monitor these resources?
+ What monitoring tools will you use?
+ Who will perform the monitoring tasks?
+ Who should be notified when something goes wrong?
The next step is to establish a baseline for normal Amazon ECR performance in your environment by measuring performance at various times and under different load conditions. As you monitor Amazon ECR, store historical monitoring data so that you can compare it with new performance data, identify normal performance patterns and performance anomalies, and devise methods to address issues.
**Topics**
+ [Visualizing your service quotas and setting alarms](monitoring-quotas-alarms.md)
+ [Amazon ECR usage metrics](monitoring-usage.md)
+ [Amazon ECR usage reports](usage-reports.md)
+ [Amazon ECR repository metrics](ecr-repository-metrics.md)
+ [Amazon ECR events and EventBridge](ecr-eventbridge.md)
+ [Logging Amazon ECR actions with AWS CloudTrail](logging-using-cloudtrail.md)
# Visualizing your service quotas and setting alarms
You can use the CloudWatch console to visualize your service quotas and see how your current usage compares to service quotas. You can also set alarms so that you will be notified when you approach a quota.
**To visualize a service quota and optionally set an alarm**
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the navigation pane, choose **Metrics**.
1. On the **All metrics** tab, choose **Usage**, then choose **By AWS Resource**.
The list of service quota usage metrics appears.
1. Select the check box next to one of the metrics.
The graph displays your current usage of that AWS resource.
1. To add your service quota to the graph, do the following:
1. Choose the **Graphed metrics** tab.
1. Choose **Math expression**, **Start with an empty expression**. Then in the new row, under **Details**, enter **SERVICE\$1QUOTA(m1)**.
A new line is added to the graph, displaying the service quota for the resource represented in the metric.
1. To see your current usage as a percentage of the quota, add a new expression or change the current **SERVICE\$1QUOTA** expression. For the new expression, use **m1/60/SERVICE\$1QUOTA(m1)\$1100**.
1. (Optional) To set an alarm that notifies you if you approach the service quota, do the following:
1. On the **m1/60/SERVICE\$1QUOTA(m1)\$1100** row, under **Actions**, choose the alarm icon. It looks like a bell.
The alarm creation page appears.
1. Under **Conditions**, ensure that **Threshold type** is **Static** and **Whenever Expression1 is** is set to **Greater**. Under **than**, enter **80**. This creates an alarm that goes into ALARM state when your usage exceeds 80 percent of the quota.
1. Choose **Next**.
1. On the next page, select an Amazon SNS topic or create a new one. This topic is notified when the alarm goes to ALARM state. Then choose **Next**.
1. On the next page, enter a name and description for the alarm, and then choose **Next**.
1. Choose **Create alarm**.
# Amazon ECR usage metrics
You can use CloudWatch usage metrics to provide visibility into your account's usage of resources. Use these metrics to visualize your current service usage on CloudWatch graphs and dashboards.
Amazon ECR usage metrics correspond to AWS service quotas. You can configure alarms that alert you when your usage approaches a service quota. For more information about Amazon ECR service quotas, see [Amazon ECR service quotas](service-quotas.md).
Amazon ECR publishes the following metrics in the `AWS/Usage` namespace.
| Metric | Description |
| --- | --- |
| `CallCount` | The number of API action calls from your account. The resources are defined by the dimensions associated with the metric. The most useful statistic for this metric is `SUM`, which represents the sum of the values from all contributors during the period defined. |
| `ResourceCount` | The number of the specified resources in your account. The resources are defined by the dimensions associated with the metric. The most useful statistic for this metric is `MAXIMUM`, which represents the maximum number of resources used during the 5-minute period. |
The following dimensions are used to refine the API usage metrics that are published by Amazon ECR.
| Dimension | Description |
| --- | --- |
| `Service` | The name of the AWS service containing the resource. For Amazon ECR usage metrics, the value for this dimension is `ECR`. |
| `Type` | The type of entity that is being reported. Currently, the only valid value for Amazon ECR API usage metrics is `API`. |
| `Resource` | The type of resource that is running. Currently, Amazon ECR returns information on your API usage for the following API actions. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonECR/latest/userguide/monitoring-usage.html) |
| Class | The class of resource being tracked. Currently, Amazon ECR does not use the class dimension. |
The following dimensions are used to refine the Resource usage metrics that are published by Amazon ECR.
| Dimension | Description |
| --- | --- |
| `Service` | The name of the AWS service containing the resource. For Amazon ECR usage metrics, the value for this dimension is `ECR`. |
| `Type` | The type of entity that is being reported. Currently, the only valid value for Amazon ECR resource usage metrics is `RESOURCE`. |
| `Resource` | The type of resource that is running. Currently, Amazon ECR returns information on your resource usage for the following metrics. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/AmazonECR/latest/userguide/monitoring-usage.html) |
| `ResourceId` | The identifier for the resource that incurred the usage. Currently, ResourceId is only relevant to `ImagesPerRepositoryCount` and its value is formatted as repository/your\$1repository\$1name. For example: "repository/my-repo" returns the number of images in repository with name "my-repo". |
# Amazon ECR usage reports
AWS provides a free reporting tool called Cost Explorer that enables you to analyze the cost and usage of your Amazon ECR resources.
Use Cost Explorer to view charts of your usage and costs. You can view data from the previous 13 months and forecast how much you are likely to spend for the next three months. You can use Cost Explorer to see patterns in how much you spend on AWS resources over time, identify areas that need further inquiry, and see trends that you can use to understand your costs. You also can specify time ranges for the data and view time data by day or by month.
The metering data in your Cost and Usage Reports shows usage across all of your Amazon ECR repositories. For more information, see [Tagging your resources for billing](ecr-using-tags.md#tag-resources-for-billing).
For more information about creating an AWS Cost and Usage Report, see [AWS Cost and Usage Report](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-reports-costusage.html) in the *AWS Billing User Guide*.
# Amazon ECR repository metrics
Amazon ECR sends repository pull count metrics to Amazon CloudWatch. Amazon ECR metric data is automatically sent to CloudWatch in 1-minute periods. For more information about CloudWatch, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
**Topics**
+ [Enabling CloudWatch metrics](#enable_cloudwatch)
+ [Available metrics and dimensions](#available_cloudwatch_metrics)
+ [Viewing Amazon ECR metrics using the CloudWatch console](#viewing_metrics_console)
## Enabling CloudWatch metrics
Amazon ECR sends repository metrics automatically for all repositories. There is no need to take any manual steps.
## Available metrics and dimensions
The following sections list the metrics and dimensions that Amazon ECR sends to Amazon CloudWatch.
### Amazon ECR metrics
Amazon ECR provides metrics for you to monitor your repositories. You can measure the pull count.
The `AWS/ECR` namespace includes the following metrics.
`RepositoryPullCount`
The total number of pulls for the images in the repository.
Valid dimensions: `RepositoryName`.
Valid statistics: Average, Minimum, Maximum, Sum, Sample Count. The most useful statistic is Sum.
Unit: Integer.
### Dimensions for Amazon ECR metrics
Amazon ECR metrics use the `AWS/ECR` namespace and provide metrics for the following dimensions.
`RepositoryName`
This dimension filters the data that you request for all container images in a specified repository.
## Viewing Amazon ECR metrics using the CloudWatch console
You can view Amazon ECR repository metrics on the CloudWatch console. The CloudWatch console provides a fine-grained and customizable display of your resources. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
# Amazon ECR events and EventBridge
Amazon EventBridge enables you to automate your AWS services and to respond automatically to system events such as application availability issues or resource changes. Events from AWS services are delivered to EventBridge in near real time. You can write simple rules to indicate which events are of interest to you and include automated actions to take when an event matches a rule. The actions that can be automatically triggered include the following:
+ Adding events to log groups in CloudWatch Logs
+ Invoking an AWS Lambda function
+ Invoking Amazon EC2 Run Command
+ Relaying the event to Amazon Kinesis Data Streams
+ Activating an AWS Step Functions state machine
+ Notifying an Amazon SNS topic or an Amazon SQS queue
For more information, see [Getting Started with Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-getting-set-up.html) in the *Amazon EventBridge User Guide*.
## Sample events from Amazon ECR
The following are example events from Amazon ECR. Events are emitted on a best effort basis.
**Event for a completed image push**
The following event is sent when each image push is completed. For more information, see [Pushing a Docker image to an Amazon ECR private repository](docker-push-ecr-image.md).
```
{
"version": "0",
"id": "13cde686-328b-6117-af20-0e5566167482",
"detail-type": "ECR Image Action",
"source": "aws.ecr",
"account": "123456789012",
"time": "2019-11-16T01:54:34Z",
"region": "us-west-2",
"resources": [],
"detail": {
"result": "SUCCESS",
"repository-name": "my-repository-name",
"image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
"action-type": "PUSH",
"image-tag": "latest"
}
}
```
**Event for a pull through cache action**
The following event is sent when a pull through cache action is attempted. For more information, see [Sync an upstream registry with an Amazon ECR private registry](pull-through-cache.md).
```
{
"version": "0",
"id": "85fc3613-e913-7fc4-a80c-a3753e4aa9ae",
"detail-type": "ECR Pull Through Cache Action",
"source": "aws.ecr",
"account": "123456789012",
"time": "2023-02-29T02:36:48Z",
"region": "us-west-2",
"resources": [
"arn:aws:ecr:us-west-2:123456789012:repository/docker-hub/alpine"
],
"detail": {
"rule-version": "1",
"sync-status": "SUCCESS",
"ecr-repository-prefix": "docker-hub",
"repository-name": "docker-hub/alpine",
"upstream-registry-url": "public.ecr.aws",
"image-tag": "3.17.2",
"image-digest": "sha256:4aa08ef415aecc80814cb42fa41b658480779d80c77ab15EXAMPLE",
}
}
```
**Event for a completed image scan (basic scanning)**
When basic scanning is enabled for your registry, the following event is sent when each image scan is completed. The `finding-severity-counts` parameter will only return a value for a severity level if one exists. For example, if the image contains no findings at `CRITICAL` level, then no critical count is returned. For more information, see [Scan images for OS vulnerabilities in Amazon ECR](image-scanning-basic.md).
**Note**
For details about events that Amazon Inspector emits when enhanced scanning is enabled, see [EventBridge events sent for enhanced scanning in Amazon ECR](image-scanning-enhanced-events.md).
```
{
"version": "0",
"id": "85fc3613-e913-7fc4-a80c-a3753e4aa9ae",
"detail-type": "ECR Image Scan",
"source": "aws.ecr",
"account": "123456789012",
"time": "2019-10-29T02:36:48Z",
"region": "us-east-1",
"resources": [
"arn:aws:ecr:us-east-1:123456789012:repository/my-repository-name"
],
"detail": {
"scan-status": "COMPLETE",
"repository-name": "my-repository-name",
"finding-severity-counts": {
"CRITICAL": 10,
"MEDIUM": 9
},
"image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
"image-tags": []
}
}
```
**Event for a change notification on a resource with enhanced scanning enabled (enhanced scanning)**
When enhanced scanning is enabled for your registry, the following event is sent by Amazon ECR when there is a change with a resource that has enhanced scanning enabled. This includes new repositories being created, the scan frequency for a repository being changed, or when images are created or deleted in repositories with enhanced scanning enabled. For more information, see [Scan images for software vulnerabilities in Amazon ECR](image-scanning.md).
```
{
"version": "0",
"id": "0c18352a-a4d4-6853-ef53-0ab8638973bf",
"detail-type": "ECR Scan Resource Change",
"source": "aws.ecr",
"account": "123456789012",
"time": "2021-10-14T20:53:46Z",
"region": "us-east-1",
"resources": [],
"detail": {
"action-type": "SCAN_FREQUENCY_CHANGE",
"repositories": [{
"repository-name": "repository-1",
"repository-arn": "arn:aws:ecr:us-east-1:123456789012:repository/repository-1",
"scan-frequency": "SCAN_ON_PUSH",
"previous-scan-frequency": "MANUAL"
},
{
"repository-name": "repository-2",
"repository-arn": "arn:aws:ecr:us-east-1:123456789012:repository/repository-2",
"scan-frequency": "CONTINUOUS_SCAN",
"previous-scan-frequency": "SCAN_ON_PUSH"
},
{
"repository-name": "repository-3",
"repository-arn": "arn:aws:ecr:us-east-1:123456789012:repository/repository-3",
"scan-frequency": "CONTINUOUS_SCAN",
"previous-scan-frequency": "SCAN_ON_PUSH"
}
],
"resource-type": "REPOSITORY",
"scan-type": "ENHANCED"
}
}
```
**Event for an image deletion**
The following event is sent when an image is deleted. For more information, see [Deleting an image in Amazon ECR](delete_image.md).
```
{
"version": "0",
"id": "dd3b46cb-2c74-f49e-393b-28286b67279d",
"detail-type": "ECR Image Action",
"source": "aws.ecr",
"account": "123456789012",
"time": "2019-11-16T02:01:05Z",
"region": "us-west-2",
"resources": [],
"detail": {
"result": "SUCCESS",
"repository-name": "my-repository-name",
"image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
"action-type": "DELETE",
"image-tag": "latest"
}
}
```
**Event for an image archival action**
The following event is sent when an image is archived. The `target-storage-class` field will be set to `ARCHIVE`. The event includes the manifest and artifact media types to identify the type of content being archived.
```
{
"version": "0",
"id": "4f5ec4d5-4de4-7aad-a046-EXAMPLE",
"detail-type": "ECR Image Action",
"source": "aws.ecr",
"account": "123456789012",
"time": "2019-08-06T00:58:09Z",
"region": "us-east-1",
"resources": [],
"detail": {
"action-type": "UPDATE_STORAGE_CLASS",
"target-storage-class": "ARCHIVE",
"image-digest": "sha256:f98d67af8e53a536502bfc600de3266556b06ed635a32d60aa7a5fe6d7e609d7",
"repository-name": "ubuntu",
"result": "SUCCESS",
"manifest-media-type": "application/vnd.oci.image.manifest.v1+json",
"artifact-media-type": "application/vnd.oci.image.config.v1+json"
}
}
```
**Event for an image restore action**
The following event is sent when an archived image is restored. The `target-storage-class` field will be set to `STANDARD`. The event includes a `last-activated-at` field showing when the image was last restored.
```
{
"version": "0",
"id": "7b8fc5e6-5ef5-8bbe-b157-EXAMPLE",
"detail-type": "ECR Image Action",
"source": "aws.ecr",
"account": "123456789012",
"time": "2019-08-06T01:15:22Z",
"region": "us-east-1",
"resources": [],
"detail": {
"action-type": "UPDATE_STORAGE_CLASS",
"target-storage-class": "STANDARD",
"image-digest": "sha256:f98d67af8e53a536502bfc600de3266556b06ed635a32d60aa7a5fe6d7e609d7",
"repository-name": "ubuntu",
"result": "SUCCESS",
"manifest-media-type": "application/vnd.oci.image.manifest.v1+json",
"artifact-media-type": "application/vnd.oci.image.config.v1+json",
"last-activated-at": "2025-10-10T19:13:02.74Z"
}
}
```
**Event for a referrer restore action**
The following event is sent when an archived referrer (reference artifact such as an SBOM, signature, or attestation) is restored. Note that the `detail-type` is `ECR Referrer Action` to distinguish it from regular image actions. The `manifest-media-type` and `artifact-media-type` fields identify the specific type of referrer being restored. In this example, an SBOM artifact is being restored.
```
{
"version": "0",
"id": "8c9gd6f7-6fg6-9ccf-c268-EXAMPLE",
"detail-type": "ECR Referrer Action",
"source": "aws.ecr",
"account": "123456789012",
"time": "2019-08-06T01:20:45Z",
"region": "us-east-1",
"resources": [],
"detail": {
"action-type": "UPDATE_STORAGE_CLASS",
"target-storage-class": "STANDARD",
"image-digest": "sha256:f98d67af8e53a536502bfc600de3266556b06ed635a32d60aa7a5fe6d7e609d7",
"repository-name": "sbom",
"result": "SUCCESS",
"manifest-media-type": "application/vnd.cncf.oras.artifact.manifest.v1+json",
"artifact-media-type": "text/sbom+json",
"last-activated-at": "2025-10-10T19:13:02.74Z"
}
}
```
**Event for a completed image replication**
The following event is sent when each image replication is completed. For more information, see [Private image replication in Amazon ECR](replication.md).
```
{
"version": "0",
"id": "c8b133b1-6029-ee73-e2a1-4f466b8ba999",
"detail-type": "ECR Replication Action",
"source": "aws.ecr",
"account": "123456789012",
"time": "2024-05-08T20:44:54Z",
"region": "us-east-1",
"resources": [
"arn:aws:ecr:us-east-1:123456789012:repository/docker-hub/alpine"
],
"detail": {
"result": "SUCCESS",
"repository-name": "docker-hub/alpine",
"image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
"source-account": "123456789012",
"action-type": "REPLICATE",
"source-region": "us-west-2",
"image-tag": "3.17.2"
}
}
```
**Event for a failed image replication**
The following event is sent when an image replication fails. The `result` field will contain `FAILED` and additional error information may be included in the event details.
```
{
"version": "0",
"id": "d9c244c2-7130-ff84-f3b2-5g577c9cb000",
"detail-type": "ECR Replication Action",
"source": "aws.ecr",
"account": "123456789012",
"time": "2024-05-08T20:45:12Z",
"region": "us-east-1",
"resources": [
"arn:aws:ecr:us-east-1:123456789012:repository/my-app"
],
"detail": {
"result": "FAILED",
"repository-name": "my-app",
"image-digest": "sha256:8g6c3751gf7gc5g47603ege4511d5a80ead5g90f5893543f1489bde2345",
"source-account": "123456789012",
"action-type": "REPLICATE",
"source-region": "us-west-2",
"image-tag": "latest"
}
}
```
# Logging Amazon ECR actions with AWS CloudTrail
Amazon ECR is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, a role, or an AWS service in Amazon ECR. CloudTrail captures the following Amazon ECR actions as events:
+ All API calls, including calls from the Amazon ECR console
+ All actions taken due to the encryption settings on your repositories
+ All actions taken due to lifecycle policy rules, including both successful and unsuccessful actions
**Important**
Due to the size limitations of individual CloudTrail events, for lifecycle policy actions where 10 or more images are expired Amazon ECR sends multiple events to CloudTrail. Additionally, Amazon ECR includes a maximum of 100 tags per image.
When a trail is created, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Amazon ECR. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using this information, you can determine the request that was made to Amazon ECR, the originating IP address, who made the request, when it was made, and additional details.
For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
## Amazon ECR information in CloudTrail
CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Amazon ECR, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
For an ongoing record of events in your AWS account, including events for Amazon ECR, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. When you create a trail in the console, you can apply the trail to a single Region or to all Regions. The trail logs events in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to analyze and act upon the event data collected in CloudTrail logs. For more information, see:
+ [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [AWS service integrations with CloudTrail logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
All Amazon ECR API actions are logged by CloudTrail and are documented in the [Amazon Elastic Container Registry API Reference](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/). When you perform common tasks, sections are generated in the CloudTrail log files for each API action that is part of that task. For example, when you create a repository, `GetAuthorizationToken`, `CreateRepository` and `SetRepositoryPolicy` sections are generated in the CloudTrail log files. When you push an image to a repository, `InitiateLayerUpload`, `UploadLayerPart`, `CompleteLayerUpload`, `PutImage`, and, if blob mounting is enabled, `MountLayer` sections are generated. When you pull an image, `GetDownloadUrlForLayer` and `BatchGetImage` sections are generated. When you archive or restore an image `UpdateImageStorageClass` section is generated. When OCI clients that support the OCI 1.1 specification fetch the list of referrers, or reference artifacts, for an image using the Referrers API, a `ListImageReferrers` CloudTrail event is emitted. For examples of these common tasks, see [CloudTrail log entry examples](#cloudtrail-examples).
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or user credentials
+ Whether the request was made with temporary security credentials for a role or federated user
+ Whether the request was made by another AWS service
For more information, see the [CloudTrail `userIdentity` Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
## Understanding Amazon ECR log file entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and other information. CloudTrail log files are not an ordered stack trace of the public API calls, so they do not appear in any specific order.
### CloudTrail log entry examples
The following are CloudTrail log entry examples for a few common Amazon ECR tasks.
These examples have been formatted for improved readability. In a CloudTrail log file, all entries and events are concatenated into a single line. In addition, this example has been limited to a single Amazon ECR entry. In a real CloudTrail log file, you see entries and events from multiple AWS services.
**Important**
The **sourceIPAddress** is the IP address that the request was made from. For actions that originate from the service console, the address reported is for your underlying resource, not the console web server. For services in AWS, only the DNS name is displayed. We still evaluate the auth with the client source IP even if it's redacted to AWS service DNS name.
**Topics**
+ [Example: Create repository action](#cloudtrail-examples-create-repository)
+ [Example: AWS KMS `CreateGrant` API action when creating an Amazon ECR repository](#cloudtrail-examples-create-repository-kms)
+ [Example: Image push action](#cloudtrail-examples-push-image)
+ [Example: Image pull action](#cloudtrail-examples-image-pull)
+ [Example: Image lifecycle policy action](#cloudtrail-examples-lcp)
+ [Example: Image archival action](#cloudtrail-examples-image-archive)
+ [Example: Image restore action](#cloudtrail-examples-image-restore)
+ [Example: Image referrers action](#cloudtrail-examples-image-referrers-action)
#### Example: Create repository action
The following example shows a CloudTrail log entry that demonstrates the `CreateRepository` action.
```
{
"eventVersion": "1.04",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:account_name",
"arn": "arn:aws:sts::123456789012:user/Mary_Major",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-07-11T21:54:07Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:iam::123456789012:role/Admin",
"accountId": "123456789012",
"userName": "Admin"
}
}
},
"eventTime": "2018-07-11T22:17:43Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "CreateRepository",
"awsRegion": "us-east-2",
"sourceIPAddress": "203.0.113.12",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"repositoryName": "testrepo"
},
"responseElements": {
"repository": {
"repositoryArn": "arn:aws:ecr:us-east-2:123456789012:repository/testrepo",
"repositoryName": "testrepo",
"repositoryUri": "123456789012.dkr.ecr.us-east-2.amazonaws.com/testrepo",
"createdAt": "Jul 11, 2018 10:17:44 PM",
"registryId": "123456789012"
}
},
"requestID": "cb8c167e-EXAMPLE",
"eventID": "e3c6f4ce-EXAMPLE",
"resources": [
{
"ARN": "arn:aws:ecr:us-east-2:123456789012:repository/testrepo",
"accountId": "123456789012"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012"
}
```
#### Example: AWS KMS `CreateGrant` API action when creating an Amazon ECR repository
The following example shows a CloudTrail log entry that demonstrates the AWS KMS `CreateGrant` action when creating an Amazon ECR repository with KMS encryption enabled. For each repository that is created with KMS encryption is enabled, you should see two `CreateGrant` log entries in CloudTrail.
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAIEP6W46J43IG7LXAQ",
"arn": "arn:aws:iam::123456789012:user/Mary_Major",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mary_Major",
"sessionContext": {
"sessionIssuer": {
},
"webIdFederationData": {
},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-06-10T19:22:10Z"
}
},
"invokedBy": "AWS Internal"
},
"eventTime": "2020-06-10T19:22:10Z",
"eventSource": "kms.amazonaws.com",
"eventName": "CreateGrant",
"awsRegion": "us-west-2",
"sourceIPAddress": "203.0.113.12",
"userAgent": "console.amazonaws.com",
"requestParameters": {
"keyId": "4b55e5bf-39c8-41ad-b589-18464af7758a",
"granteePrincipal": "ecr.us-west-2.amazonaws.com",
"operations": [
"GenerateDataKey",
"Decrypt"
],
"retiringPrincipal": "ecr.us-west-2.amazonaws.com",
"constraints": {
"encryptionContextSubset": {
"aws:ecr:arn": "arn:aws:ecr:us-west-2:123456789012:repository/testrepo"
}
}
},
"responseElements": {
"grantId": "3636af9adfee1accb67b83941087dcd45e7fadc4e74ff0103bb338422b5055f3"
},
"requestID": "047b7dea-b56b-4013-87e9-a089f0f6602b",
"eventID": "af4c9573-c56a-4886-baca-a77526544469",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::KMS::Key",
"ARN": "arn:aws:kms:us-west-2:123456789012:key/4b55e5bf-39c8-41ad-b589-18464af7758a"
}
],
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012"
}
```
#### Example: Image push action
The following example shows a CloudTrail log entry that demonstrates an image push which uses the `PutImage` action.
**Note**
When pushing an image, you will also see `InitiateLayerUpload`, `UploadLayerPart`, and `CompleteLayerUpload` references in the CloudTrail logs.
```
{
"eventVersion": "1.04",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:account_name",
"arn": "arn:aws:sts::123456789012:user/Mary_Major",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mary_Major",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2019-04-15T16:42:14Z"
}
}
},
"eventTime": "2019-04-15T16:45:00Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "PutImage",
"awsRegion": "us-east-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"repositoryName": "testrepo",
"imageTag": "latest",
"registryId": "123456789012",
"imageManifest": "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.docker.container.image.v1+json\",\n \"size\": 5543,\n \"digest\": \"sha256:000b9b805af1cdb60628898c9f411996301a1c13afd3dbef1d8a16ac6dbf503a\"\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 43252507,\n \"digest\": \"sha256:3b37166ec61459e76e33282dda08f2a9cd698ca7e3d6bc44e6a6e7580cdeff8e\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 846,\n \"digest\": \"sha256:504facff238fde83f1ca8f9f54520b4219c5b8f80be9616ddc52d31448a044bd\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 615,\n \"digest\": \"sha256:ebbcacd28e101968415b0c812b2d2dc60f969e36b0b08c073bf796e12b1bb449\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 850,\n \"digest\": \"sha256:c7fb3351ecad291a88b92b600037e2435c84a347683d540042086fe72c902b8a\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 168,\n \"digest\": \"sha256:2e3debadcbf7e542e2aefbce1b64a358b1931fb403b3e4aeca27cb4d809d56c2\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 37720774,\n \"digest\": \"sha256:f8c9f51ad524d8ae9bf4db69cd3e720ba92373ec265f5c390ffb21bb0c277941\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 30432107,\n \"digest\": \"sha256:813a50b13f61cf1f8d25f19fa96ad3aa5b552896c83e86ce413b48b091d7f01b\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 197,\n \"digest\": \"sha256:7ab043301a6187ea3293d80b30ba06c7bf1a0c3cd4c43d10353b31bc0cecfe7d\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 154,\n \"digest\": \"sha256:67012cca8f31dc3b8ee2305e7762fee20c250513effdedb38a1c37784a5a2e71\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 176,\n \"digest\": \"sha256:3bc892145603fffc9b1c97c94e2985b4cb19ca508750b15845a5d97becbd1a0e\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 183,\n \"digest\": \"sha256:6f1c79518f18251d35977e7e46bfa6c6b9cf50df2a79d4194941d95c54258d18\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 212,\n \"digest\": \"sha256:b7bcfbc2e2888afebede4dd1cd5eebf029bb6315feeaf0b56e425e11a50afe42\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 212,\n \"digest\": \"sha256:2b220f8b0f32b7c2ed8eaafe1c802633bbd94849b9ab73926f0ba46cdae91629\"\n }\n ]\n}"
},
"responseElements": {
"image": {
"repositoryName": "testrepo",
"imageManifest": "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.docker.container.image.v1+json\",\n \"size\": 5543,\n \"digest\": \"sha256:000b9b805af1cdb60628898c9f411996301a1c13afd3dbef1d8a16ac6dbf503a\"\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 43252507,\n \"digest\": \"sha256:3b37166ec61459e76e33282dda08f2a9cd698ca7e3d6bc44e6a6e7580cdeff8e\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 846,\n \"digest\": \"sha256:504facff238fde83f1ca8f9f54520b4219c5b8f80be9616ddc52d31448a044bd\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 615,\n \"digest\": \"sha256:ebbcacd28e101968415b0c812b2d2dc60f969e36b0b08c073bf796e12b1bb449\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 850,\n \"digest\": \"sha256:c7fb3351ecad291a88b92b600037e2435c84a347683d540042086fe72c902b8a\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 168,\n \"digest\": \"sha256:2e3debadcbf7e542e2aefbce1b64a358b1931fb403b3e4aeca27cb4d809d56c2\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 37720774,\n \"digest\": \"sha256:f8c9f51ad524d8ae9bf4db69cd3e720ba92373ec265f5c390ffb21bb0c277941\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 30432107,\n \"digest\": \"sha256:813a50b13f61cf1f8d25f19fa96ad3aa5b552896c83e86ce413b48b091d7f01b\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 197,\n \"digest\": \"sha256:7ab043301a6187ea3293d80b30ba06c7bf1a0c3cd4c43d10353b31bc0cecfe7d\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 154,\n \"digest\": \"sha256:67012cca8f31dc3b8ee2305e7762fee20c250513effdedb38a1c37784a5a2e71\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 176,\n \"digest\": \"sha256:3bc892145603fffc9b1c97c94e2985b4cb19ca508750b15845a5d97becbd1a0e\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 183,\n \"digest\": \"sha256:6f1c79518f18251d35977e7e46bfa6c6b9cf50df2a79d4194941d95c54258d18\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 212,\n \"digest\": \"sha256:b7bcfbc2e2888afebede4dd1cd5eebf029bb6315feeaf0b56e425e11a50afe42\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 212,\n \"digest\": \"sha256:2b220f8b0f32b7c2ed8eaafe1c802633bbd94849b9ab73926f0ba46cdae91629\"\n }\n ]\n}",
"registryId": "123456789012",
"imageId": {
"imageDigest": "sha256:98c8b060c21d9adbb6b8c41b916e95e6307102786973ab93a41e8b86d1fc6d3e",
"imageTag": "latest"
}
}
},
"requestID": "cf044b7d-5f9d-11e9-9b2a-95983139cc57",
"eventID": "2bfd4ee2-2178-4a82-a27d-b12939923f0f",
"resources": [{
"ARN": "arn:aws:ecr:us-east-2:123456789012:repository/testrepo",
"accountId": "123456789012"
}],
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012"
}
```
#### Example: Image pull action
The following example shows a CloudTrail log entry that demonstrates an image pull which uses the `BatchGetImage` action.
**Note**
When pulling an image, if you don't already have the image locally, you will also see `GetDownloadUrlForLayer` references in the CloudTrail logs.
```
{
"eventVersion": "1.04",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:account_name",
"arn": "arn:aws:sts::123456789012:user/Mary_Major",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mary_Major",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2019-04-15T16:42:14Z"
}
}
},
"eventTime": "2019-04-15T17:23:20Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "BatchGetImage",
"awsRegion": "us-east-2",
"sourceIPAddress": "ecr.amazonaws.com",
"userAgent": "ecr.amazonaws.com",
"requestParameters": {
"imageIds": [{
"imageTag": "latest"
}],
"acceptedMediaTypes": [
"application/json",
"application/vnd.oci.image.manifest.v1+json",
"application/vnd.oci.image.index.v1+json",
"application/vnd.docker.distribution.manifest.v2+json",
"application/vnd.docker.distribution.manifest.list.v2+json",
"application/vnd.docker.distribution.manifest.v1+prettyjws"
],
"repositoryName": "testrepo",
"registryId": "123456789012"
},
"responseElements": null,
"requestID": "2a1b97ee-5fa3-11e9-a8cd-cd2391aeda93",
"eventID": "c84f5880-c2f9-4585-9757-28fa5c1065df",
"resources": [{
"ARN": "arn:aws:ecr:us-east-2:123456789012:repository/testrepo",
"accountId": "123456789012"
}],
"eventType": "AwsApiCall",
"recipientAccountId": "123456789012"
}
```
#### Example: Image lifecycle policy action
The following example shows a CloudTrail log entry that demonstrates when an image is expired due to a lifecycle policy rule. This event type can be located by filtering for `PolicyExecutionEvent` for the event name field.
When you test a lifecycle policy preview, Amazon ECR generates a CloudTrail log entry with the event name field of `DryRunEvent`, with the exact same structure as the `PolicyExecutionEvent`. By changing the event name to `DryRunEvent`, you can filter on dry run events instead.
**Important**
Due to the size limitations of individual CloudTrail events, for lifecycle policy actions where 10 or more images are expired Amazon ECR sends multiple events to CloudTrail. Additionally, Amazon ECR includes a maximum of 100 tags per image.
```
{
"eventVersion": "1.05",
"userIdentity": {
"accountId": "123456789012",
"invokedBy": "AWS Internal"
},
"eventTime": "2020-03-12T20:22:12Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "PolicyExecutionEvent",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "9354dd7f-9aac-4e9d-956d-12561a4923aa",
"readOnly": true,
"resources": [
{
"ARN": "arn:aws:ecr:us-west-2:123456789012:repository/testrepo",
"accountId": "123456789012",
"type": "AWS::ECR::Repository"
}
],
"eventType": "AwsServiceEvent",
"recipientAccountId": "123456789012",
"serviceEventDetails": {
"repositoryName": "testrepo",
"lifecycleEventPolicy": {
"lifecycleEventRules": [
{
"rulePriority": 1,
"description": "remove all images > 2",
"lifecycleEventSelection": {
"tagStatus": "Any",
"tagPrefixList": [],
"countType": "Image count more than",
"countNumber": 2
},
"action": "expire"
}
],
"lastEvaluatedAt": 0,
"policyVersion": 1,
"policyId": "ceb86829-58e7-9498-920c-aa042e33037b"
},
"lifecycleEventImageActions": [
{
"lifecycleEventImage": {
"digest": "sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45",
"tagStatus": "Tagged",
"tagList": [
"alpine"
],
"pushedAt": 1584042813000
},
"rulePriority": 1
},
{
"lifecycleEventImage": {
"digest": "sha256:6ab380c5a5acf71c1b6660d645d2cd79cc8ce91b38e0352cbf9561e050427baf",
"tagStatus": "Tagged",
"tagList": [
"centos"
],
"pushedAt": 1584042842000
},
"rulePriority": 1
}
],
"lifecycleEventFailureDetails": [
{
"lifecycleEventImage": {
"digest": "sha256:9117e1bc28cd20751e584b4ccd19b1178d14cf02d134b04ce6be0cc51bff762a",
"tagStatus": "Untagged",
"tagList": [],
"pushedAt": 1584042844000
},
"rulePriority": 1,
"failureCode": "ImageReferencedByManifestList",
"failureReason": "Requested image referenced by manifest list: [sha256:4b27c83d44a18c31543039d9e8b2786043ec6c8d00804d5800c5148d6b6f65bc]"
}
]
}
}
```
#### Example: Image archival action
The following example shows a CloudTrail log entry that demonstrates an image being archived using the `UpdateImageStorageClass` action with `targetStorageClass` set to `ARCHIVE`.
```
{
"eventVersion": "1.11",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:account_name",
"arn": "arn:aws:sts::123456789012:user/Mary_Major",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mary_Major",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2019-04-15T16:42:14Z"
}
}
},
"eventTime": "2019-04-15T16:45:00Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "UpdateImageStorageClass",
"awsRegion": "us-east-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"repositoryName": "testrepo",
"imageId": {
"imageDigest": "sha256:98c8b060c21d9adbb6b8c41b916e95e6307102786973ab93a41e8b86d1fc6d3e"
},
"targetStorageClass": "ARCHIVE",
"registryId": "123456789012"
},
"responseElements": {
"image": {
"registryId": "123456789012",
"repositoryName": "testrepo",
"imageId": {
"imageDigest": "sha256:98c8b060c21d9adbb6b8c41b916e95e6307102786973ab93a41e8b86d1fc6d3e"
},
"imageStatus": "ARCHIVED"
}
},
"requestID": "cf044b7d-EXAMPLE",
"eventID": "2bfd4ee2-EXAMPLE",
"readOnly": false,
"resources": [{
"ARN": "arn:aws:ecr:us-east-2:123456789012:repository/testrepo",
"accountId": "123456789012"
}],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
#### Example: Image restore action
The following examples show CloudTrail log entries that demonstrate an image being restored. When you restore an archived image, two events are generated:
1. An API call event when the restore is initiated
1. A service event when the asynchronous restore operation completes
**API call event (restore initiation)**
The following example shows the initial API call to restore an image using the `UpdateImageStorageClass` action with `targetStorageClass` set to `STANDARD`. The response shows the image status as `ACTIVATING`.
```
{
"eventVersion": "1.11",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:account_name",
"arn": "arn:aws:sts::123456789012:user/Mary_Major",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mary_Major",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2019-04-15T16:42:14Z"
}
}
},
"eventTime": "2019-04-15T16:45:00Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "UpdateImageStorageClass",
"awsRegion": "us-east-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": {
"repositoryName": "testrepo",
"imageId": {
"imageDigest": "sha256:98c8b060c21d9adbb6b8c41b916e95e6307102786973ab93a41e8b86d1fc6d3e"
},
"targetStorageClass": "STANDARD",
"registryId": "123456789012"
},
"responseElements": {
"image": {
"registryId": "123456789012",
"repositoryName": "testrepo",
"imageId": {
"imageDigest": "sha256:98c8b060c21d9adbb6b8c41b916e95e6307102786973ab93a41e8b86d1fc6d3e"
},
"imageStatus": "ACTIVATING"
}
},
"requestID": "cf044b7d-EXAMPLE",
"eventID": "2bfd4ee2-EXAMPLE",
"readOnly": false,
"resources": [{
"ARN": "arn:aws:ecr:us-east-2:123456789012:repository/testrepo",
"accountId": "123456789012"
}],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```
**Service event (restore completion)**
The following example shows the service event generated when the asynchronous restore operation completes. This event type can be located by filtering for `ImageActivationEvent` for the event name field. The `serviceEventDetails` section contains the restore result and final image status.
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "123456789012",
"invokedBy": "AWS Internal"
},
"eventTime": "2020-03-12T20:22:12Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "ImageActivationEvent",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "9354dd7f-EXAMPLE",
"readOnly": true,
"resources": [
{
"ARN": "arn:aws:ecr:us-west-2:123456789012:repository/testrepo",
"accountId": "123456789012",
"type": "AWS::ECR::Repository"
}
],
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "123456789012",
"serviceEventDetails": {
"repositoryName": "testrepo",
"imageDigest": "sha256:98c8b060c21d9adbb6b8c41b916e95e6307102786973ab93a41e8b86d1fc6d3e",
"targetStorageClass": "STANDARD",
"result": "SUCCESS",
"imageStatus": "ACTIVE"
},
"eventCategory": "Management"
}
```
#### Example: Image referrers action
The following example shows a AWS CloudTrail log entry that demonstrates when an OCI 1.1 compliant client fetches a list of referrers, or reference artifacts, for an image using the `Referrers` API.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:account_name",
"arn": "arn:aws:sts::123456789012:user/Mary_Major",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:iam::123456789012:role/Admin",
"accountId": "123456789012",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2024-10-08T16:38:39Z",
"mfaAuthenticated": "false"
},
"ec2RoleDelivery": "2.0"
},
"invokedBy": "ecr.amazonaws.com"
},
"eventTime": "2024-10-08T17:22:51Z",
"eventSource": "ecr.amazonaws.com",
"eventName": "ListImageReferrers",
"awsRegion": "us-east-2",
"sourceIPAddress": "ecr.amazonaws.com",
"userAgent": "ecr.amazonaws.com",
"requestParameters": {
"registryId": "123456789012",
"repositoryName": "testrepo",
"subjectId": {
"imageDigest": "sha256:000b9b805af1cdb60628898c9f411996301a1c13afd3dbef1d8a16ac6dbf503a"
},
"nextToken": "urD72mdD/mC8b5-EXAMPLE"
},
"responseElements": null,
"requestID": "cb8c167e-EXAMPLE",
"eventID": "e3c6f4ce-EXAMPLE",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"ARN": "arn:aws:ecr:us-east-2:123456789012:repository/testrepo"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management"
}
```