After the integration, Docker Scout automatically pulls and analyzes images
that you push to the ECR registry. Metadata about your images is stored on the
Docker Scout platform, but Docker Scout doesn't store the container images
themselves. For more information about how Docker Scout handles image data, see
[Data handling](/manuals/scout/deep-dive/data-handling.md).
### CloudFormation stack template
The following table describes the configuration resources.
> [!NOTE]
>
> Creating these resources incurs a small, recurring cost on the AWS account.
> The **Cost** column in the table represents an estimated monthly cost of the
> resources, when integrating an ECR registry that gets 100 images pushed per day.
>
> Additionally, an egress cost also applies when Docker Scout pulls the images
> from ECR. The egress cost is around $0.09 per GB.

| Resource type | Resource name | Description | Cost |
| ----------------------------- | ----------------------------- | ------------------------------------------------------------------------------------------ | ----- |
| `AWS::SNS::Topic` | `SNSTopic` | SNS topic for notifying Docker Scout when the AWS resources have been created. | Free |
| `AWS::SNS::TopicPolicy` | `TopicPolicy` | Defines the topic for the initial setup notification. | Free |
| `AWS::SecretsManager::Secret` | `ScoutAPICredentials` | Stores the credentials used by EventBridge to fire events to Scout. | $0.42 |
| `AWS::Events::ApiDestination` | `ApiDestination` | Sets up the EventBridge connection to Docker Scout for sending ECR push and delete events. | $0.01 |
| `AWS::Events::Connection` | `Connection` | EventBridge connection credentials to Scout. | Free |
| `AWS::Events::Rule` | `DockerScoutEcrRule` | Defines the rule to send ECR pushes and deletes to Scout. | Free |
| `AWS::Events::Rule` | `DockerScoutRepoDeletedRule` | Defines the rule to send ECR repository deletes to Scout. | Free |
| `AWS::IAM::Role` | `InvokeApiRole` | Internal role to grant the event access to `ApiDestination`. | Free |
| `AWS::IAM::Role` | `AssumeRoleEcrAccess` | This role has access to `ScoutAPICredentials` for setting up the Docker Scout integration. | Free |
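
Once the stack exists, you can check that it contains exactly the resources listed in the table, which is a useful review step for any third-party template that creates IAM roles and secrets in your account. The following script is an added example, not part of the Docker Scout template or tooling: it diffs the JSON printed by `aws cloudformation describe-stack-resources --stack-name <your-stack-name>` against the table, and the sample input and the `ExtraAdminRole` name are constructed for illustration.

```python
import json

# Logical names and types transcribed from the table on this page
# (the SNS topic is written with CloudFormation's type name, AWS::SNS::Topic).
EXPECTED = {
    "SNSTopic": "AWS::SNS::Topic",
    "TopicPolicy": "AWS::SNS::TopicPolicy",
    "ScoutAPICredentials": "AWS::SecretsManager::Secret",
    "ApiDestination": "AWS::Events::ApiDestination",
    "Connection": "AWS::Events::Connection",
    "DockerScoutEcrRule": "AWS::Events::Rule",
    "DockerScoutRepoDeletedRule": "AWS::Events::Rule",
    "InvokeApiRole": "AWS::IAM::Role",
    "AssumeRoleEcrAccess": "AWS::IAM::Role",
}

OK_STATES = ("CREATE_COMPLETE", "UPDATE_COMPLETE")

def audit_stack(describe_output):
    """Diff describe-stack-resources JSON (a string) against EXPECTED."""
    actual, not_ready = {}, []
    for r in json.loads(describe_output)["StackResources"]:
        actual[r["LogicalResourceId"]] = r["ResourceType"]
        if r["ResourceStatus"] not in OK_STATES:
            not_ready.append(r["LogicalResourceId"])
    shared = EXPECTED.keys() & actual.keys()
    return {
        "missing": sorted(EXPECTED.keys() - actual.keys()),
        "unexpected": sorted(actual.keys() - EXPECTED.keys()),
        "type_mismatch": sorted(n for n in shared if EXPECTED[n] != actual[n]),
        "not_ready": sorted(not_ready),
    }

# Constructed sample: one rule missing, one failed resource, and one extra
# IAM role that the table does not list (hypothetical name).
SAMPLE = json.dumps({"StackResources": [
    {"LogicalResourceId": n, "ResourceType": t,
     "ResourceStatus": "CREATE_FAILED" if n == "Connection" else "CREATE_COMPLETE"}
    for n, t in EXPECTED.items() if n != "DockerScoutRepoDeletedRule"
] + [
    {"LogicalResourceId": "ExtraAdminRole", "ResourceType": "AWS::IAM::Role",
     "ResourceStatus": "CREATE_COMPLETE"},
]})

if __name__ == "__main__":
    print(json.dumps(audit_stack(SAMPLE), indent=2))
```

Any entry under `unexpected`, especially an IAM role or policy, is worth reviewing before you rely on the integration.
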
## Integrate your first registry
Create the CloudFormation stack in your AWS account to enable the Docker Scout
integration.

Prerequisites:

- You must have access to an AWS account with permission to create resources.
- You must be an owner of the Docker organization.

To create the stack:

1. Go to the [ECR integration page](https://scout.docker.com/settings/integrations/ecr/)
   on the Docker Scout Dashboard.
2. Select the **Create on AWS** button.

   This opens the **Create stack** wizard in the AWS CloudFormation console in
   a new browser tab. If you're not already signed in to AWS, you're redirected
   to the sign-in page first.

   If the button is grayed out, it means you're lacking the necessary
   permissions in the Docker organization.

3. Follow the steps in the **Create stack** wizard until the end. Choose the
   AWS region you want to integrate. Complete the procedure by creating the
   resources.

   The fields in the wizard are pre-populated by the CloudFormation template,