AWS AmazonECR medium security documentation change
Summary
Modified IAM policy example to restrict resource from wildcard (*) to specific repository ARN pattern
Security assessment
Change demonstrates principle of least privilege by narrowing IAM permissions from wildcard to specific resources, which is a security best practice
Diff
diff --git a/AmazonECR/latest/userguide/image-push-iam.md b/AmazonECR/latest/userguide/image-push-iam.md index 882631e1b..a5974b324 100644 --- a//AmazonECR/latest/userguide/image-push-iam.md +++ b//AmazonECR/latest/userguide/image-push-iam.md @@ -11 +11 @@ A user must authenticate to each Amazon ECR registry they want to push images to -You can also create a your own IAM policies. The following IAM policy grants the required permissions for pushing an image to a specific repository. The repository must be specified as a full Amazon Resource Name (ARN). +You can also create a your own IAM policies. The following IAM policy grants the required permissions for pushing an image to a specific repository. To limit the permissions for a specific repository, use the full Amazon Resource Name (ARN) of the repository. @@ -53 +53 @@ The following IAM policy grants the required permissions for pushing an image to - "Resource": "*" + "Resource": "arn:aws:ecr:region:111122223333:repository/*"