AWS Security ChangesHomeSearch

AWS AmazonECR documentation change

Service: AmazonECR · 2025-04-11 · Documentation low

File: AmazonECR/latest/userguide/security_iam_service-with-iam.md

Summary

Clarified cross-account access requirements for identity-based policies

Security assessment

The change clarifies existing security documentation about IAM policies but does not introduce new security features or address specific vulnerabilities. It improves accuracy of permission requirements.

Diff

diff --git a/AmazonECR/latest/userguide/security_iam_service-with-iam.md b/AmazonECR/latest/userguide/security_iam_service-with-iam.md
index e221dbf44..ac129ce3e 100644
--- a//AmazonECR/latest/userguide/security_iam_service-with-iam.md
+++ b//AmazonECR/latest/userguide/security_iam_service-with-iam.md
@@ -115 +115 @@ Resource-based policies are JSON policy documents that specify what actions a sp
-To enable cross-account access, you can specify an entire account or IAM entities in another account as the [principal in a resource-based policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html). Adding a cross-account principal to a resource-based policy is only half of establishing the trust relationship. When the principal and the resource are in different AWS accounts, you must also grant the principal entity permission to access the resource. Grant permission by attaching an identity-based policy to the entity. However, if a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information, see [How IAM Roles Differ from Resource-based Policies ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html)in the _IAM User Guide_.
+To enable cross-account access, you can specify an entire account or IAM entities in another account as the [principal in a resource-based policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html). Adding a cross-account principal to a resource-based policy is only half of establishing the trust relationship. When the principal and the resource are in different AWS accounts, you must also grant the principal entity permission to access the resource. Grant permission by attaching an identity-based policy to the entity. However, if a resource-based policy grants access to a principal in the same account, you don't need additional Amazon ECR repository permissions in the identity-based policy. For more information, see [How IAM Roles Differ from Resource-based Policies ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html)in the _IAM User Guide_.