AWS AmazonECS documentation change
Summary
Added section about Amazon ECR permissions requirements for private repositories with example IAM policy
Security assessment
Documents security-related IAM permissions required for accessing private ECR repositories. While this adds security documentation, there's no indication it addresses a specific vulnerability or incident.
Diff
diff --git a/AmazonECS/latest/developerguide/task-iam-roles.md b/AmazonECS/latest/developerguide/task-iam-roles.md index 2371b392f..822edcbe3 100644 --- a//AmazonECS/latest/developerguide/task-iam-roles.md +++ b//AmazonECS/latest/developerguide/task-iam-roles.md @@ -5 +5 @@ -Creating the task IAM roleECS Exec permissions Amazon EC2 instances additional configurationExternal instance additional configuration Amazon EC2 Windows instance additional configuration +Creating the task IAM roleAmazon ECR permissionsECS Exec permissions Amazon EC2 instances additional configurationExternal instance additional configuration Amazon EC2 Windows instance additional configuration @@ -249,0 +250 @@ Use ECS Exec | ECS Exec permissions +Use an image from a private Amazon ECR repository | Amazon ECR permissions @@ -253,0 +255,22 @@ Use Windows EC2 instances | Amazon EC2 Windows instance additional configuratio +## Amazon ECR permissions + +The following permissions are require when you want to use an image in a private repository. You should add the following permissions to a task IAM role and include the task IAM role in your task definition. For more information, see [Adding and Removing IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the _IAM User Guide_. + +Use the following policy for your task IAM role to add the required Amazon ECR permissions. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer", + "ecr:GetAuthorizationToken" + ], + "Resource": "*" + } + ] + } +