AWS AmazonECS medium security documentation change
Summary
Added dedicated section for Amazon ECR permissions in task execution roles, removed standalone lifecycle events permissions section (replaced with link), and updated navigation headers.
Security assessment
The addition of explicit ECR permissions guidance helps ensure proper configuration of the task execution role, which is critical for secure container image management. The documentation now clearly separates ECR access requirements between execution roles and task roles, reducing misconfiguration risks. However, there's no evidence of addressing an active security vulnerability.
Diff
diff --git a/AmazonECS/latest/developerguide/task_execution_IAM_role.md b/AmazonECS/latest/developerguide/task_execution_IAM_role.md index 9c2763ebb..31349a13e 100644 --- a//AmazonECS/latest/developerguide/task_execution_IAM_role.md +++ b//AmazonECS/latest/developerguide/task_execution_IAM_role.md @@ -5 +5 @@ -Creating the task execution rolePrivate registry authentication permissionsSecrets Manager or Systems Manager permissionsFargate tasks pulling Amazon ECR images over interface endpoints permissionsAmazon S3 file storage permissionsPermissions required to configure Container Insights to view Amazon ECS lifecycle eventsPermissions required to view Amazon ECS lifecycle events in Container Insights +Creating the task execution rolePrivate registry authentication permissionsSecrets Manager or Systems Manager permissionsFargate tasks pulling Amazon ECR images over interface endpoints permissionsAmazon ECR permissionsAmazon S3 file storage permissionsPermissions required to configure Container Insights to view Amazon ECS lifecycle events @@ -125 +125 @@ Configure Container Insights to view Amazon ECS lifecycle events | Permissions -View Amazon ECS lifecycle events in Container Insights | Permissions required to view Amazon ECS lifecycle events in Container Insights +View Amazon ECS lifecycle events in Container Insights | [Permissions required to view Amazon ECS lifecycle events in Container Insights](./console-permissions.html#required-permissions-view) @@ -273,0 +274,26 @@ The following task execution role policy provides an example for adding conditio +## Amazon ECR permissions + +The following permissions are required when you need to pull container images from Amazon ECR private repositories. The task execution role should have these permissions to allow the Amazon ECS container and Fargate agents to pull container images on your behalf. For basic ECS implementations, these permissions should be added to the task execution role rather than the task IAM role. + +The Amazon ECS task execution role managed policy (`AmazonECSTaskExecutionRolePolicy`) includes the necessary permissions for pulling images from Amazon ECR. If you're using the managed policy, you don't need to add these permissions separately. + +If you're creating a custom policy, include the following permissions to allow pulling images from Amazon ECR: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer", + "ecr:GetAuthorizationToken" + ], + "Resource": "*" + } + ] + } + +Note that these permissions are different from the permissions that might be required in the task IAM role if your application code needs to interact with Amazon ECR APIs directly. For information about task IAM role permissions for Amazon ECR, see [Amazon ECR permissions](./task-iam-roles.html#ecr-required-iam-permissions). + @@ -334,29 +359,0 @@ The following permissions are required in the task role to configure the lifecyc -## Permissions required to view Amazon ECS lifecycle events in Container Insights - -The following permissions are required to view the lifecycle events. Add the following permissions as an inline policy to the task execution role. For more information, see [Adding and Removing IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html). - - * events:DescribeRule - - * events:ListTargetsByRule - - * logs:DescribeLogGroups - - - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "events:DescribeRule", - "events:ListTargetsByRule", - "logs:DescribeLogGroups" - ], - "Resource": "*" - } - ] - } -