AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2025-06-22 · Documentation low

File: AmazonECS/latest/developerguide/task_execution_IAM_role.md

Summary

Updated documentation for task execution roles with expanded explanations of private registry authentication and required permissions for Secrets Manager/KMS

Security assessment

The changes enhance documentation about secure credential management for private registries, emphasizing proper IAM permissions and KMS usage. This improves security documentation but doesn't indicate a specific security issue being addressed.

Diff

diff --git a/AmazonECS/latest/developerguide/task_execution_IAM_role.md b/AmazonECS/latest/developerguide/task_execution_IAM_role.md
index 31349a13e..708565d5f 100644
--- a//AmazonECS/latest/developerguide/task_execution_IAM_role.md
+++ b//AmazonECS/latest/developerguide/task_execution_IAM_role.md
@@ -120 +120 @@ Feature  |  Additional permissions
-Use Secrets Manager credentials to access your container image private repository |  Private registry authentication permissions  
+Pull container images from private registries outside of AWS (such as Docker Hub, Quay.io, or your own private registry) using Secrets Manager credentials |  Private registry authentication permissions  
@@ -129 +129 @@ View Amazon ECS lifecycle events in Container Insights |  [Permissions required
-To provide access to the secrets that you create, add the following permissions as an inline policy to the task execution role. For more information, see [Adding and Removing IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html).
+Private registry authentication allows your Amazon ECS tasks to pull container images from private registries outside of AWS (such as Docker Hub, Quay.io, or your own private registry) that require authentication credentials. This feature uses Secrets Manager to securely store your registry credentials, which are then referenced in your task definition using the `repositoryCredentials` parameter.
@@ -131 +131 @@ To provide access to the secrets that you create, add the following permissions
-  * `secretsmanager:GetSecretValue`
+For more information about configuring private registry authentication, see [Using non-AWS container images in Amazon ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html).
@@ -133 +133,5 @@ To provide access to the secrets that you create, add the following permissions
-  * `kms:Decrypt`—Required only if your key uses a custom KMS key and not the default key. The Amazon Resource Name (ARN) for your custom key must be added as a resource.
+To provide access to the secrets that contain your private registry credentials, add the following permissions as an inline policy to the task execution role. For more information, see [Adding and Removing IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html).
+
+  * `secretsmanager:GetSecretValue`—Required to retrieve the private registry credentials from Secrets Manager.
+
+  * `kms:Decrypt`—Required only if your secret uses a custom KMS key and not the default key. The Amazon Resource Name (ARN) for your custom key must be added as a resource.