AWS Security ChangesHomeSearch

AWS AmazonECR documentation change

Service: AmazonECR · 2025-10-16 · Documentation low

File: AmazonECR/latest/public/public-security-iam-awsmanpol.md

Summary

Replaced inline IAM policy JSON definitions with links to AWS Managed Policy Reference documentation for ECR Public policies

Security assessment

The change updates documentation about IAM security policies (a security feature) but removes explicit policy details in favor of external references. While related to security documentation, there's no evidence of addressing a specific vulnerability or incident.

Diff

diff --git a/AmazonECR/latest/public/public-security-iam-awsmanpol.md b/AmazonECR/latest/public/public-security-iam-awsmanpol.md
index 63ebc3d3f..817b39d6f 100644
--- a//AmazonECR/latest/public/public-security-iam-awsmanpol.md
+++ b//AmazonECR/latest/public/public-security-iam-awsmanpol.md
@@ -26 +26 @@ Amazon ECR Public provides several managed policies that you can attach to users
-You can attach the `AmazonElasticContainerRegistryPublicFullAccess` policy to your IAM identities.
+You can attach the `AmazonElasticContainerRegistryPublicFullAccess` policy to your IAM identities. This policy grants administrative access to Amazon ECR Public resources and allows an IAM identity (such as a user, group, or role) to use all Amazon ECR Public features.
@@ -28,29 +28 @@ You can attach the `AmazonElasticContainerRegistryPublicFullAccess` policy to yo
-This managed policy is a starting point for providing an IAM user or role with full administrator access to manage their use of Amazon ECR Public. 
-
-**Permissions details**
-
-This policy includes the following permissions:
-
-  * `ecr-public` – Provides IAM principals full access to all Amazon ECR APIs.
-
-  * `sts` – Allows IAM principals to acquire a AWS Security Token Service bearer token for an AWS root user, IAM role, or an IAM user.
-
-
-
-
-The `AmazonElasticContainerRegistryPublicFullAccess` policy is as follows.
-    
-    
-    {
-        "Version": "2012-10-17",&TCX5-2025-waiver;
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ecr-public:*",
-                    "sts:GetServiceBearerToken"
-                ],
-                "Resource": "*"
-            }
-        ]
-    }
+To view the permissions for this policy, see [AmazonElasticContainerRegistryPublicFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticContainerRegistryPublicFullAccess.html) in the _AWS Managed Policy Reference_.
@@ -60,11 +32 @@ The `AmazonElasticContainerRegistryPublicFullAccess` policy is as follows.
-You can attach the `AmazonEC2ContainerRegistryPowerUser` policy to your IAM identities.
-
-This policy grants administratice permissions that allow power user access to Amazon ECR Public. This provides write access to public repositories, but it doesn't allow users to delete public repositories or change the policy documents that are applied to them.
-
-**Permissions details**
-
-This policy includes the following permissions:
-
-  * `ecr-public` – Allows IAM principals to read and write to respositores and read lifecycle policies. IAM principals aren't granted permission to delete repositories or change the lifecycle policies that are applied to them.
-
-  * `sts` – Allows IAM principals to acquire a AWS Security Token Service bearer token for an AWS root user, IAM role, or an IAM user.
+You can attach the `AmazonElasticContainerRegistryPublicPowerUser` policy to your IAM identities. This policy grants power user access to Amazon ECR Public resources, providing write access to public repositories without allowing deletion of repositories or modification of policy documents.
@@ -72,31 +34 @@ This policy includes the following permissions:
-
-
-
-The `AmazonElasticContainerRegistryPublicPowerUser` policy is as follows.
-    
-    
-    {
-        "Version": "2012-10-17",&TCX5-2025-waiver;
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ecr-public:GetAuthorizationToken",
-                    "sts:GetServiceBearerToken",
-                    "ecr-public:BatchCheckLayerAvailability",
-                    "ecr-public:GetRepositoryPolicy",
-                    "ecr-public:DescribeRepositories",
-                    "ecr-public:DescribeRegistries",
-                    "ecr-public:DescribeImages",
-                    "ecr-public:DescribeImageTags",
-                    "ecr-public:GetRepositoryCatalogData",
-                    "ecr-public:GetRegistryCatalogData",
-                    "ecr-public:InitiateLayerUpload",
-                    "ecr-public:UploadLayerPart",
-                    "ecr-public:CompleteLayerUpload",
-                    "ecr-public:PutImage"
-                ],
-                "Resource": "*"
-            }
-        ]
-    }
+To view the permissions for this policy, see [AmazonElasticContainerRegistryPublicPowerUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticContainerRegistryPublicPowerUser.html) in the _AWS Managed Policy Reference_.
@@ -106,17 +38 @@ The `AmazonElasticContainerRegistryPublicPowerUser` policy is as follows.
-You can attach the `AmazonElasticContainerRegistryPublicReadOnly` policy to your IAM identities.
-
-This policy grants read-only permissions to Amazon ECR Public. These permissions include the ability to describe public registries, to list and describe public repositories, to describe images within a public repository, and to pull images from Amazon ECR Public with the Docker CLI.
-
-**Permissions details**
-
-This policy includes the following permissions:
-
-  * `ecr` – Allows IAM principals to read repositories and their respective lifecycle policies.
-
-  * `sts` – Allows IAM principals to acquire a AWS Security Token Service bearer token for an AWS root user, IAM role, or an IAM user.
-
-
-
-
-The `AmazonElasticContainerRegistryPublicReadOnly` policy is as follows.
-    
+You can attach the `AmazonElasticContainerRegistryPublicReadOnly` policy to your IAM identities. This policy grants read-only permissions to Amazon ECR Public resources, including the ability to describe public registries, list and describe public repositories, describe images, and pull images with the Docker CLI.
@@ -124,19 +40 @@ The `AmazonElasticContainerRegistryPublicReadOnly` policy is as follows.
-    {
-        "Version": "2012-10-17",&TCX5-2025-waiver;
-        "Statement": [{
-            "Effect": "Allow",
-            "Action": [
-                "ecr-public:GetAuthorizationToken",
-                "sts:GetServiceBearerToken",
-                "ecr-public:BatchCheckLayerAvailability",
-                "ecr-public:GetRepositoryPolicy",
-                "ecr-public:DescribeRepositories",
-                "ecr-public:DescribeRegistries",
-                "ecr-public:DescribeImages",
-                "ecr-public:DescribeImageTags",
-                "ecr-public:GetRepositoryCatalogData",
-                "ecr-public:GetRegistryCatalogData"
-            ],
-            "Resource": "*"
-        }]
-    }
+To view the permissions for this policy, see [AmazonElasticContainerRegistryPublicReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticContainerRegistryPublicReadOnly.html) in the _AWS Managed Policy Reference_.