AWS Security ChangesHomeSearch

AWS AmazonECR low security documentation change

Service: AmazonECR · 2025-10-16 · Security-related low

File: AmazonECR/latest/userguide/security-iam-awsmanpol.md

Summary

Restructured managed policy documentation by removing inline JSON policy examples and replacing them with links to AWS Managed Policy Reference. Added clearer descriptions of policy scopes and permissions for AmazonEC2ContainerRegistryFullAccess, PowerUser, PullOnly, and ReadOnly policies.

Security assessment

The changes improve clarity around IAM policy permissions and access controls, which is fundamental for security configuration. Specifically highlighting that PowerUser policy doesn't allow repository deletion or policy modifications helps prevent privilege escalation risks. However, there's no evidence this addresses a specific disclosed vulnerability.

Diff

diff --git a/AmazonECR/latest/userguide/security-iam-awsmanpol.md b/AmazonECR/latest/userguide/security-iam-awsmanpol.md
index e24ff865b..70086e248 100644
--- a//AmazonECR/latest/userguide/security-iam-awsmanpol.md
+++ b//AmazonECR/latest/userguide/security-iam-awsmanpol.md
@@ -40 +40 @@ Amazon ECR provides several managed policies that you can attach to IAM identiti
-## `AmazonEC2ContainerRegistryFullAccess`
+## AmazonEC2ContainerRegistryFullAccess
@@ -42 +42 @@ Amazon ECR provides several managed policies that you can attach to IAM identiti
-You can attach the `AmazonEC2ContainerRegistryFullAccess` policy to your IAM identities.
+You can attach the `AmazonEC2ContainerRegistryFullAccess` policy to your IAM identities. This policy grants administrative access to Amazon ECR resources and grants an IAM identity (such as a user, group, or role) access to the AWS services that Amazon ECR is integrated with to use all of Amazon ECR features. Using this policy allows access to all of Amazon ECR features that are available in the AWS Management Console.
@@ -44 +44 @@ You can attach the `AmazonEC2ContainerRegistryFullAccess` policy to your IAM ide
-You can use this managed policy as a starting point to create your own IAM policy based on your specific requirements. For example, you can create a policy specifically for providing a user or role with full administrator access to manage the use of Amazon ECR. With the [Amazon ECR Lifecycle Policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html) feature, you can specify the lifecycle management of images in a repository. Lifecycle policy events are reported as CloudTrail events. Amazon ECR is integrated with AWS CloudTrail so it can display your lifecycle policy events directly in the Amazon ECR console. The `AmazonEC2ContainerRegistryFullAccess` managed IAM policy includes the `cloudtrail:LookupEvents` permission to facilitate this behavior.
+To view the permissions for this policy, see [AmazonEC2ContainerRegistryFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryFullAccess.html) in the _AWS Managed Policy Reference_.
@@ -46 +46 @@ You can use this managed policy as a starting point to create your own IAM polic
-**Permissions details**
+## AmazonEC2ContainerRegistryPowerUser
@@ -48 +48 @@ You can use this managed policy as a starting point to create your own IAM polic
-This policy includes the following permissions:
+You can attach the `AmazonEC2ContainerRegistryPowerUser` policy to your IAM identities. This policy grants administrative permissions that allow IAM users to read and write to repositories, but doesn't allow them to delete repositories or change the policy documents that are applied to them.
@@ -50 +50 @@ This policy includes the following permissions:
-  * `ecr` – Allows principals full access to all Amazon ECR APIs.
+To view the permissions for this policy, see [AmazonEC2ContainerRegistryPowerUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryPowerUser.html) in the _AWS Managed Policy Reference_.
@@ -52 +52 @@ This policy includes the following permissions:
-  * `cloudtrail` – Allows principals to looks up management events or AWS CloudTrail Insights events that are captured by CloudTrail.
+## AmazonEC2ContainerRegistryPullOnly
@@ -53,0 +54 @@ This policy includes the following permissions:
+You can attach the `AmazonEC2ContainerRegistryPullOnly` policy to your IAM identities. This policy grants permission to pull container images from Amazon ECR. If the registry is enabled for pull-through cache, it will also allow pulls to import an image from an upstream registry.
@@ -54,0 +56 @@ This policy includes the following permissions:
+To view the permissions for this policy, see [AmazonEC2ContainerRegistryPullOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryPullOnly.html) in the _AWS Managed Policy Reference_.
@@ -55,0 +58 @@ This policy includes the following permissions:
+## AmazonEC2ContainerRegistryReadOnly
@@ -57 +60 @@ This policy includes the following permissions:
-The `AmazonEC2ContainerRegistryFullAccess` policy is as follows.
+You can attach the `AmazonEC2ContainerRegistryReadOnly` policy to your IAM identities. This policy grants read-only permissions to Amazon ECR. This includes the ability to list repositories and images within the repositories. It also includes the ability to pull images from Amazon ECR with the Docker CLI.
@@ -59,150 +62 @@ The `AmazonEC2ContainerRegistryFullAccess` policy is as follows.
-    
-    {
-        "Version": "2012-10-17",&TCX5-2025-waiver;
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ecr:*",
-                    "cloudtrail:LookupEvents"
-                ],
-                "Resource": "*"
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "iam:CreateServiceLinkedRole"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "iam:AWSServiceName": [
-                            "replication.ecr.amazonaws.com"
-                        ]
-                    }
-                }
-            }
-        ]
-    }
-
-## `AmazonEC2ContainerRegistryPowerUser`
-
-You can attach the `AmazonEC2ContainerRegistryPowerUser` policy to your IAM identities.
-
-This policy grants administrative permissions that allow IAM users to read and write to repositories, but doesn't allow them to delete repositories or change the policy documents that are applied to them.
-
-**Permissions details**
-
-This policy includes the following permissions:
-
-  * `ecr` – Allows principals to read and write to repositories, as well as read lifecycle policies. Principals aren't granted permission to delete repositories or change the lifecycle policies that are applied to them.
-
-
-
-
-The `AmazonEC2ContainerRegistryPowerUser` policy is as follows.
-    
-    
-    {
-        "Version": "2012-10-17",&TCX5-2025-waiver;
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ecr:GetAuthorizationToken",
-                    "ecr:BatchCheckLayerAvailability",
-                    "ecr:GetDownloadUrlForLayer",
-                    "ecr:GetRepositoryPolicy",
-                    "ecr:DescribeRepositories",
-                    "ecr:ListImages",
-                    "ecr:DescribeImages",
-                    "ecr:BatchGetImage",
-                    "ecr:GetLifecyclePolicy",
-                    "ecr:GetLifecyclePolicyPreview",
-                    "ecr:ListTagsForResource",
-                    "ecr:DescribeImageScanFindings",
-                    "ecr:InitiateLayerUpload",
-                    "ecr:UploadLayerPart",
-                    "ecr:CompleteLayerUpload",
-                    "ecr:PutImage"
-                ],
-                "Resource": "*"
-            }
-        ]
-    }
-
-## `AmazonEC2ContainerRegistryPullOnly`
-
-You can attach the `AmazonEC2ContainerRegistryPullOnly` policy to your IAM identities.
-
-This policy grants permission to pull container images from Amazon ECR. If the registry is enabled for pull-through cache, it will also allow pulls to import an image from an upstream registry.
-
-**Permissions details**
-
-This policy includes the following permissions:
-
-  * `ecr` – Allows principals to read repositories and their respective lifecycle policies.
-
-
-
-
-The `AmazonEC2ContainerRegistryPullOnly` policy is as follows.
-    
-    
-    {
-        "Version": "2012-10-17",&TCX5-2025-waiver;
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ecr:GetAuthorizationToken",
-                    "ecr:BatchGetImage",
-                    "ecr:GetDownloadUrlForLayer",
-                    "ecr:BatchImportUpstreamImage"
-                ],
-                "Resource": "*"
-            }
-        ]
-    }
-
-## `AmazonEC2ContainerRegistryReadOnly`
-
-You can attach the `AmazonEC2ContainerRegistryReadOnly` policy to your IAM identities.
-
-This policy grants read-only permissions to Amazon ECR. This includes the ability to list repositories and images within the repositories. It also includes the ability to pull images from Amazon ECR with the Docker CLI.
-
-**Permissions details**
-
-This policy includes the following permissions:
-
-  * `ecr` – Allows principals to read repositories and their respective lifecycle policies.
-
-
-
-
-The `AmazonEC2ContainerRegistryReadOnly` policy is as follows.
-    
-    
-    {
-        "Version": "2012-10-17",&TCX5-2025-waiver;
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ecr:GetAuthorizationToken",
-                    "ecr:BatchCheckLayerAvailability",
-                    "ecr:GetDownloadUrlForLayer",
-                    "ecr:GetRepositoryPolicy",
-                    "ecr:DescribeRepositories",
-                    "ecr:ListImages",
-                    "ecr:DescribeImages",
-                    "ecr:BatchGetImage",
-                    "ecr:GetLifecyclePolicy",
-                    "ecr:GetLifecyclePolicyPreview",
-                    "ecr:ListTagsForResource",
-                    "ecr:DescribeImageScanFindings"
-                ],
-                "Resource": "*"
-            }
-        ]
-    }
+To view the permissions for this policy, see [AmazonEC2ContainerRegistryReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ContainerRegistryReadOnly.html) in the _AWS Managed Policy Reference_.