AWS Security ChangesHomeSearch

AWS AmazonECR documentation change

Service: AmazonECR · 2025-10-16 · Documentation low

File: AmazonECR/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Replaced inline IAM policy JSON example with reference to AWS managed policy AmazonElasticContainerRegistryPublicReadOnly

Security assessment

The change promotes using AWS-managed policies over custom policies, which is a security best practice but does not indicate a specific security vulnerability being addressed. Managed policies ensure consistent permissions and reduce misconfiguration risks.

Diff

diff --git a/AmazonECR/latest/userguide/security_iam_id-based-policy-examples.md b/AmazonECR/latest/userguide/security_iam_id-based-policy-examples.md
index e0baa3789..8ffda4e46 100644
--- a//AmazonECR/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//AmazonECR/latest/userguide/security_iam_id-based-policy-examples.md
@@ -55,24 +55 @@ To ensure that those entities can still use the Amazon ECR console, add the `Ama
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ecr:GetAuthorizationToken",
-                    "ecr:BatchCheckLayerAvailability",
-                    "ecr:GetDownloadUrlForLayer",
-                    "ecr:GetRepositoryPolicy",
-                    "ecr:DescribeRepositories",
-                    "ecr:ListImages",
-                    "ecr:DescribeImages",
-                    "ecr:BatchGetImage",
-                    "ecr:GetLifecyclePolicy",
-                    "ecr:GetLifecyclePolicyPreview",
-                    "ecr:ListTagsForResource",
-                    "ecr:DescribeImageScanFindings"
-                ],
-                "Resource": "*"
-            }
-        ]
-    }
+To view the permissions for this policy, see [AmazonElasticContainerRegistryPublicReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticContainerRegistryPublicReadOnly.html) in the _AWS Managed Policy Reference_.