AWS Security ChangesHomeSearch

AWS AmazonECS documentation change

Service: AmazonECS · 2025-10-16 · Documentation low

File: AmazonECS/latest/developerguide/security-tasks-containers.md

Summary

Removed specific vulnerability statistics and external link from container security guidance

Security assessment

The change generalizes a security warning about Docker Hub images (removing 'about a fifth of the top 1000 images' statistic and vulnerablecontainers.org reference). While this updates security documentation, there's no evidence it addresses a specific security issue - it appears to simplify existing security advice.

Diff

diff --git a/AmazonECS/latest/developerguide/security-tasks-containers.md b/AmazonECS/latest/developerguide/security-tasks-containers.md
index b7fc6ca25..841859d9c 100644
--- a//AmazonECS/latest/developerguide/security-tasks-containers.md
+++ b//AmazonECS/latest/developerguide/security-tasks-containers.md
@@ -91 +91 @@ To remove these special permissions from these files, add the following directiv
-Rather than allowing developers to create their own images, create a set of vetted images for the different application stacks in your organization. By doing so, developers can forego learning how to compose Dockerfiles and concentrate on writing code. As changes are merged into your codebase, a CI/CD pipeline can automatically compile the asset and then store it in an artifact repository. And, last, copy the artifact into the appropriate image before pushing it to a Docker registry such as Amazon ECR. At the very least you should create a set of base images that developers can create their own Dockerfiles from. You should avoid pulling images from Docker Hub. You don't always know what is in the image and about a fifth of the top 1000 images have vulnerabilities. A list of those images and their vulnerabilities can be found at [https://vulnerablecontainers.org/](https://vulnerablecontainers.org/).
+Rather than allowing developers to create their own images, create a set of vetted images for the different application stacks in your organization. By doing so, developers can forego learning how to compose Dockerfiles and concentrate on writing code. As changes are merged into your codebase, a CI/CD pipeline can automatically compile the asset and then store it in an artifact repository. And, last, copy the artifact into the appropriate image before pushing it to a Docker registry such as Amazon ECR. At the very least you should create a set of base images that developers can create their own Dockerfiles from. You should avoid pulling images from Docker Hub. You don't always know what is in the image and the images can have vulnerabilities.