AWS AmazonECR medium security documentation change
Summary
Updated examples to clarify IAM principal access instead of root user
Security assessment
Added security consideration note warning about account-level permissions granting broad access. This addresses potential over-permissioning risks by clarifying that account IDs grant access to all IAM principals in the account.
Diff
diff --git a/AmazonECR/latest/userguide/registry-permissions-examples.md b/AmazonECR/latest/userguide/registry-permissions-examples.md index dae0ad1cf..a4753f33b 100644 --- a//AmazonECR/latest/userguide/registry-permissions-examples.md +++ b//AmazonECR/latest/userguide/registry-permissions-examples.md @@ -5 +5 @@ -Example: Allow the root user of a source account to replicate all repositoriesExample: Allow root users from multiple accountsExample: Allow the root user of a source account to replicate all repositories with prefix prod-. +Example: Allow all IAM principals in a source account to replicate all repositoriesExample: Allow IAM principals from multiple accountsExample: Allow all IAM principals in a source account to replicate all repositories with prefix prod-. @@ -15 +15,11 @@ In each example, if the `ecr:CreateRepository` action is removed from your regis -## Example: Allow the root user of a source account to replicate all repositories +## Example: Allow all IAM principals in a source account to replicate all repositories + +The following registry permissions policy allows all IAM principals (users and roles) in a source account to replicate all repositories. + +Note the following: + + * **Important:** When you specify an AWS account ID as a principal in a policy, you grant access to all IAM users and roles within that account, not just the root user. This provides broad access across the entire account. + + * **Security Consideration:** Account-level permissions grant access to all IAM entities in the specified account. For more restrictive access, specify individual IAM users, roles, or use condition statements to limit access further. + + @@ -17 +26,0 @@ In each example, if the `ecr:CreateRepository` action is removed from your regis -The following registry permissions policy allows the root user of a source account to replicate all repositories. @@ -47 +56 @@ JSON -## Example: Allow root users from multiple accounts +## Example: Allow IAM principals from multiple accounts @@ -49 +58 @@ JSON -The following registry permissions policy has two statements. Each statement allows the root user of a source account to replicate all repositories. +The following registry permissions policy has two statements. Each statement allows all IAM principals (users and roles) in a source account to replicate all repositories. @@ -93 +102 @@ JSON -## Example: Allow the root user of a source account to replicate all repositories with prefix `prod-`. +## Example: Allow all IAM principals in a source account to replicate all repositories with prefix `prod-`. @@ -95 +104 @@ JSON -The following registry permissions policy allows the root user of a source account to replicate all repositories that start with `prod-`. +The following registry permissions policy allows all IAM principals (users and roles) in a source account to replicate all repositories that start with `prod-`.