AWS Security ChangesHomeSearch

AWS AmazonECR medium security documentation change

Service: AmazonECR · 2025-10-25 · Security-related medium

File: AmazonECR/latest/userguide/registry-permissions-examples.md

Summary

Updated examples to clarify IAM principal access instead of root user

Security assessment

Added security consideration note warning about account-level permissions granting broad access. This addresses potential over-permissioning risks by clarifying that account IDs grant access to all IAM principals in the account.

Diff

diff --git a/AmazonECR/latest/userguide/registry-permissions-examples.md b/AmazonECR/latest/userguide/registry-permissions-examples.md
index dae0ad1cf..a4753f33b 100644
--- a//AmazonECR/latest/userguide/registry-permissions-examples.md
+++ b//AmazonECR/latest/userguide/registry-permissions-examples.md
@@ -5 +5 @@
-Example: Allow the root user of a source account to replicate all repositoriesExample: Allow root users from multiple accountsExample: Allow the root user of a source account to replicate all repositories with prefix prod-.
+Example: Allow all IAM principals in a source account to replicate all repositoriesExample: Allow IAM principals from multiple accountsExample: Allow all IAM principals in a source account to replicate all repositories with prefix prod-.
@@ -15 +15,11 @@ In each example, if the `ecr:CreateRepository` action is removed from your regis
-## Example: Allow the root user of a source account to replicate all repositories
+## Example: Allow all IAM principals in a source account to replicate all repositories
+
+The following registry permissions policy allows all IAM principals (users and roles) in a source account to replicate all repositories.
+
+Note the following:
+
+  * **Important:** When you specify an AWS account ID as a principal in a policy, you grant access to all IAM users and roles within that account, not just the root user. This provides broad access across the entire account.
+
+  * **Security Consideration:** Account-level permissions grant access to all IAM entities in the specified account. For more restrictive access, specify individual IAM users, roles, or use condition statements to limit access further.
+
+
@@ -17 +26,0 @@ In each example, if the `ecr:CreateRepository` action is removed from your regis
-The following registry permissions policy allows the root user of a source account to replicate all repositories.
@@ -47 +56 @@ JSON
-## Example: Allow root users from multiple accounts
+## Example: Allow IAM principals from multiple accounts
@@ -49 +58 @@ JSON
-The following registry permissions policy has two statements. Each statement allows the root user of a source account to replicate all repositories.
+The following registry permissions policy has two statements. Each statement allows all IAM principals (users and roles) in a source account to replicate all repositories.
@@ -93 +102 @@ JSON
-## Example: Allow the root user of a source account to replicate all repositories with prefix `prod-`.
+## Example: Allow all IAM principals in a source account to replicate all repositories with prefix `prod-`.
@@ -95 +104 @@ JSON
-The following registry permissions policy allows the root user of a source account to replicate all repositories that start with `prod-`.
+The following registry permissions policy allows all IAM principals (users and roles) in a source account to replicate all repositories that start with `prod-`.