AWS Security ChangesHomeSearch

AWS solutions medium security documentation change

Service: solutions · 2025-11-22 · Security-related medium

File: solutions/latest/distributed-load-testing-on-aws/developer-guide.md

Summary

Clarified Docker image update policies, added explicit documentation about automatic update controls, and enhanced versioning details

Security assessment

The changes explicitly document how security patches (CVE fixes) are handled through image updates and version tagging. It clarifies security implications of automatic vs manual updates, making users aware of vulnerability management processes. Direct references to CVE resolution and security patching mechanisms constitute concrete security documentation.

Diff

diff --git a/solutions/latest/distributed-load-testing-on-aws/developer-guide.md b/solutions/latest/distributed-load-testing-on-aws/developer-guide.md
index 50bf48870..6c94cef43 100644
--- a//solutions/latest/distributed-load-testing-on-aws/developer-guide.md
+++ b//solutions/latest/distributed-load-testing-on-aws/developer-guide.md
@@ -17 +17,5 @@ Visit our [GitHub repository](https://github.com/aws-solutions/distributed-load-
-This solution uses Docker images with fixed versions that match each solution release if automatic updates is not selected. The AWS Solutions team uses ECR Enhanced Scanning to detect Common Vulnerabilities and Exposures (CVEs) in the base image and installed packages. When possible, the team will publish patched images with the same version tag to resolve CVEs, without breaking compatibility with the released solution version. When images are patched, if they are on the same minor version, the stable tag will be automatically updated, and an additional image tag will be created in the format `<solution-version>_<date-of-fix>` . If a major or minor version is released, a full stack update will be required to get the latest image version as the stable tag will be incremented so that its version matches the version of the solution. If opting-in to automatic updates the changes to the image, including the CVEs and minor bug fixes, will automatically be applied to the image up to the latest matching minor release.
+This solution uses Docker images with fixed versions that correspond to each solution release. By default, automatic updates are disabled, giving you complete control over when and which version updates are applied to your deployment. The AWS Solutions team uses Amazon ECR Enhanced Scanning to detect Common Vulnerabilities and Exposures (CVEs) in the base image and installed packages. When possible, the team publishes patched images with the same version tag to resolve CVEs without breaking compatibility with the released solution version.
+
+When images are patched on the same minor version, the stable tag is automatically updated, and an additional image tag is created in the format `<solution-version>_<date-of-fix>`. If a major or minor version is released, you must perform a full stack update to get the latest image version, as the stable tag is incremented to match the solution version.
+
+If you opt in to automatic updates during deployment, changes to the image, including CVE patches and minor bug fixes, are automatically applied up to the latest matching minor release.
@@ -21 +25,5 @@ This solution uses Docker images with fixed versions that match each solution r
-Customers on the latest solution version will receive security patches and minor, non-breaking, bug fixes automatically if they opt-in to automatic image updates. The image will automatically pull the latest image up to the latest matching minor version. In order to lock the container to a specific version, the task definition can be edited to specify the container to use a specific image version by using the tagged version of the image. Automatic updates can also be turned off by selecting **No** to automatic updates in CloudFormation when launching the stack. This will launch the image version matching the solution version.
+By default, this solution deploys with automatic updates disabled. This means the container image version is locked to the specific version matching your deployed solution version, providing you with full control over version updates.
+
+If you choose to enable automatic updates by selecting **Yes** during CloudFormation deployment, the solution will automatically receive security patches and minor, non-breaking bug fixes up to the latest matching minor version. For example, if you deploy version 4.0.0 with automatic updates enabled, you will receive updates up to 4.0.x, but not 4.1.0 or higher.
+
+To manually control the container image version, you can edit the task definition to specify a particular image version using the tagged version format. This allows you to pin to a specific image version regardless of the automatic updates setting.
@@ -29 +37 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Test cancellation workflow
+MCP server integration