AWS Security ChangesHomeSearch

AWS AmazonECR documentation change

Service: AmazonECR · 2026-02-13 · Documentation low

File: AmazonECR/latest/userguide/pull-through-cache-private.md

Summary

Added clarification that resource policies are only required for cross-account pull-through cache configurations, not same-account cross-region setups.

Security assessment

The change clarifies configuration requirements but doesn't address vulnerabilities or security incidents. It helps prevent misconfiguration by specifying when resource policies are needed, but doesn't reference any security flaws or weaknesses.

Diff

diff --git a/AmazonECR/latest/userguide/pull-through-cache-private.md b/AmazonECR/latest/userguide/pull-through-cache-private.md
index bbefa28bd..fb28e2217 100644
--- a//AmazonECR/latest/userguide/pull-through-cache-private.md
+++ b//AmazonECR/latest/userguide/pull-through-cache-private.md
@@ -95,0 +96,4 @@ The upstream Amazon ECR registry owner must also add a registry policy or a repo
+###### Note
+
+The following resource policy is required only for **cross-account** ECR to ECR pull through cache configurations. For **same-account, cross-region** pull through cache, you only need the IAM role policy and trust policy shown in the previous sections. The root account principal permission is not required when the upstream and downstream registries are in the same AWS account.
+