AWS AmazonECR documentation change
Summary
Added clarification that resource policies are only required for cross-account pull-through cache configurations, not same-account cross-region setups.
Security assessment
The change clarifies configuration requirements but doesn't address vulnerabilities or security incidents. It helps prevent misconfiguration by specifying when resource policies are needed, but doesn't reference any security flaws or weaknesses.
Diff
diff --git a/AmazonECR/latest/userguide/pull-through-cache-private.md b/AmazonECR/latest/userguide/pull-through-cache-private.md index bbefa28bd..fb28e2217 100644 --- a//AmazonECR/latest/userguide/pull-through-cache-private.md +++ b//AmazonECR/latest/userguide/pull-through-cache-private.md @@ -95,0 +96,4 @@ The upstream Amazon ECR registry owner must also add a registry policy or a repo +###### Note + +The following resource policy is required only for **cross-account** ECR to ECR pull through cache configurations. For **same-account, cross-region** pull through cache, you only need the IAM role policy and trust policy shown in the previous sections. The root account principal permission is not required when the upstream and downstream registries are in the same AWS account. +