AWS AmazonECR documentation change
Summary
Updated authentication behavior documentation: clarified that authenticated upstreams use user credentials for initial pulls while unauthenticated upstreams use AWS IP addresses.
Security assessment
The change documents security-relevant authentication mechanisms for pull-through cache operations. It explains credential usage patterns which is security-related documentation, but doesn't indicate any vulnerability being fixed.
Diff
diff --git a/AmazonECR/latest/userguide/pull-through-cache.md b/AmazonECR/latest/userguide/pull-through-cache.md index eb3f2e3d8..bef35f6c4 100644 --- a//AmazonECR/latest/userguide/pull-through-cache.md +++ b//AmazonECR/latest/userguide/pull-through-cache.md @@ -52 +52,3 @@ Consider the following when using Amazon ECR pull through cache rules. - * When a cached image is pulled through the Amazon ECR private registry URI, the image pulls are initiated by AWS IP addresses. This ensures that the image pull doesn't count against any pull rate quotas implemented by the upstream registry. + * For upstream repositories that require authentication, when an image is pulled through the Amazon ECR private registry URI for the first time or to update the cache, the image pulls are initiated by the user associated to the credentials configured in the pull through cache rule. Subsequent pulls will return the image directly from the cache in the customer's private registry. + + * For upstream repositories that do not require authentication, when an image is pulled through the Amazon ECR private registry URI, the image pulls are initiated by AWS IP addresses.