AWS Security ChangesHomeSearch

AWS AmazonECR medium security documentation change

Service: AmazonECR · 2026-03-19 · Security-related medium

File: AmazonECR/latest/userguide/pull-through-cache-creating-secret.md

Summary

Added documentation for creating Secrets Manager secrets for Chainguard Registry credentials with specific encryption requirements

Security assessment

Specifies encryption constraints (must use default KMS key), warns against storing sensitive data in tags, and provides credential security guidance. Requires secure handling of Chainguard access tokens.

Diff

diff --git a/AmazonECR/latest/userguide/pull-through-cache-creating-secret.md b/AmazonECR/latest/userguide/pull-through-cache-creating-secret.md
index b586ffecd..a48f08d0d 100644
--- a//AmazonECR/latest/userguide/pull-through-cache-creating-secret.md
+++ b//AmazonECR/latest/userguide/pull-through-cache-creating-secret.md
@@ -180,0 +181,50 @@ GitLab Container Registry
+
+###### Important
+
+You must use the default `aws/secretsmanager` encryption key to encrypt your secret. Amazon ECR doesn't support using a customer managed key (CMK) for this.
+
+  4. On the **Configure secret** page, do the following:
+
+    1. Enter a descriptive **Secret name** and **Description**. Secret names must contain 1-512 Unicode characters and be prefixed with `ecr-pullthroughcache/`.
+
+###### Important
+
+The Amazon ECR AWS Management Console only displays Secrets Manager secrets with names using the `ecr-pullthroughcache/` prefix.
+
+    2. (Optional) In the **Tags** section, add tags to your secret. For tagging strategies, see [Tag Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/managing-secrets_tagging.html) in the _AWS Secrets Manager User Guide_. Don't store sensitive information in tags because they aren't encrypted.
+
+    3. (Optional) In **Resource permissions** , to add a resource policy to your secret, choose **Edit permissions**. For more information, see [Attach a permissions policy to an Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html) in the _AWS Secrets Manager User Guide_.
+
+    4. (Optional) In **Replicate secret** , to replicate your secret to another AWS Region, choose **Replicate secret**. You can replicate your secret now or come back and replicate it later. For more information, see [Replicate a secret to other Regions](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create-manage-multi-region-secrets.html) in the _AWS Secrets Manager User Guide_.
+
+    5. Choose **Next**.
+
+  5. (Optional) On the **Configure rotation** page, you can turn on automatic rotation. You can also keep rotation off for now and then turn it on later. For more information, see [Rotate Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html) in the _AWS Secrets Manager User Guide_. Choose **Next**.
+
+  6. On the **Review** page, review your secret details, and then choose **Store**.
+
+Secrets Manager returns to the list of secrets. If your new secret doesn't appear, choose the refresh button.
+
+
+
+
+Chainguard Registry
+    
+
+###### To create an Secrets Manager secret for your Chainguard credentials (AWS Management Console)
+
+  1. Open the Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).
+
+  2. Choose **Store a new secret**.
+
+  3. On the **Choose secret type** page, do the following.
+
+    1. For **Secret type** , choose **Other type of secret**.
+
+    2. In **Key/value pairs** , create two rows for your Chainguard credentials. You can store up to 65536 bytes in the secret.
+
+      1. For the first key/value pair, specify `username` as the key and your Chainguard Registry username as the value.
+
+      2. For the second key/value pair, specify `accessToken` as the key and your Chainguard Registry access token as the value. For more information on creating a Chainguard Registry pull token, see [Authenticating with a Pull Token ](https://edu.chainguard.dev/chainguard/chainguard-images/chainguard-registry/authenticating/#authenticating-with-a-pull-token) in the Chainguard documentation.
+
+    3. For **Encryption key** , keep the default **aws/secretsmanager** AWS KMS key value and then choose **Next**. There is no cost for using this key. For more information, see [Secret encryption and decryption in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html) in the _AWS Secrets Manager User Guide_.