AWS Security ChangesHomeSearch

AWS AmazonECR documentation change

Service: AmazonECR · 2026-04-01 · Documentation low

File: AmazonECR/latest/userguide/pull-through-cache.md

Summary

Clarified the behavior of Amazon ECR pull-through cache image updates, specifying that ECR checks the upstream registry within a 24-hour window and serves cached images without upstream contact if the window hasn't expired.

Security assessment

This change provides clearer documentation on cache update mechanics. While it could indirectly impact security by clarifying update frequency, there is no evidence of a security vulnerability being addressed. It's a documentation clarification.

Diff

diff --git a/AmazonECR/latest/userguide/pull-through-cache.md b/AmazonECR/latest/userguide/pull-through-cache.md
index e6fbd93cb..53a821dbc 100644
--- a//AmazonECR/latest/userguide/pull-through-cache.md
+++ b//AmazonECR/latest/userguide/pull-through-cache.md
@@ -56 +56 @@ Consider the following when using Amazon ECR pull through cache rules.
-  * When a cached image is pulled through the Amazon ECR private registry URI, Amazon ECR checks the upstream repository at least once every 24 hours to verify whether the cached image is the latest version. If there is a newer image in the upstream registry, Amazon ECR attempts to update the cached image. This timer is based off the last pull of the cached image.
+  * When a customer pulls a cached image through the Amazon ECR private registry URI, Amazon ECR checks whether it has validated the image against the upstream registry within the last 24 hours. If the 24-hour window has expired, Amazon ECR sends a request upstream to check for a newer version and updates the cache if one exists. If the window has not expired, Amazon ECR serves the cached image without contacting the upstream.