AWS Security ChangesHomeSearch

AWS AmazonECR documentation change

Service: AmazonECR · 2026-04-19 · Documentation low

File: AmazonECR/latest/userguide/pull-through-cache.md

Summary

Added documentation about ListImageReferrers API behavior for pull-through cache repositories and cache refresh mechanism for referrer artifacts

Security assessment

This change documents API behavior and cache refresh intervals (6-hour window) for OCI referrer artifacts. While cache freshness can impact security by ensuring updated artifacts are available, there's no evidence this addresses a specific security vulnerability or weakness. It's a routine documentation update about system behavior.

Diff

diff --git a/AmazonECR/latest/userguide/pull-through-cache.md b/AmazonECR/latest/userguide/pull-through-cache.md
index f118dc394..3240531f3 100644
--- a//AmazonECR/latest/userguide/pull-through-cache.md
+++ b//AmazonECR/latest/userguide/pull-through-cache.md
@@ -59,0 +60,4 @@ Consider the following when using Amazon ECR pull through cache rules.
+  * Calling the `ListImageReferrers` API to a pull through cache created repository returns the OCI-compliant referrer artifacts to the private cache.
+
+  * Amazon ECR checks whether the referrer artifacts have been updated within the last 6 hours. If the 6-hour window has expired, Amazon ECR sends a request upstream to check for newer versions and updates the cache if they exist.
+