AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2026-05-22 · Documentation low

File: solutions/latest/distributed-load-testing-on-aws/container-image.md

Summary

Added documentation for web console image in ALB + ECS Fargate template, including instructions for mirroring public images to private ECR repositories and customizing the web console image with Dockerfile, entrypoint script, and Nginx configuration details.

Security assessment

The change documents security headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security) in Nginx configuration and provides guidance for private registry usage in restricted environments, but doesn't address any specific vulnerability. The security headers mitigate common web vulnerabilities like clickjacking and MIME sniffing.

Diff

diff --git a/solutions/latest/distributed-load-testing-on-aws/container-image.md b/solutions/latest/distributed-load-testing-on-aws/container-image.md
index b21a4e990..0aaeefc1d 100644
--- a//solutions/latest/distributed-load-testing-on-aws/container-image.md
+++ b//solutions/latest/distributed-load-testing-on-aws/container-image.md
@@ -6,0 +7,2 @@
+Load tester imageWeb console image (ALB + ECS Fargate template only)
+
@@ -8,0 +11,2 @@
+## Load tester image
+
@@ -301,0 +306,141 @@ In addition to the [Dockerfile](https://docs.docker.com/engine/reference/builder
+## Web console image (ALB + ECS Fargate template only)
+
+The ALB + ECS Fargate template runs the web console as a container on ECS Fargate. By default, the solution pulls the web console image from a public Amazon ECR repository managed by AWS.
+
+In environments where access to public container registries is restricted (for example, VPCs with no internet access or accounts with ECR public access policies), you must mirror the public image to a private Amazon ECR repository and provide the private image URI in the **Web Console Image URI** CloudFormation parameter. You can also use this approach to customize the web console image to fit your needs.
+
+### Mirror the public image to a private ECR repository
+
+To mirror the web console image to a private ECR repository:
+
+  1. Authenticate to the public ECR registry:
+    
+        $ aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+
+  2. Pull the public web console image:
+    
+        $ docker pull public.ecr.aws/aws-solutions/distributed-load-testing-on-aws-web-console:<version>
+
+  3. Create a private ECR repository in your account (if one does not already exist):
+    
+        $ aws ecr create-repository --repository-name <your-repo-name> --region <region> 2>/dev/null || true
+
+  4. Authenticate to your private ECR registry:
+    
+        $ aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
+
+  5. Tag and push the image to your private repository:
+    
+        $ docker tag public.ecr.aws/aws-solutions/distributed-load-testing-on-aws-web-console:<version> \
+      <account-id>.dkr.ecr.<region>.amazonaws.com/<your-repo-name>:<version>
+    $ docker push <account-id>.dkr.ecr.<region>.amazonaws.com/<your-repo-name>:<version>
+
+  6. When launching the ALB + ECS Fargate stack, enter the private image URI in the **Web Console Image URI** parameter:
+    
+        <account-id>.dkr.ecr.<region>.amazonaws.com/<your-repo-name>:<version>
+
+
+
+
+### Customize the web console image
+
+You can also customize the web console image. The image resources are in the `deployment/ecr/distributed-load-testing-on-aws-web-console` directory, located in the [GitHub repository](https://github.com/aws-solutions/distributed-load-testing-on-aws/tree/main/deployment/ecr/distributed-load-testing-on-aws-web-console). Edit the container files to fit your needs, build the image locally, push it to your private ECR repository, and provide the URI in the **Web Console Image URI** parameter.
+
+The web console container uses Nginx to serve the static web application. At startup, the entrypoint script downloads the web console assets from Amazon S3 and extracts them into the Nginx document root.
+
+The following example shows the container file.
+    
+    
+    FROM public.ecr.aws/nginx/nginx:alpine
+    
+    # Install AWS CLI for S3 operations
+    RUN apk upgrade --no-cache zlib libpng && \
+        apk add --no-cache aws-cli
+    
+    # Copy nginx configuration
+    COPY nginx.conf /etc/nginx/nginx.conf
+    
+    # Copy entrypoint script
+    COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+    RUN chmod +x /usr/local/bin/entrypoint.sh
+    
+    EXPOSE 80
+    
+    ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+
+The entrypoint script downloads the web console assets from S3 and starts Nginx.
+    
+    
+    #!/bin/sh
+    set -e
+    
+    S3_URI="s3://${S3_BUCKET}/${S3_KEY}"
+    
+    echo "[$(date -Iseconds)] Downloading from $S3_URI"
+    
+    # AWS CLI has built-in retry with exponential backoff (standard mode)
+    AWS_MAX_ATTEMPTS=5 aws s3 cp "$S3_URI" /tmp/web-app.zip
+    
+    echo "[$(date -Iseconds)] Download successful"
+    
+    # Extract and cleanup
+    unzip -o /tmp/web-app.zip -d /usr/share/nginx/html/
+    rm -f /tmp/web-app.zip
+    
+    # Start Nginx
+    exec nginx -g 'daemon off;'
+
+The Nginx configuration serves the single-page application (SPA) with health check support for the ALB, gzip compression, static asset caching, and security headers.
+    
+    
+    events {
+      worker_connections 1024;
+    }
+    
+    http {
+      include /etc/nginx/mime.types;
+      default_type application/octet-stream;
+    
+      gzip on;
+      gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
+    
+      server {
+        listen 80;
+        root /usr/share/nginx/html;
+        index index.html;
+    
+        # Health check endpoint for ALB
+        location /healthz {
+          return 200 'OK';
+        }
+    
+        # SPA routing
+        location / {
+          try_files $uri $uri/ /index.html;
+        }
+    
+        # Cache static assets for 1 year
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
+          expires 1y;
+          add_header Cache-Control "public, immutable";
+        }
+    
+        # No cache for index.html (SPA entry point)
+        location = /index.html {
+          add_header Cache-Control "no-cache, no-store, must-revalidate";
+        }
+    
+        # No cache for runtime config
+        location = /aws-exports.json {
+          add_header Cache-Control "no-store, no-cache, must-revalidate";
+        }
+    
+        # Security headers
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+      }
+    }
+
+For more information, refer to [Pushing a Docker image to an Amazon ECR private repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html) in the _Amazon ECR User Guide_.
+