TELCODOCS-1953

Author: rohennes

modules/installation-aws-iam-policies-about.adoc

@@ -8,6 +8,11 @@
 
 By default, the installation program creates instance profiles for the bootstrap, control plane, and compute instances with the necessary permissions for the cluster to operate.
 
+[NOTE]
+====
+To enable pulling images from the Amazon Elastic Container Registry (ECR) as a postinstallation task in a {sno} cluster, you must add the `AmazonEC2ContainerRegistryReadOnly` policy to the IAM role associated with the cluster's control plane role.
+====
+
 However, you can create your own IAM roles and specify them as part of the installation process. You might need to specify your own roles to deploy the cluster or to manage the cluster after installation. For example:
 
 * Your organization's security policies require that you use a more restrictive set of permissions to install the cluster.