Medium EC2 Regional

VPC interface endpoints should be enabled for ECR Docker registry

NIST 800-53

Description

This control checks whether VPC interface endpoints are enabled for Amazon Elastic Container Registry (ECR) Docker registry. The control fails if there is no VPC interface endpoint for ECR Docker registry or if the endpoint is not available. VPC interface endpoints allow you to privately connect your VPC to supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. This helps improve security by keeping traffic within the AWS network and reducing exposure to the public internet.


Remediation

Create a VPC interface endpoint for ECR Docker registry to enable private connectivity to Amazon ECR.

Steps

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose 'Endpoints'.
  3. Choose 'Create endpoint'.
  4. Select 'AWS services' as the service category.
  5. Choose 'com.amazonaws.region.ecr.dkr' as the service, where 'region' is the AWS Region of your VPC.
  6. Select your VPC and subnets.
  7. Choose a security group and policy.
  8. Choose 'Create endpoint'.
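As an added example (not part of this control page or of any AWS tooling), the pass/fail logic the description states, run offline over a constructed list shaped like the `VpcEndpoints` array of the EC2 DescribeVpcEndpoints API; the field names mirror that API, while the VPC and endpoint IDs and the sample data are made up.

```python
"""Offline evaluation of the 'ECR Docker registry VPC interface endpoint' control.

Input mirrors the `VpcEndpoints` list returned by EC2 DescribeVpcEndpoints.
The sample data below is constructed for this example, not from a real account.
"""
from typing import Iterable

# The ECR Docker registry service is named com.amazonaws.<region>.ecr.dkr;
# matching on the suffix keeps the check region-independent.
ECR_DKR_SUFFIX = ".ecr.dkr"


def ecr_dkr_endpoints(endpoints: Iterable[dict], vpc_id: str) -> list:
    """Interface endpoints in `vpc_id` that target the ECR Docker registry service."""
    return [
        ep for ep in endpoints
        if ep.get("VpcId") == vpc_id
        and ep.get("VpcEndpointType") == "Interface"
        and ep.get("ServiceName", "").endswith(ECR_DKR_SUFFIX)
    ]


def evaluate_vpc(endpoints: Iterable[dict], vpc_id: str) -> tuple:
    """(status, reason) for one VPC: PASS only if an ecr.dkr interface endpoint is 'available'."""
    matches = ecr_dkr_endpoints(endpoints, vpc_id)
    if not matches:
        return "FAIL", f"{vpc_id}: no VPC interface endpoint for ECR Docker registry"
    if any(ep.get("State") == "available" for ep in matches):
        return "PASS", f"{vpc_id}: available ECR Docker registry endpoint found"
    states = ", ".join(sorted({ep.get("State", "unknown") for ep in matches}))
    return "FAIL", f"{vpc_id}: ECR Docker registry endpoint present but not available ({states})"


def evaluate_all(endpoints: list, vpc_ids: Iterable[str]) -> dict:
    """Map each VPC ID to its control status."""
    return {vpc: evaluate_vpc(endpoints, vpc)[0] for vpc in vpc_ids}


# Constructed sample: vpc-0a is compliant (note ecr.api alone would not count),
# vpc-0b has an ecr.dkr endpoint stuck in 'failed', vpc-0c only has an S3 gateway endpoint.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0aaa", "VpcId": "vpc-0a", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.dkr", "State": "available"},
    {"VpcEndpointId": "vpce-0bbb", "VpcId": "vpc-0a", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api", "State": "available"},
    {"VpcEndpointId": "vpce-0ccc", "VpcId": "vpc-0b", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.dkr", "State": "failed"},
    {"VpcEndpointId": "vpce-0ddd", "VpcId": "vpc-0c", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
]

if __name__ == "__main__":
    for vpc in ("vpc-0a", "vpc-0b", "vpc-0c"):
        print(*evaluate_vpc(SAMPLE_ENDPOINTS, vpc))
```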

Compliance

NIST 800-53