turbot/steampipe-mod-aws-compliance

Control: 55 VPCs should be configured with an interface endpoint for ECR API

Description

This control checks whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for Docker Registry. The control fails if the VPC doesn't have an interface VPC endpoint for Docker Registry. This control evaluates resources in a single account.

AWS PrivateLink enables customers to access services hosted on AWS in a highly available and scalable manner, while keeping all the network traffic within the AWS network. Service users can privately access services powered by PrivateLink from their VPC or their on-premises, without using public IPs, and without requiring traffic to traverse across the internet.

Remediation

To configure a VPC endpoint, see Access an AWS service using an interface VPC endpoint in the AWS PrivateLink Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_55

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_55 --share

SQL

This control uses a named query:

with vpc_endpoints as (
select distinct
vpc_id
from
aws_vpc_endpoint
where
service_name like 'com.amazonaws.' || region || '.ecr.api'
)
select
v.arn as resource,
case
when e.vpc_id is null then 'alarm'
else 'ok'
end as status,
case
when e.vpc_id is null then v.title || ' not configured to use interface endpoint for ECR API.'
else v.title || ' configured to use interface endpoint for ECR API.'
end as reason
, region, account_id
from
aws_vpc v left join vpc_endpoints e using (vpc_id);

Tags