Control: 55 VPCs should be configured with an interface endpoint for ECR API
Description
This control checks whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for Docker Registry. The control fails if the VPC doesn't have an interface VPC endpoint for Docker Registry. This control evaluates resources in a single account.
AWS PrivateLink enables customers to access services hosted on AWS in a highly available and scalable manner, while keeping all the network traffic within the AWS network. Service users can privately access services powered by PrivateLink from their VPC or their on-premises, without using public IPs, and without requiring traffic to traverse across the internet.
Remediation
To configure a VPC endpoint, see Access an AWS service using an interface VPC endpoint in the AWS PrivateLink Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_55Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_ec2_55 --shareSQL
This control uses a named query:
with vpc_endpoints as ( select distinct vpc_id from aws_vpc_endpoint where service_name like 'com.amazonaws.' || region || '.ecr.api')select v.arn as resource, case when e.vpc_id is null then 'alarm' else 'ok' end as status, case when e.vpc_id is null then v.title || ' not configured to use interface endpoint for ECR API.' else v.title || ' configured to use interface endpoint for ECR API.' end as reason , region, account_idfrom aws_vpc v left join vpc_endpoints e using (vpc_id);