Compliance · Medium severity

AWS Security Hub · EC2

EC2.55: VPC is missing an ECR API endpoint

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EC2.55 check?

EC2.55 fails any in-use VPC that has no interface endpoint for the Amazon ECR API service (com.amazonaws.<region>.ecr.api). It lists VPCs with running ENIs and checks for a matching endpoint in the available state — endpoints that are pending, failed, or deleting still fail the control.

Why does EC2.55 matter?

Without the ECR API endpoint, every registry call — authentication, image manifest lookups, repository describes — exits the VPC through the NAT Gateway, gets NATed to a public IP, and shows up as internet egress on your security dashboards. You pay NAT data-processing (~$0.045/GB) on every byte, and a private-subnet workload that should never touch the internet now does on every image pull.

How do I fix EC2.55?

  1. Run describe-vpc-endpoints per VPC filtered on the ecr.api service name to find the gaps, skipping empty default VPCs.
  2. Create the endpoint multi-AZ with --private-dns-enabled so application code needs no change.
  3. Verify the reroute by resolving api.ecr.<region>.amazonaws.com from inside the VPC and confirming it returns an RFC1918 address.
  4. Enable the AWS Config rule vpc-interface-endpoint-enabled parameterised with the ECR service names so a new VPC without the endpoint is caught.
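The following is an added example, not Emnode's remediation script or an AWS library: it reproduces the EC2.55 evaluation logic (in-use VPCs only, Interface endpoints in the available state only) over the shape of describe-network-interfaces / describe-vpc-endpoints output, builds the create_vpc_endpoint parameters for step 2, and implements the RFC1918 check from step 3. It also generalises beyond the page by evaluating the companion ecr.dkr endpoint (EC2.56) in the same pass. All resource IDs and the SAMPLE_* data are constructed; the function names are this example's own, and the optional main() assumes boto3 with describe permissions.

```python
"""Added example: evaluate EC2.55 (and optionally EC2.56) offline and
verify the private-DNS reroute. Not Emnode's script; IDs are constructed."""
import ipaddress
import socket

ECR_API = "ecr.api"   # service suffix checked by EC2.55
ECR_DKR = "ecr.dkr"   # companion Docker Registry endpoint, checked by EC2.56

# RFC1918 ranges only; ipaddress.is_private would also accept link-local etc.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_use_vpcs(network_interfaces):
    """VPC IDs with at least one ENI: the control's 'in-use' test.
    An empty default VPC has no ENIs and is therefore skipped."""
    return {eni["VpcId"] for eni in network_interfaces}


def available_endpoint_services(vpc_endpoints, region):
    """Map VPC ID -> set of service suffixes (e.g. 'ecr.api') that have an
    Interface endpoint in the 'available' state. Pending, failed and
    deleting endpoints are ignored, as the control ignores them."""
    prefix = f"com.amazonaws.{region}."
    have = {}
    for ep in vpc_endpoints:
        if ep.get("VpcEndpointType") != "Interface" or ep.get("State") != "available":
            continue
        name = ep["ServiceName"]
        if name.startswith(prefix):
            have.setdefault(ep["VpcId"], set()).add(name[len(prefix):])
    return have


def evaluate(network_interfaces, vpc_endpoints, region, services=(ECR_API,)):
    """Return {vpc_id: {service: 'PASSED' | 'FAILED'}} for every in-use VPC."""
    have = available_endpoint_services(vpc_endpoints, region)
    return {
        vpc: {svc: "PASSED" if svc in have.get(vpc, set()) else "FAILED" for svc in services}
        for vpc in sorted(in_use_vpcs(network_interfaces))
    }


def create_endpoint_params(vpc_id, region, subnet_ids, sg_id, service=ECR_API):
    """Step 2 as boto3 create_vpc_endpoint kwargs: pass one subnet per AZ for
    multi-AZ, and PrivateDnsEnabled so the public hostname resolves privately."""
    return {
        "VpcId": vpc_id,
        "VpcEndpointType": "Interface",
        "ServiceName": f"com.amazonaws.{region}.{service}",
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [sg_id],
        "PrivateDnsEnabled": True,
    }


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def resolves_privately(hostname, resolver=socket.gethostbyname):
    """Step 3: run from inside the VPC; True if the ECR API hostname resolves
    to an RFC1918 address, i.e. the endpoint's private DNS is in effect."""
    return is_rfc1918(resolver(hostname))


# Constructed sample data (not real accounts): one VPC with a working ecr.api
# endpoint but no ecr.dkr, one whose ecr.api endpoint is still pending.
SAMPLE_ENIS = [
    {"VpcId": "vpc-0a1b2c3d", "NetworkInterfaceId": "eni-0aaa"},
    {"VpcId": "vpc-0fedcba9", "NetworkInterfaceId": "eni-0bbb"},
]
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0a1b2c3d", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api", "State": "available"},
    {"VpcId": "vpc-0fedcba9", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api", "State": "pending"},
    {"VpcId": "vpc-0fedcba9", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.dkr", "State": "available"},
]


def main(region="us-east-1"):
    """Live run (assumes boto3 and ec2:Describe* permissions); paginates both calls."""
    import boto3  # imported here so the offline functions above need no SDK
    ec2 = boto3.client("ec2", region_name=region)
    enis = [e for p in ec2.get_paginator("describe_network_interfaces").paginate()
            for e in p["NetworkInterfaces"]]
    eps = [e for p in ec2.get_paginator("describe_vpc_endpoints").paginate()
           for e in p["VpcEndpoints"]]
    for vpc, result in evaluate(enis, eps, region, (ECR_API, ECR_DKR)).items():
        print(vpc, result)


if __name__ == "__main__":
    print(evaluate(SAMPLE_ENIS, SAMPLE_ENDPOINTS, "us-east-1", (ECR_API, ECR_DKR)))
```

On the constructed data, vpc-0a1b2c3d passes EC2.55 but fails EC2.56, and vpc-0fedcba9 fails EC2.55 because its endpoint is only pending, which is the pattern the false-positive note below describes: fix one control and the same VPC stays listed under the other until both endpoints are available.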

Remediation script · bash

# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
  --db-subnet-group-name prod-db-subnets-private \
  --db-subnet-group-description "Private subnets only - no IGW route" \
  --subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88

aws rds modify-db-instance \
  --db-instance-identifier prod-payments-db \
  --db-subnet-group-name prod-db-subnets-private \
  --apply-immediately

# Provide a private path before moving compute, so it can still reach AWS services:
# use a free S3 gateway endpoint, or a narrow interface endpoint, rather than a NAT gateway.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids subnet-0aa11 subnet-0bb22 \
  --security-group-ids sg-0ccfn33 --private-dns-enabled

# Force Redshift bulk traffic through the VPC (confirm an S3 gateway endpoint exists first).
aws redshift modify-cluster \
  --cluster-identifier analytics-prod --enhanced-vpc-routing

Full walkthrough (console steps, edge cases and verification) in the lesson Move resources into private networks (VPC isolation).

Is EC2.55 a false positive?

ECR image pulls usually need both the ECR API endpoint (EC2.55) and the Docker Registry endpoint (EC2.56). Adding one without the other leaves the registry data path still hairpinning through NAT, so the same VPC shows up under both controls.

Part of the learning path Tighten your databases
  • EC2.1 An EBS snapshot is publicly restorable by any account
  • EC2.2 Default security groups still allow traffic
  • EC2.3 Attached EBS volumes are not encrypted at rest
  • EC2.4 Long-stopped instances are abandoned attack surface
  • EC2.6 No VPC flow logs, so there is no network audit trail
  • EC2.7 New EBS volumes are not encrypted by default
  • EC2.8 IMDSv1 lets an SSRF steal instance credentials
  • EC2.9 Instances are directly reachable on public IPv4
  • EC2.10 EC2 API traffic leaves the VPC over the internet
  • EC2.13 SSH (port 22) is open to the entire internet
  • EC2.14 RDP (port 3389) is open to the entire internet
  • EC2.15 Subnets auto-assign public IPs to new instances