AWS Security Hub · EC2
EC2.56: VPC is missing a Docker Registry endpoint
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub EC2.56 check?
EC2.56 fails any in-use VPC that lacks an interface endpoint for the Amazon ECR Docker Registry service (com.amazonaws.<region>.ecr.dkr). It evaluates every VPC that has network interfaces attached and passes only when a matching endpoint exists in the available state.
Why does EC2.56 matter?
The ecr.dkr endpoint carries the actual image layer pulls, which are the bulk of registry traffic by volume. Without it, every layer download from a private subnet routes out through the NAT Gateway over the public internet, accumulating NAT data-processing charges and forcing an internet path on workloads that should stay private. Layer traffic almost always exceeds the volume at which the endpoint's hourly charge undercuts NAT data processing, so the endpoint pays for itself quickly.
How do I fix EC2.56?
- Identify VPCs running container workloads with no ecr.dkr endpoint via describe-vpc-endpoints filtered on the service name.
- Create the endpoint in every AZ the workload spans with --private-dns-enabled, alongside the ECR API endpoint.
- Confirm that a dig of dkr.ecr.<region>.amazonaws.com from inside the VPC resolves to the endpoint's private IPs, then confirm that an image pull no longer traverses the NAT Gateway.
- Add the AWS Config rule vpc-interface-endpoint-enabled covering the ECR service names to prevent regressions.
Remediation script · bash

```bash
# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
  --db-subnet-group-name prod-db-subnets-private \
  --db-subnet-group-description "Private subnets only - no IGW route" \
  --subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88
aws rds modify-db-instance \
  --db-instance-identifier prod-payments-db \
  --db-subnet-group-name prod-db-subnets-private \
  --apply-immediately

# Provide a private path before moving compute, so it can still reach AWS services.
# A free S3 gateway endpoint, or a narrow interface endpoint instead of a NAT gateway.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids subnet-0aa11 subnet-0bb22 \
  --security-group-ids sg-0ccfn33 --private-dns-enabled

# Force Redshift bulk traffic through the VPC (confirm an S3 gateway endpoint exists first).
aws redshift modify-cluster \
  --cluster-identifier analytics-prod --enhanced-vpc-routing
```

Full walkthrough (console steps, edge cases and verification) in the lesson Move resources into private networks (VPC isolation).
Is EC2.56 a false positive?
The Docker Registry endpoint only delivers private pulls if the ECR API endpoint (EC2.55) is also present — they work as a pair. A single-AZ endpoint also passes the control but makes every pull in the other AZs a hard dependency on one zone.
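The detection and remediation steps above, together with the two caveats in the false-positive note (the ecr.api pairing and single-AZ coverage), as an added example that is not part of this page or of Emnode's tooling. It evaluates data shaped like describe-network-interfaces, describe-vpc-endpoints and describe-subnets output entirely offline, reports which in-use VPCs fail EC2.56, which also lack the ecr.api partner endpoint, and which have an endpoint that does not span every AZ the VPC uses, and then emits create_vpc_endpoint parameters (real boto3 parameter names) with one subnet per AZ and private DNS enabled. The VPC, subnet and security-group ids, the sample records and the helper names are constructed or assumed.

```python
"""Evaluate VPCs against the EC2.56 condition and plan the missing ECR endpoints.

Added example. Input lists mirror the shape of describe-network-interfaces,
describe-vpc-endpoints and describe-subnets output; all sample data is constructed.
"""
from collections import defaultdict

# ecr.dkr is what EC2.56 requires; ecr.api is the partner endpoint (EC2.55)
# without which private pulls do not work, so both are checked together.
ECR_SERVICES = ("ecr.dkr", "ecr.api")


def service_name(region, short):
    return f"com.amazonaws.{region}.{short}"


def vpcs_in_use(network_interfaces):
    """VPC id -> set of AZs holding at least one ENI. VPCs with no ENIs are
    not evaluated, matching the control's in-use scope."""
    azs = defaultdict(set)
    for eni in network_interfaces:
        azs[eni["VpcId"]].add(eni["AvailabilityZone"])
    return azs


def available_endpoints(vpc_endpoints, region):
    """(VpcId, short service) -> subnet ids, counting only Interface endpoints in
    the 'available' state; a pending or failed endpoint does not satisfy the control."""
    found = defaultdict(set)
    for ep in vpc_endpoints:
        if ep.get("VpcEndpointType") != "Interface" or ep.get("State") != "available":
            continue
        for short in ECR_SERVICES:
            if ep["ServiceName"] == service_name(region, short):
                found[(ep["VpcId"], short)].update(ep.get("SubnetIds", []))
    return found


def evaluate(network_interfaces, vpc_endpoints, subnets, region):
    """Per in-use VPC: whether EC2.56 fails, which ECR endpoints are missing, and
    which exist but do not cover every AZ the VPC has ENIs in (the single-AZ case)."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    eps = available_endpoints(vpc_endpoints, region)
    report = {}
    for vpc_id, azs in vpcs_in_use(network_interfaces).items():
        missing, partial = [], []
        for short in ECR_SERVICES:
            subnet_ids = eps.get((vpc_id, short))
            if not subnet_ids:
                missing.append(short)
                continue
            covered = {subnet_az[s] for s in subnet_ids if s in subnet_az}
            if not azs <= covered:
                partial.append(short)
        report[vpc_id] = {"fails_ec2_56": "ecr.dkr" in missing,
                          "missing": missing, "partial_az": partial}
    return report


def plan_endpoints(report, network_interfaces, subnets, region, security_group_id):
    """create_vpc_endpoint parameters for each missing endpoint: one subnet per AZ the
    VPC uses, private DNS on. security_group_id (assumed) must allow 443 from the VPC CIDR."""
    azs_by_vpc = vpcs_in_use(network_interfaces)
    plan = []
    for vpc_id, result in report.items():
        chosen = {}  # AZ -> lowest subnet id in that AZ
        for s in sorted(subnets, key=lambda s: s["SubnetId"]):
            if s["VpcId"] == vpc_id and s["AvailabilityZone"] in azs_by_vpc[vpc_id]:
                chosen.setdefault(s["AvailabilityZone"], s["SubnetId"])
        for short in result["missing"]:
            plan.append({"VpcId": vpc_id, "VpcEndpointType": "Interface",
                         "ServiceName": service_name(region, short),
                         "SubnetIds": sorted(chosen.values()),
                         "SecurityGroupIds": [security_group_id],
                         "PrivateDnsEnabled": True})
    return plan


def apply_plan(plan, ec2_client):
    """Create the planned endpoints. ec2_client is an injected boto3 EC2 client
    (boto3.client("ec2")) so that evaluation and planning stay testable offline."""
    return [ec2_client.create_vpc_endpoint(**p)["VpcEndpoint"]["VpcEndpointId"] for p in plan]


# Constructed sample: vpc-aaa spans two AZs but has only a single-AZ ecr.api endpoint and a
# still-pending ecr.dkr one; vpc-bbb is compliant; vpc-ccc has no ENIs and is out of scope.
REGION = "us-east-1"
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a1", "VpcId": "vpc-aaa", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-b1", "VpcId": "vpc-aaa", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-c1", "VpcId": "vpc-bbb", "AvailabilityZone": "us-east-1a"},
]
SAMPLE_ENIS = [
    {"VpcId": "vpc-aaa", "AvailabilityZone": "us-east-1a"},
    {"VpcId": "vpc-aaa", "AvailabilityZone": "us-east-1b"},
    {"VpcId": "vpc-bbb", "AvailabilityZone": "us-east-1a"},
]


def _ep(vpc, short, state, subnet_ids):
    return {"VpcId": vpc, "VpcEndpointType": "Interface", "State": state,
            "ServiceName": service_name(REGION, short), "SubnetIds": subnet_ids}


SAMPLE_ENDPOINTS = [
    _ep("vpc-aaa", "ecr.api", "available", ["subnet-a1"]),
    _ep("vpc-aaa", "ecr.dkr", "pending", ["subnet-a1", "subnet-b1"]),
    _ep("vpc-bbb", "ecr.api", "available", ["subnet-c1"]),
    _ep("vpc-bbb", "ecr.dkr", "available", ["subnet-c1"]),
    {"VpcId": "vpc-ccc", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": service_name(REGION, "s3")},
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_ENIS, SAMPLE_ENDPOINTS, SAMPLE_SUBNETS, REGION)
    for vpc_id, r in report.items():
        print(vpc_id, "FAIL" if r["fails_ec2_56"] else "PASS", r)
    for p in plan_endpoints(report, SAMPLE_ENIS, SAMPLE_SUBNETS, REGION, "sg-EXAMPLE"):
        print("would create", p["ServiceName"], "in", p["SubnetIds"])
```

In real use, feed the three lists from the corresponding describe calls (paginated), review the printed plan, then pass `boto3.client("ec2")` to apply_plan. Endpoints that exist but are reported under partial_az are deliberately not modified by the plan; extending them to the remaining AZs is a separate change to review, since it alters an endpoint that workloads are already pulling through.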
More EC2 controls
- EC2.1 An EBS snapshot is publicly restorable by any account
- EC2.2 Default security groups still allow traffic
- EC2.3 Attached EBS volumes are not encrypted at rest
- EC2.4 Long-stopped instances are abandoned attack surface
- EC2.6 No VPC flow logs, so there is no network audit trail
- EC2.7 New EBS volumes are not encrypted by default
- EC2.8 IMDSv1 lets an SSRF steal instance credentials
- EC2.9 Instances are directly reachable on public IPv4
- EC2.10 EC2 API traffic leaves the VPC over the internet
- EC2.13 SSH (port 22) is open to the entire internet
- EC2.14 RDP (port 3389) is open to the entire internet
- EC2.15 Subnets auto-assign public IPs to new instances