AWS Security ChangesHomeSearch

AWS AmazonECR medium security documentation change

Service: AmazonECR · 2025-11-19 · Security-related medium

File: AmazonECR/latest/userguide/vpc-endpoints.md

Summary

Added documentation for FIPS 140-3 compliant VPC endpoints including endpoint names and example commands

Security assessment

The changes explicitly add support for FIPS 140-3 validated cryptographic modules, which is a U.S. government security standard. This helps customers meet compliance requirements for cryptographic security in sensitive workloads.

Diff

diff --git a/AmazonECR/latest/userguide/vpc-endpoints.md b/AmazonECR/latest/userguide/vpc-endpoints.md
index f7635f6ab..304d748e0 100644
--- a//AmazonECR/latest/userguide/vpc-endpoints.md
+++ b//AmazonECR/latest/userguide/vpc-endpoints.md
@@ -30,0 +31,2 @@ Before you configure VPC endpoints for Amazon ECR, be aware of the following con
+  * For workloads requiring FIPS 140-3 validated cryptographic modules, Amazon ECR supports FIPS endpoints for VPC endpoints.
+
@@ -81,0 +84,2 @@ When you create this endpoint, you must enable a private DNS hostname. To do thi
+For FIPS 140-3 compliant connections, use the FIPS endpoint name **com.amazonaws.`region`.ecr-fips.dkr**
+
@@ -88,0 +93,2 @@ The specified `region` represents the Region identifier for an AWS Region suppor
+For FIPS 140-3 compliant connections, use the FIPS endpoint names: **com.amazonaws.`region`.ecr-fips.dkr** and **com.amazonaws.`region`.ecr-fips.api**.
+
@@ -92,0 +99,2 @@ When this endpoint is created, you have the option to enable a private DNS hostn
+For FIPS 140-3 compliant connections, use the FIPS endpoint name **com.amazonaws.`region`.ecr-fips.api**.
+
@@ -102,0 +111,5 @@ If you don't enable a private DNS hostname for the VPC endpoint, you must use th
+For FIPS 140-3 compliant connections, use the FIPS endpoint URL:
+    
+    
+    aws ecr create-repository --repository-name name --endpoint-url https://api.ecr-fips.region.amazonaws.com
+