internal

The absence of an Amazon ECR Docker Registry interface endpoint is not a meaningful compliance finding by itself. A VPC only needs this endpoint when workloads in that VPC are expected to pull or push container images privately through ECR. CE does not have a reliable way to prove that such workloads or that requirement actually exist in the account or in the specific VPC.
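The reasoning above can be expressed as a check that reports a failure only when the requirement is known. This is an added example, not the page's or CE's own logic. The per-VPC `required` declaration is a hypothetical input (assumed to be supplied by the VPC owner), and the sample data is constructed in the shape of EC2 `DescribeVpcEndpoints` output.

```python
# Constructed sample data, shaped like EC2 DescribeVpcEndpoints results.
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-aaa", "ServiceName": "com.amazonaws.us-east-1.ecr.dkr",
     "VpcEndpointType": "Interface", "State": "available"},
    {"VpcId": "vpc-bbb", "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
]

# Hypothetical declaration per VPC (assumption): True = private ECR access is
# required, False = explicitly not required, None = nobody has stated either way.
SAMPLE_VPCS = {"vpc-aaa": True, "vpc-bbb": True, "vpc-ccc": None, "vpc-ddd": False}


def has_ecr_dkr_endpoint(vpc_id, endpoints):
    """True if the VPC has a usable ECR Docker Registry interface endpoint."""
    return any(
        e["VpcId"] == vpc_id
        and e["VpcEndpointType"] == "Interface"
        and e["ServiceName"].endswith(".ecr.dkr")
        and e["State"].lower() == "available"
        for e in endpoints
    )


def evaluate(vpcs, endpoints):
    """Classify each VPC; a missing endpoint alone never produces FAIL."""
    results = {}
    for vpc_id, required in vpcs.items():
        if has_ecr_dkr_endpoint(vpc_id, endpoints):
            results[vpc_id] = "PASS"
        elif required is True:
            # Endpoint missing and the requirement is known: a real finding.
            results[vpc_id] = "FAIL"
        elif required is False:
            results[vpc_id] = "NOT_APPLICABLE"
        else:
            # Endpoint missing but the requirement cannot be established.
            results[vpc_id] = "NOT_EVALUATED"
    return results


if __name__ == "__main__":
    for vpc, status in evaluate(SAMPLE_VPCS, SAMPLE_ENDPOINTS).items():
        print(vpc, status)
```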