Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway
Ensure you are always under the control of your environment. Always review cross-account attachment requests to your Transit gateway and approve them only if you trust the source.
Risk Level: Medium
Cloud Entity: AWS Transit Gateway
CloudGuard Rule ID: D9.AWS.MON.20
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
TransitGateway should have options.autoAcceptSharedAttachments='disable'
REMEDIATION
From Portal
Perform the following steps in order to set 'Auto accept shared attachments' to disable:
- Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
- Open Transit Gateways.
- Choose relevant gateway and click Actions
- Click Modify transit gateway.
- Uncheck 'Auto-accept shared attachments' under 'Configure cross-account sharing options' section.
From TF
resource "aws_ec2_transit_gateway" "primary_gateway" {
- auto_accept_shared_attachments = "enable"
+ auto_accept_shared_attachments = "disable"
}
From Command Line
aws ec2 modify-transit-gateway --transit-gateway-id Transit_gateway_ID --options AutoAcceptSharedAttachments=disable
References
- https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-transit-gateway.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway
AWS Transit Gateway
AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router ��� each new connection is only mad
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v10
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated about 1 year ago