Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross-account attachments to your Transit Gateway

Stay in control of your environment. With auto-accept enabled, any account that your Transit Gateway has been shared with (via AWS Resource Access Manager) can attach a VPC to it without your involvement, so its routes become reachable from a network you never reviewed. Disable auto-accept, then review every cross-account attachment request and accept it only if you trust the requesting account; reject the rest.

Risk Level: Medium
Cloud Entity: AWS Transit Gateway
CloudGuard Rule ID: D9.AWS.MON.20
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

TransitGateway should have options.autoAcceptSharedAttachments='disable'

REMEDIATION

From Portal
Perform the following steps to set 'Auto accept shared attachments' to disable:

  1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. Open Transit Gateways.
  3. Choose the relevant gateway and click Actions.
  4. Click Modify transit gateway.
  5. Uncheck 'Auto-accept shared attachments' under the 'Configure cross-account sharing options' section.

From TF

resource "aws_ec2_transit_gateway" "primary_gateway" {
	- auto_accept_shared_attachments = "enable"
	+ auto_accept_shared_attachments = "disable"
}

From Command Line

aws ec2 modify-transit-gateway --transit-gateway-id Transit_gateway_ID --options AutoAcceptSharedAttachments=disable
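The remediation above fixes one gateway at a time. As an added example (not code from the CloudGuard page or product), the Python below applies the same GSL check to the JSON shape returned by `aws ec2 describe-transit-gateways`, emits the page's modify command for every offending gateway, and then triages attachments left in the `pendingAcceptance` state once auto-accept is off, accepting only requests whose `ResourceOwnerId` is on an allowlist. Both response bodies are constructed samples, and the account IDs and allowlist are assumptions; in real use replace them with the output of the two describe calls (boto3 `describe_transit_gateways()` and `describe_transit_gateway_attachments()`).

```python
"""Offline audit helper for CloudGuard rule D9.AWS.MON.20 (added example).

Implements the GSL logic (Options.AutoAcceptSharedAttachments must be 'disable')
over the EC2 describe-transit-gateways shape, and triages attachments waiting in
pendingAcceptance, which is where cross-account requests sit once auto-accept is off.
"""

# Constructed sample responses (not real AWS data). Keys mirror the EC2 API.
SAMPLE_TGWS = {
    "TransitGateways": [
        {"TransitGatewayId": "tgw-0a1b2c3d4e5f60001", "OwnerId": "111111111111",
         "State": "available", "Options": {"AutoAcceptSharedAttachments": "enable"}},
        {"TransitGatewayId": "tgw-0a1b2c3d4e5f60002", "OwnerId": "111111111111",
         "State": "available", "Options": {"AutoAcceptSharedAttachments": "disable"}},
    ]
}

SAMPLE_ATTACHMENTS = {
    "TransitGatewayAttachments": [
        # Request from a partner account we have an agreement with (assumed).
        {"TransitGatewayAttachmentId": "tgw-attach-0000000000000aaaa",
         "TransitGatewayId": "tgw-0a1b2c3d4e5f60002", "TransitGatewayOwnerId": "111111111111",
         "ResourceOwnerId": "222222222222", "ResourceType": "vpc",
         "ResourceId": "vpc-0aaaaaaaaaaaaaaaa", "State": "pendingAcceptance"},
        # Request from an account nobody recognises.
        {"TransitGatewayAttachmentId": "tgw-attach-0000000000000bbbb",
         "TransitGatewayId": "tgw-0a1b2c3d4e5f60002", "TransitGatewayOwnerId": "111111111111",
         "ResourceOwnerId": "333333333333", "ResourceType": "vpc",
         "ResourceId": "vpc-0bbbbbbbbbbbbbbbb", "State": "pendingAcceptance"},
        # Already accepted earlier; not awaiting a decision.
        {"TransitGatewayAttachmentId": "tgw-attach-0000000000000cccc",
         "TransitGatewayId": "tgw-0a1b2c3d4e5f60002", "TransitGatewayOwnerId": "111111111111",
         "ResourceOwnerId": "111111111111", "ResourceType": "vpc",
         "ResourceId": "vpc-0ccccccccccccccccc", "State": "available"},
    ]
}


def noncompliant_gateways(describe_tgws):
    """GSL logic: every gateway whose AutoAcceptSharedAttachments is not 'disable'.
    A missing Options block is reported as non-compliant rather than silently passed."""
    return [
        tgw["TransitGatewayId"]
        for tgw in describe_tgws.get("TransitGateways", [])
        if tgw.get("Options", {}).get("AutoAcceptSharedAttachments") != "disable"
    ]


def remediation_commands(tgw_ids):
    """The CLI remediation from this page, one command per non-compliant gateway."""
    return [
        f"aws ec2 modify-transit-gateway --transit-gateway-id {tgw_id} "
        "--options AutoAcceptSharedAttachments=disable"
        for tgw_id in tgw_ids
    ]


def triage_pending_attachments(describe_attachments, trusted_accounts):
    """Decide each pendingAcceptance attachment: accept when the requesting account
    (ResourceOwnerId) is on the allowlist, otherwise reject. Only VPC attachments get
    a ready-to-run command; other types (e.g. peering) use different CLI subcommands."""
    decisions = []
    for att in describe_attachments.get("TransitGatewayAttachments", []):
        if att.get("State") != "pendingAcceptance":
            continue
        requester = att["ResourceOwnerId"]
        verb = "accept" if requester in trusted_accounts else "reject"
        cmd = None
        if att.get("ResourceType") == "vpc":
            cmd = (f"aws ec2 {verb}-transit-gateway-vpc-attachment "
                   f"--transit-gateway-attachment-id {att['TransitGatewayAttachmentId']}")
        decisions.append({"attachment": att["TransitGatewayAttachmentId"],
                          "gateway": att["TransitGatewayId"], "requester": requester,
                          "action": verb, "command": cmd})
    return decisions


if __name__ == "__main__":
    bad = noncompliant_gateways(SAMPLE_TGWS)
    print("Non-compliant transit gateways:", bad or "none")
    for cmd in remediation_commands(bad):
        print("  ", cmd)
    # Allowlist (assumed): our own account plus one partner account.
    for d in triage_pending_attachments(SAMPLE_ATTACHMENTS, {"111111111111", "222222222222"}):
        print(f"{d['attachment']} from {d['requester']}: {d['action']}\n   {d['command']}")
```

Run it as-is to see the report on the sample data; in a real account, feed the two functions the parsed output of the describe calls and review the printed accept/reject commands before executing them, since rejecting is cheap but accepting exposes your route tables to the requester's VPC.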

References

  1. https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-transit-gateway.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway

AWS Transit Gateway

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is only mad

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v10
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset