Define VPC associations and propagations yourself so that every route and connection to and from your Transit Gateway is tracked

To keep control of your VPC environment and Transit Gateway, set the transit gateway's associations and propagations manually. Note: by default, AWS configures a transit gateway to define associations and propagations automatically.

Risk Level: Low
Cloud Entity: AWS Transit Gateway
CloudGuard Rule ID: D9.AWS.NET.59
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

TransitGateway should have options.defaultRouteTableAssociation='disable' and options.defaultRouteTablePropagation='disable'

REMEDIATION

From Portal:
Perform the following steps to set 'Default route table association' and 'Default route table propagation' to disable:

  1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. Choose Transit Gateways
  3. Choose the relevant gateway and click Actions -> Modify.
  4. Uncheck 'Default route table association' and 'Default route table propagation'.
  5. Update route table with the necessary routes.

From TF:

resource "aws_ec2_transit_gateway" "example" {
	- default_route_table_association = "enable"
	- default_route_table_propagation = "enable"
	+ default_route_table_association = "disable"
	+ default_route_table_propagation = "disable"
}
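Review bot: the two removed lines are the AWS provider's default values for default_route_table_association and default_route_table_propagation, so a resource that never declared either argument is in the same non-compliant state as the "enable" lines shown; the fix is adding the two "disable" lines explicitly, not merely deleting the "enable" ones. Once both are disabled, new attachments are no longer associated with or propagated to the default route table, so the configuration also needs explicit aws_ec2_transit_gateway_route_table_association and aws_ec2_transit_gateway_route_table_propagation resources for each attachment that should route, which is the Terraform counterpart of step 5 in the portal procedure.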

From Command Line:

aws ec2 modify-transit-gateway --transit-gateway-id Transit_gateway_ID --options DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable
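The following added example is not part of the CloudGuard rule or the Spectral/AWS tooling; it applies the GSL logic above to the JSON that `aws ec2 describe-transit-gateways` returns and prints the remediation command from this section for every gateway that fails. The input below is a constructed sample with made-up gateway IDs that only mirrors the documented output shape (`TransitGateways[].TransitGatewayId` and `.Options`); in practice you would load the real command's output instead. A gateway with a missing `Options` block is treated as non-compliant, since the rule requires both values to equal 'disable'.

```python
import json
import shlex

# Constructed sample: the shape mirrors `aws ec2 describe-transit-gateways`
# output, but the IDs and option values are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "TransitGateways": [
    {
      "TransitGatewayId": "tgw-0example000000001",
      "State": "available",
      "Options": {
        "DefaultRouteTableAssociation": "enable",
        "DefaultRouteTablePropagation": "enable"
      }
    },
    {
      "TransitGatewayId": "tgw-0example000000002",
      "State": "available",
      "Options": {
        "DefaultRouteTableAssociation": "disable",
        "DefaultRouteTablePropagation": "disable"
      }
    },
    {
      "TransitGatewayId": "tgw-0example000000003",
      "State": "available",
      "Options": {
        "DefaultRouteTableAssociation": "disable",
        "DefaultRouteTablePropagation": "enable"
      }
    }
  ]
}
""")

# The rule's GSL logic: both options must be 'disable'.
REQUIRED = {
    "DefaultRouteTableAssociation": "disable",
    "DefaultRouteTablePropagation": "disable",
}


def is_compliant(transit_gateway):
    """Return True only if both options are present and equal to 'disable'."""
    options = transit_gateway.get("Options") or {}
    return all(options.get(key) == value for key, value in REQUIRED.items())


def find_noncompliant(describe_output):
    """Return (gateway id, [violating option names]) for each gateway that
    still associates or propagates attachments automatically."""
    findings = []
    for tgw in describe_output.get("TransitGateways", []):
        if not is_compliant(tgw):
            options = tgw.get("Options") or {}
            bad = sorted(k for k, v in REQUIRED.items() if options.get(k) != v)
            findings.append((tgw["TransitGatewayId"], bad))
    return findings


def remediation_command(tgw_id):
    """Build the `aws ec2 modify-transit-gateway` call from the remediation
    section for one non-compliant gateway."""
    return " ".join([
        "aws ec2 modify-transit-gateway",
        "--transit-gateway-id", shlex.quote(tgw_id),
        "--options",
        "DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable",
    ])


if __name__ == "__main__":
    for tgw_id, bad in find_noncompliant(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{tgw_id}: non-compliant ({', '.join(bad)})")
        print("  " + remediation_command(tgw_id))
```

Running the script prints the two sample gateways that fail together with their remediation commands; the compliant gateway produces no output. Review the printed commands before executing them, because disabling automatic association and propagation stops routing for attachments that do not yet have explicit route table associations and propagations (step 5 of the portal procedure).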

References:

  1. https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-transit-gateway.html

AWS Transit Gateway

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is only mad

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset