Ensure the number of private gateways is within the AWS limit for each region

Checks that the number of virtual private gateways in each AWS region of your account is not close to the AWS-imposed limit. If the number of gateways in a region approaches the limit, you will receive an alert. Per the AWS service quotas, the limit for virtual private gateways per region is 5. This policy triggers an alert when the number of virtual private gateways in a region reaches 80% (i.e. 4) of the allocated resource limit.

Risk Level: Low
Cloud Entity: Amazon VPC
CloudGuard Rule ID: D9.AWS.OPE.09
Covered by Spectral: No
Category: Compute

GSL LOGIC

VPC should not have vpnGateways length()>3

REMEDIATION

From Portal

  1. Log in to the AWS console.
  2. In the console, select the specific region.
  3. Navigate to the VPC Dashboard.
  4. Click 'Virtual Private Gateways'.
  5. Select the Virtual Private Gateway you want to delete, which is not used or required.
  6. Click the 'Actions' dropdown.
  7. Click 'Virtual Private Gateway'.
  8. In the 'Delete Virtual Private Gateway' popup dialog, click 'Yes, Delete'.

NOTE: If a Virtual Private Gateway is already in use, it cannot be deleted. Make sure to detach the gateway from its VPC before deleting it. If the existing Virtual Private Gateways are all properly associated and have exhausted your Virtual Private Gateway limit allocation, you can contact AWS for a service limit increase.

From Command Line
Use the following command to delete a virtual private gateway (replace gateway_id with the ID of the gateway):

aws ec2 delete-vpn-gateway --vpn-gateway-id gateway_id

Note: You must first detach the virtual private gateway from the VPC. Note that you don't need to delete the virtual private gateway if you plan to delete and recreate the VPN connection between your VPC and your network.
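The per-region check above and the detach-before-delete note can be evaluated offline against describe-vpn-gateways output. The following is an added example, not CloudGuard's or AWS's own code; the response below is constructed sample data in the shape of `aws ec2 describe-vpn-gateways` for one region, and the gateway and VPC IDs in it are placeholders.

```python
"""Evaluate the virtual-private-gateway-per-region check against
describe-vpn-gateways output and list gateways that can be deleted."""
import math

VGW_PER_REGION_LIMIT = 5   # AWS default quota: virtual private gateways per region
ALERT_FRACTION = 0.8       # the rule alerts at 80% of the quota (4 of 5)

# Constructed sample for one region (placeholder IDs); a real run would pass
# the parsed output of `aws ec2 describe-vpn-gateways` for that region instead.
SAMPLE_REGION_RESPONSE = {
    "VpnGateways": [
        {"VpnGatewayId": "vgw-0000000000000001", "State": "available",
         "VpcAttachments": [{"State": "attached", "VpcId": "vpc-0000000000000aaa"}]},
        {"VpnGatewayId": "vgw-0000000000000002", "State": "available",
         "VpcAttachments": [{"State": "attached", "VpcId": "vpc-0000000000000aaa"}]},
        {"VpnGatewayId": "vgw-0000000000000003", "State": "available",
         "VpcAttachments": [{"State": "detached", "VpcId": "vpc-0000000000000bbb"}]},
        {"VpnGatewayId": "vgw-0000000000000004", "State": "available",
         "VpcAttachments": []},
        # Already deleted: no longer consumes the quota.
        {"VpnGatewayId": "vgw-0000000000000005", "State": "deleted",
         "VpcAttachments": []},
    ]
}


def alert_threshold(limit=VGW_PER_REGION_LIMIT, fraction=ALERT_FRACTION):
    """Smallest gateway count that counts as 'approaching the limit'."""
    return math.ceil(limit * fraction)   # 5 * 0.8 -> 4


def evaluate_region(response, limit=VGW_PER_REGION_LIMIT, fraction=ALERT_FRACTION):
    """Return a finding for one region's describe-vpn-gateways output.

    Every gateway that is not in state 'deleted' counts toward the quota,
    whether or not it is attached to a VPC. Gateways with no 'attached'
    VpcAttachment can be deleted without a detach step first.
    """
    live = [g for g in response["VpnGateways"] if g["State"] != "deleted"]
    unattached = [g["VpnGatewayId"] for g in live
                  if not any(a["State"] == "attached" for a in g["VpcAttachments"])]
    return {
        "count": len(live),
        "limit": limit,
        "alert": len(live) >= alert_threshold(limit, fraction),
        "deletion_candidates": unattached,
    }


if __name__ == "__main__":
    print(evaluate_region(SAMPLE_REGION_RESPONSE))
```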

References

  1. http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html
  2. https://docs.aws.amazon.com/general/latest/gr/vpc-service.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-vpn-gateway.html

Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MAS TRM Framework
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset