Risk Level: Medium
Cloud Entity: AWS Transit Gateway
CloudGuard Rule ID: D9.TF.AWS.MON.20
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

aws_ec2_transit_gateway where auto_accept_shared_attachments should have auto_accept_shared_attachments regexMatch /disable/i

REMEDIATION

Perform the following steps in order to set 'Auto accept shared attachments' to disable:

From Portal

Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
Choose Transit Gateways
Choose relevant gateway and click Actions -> Modify.
Uncheck 'Auto-accept shared attachments'

From CLI
aws ec2 modify-transit-gateway --transit-gateway-id <Transit gateway ID> --options AutoAcceptSharedAttachments=disable

From TF

resource "aws_ec2_transit_gateway" "example" {
	- auto_accept_shared_attachments = "enable"
	+ auto_accept_shared_attachments = "disable"
}

References
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-transit-gateway.html

AWS Transit Gateway

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router — each new connection is only mad

Compliance Frameworks

Terraform AWS CIS Foundations