Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway
Ensure you are always under the control of your environment. Always review cross-account attachment requests to your Transit gateway and approve them only if you trust the source.
Risk Level: Medium
Cloud Entity: AWS Transit Gateway
CloudGuard Rule ID: D9.TF.AWS.MON.20
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
aws_ec2_transit_gateway where auto_accept_shared_attachments should have auto_accept_shared_attachments regexMatch /disable/i
REMEDIATION
Perform the following steps in order to set 'Auto accept shared attachments' to disable:
From Portal
- Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
- Choose Transit Gateways
- Choose relevant gateway and click Actions -> Modify.
- Uncheck 'Auto-accept shared attachments'
From CLI
aws ec2 modify-transit-gateway --transit-gateway-id <Transit gateway ID> --options AutoAcceptSharedAttachments=disable
From TF
resource "aws_ec2_transit_gateway" "example" {
- auto_accept_shared_attachments = "enable"
+ auto_accept_shared_attachments = "disable"
}
References
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-transit-gateway.html
AWS Transit Gateway
AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router ��� each new connection is only mad
Compliance Frameworks
- Terraform AWS CIS Foundations
Updated over 1 year ago