Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross account attachments to your Transit Gateway

Ensure you are always under the control of your environment. Always review cross-account attachment requests to your Transit gateway and approve them only if you trust the source.

Risk Level: Medium
Cloud Entity: AWS Transit Gateway
CloudGuard Rule ID: D9.TF.AWS.MON.20
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

aws_ec2_transit_gateway where auto_accept_shared_attachments  should have auto_accept_shared_attachments regexMatch /disable/i

REMEDIATION

Perform the following steps in order to set 'Auto accept shared attachments' to disable:

From Portal

  1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. Choose Transit Gateways
  3. Choose relevant gateway and click Actions -> Modify.
  4. Uncheck 'Auto-accept shared attachments'

From CLI
aws ec2 modify-transit-gateway --transit-gateway-id <Transit gateway ID> --options AutoAcceptSharedAttachments=disable

From TF

resource "aws_ec2_transit_gateway" "example" {
	- auto_accept_shared_attachments = "enable"
	+ auto_accept_shared_attachments = "disable"
}

References
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-transit-gateway.html

AWS Transit Gateway

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router ��� each new connection is only mad

Compliance Frameworks

  • Terraform AWS CIS Foundations