Ensure 'Auto accept shared attachments' is disabled, to avoid unknown cross-account attachments to your Transit Gateway
Ensure you always remain in control of your environment. Always review cross-account attachment requests to your Transit Gateway and approve them only if you trust the source.
Risk Level: Medium
Cloud Entity: AWS Transit Gateway
CloudGuard Rule ID: D9.TF.AWS.MON.20
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
aws_ec2_transit_gateway where auto_accept_shared_attachments should have auto_accept_shared_attachments regexMatch /disable/i
REMEDIATION
Perform the following steps to set 'Auto accept shared attachments' to 'disable':
From Portal
- Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
- Choose Transit Gateways
- Choose the relevant gateway and click Actions -> Modify.
- Uncheck 'Auto-accept shared attachments'
From CLI
aws ec2 modify-transit-gateway --transit-gateway-id <Transit gateway ID> --options AutoAcceptSharedAttachments=disable
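The same check, scripted: an added audit example (not CloudGuard's or AWS's code) that applies the GSL logic above to the output of boto3's describe_transit_gateways and flags any gateway whose AutoAcceptSharedAttachments option does not match /disable/i. The sample response and gateway IDs below are constructed for illustration; the remediate helper is assumed to be called only after the findings have been reviewed.

```python
"""Audit AWS Transit Gateways for auto-accepted shared attachments.

Mirrors the GSL rule: Options.AutoAcceptSharedAttachments must match
/disable/i. A missing option is reported as a finding too, so an
unexpected response shape never passes silently.
"""
import re
from typing import Dict, List

DISABLE_RE = re.compile(r"disable", re.IGNORECASE)


def noncompliant_gateways(describe_response: Dict) -> List[str]:
    """Return IDs of gateways that do not have the option set to 'disable'.

    `describe_response` has the shape returned by
    ec2.describe_transit_gateways().
    """
    findings = []
    for tgw in describe_response.get("TransitGateways", []):
        value = tgw.get("Options", {}).get("AutoAcceptSharedAttachments", "")
        if not DISABLE_RE.search(value):
            findings.append(tgw["TransitGatewayId"])
    return findings


def remediate(ec2, tgw_id: str) -> None:
    """Apply the CLI remediation from this page via boto3 (assumed usage:
    call only for reviewed findings)."""
    ec2.modify_transit_gateway(
        TransitGatewayId=tgw_id,
        Options={"AutoAcceptSharedAttachments": "disable"},
    )


# Constructed sample shaped like describe_transit_gateways() output.
SAMPLE_RESPONSE = {
    "TransitGateways": [
        {"TransitGatewayId": "tgw-0aaaaaaaaaaaaaaaa",
         "Options": {"AutoAcceptSharedAttachments": "enable"}},   # finding
        {"TransitGatewayId": "tgw-0bbbbbbbbbbbbbbbb",
         "Options": {"AutoAcceptSharedAttachments": "disable"}},  # compliant
        {"TransitGatewayId": "tgw-0ccccccccccccccccc",
         "Options": {}},                                          # finding
    ]
}

if __name__ == "__main__":
    import boto3  # only needed for a live audit, not for the sample above
    ec2 = boto3.client("ec2")
    for tgw_id in noncompliant_gateways(ec2.describe_transit_gateways()):
        print(f"{tgw_id}: AutoAcceptSharedAttachments is not 'disable'")
```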
From TF
resource "aws_ec2_transit_gateway" "example" {
- auto_accept_shared_attachments = "enable"
+ auto_accept_shared_attachments = "disable"
}
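Review bot: keep the attribute explicitly set to "disable" rather than deleting the line: the GSL logic above evaluates the value of auto_accept_shared_attachments against /disable/i, so an explicit value is what the check reads and what reviewers see in the plan.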
References
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-transit-gateway.html
AWS Transit Gateway
AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is only mad
Compliance Frameworks
- Terraform AWS CIS Foundations
Updated about 1 year ago