Ensure that you define VPC associations and propagations yourself, to keep track of all routes and connections to and from your Transit Gateway

Risk Level: Low
Cloud Entity: AWS Transit Gateway
CloudGuard Rule ID: D9.TF.AWS.NET.59
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

aws_ec2_transit_gateway should have default_route_table_association regexMatch /disable/i and default_route_table_propagation regexMatch /disable/i

REMEDIATION

Perform the following steps to set 'Default route table association' and 'Default route table propagation' to disable:
From Portal

  1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. Choose Transit Gateways
  3. Choose the relevant gateway and click Actions -> Modify.
  4. Uncheck 'Default route table association' and 'Default route table propagation'.
  5. Update the route table with the necessary routes.

From CLI
aws ec2 modify-transit-gateway --transit-gateway-id <Transit gateway ID> --options DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable

From TF

resource "aws_ec2_transit_gateway" "example" {
	- default_route_table_association  = "enable"
	+ default_route_table_association  = "disable"
	- default_route_table_propagation  = "enable"
	+ default_route_table_propagation  = "disable"
}
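The following is an added example, not CloudGuard's own rule engine nor AWS code. It implements the GSL check above in Python over the `TransitGateways[].Options` structure that ec2:DescribeTransitGateways returns (option names are the API's own), and applies the same change as the CLI command via boto3's `modify_transit_gateway`. The `FakeEc2Client`, the sample gateway list and the `tgw-0aaa...`/`tgw-0bbb...` IDs are constructed so the audit runs offline; against a real account you would pass `boto3.client("ec2", region_name=...)` instead.

```python
import re
from typing import Any, Dict, Iterable, List

# The GSL rule on this page matches both option values against /disable/i.
DISABLE_RE = re.compile(r"disable", re.IGNORECASE)


def tgw_is_compliant(tgw: Dict[str, Any]) -> bool:
    """True when default association and default propagation are both disabled.

    `tgw` is one element of the TransitGateways list returned by
    ec2:DescribeTransitGateways. A missing option fails closed.
    """
    options = tgw.get("Options") or {}
    association = options.get("DefaultRouteTableAssociation", "")
    propagation = options.get("DefaultRouteTablePropagation", "")
    return bool(DISABLE_RE.search(association) and DISABLE_RE.search(propagation))


def list_transit_gateways(client: Any) -> List[Dict[str, Any]]:
    """Collect every transit gateway in the region, following NextToken."""
    gateways: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {}
    while True:
        page = client.describe_transit_gateways(**kwargs)
        gateways.extend(page.get("TransitGateways", []))
        token = page.get("NextToken")
        if not token:
            return gateways
        kwargs = {"NextToken": token}


def find_noncompliant(gateways: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the IDs of gateways that fail the rule, in input order."""
    return [g["TransitGatewayId"] for g in gateways if not tgw_is_compliant(g)]


def remediate(client: Any, tgw_id: str) -> Dict[str, Any]:
    """Same change as the page's CLI command, via boto3.

    Only new attachments are affected: attachments that already exist keep
    their current association/propagation, so the explicit route table
    associations and propagations still have to be defined afterwards.
    """
    return client.modify_transit_gateway(
        TransitGatewayId=tgw_id,
        Options={
            "DefaultRouteTableAssociation": "disable",
            "DefaultRouteTablePropagation": "disable",
        },
    )


class FakeEc2Client:
    """Constructed stand-in for boto3's EC2 client so the audit runs offline."""

    def __init__(self, gateways: List[Dict[str, Any]]) -> None:
        self._gateways = gateways
        self.modify_calls: List[Dict[str, Any]] = []

    def describe_transit_gateways(self, **kwargs: Any) -> Dict[str, Any]:
        # Serve two pages to exercise the NextToken loop.
        if "NextToken" not in kwargs:
            return {"TransitGateways": self._gateways[:1], "NextToken": "page2"}
        return {"TransitGateways": self._gateways[1:]}

    def modify_transit_gateway(self, **kwargs: Any) -> Dict[str, Any]:
        self.modify_calls.append(kwargs)
        return {"TransitGateway": {"TransitGatewayId": kwargs["TransitGatewayId"],
                                   "Options": kwargs["Options"]}}


# Constructed sample inventory; the IDs are placeholders, not real resources.
SAMPLE_GATEWAYS = [
    {"TransitGatewayId": "tgw-0aaaaaaaaaaaaaaa0",
     "Options": {"DefaultRouteTableAssociation": "enable",
                 "DefaultRouteTablePropagation": "disable"}},
    {"TransitGatewayId": "tgw-0bbbbbbbbbbbbbbb0",
     "Options": {"DefaultRouteTableAssociation": "disable",
                 "DefaultRouteTablePropagation": "disable"}},
]


def run_audit(client: Any, fix: bool = False) -> List[str]:
    """Audit one region and optionally remediate; returns the finding IDs."""
    findings = find_noncompliant(list_transit_gateways(client))
    if fix:
        for tgw_id in findings:
            remediate(client, tgw_id)
    return findings


if __name__ == "__main__":
    demo = FakeEc2Client(SAMPLE_GATEWAYS)
    print("non-compliant:", run_audit(demo, fix=True))
    print("modify calls:", demo.modify_calls)
```

A gateway with association enabled but propagation disabled still fails, because the rule requires both options to be disabled; after remediation, step 5 of the procedure (explicit associations, propagations and routes on the transit gateway route table) is what actually restores connectivity for attachments.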

References
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html
CLI: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-transit-gateway.html

AWS Transit Gateway

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router — each new connection is only made once.

Compliance Frameworks

  • Terraform AWS CIS Foundations