Profile Applicability: Level 2


Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.


Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC. 


Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs. Via CLI: 

1. List all the route tables from a VPC and check if "GatewayId" is pointing to a (e.g. pcx-1a2b3c4d) and if "DestinationCidrBlock" is as specific as desired. aws ec2 describe-route-tables --filter "Name=vpc-id,Values=" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}"


Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable. Via CLI: 

1. For each  containing routes non compliant with your routing policy (which grants more than desired "least access"), delete the non compliant route: aws ec2 delete-route --route-table-id  --destination-cidrblock 

2. Create a new compliant route: aws ec2 create-route --route-table-id  --destination-cidrblock  --vpc-peering-connection-id



CIS Controls:

14.6 Protect Information through Access Control Lists 

    Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.