Profile Applicability: Level 2


Description:

Route Table: It contains a set of rules called routes which used to determine the network traffic from your gateway. VPC has an implicit router here route tables used to control where network traffic directed. Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.

Note: Route table contains routing policy that limits peering traffic between two specific instances available within the peered VPCs as per the routing policy. Here VPC peering means it is a networking connection between two VPCs that enables you to route traffic between them using IPv4 addresses or IPv6 addresses.


Rationale:

Being highly selective in peering routing tables is a very effective way of minimizing the impact of the breach as resources outside of these routes are inaccessible to the peered VPC.


Impact:

You can face an Overlapping issue if you have VPC peered with multiple VPCs, so that to overcome this issue to ensure that route tables are configured least access and avoid sending response traffic from your VPC to the incorrect VPC.


Default Value:

By default, a VPC peering connection is not created, By default Route Table ID start with rtb-xxxxxxxx in this it contains many tabs


Routes: In this tab, we can see the destination, target status, and propagate. The following diagram shows the default value of Routes.

Subnet association see by default as per below diagram


Audit:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/home?
  2. In the left navigation pane, select Route Tables.
  3. Select the routing table that’s associated with the subnet in which your instance resides.
  4. Go to the Summary tab 
  5. Click on the Routes tab and you can see the status

    As per the above diagram, the routing table is not the least access for VPC peering it contain 0.0.0.0/0



Via CLI


1. List all the route tables from a VPC and check if "GatewayId" is pointing to an (e.g. pcx-1a2b3c4d) and if "DestinationCidrBlock" is as specific as desired.

 aws ec2 describe-route-tables --filter "Name=vpc-id,Values=" \
--query "RouteTables[*].{RouteTableId:RouteTableId,\
VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}"

aws ec2 describe-route-tables --filter "Name=vpc-id,Values=<vpc_id>" \
--query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, \
Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}"

Remediation:

Pre-Requisite

  1. When you create multiple VPC do not overlap CIDR 

  2. When you edit route table you must contain exactly one of gatewayId, natGatewayId, networkInterfaceId, vpcPeeringConnectionId, egressOnlyInternetGatewayId, transitGatewayId, localGatewayId, vpcEndpointId or instanceId.

Implementation Steps

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/home?
  2. Go to Route Tables 
  3. Select the routing table
  4. Choose Routes, Edit, Add Route and ensure that least access VPC peering connection. and give some specific range what you assigned in the subnet or an individual IPv4 address what created
  5. Remove extra network id from the route table then click on Save changes button (remove only those which do not have desire in your policy).


Via CLI

In CLI use the following commands to change the policy

  1. First Delete the non-compliant route

    aws ec2 delete-route  --route-table-id <route_table_id>  \
    --destination-cidrblock <non_compliant_destination_CIDR>


  2. Create a new route policy

    aws ec2 create-route --route-table-id <route_table_id> \
    --destination-cidrblock <compliant_destination_CIDR> \
    --vpc-peering-connection-id <peering_connection_id>
    Note: It is the Security Benchmark of CIS AWS Foundations and it is not supported in AWS Security Hub.


Backout Plan:

If you face any issues after the above implementation step then you change it into its previous configuration follow the same steps as in the implementation steps add 0.0.0.0/0 CIDR with the previous target.


Reference:



CIS Controls:

14.6 Protect Information through Access Control Lists 

  • Protect all information stored on systems with file system, network share, claims, application, or database-specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.