Profile Applicability:

Level 2

Description:

When establishing VPC Peering, routing tables must be updated to enable connectivity between the peered VPCs. These routes should be as specific as possible, ensuring that only the required subnets or hosts are accessible to minimize exposure.

Rationale:
Applying "least access" principles to VPC Peering routing tables significantly enhances security by:

  • Restricting access between peered VPCs to only required resources.

  • Limiting the impact of a breach by ensuring that unauthorized subnets or hosts remain inaccessible.

  • Reducing attack surface by avoiding over-permissive routing.

Impact:

  • Failure to restrict routes may lead to unintended access between VPCs, increasing the risk of lateral movement in the event of a compromise.

  • Non-compliant routing can allow unnecessary traffic flow, violating security policies and increasing the risk of data exfiltration.

Default Value:

By default, when VPC Peering is created, no routes are automatically added. Manual configuration is required to define the destination CIDR blocks and determine the scope of peering.

Pre-Requisites:

  1. AWS CLI Installed (for command-line operations).

  2. IAM Permissions Required:

    • ec2:DescribeRouteTables (for auditing).

    • ec2:DeleteRoute (for removing non-compliant routes).

    • ec2:CreateRoute (for adding compliant routes).

  3. Access to AWS Management Console with permissions to modify VPC route tables.

  4. VPC Peering Connections Established before modifying route tables.

Remediation:

Test Plan:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard: AWS VPC Console.

  3. In the left navigation panel, choose Route Tables.

  4. Identify route tables associated with VPC peering connections.

  5. Check if the "Destination CIDR Blocks" are overly permissive (e.g., /16 instead of a more specific /24 or /32).

  6. Verify if routes grant access to unnecessary subnets or entire VPCs.

Implementation Steps:
Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard: AWS VPC Console.


  3. In the left navigation panel, select Route Tables.



  4. Identify the route table associated with the VPC Peering connection.

  5. Click Edit routes and remove unnecessary routes.

  6. Add specific CIDR block routes that are necessary for the intended communication.

  7. Click Save Changes.

  8. Repeat for all applicable VPC Peering connections.

Backout Plan:

If legitimate traffic is blocked:

  • Identify the destination CIDR block that needs to be re-added
  • Restore the original routing table entry:         
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <previously-allowed-cidr> --vpc-peering-connection-id <peering-connection-id
  • Validate connectivity between VPCs.
  • Apply a more specific rule to ensure only required communication is allowed.

References:

CIS Controls Mapping:

CIS Control Version

Control ID

Control Description

CIS v8

13.4

Perform traffic filtering between network segments where appropriate

CIS v7

9.2

Ensure only approved ports, protocols, and services are running