Profile Applicability:
Level 1
Description:
An Amazon EC2 Transit Gateway is a high-performance, fully managed service that acts as a hub for connecting multiple VPCs (Virtual Private Clouds) in a central network. Automatically accepting VPC attachment requests to the Transit Gateway can pose a security risk, as it may inadvertently allow unauthorized VPCs to be attached without approval. Disabling automatic acceptance of these requests ensures that each VPC attachment is reviewed and approved manually, providing better control over network architecture and security.
Rationale:
Disabling the automatic acceptance of VPC attachment requests for EC2 Transit Gateways helps mitigate the risk of unauthorized or unapproved VPC connections. This approach:
Improves Security: Prevents unauthorized VPCs from being connected to the Transit Gateway.
Enables Controlled Access: Provides better control over who can connect to the central network.
Promotes Network Segmentation: Ensures that only trusted VPCs are connected, preventing unintentional exposure of resources.
Impact:
Pros:
Increased Security: Provides better control and reduces the risk of unapproved network connections.
Network Visibility: Manual approval of VPC connections ensures that each connection is fully understood and intentionally set up.
Better Governance: Helps align with security best practices by ensuring that every VPC connection is reviewed.
Cons:
Additional Manual Effort: Each VPC attachment request needs to be manually approved, which may increase administrative overhead.
Potential Delays: Manual approval could introduce delays in connecting new VPCs if not managed in a timely manner.
Default Value:
By default, EC2 Transit Gateways automatically accept VPC attachment requests. This setting needs to be manually changed to enhance security.
Pre-requisites:
IAM Permissions:
ec2:DescribeTransitGateways
ec2:ModifyTransitGateway
ec2:AcceptTransitGatewayVpcAttachment
ec2:RejectTransitGatewayVpcAttachment
Transit Gateway created and operational.
VPCs and VPC attachments that need to be configured.
Remediation:
Test plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to VPC under Services.
In the VPC Dashboard, select Transit Gateways from the left-hand menu.
Select the Transit Gateway for which you want to disable automatic VPC attachment acceptance.
In the Transit Gateway settings, under Attachment settings, uncheck the option Automatically accept VPC attachment requests.
Save changes to apply the setting.
Using AWS CLI:
To check the current attachment settings, run:
aws ec2 describe-transit-gateways --query 'TransitGateways[*].[TransitGatewayId,Options.AutoAcceptSharedAttachments]'
To disable automatic acceptance of VPC attachment requests, run:
aws ec2 modify-transit-gateway --transit-gateway-id <tgw-id> --options AutoAcceptSharedAttachments=disable
To verify the update, run:
aws ec2 describe-transit-gateways --query 'TransitGateways[*].[TransitGatewayId,Options.AutoAcceptSharedAttachments]'
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to VPC.
In the VPC Dashboard, click on Transit Gateways.
Select the Transit Gateway and go to the Attachment settings.
Disable the option Automatically accept VPC attachment requests.
Save and confirm the changes.
Using AWS CLI:
To disable automatic acceptance of VPC attachment requests, run:
aws ec2 modify-transit-gateway --transit-gateway-id <tgw-id> --options AutoAcceptSharedAttachments=disable
Verify the setting has been updated by describing the transit gateway:
aws ec2 describe-transit-gateways --query 'TransitGateways[*].[TransitGatewayId,Options.AutoAcceptSharedAttachments]'
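As an added example (not part of this benchmark text), the following Python script audits the JSON that aws ec2 describe-transit-gateways returns and emits the remediating modify-transit-gateway call for every live gateway still set to auto-accept shared attachment requests; it reads the setting from Options, where the API places it. The sample output, gateway IDs and the script name audit.py are constructed placeholders.

```python
import json

# Constructed sample of `aws ec2 describe-transit-gateways --output json`;
# the gateway IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "TransitGateways": [
        {"TransitGatewayId": "tgw-0example0000000001", "State": "available",
         "Options": {"AutoAcceptSharedAttachments": "enable",
                     "DefaultRouteTableAssociation": "enable"}},
        {"TransitGatewayId": "tgw-0example0000000002", "State": "available",
         "Options": {"AutoAcceptSharedAttachments": "disable"}},
        {"TransitGatewayId": "tgw-0example0000000003", "State": "deleted",
         "Options": {"AutoAcceptSharedAttachments": "enable"}},
    ]
})


def find_auto_accept_gateways(describe_json: str) -> list:
    """Return IDs of live transit gateways that still auto-accept shared
    (cross-account) attachment requests. The flag sits under Options, so a
    --query on the top-level key would return null for every gateway."""
    findings = []
    for tgw in json.loads(describe_json).get("TransitGateways", []):
        if tgw.get("State") in ("deleted", "deleting"):
            continue  # gone or going; nothing can attach to it
        options = tgw.get("Options", {})
        if options.get("AutoAcceptSharedAttachments") == "enable":
            findings.append(tgw["TransitGatewayId"])
    return findings


def remediation_commands(tgw_ids) -> list:
    """Build the modify-transit-gateway call for each finding. The setting is
    passed through --options, not as a standalone flag."""
    return [
        f"aws ec2 modify-transit-gateway --transit-gateway-id {tgw_id} "
        "--options AutoAcceptSharedAttachments=disable"
        for tgw_id in tgw_ids
    ]


if __name__ == "__main__":
    # Pipe real output in with: aws ec2 describe-transit-gateways | python3 audit.py
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for cmd in remediation_commands(find_auto_accept_gateways(raw)):
        print(cmd)
```

Run without piped input it audits the constructed sample, flagging only the first gateway; the deleted one is skipped even though its option is still set.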
Backout Plan:
Using AWS Console:
If disabling the automatic acceptance causes issues, you can revert the change by going back to the Transit Gateway settings.
Re-enable Automatic acceptance of VPC attachment requests.
Save changes to apply the setting.
Using AWS CLI:
To re-enable automatic acceptance of VPC attachment requests, run:
aws ec2 modify-transit-gateway --transit-gateway-id <tgw-id> --options AutoAcceptSharedAttachments=enable
Verify the setting by describing the transit gateway:
aws ec2 describe-transit-gateways --query 'TransitGateways[*].[TransitGatewayId,Options.AutoAcceptSharedAttachments]'
Note:
Manual Approval: When automatic attachment acceptance is disabled, new VPC attachment requests will require manual approval through the AWS Management Console or CLI.
Monitoring: Set up CloudWatch Alarms to track VPC attachment requests, ensuring timely manual approval.