Profile Applicability
- Level 1
Description:
VPC peering connects two VPCs, in the same or different AWS regions and accounts, over private addressing. The peering connection itself carries nothing until routes are added: each VPC's route tables decide which destination prefixes are sent to the peering connection, so the route tables are where the scope of the peering is set. Configure them with the principle of least access, meaning that only routes to the specific destinations that actually need to be reached (individual subnets, or narrower) are added, rather than a route to the peer VPC's entire CIDR block. This minimizes the exposure of the network and reduces the risk of unauthorized access to resources in the peered VPC.
The least access approach ensures that only required traffic can flow between VPCs, while unnecessary or overly permissive routes are avoided. Security groups and network ACLs still apply to traffic that is routed; the route tables define the maximum set of addresses that can be reached at all.
Rationale:
Implementing least access in VPC peering routing tables provides the following benefits:
Security: Reduces the risk of unintended access to resources across peered VPCs by restricting routing tables to only include necessary destinations.
Compliance: Meets security best practices that mandate the limitation of access to only essential network traffic.
Network isolation: Ensures that only authorized resources can communicate with one another, enforcing isolation between VPCs where appropriate.
Minimized attack surface: Limits the number of potential attack vectors by reducing exposure to unnecessary resources or services.
Without the least access configuration, overly broad or unnecessary routes can lead to unauthorized network communication, exposing sensitive resources or data.
Impact:
Failure to implement least access in VPC peering routing tables can result in:
Unauthorized network access: If routing tables allow broader access than necessary, it increases the attack surface.
Non-compliance: Failing to follow the least-privilege approach can violate security best practices and regulatory requirements.
Increased security risks: Unrestricted or overly permissive routing increases the risk of lateral movement by attackers between peered VPCs.
Ensuring that VPC peering routing tables only permit necessary traffic minimizes these risks and enhances network security.
Default Value:
By default, a new VPC peering connection carries no traffic: AWS does not add routes automatically, and a route pointing a destination prefix at the peering connection must exist in a route table of each VPC (one for each direction) before any packets flow. The usual misconfiguration is to add a route for the peer VPC's entire CIDR block when only one or two subnets are needed, and to leave such routes in place (or in a blackhole state) after the need or the peering itself has gone away. Configure routing tables with least access principles to limit traffic flow to the required destinations.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
ec2:DescribeRouteTables
ec2:CreateRoute
ec2:DeleteRoute
ec2:DescribeVpcPeeringConnections
Access to the VPC configuration and routing table details for the VPC peering connection
Remediation:
Test Plan:
Using AWS Console:
Go to the VPC Console.
Select Peering Connections from the left navigation panel.
Note the peering connection ID and the CIDR blocks of the requester and accepter VPCs. Then select Route Tables, filter by the VPC, and open the Routes tab of each route table; look for routes whose Target is the peering connection ID.
Ensure that each such route's destination is no broader than the specific subnets that need to be reached (a route to the peer VPC's entire CIDR block is the usual overly permissive case), that no route has the status blackhole (the peering connection it points to no longer exists), and that no route points to a peering connection that is not approved. Repeat the review in the peer VPC, since each side holds its own routes.
Using AWS CLI :
To view the routing tables for a VPC:
aws ec2 describe-route-tables --query "RouteTables[?VpcId=='<vpc-id>']" --output table
To list the route tables that contain a route via a given peering connection (check the State of each such route: active is expected, blackhole means the peering connection no longer exists and the route should be removed):
aws ec2 describe-route-tables --query "RouteTables[?Routes[?VpcPeeringConnectionId=='<peering-id>']]" --output table
Run both checks in the peer VPC as well (and in the peer account, for a cross-account peering), because each VPC's route tables are configured independently.
Implementation Plan:
Using AWS Console:
Review and configure routing tables for VPC peering:
Go to the VPC Console.
Select Route Tables and choose the routing table associated with the VPC peering connection.
Ensure that only the necessary routes are present. Remove any broad route (typically one to the peer VPC's entire CIDR block) that allows traffic to destinations that should not be accessible, replacing it with routes to the specific subnets that are required. When narrowing a route, add the narrower route first and delete the broad one afterwards: the more specific prefix wins while both exist, so the required path is never interrupted.
Modify the routing table to ensure it follows the principle of least access. Remember that one route table can be associated with several subnets; a change applies to all of them, and the same tightening must be applied to the route tables in the peer VPC.
Verify the routing configuration:
After modifying the routing table, ensure that the changes have been applied correctly and that only the intended traffic is allowed between the peered VPCs.
Using AWS CLI:
Add the narrow routes that are actually required (use --destination-ipv6-cidr-block instead of --destination-cidr-block for an IPv6 destination):
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <cidr-block> --vpc-peering-connection-id <peering-connection-id>
Then remove the broad or unnecessary routes (a route is identified by its route table and destination, so the peering connection ID is not needed here):
aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block <cidr-block>
Verify the routing table configuration:
aws ec2 describe-route-tables --query "RouteTables[?VpcId=='<vpc-id>']" --output table
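The audit in the Test Plan and the create-route/delete-route steps above can be driven from one script. The following is an added example for this benchmark item, not AWS or CIS code. It works on the JSON shape returned by aws ec2 describe-route-tables (the boto3 describe_route_tables response has the same shape), so it runs offline on a constructed sample; the route table, VPC and peering IDs in the sample and the per-peering allow-list in SAMPLE_POLICY are assumptions for illustration.

```python
"""Audit VPC peering routes for least access and plan the remediation.

Added example for this benchmark item; it is not AWS or CIS code. The audit
works on the JSON shape returned by `aws ec2 describe-route-tables` (the
boto3 describe_route_tables response has the same shape), so it runs offline
on the constructed sample below and can be pointed at live data via boto3.
"""
import ipaddress

# Constructed sample (not real AWS data): one VPC with two route tables.
# Route table ...0001 routes the peer's whole /16 to the peering connection;
# ...0002 routes only the peer's database subnet and also carries a stale
# blackhole route to a peering connection that has since been deleted.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0a1b2c3d4e5f60001",
        "VpcId": "vpc-0aaaa1111bbbb2222",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.1.0.0/16",
             "VpcPeeringConnectionId": "pcx-0123456789abcdef0", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-0a1b2c3d4e5f60002",
        "VpcId": "vpc-0aaaa1111bbbb2222",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.1.20.0/24",
             "VpcPeeringConnectionId": "pcx-0123456789abcdef0", "State": "active"},
            {"DestinationCidrBlock": "10.2.0.0/16",
             "VpcPeeringConnectionId": "pcx-0fedcba9876543210", "State": "blackhole"},
        ],
    },
]

# Assumed least-access policy: for each approved peering connection, the only
# destinations that may be routed to it (here, the peer's database subnet).
SAMPLE_POLICY = {"pcx-0123456789abcdef0": ["10.1.20.0/24"]}


def _dest_flag(cidr):
    """CLI option for a destination; IPv6 prefixes use a different option."""
    return "--destination-ipv6-cidr-block" if ":" in cidr else "--destination-cidr-block"


def audit_peering_routes(route_tables, policy):
    """Return (route_table_id, peering_id, destination, reason) for every route
    via a peering connection that violates least access."""
    findings = []
    for rt in route_tables:
        rtb = rt["RouteTableId"]
        for route in rt.get("Routes", []):
            pcx = route.get("VpcPeeringConnectionId")
            if pcx is None:
                continue  # local, IGW, NAT and TGW routes are outside this check
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if dest is None:
                # A managed prefix list cannot be expanded from this response
                # alone, so surface it for manual review.
                findings.append((rtb, pcx, route.get("DestinationPrefixListId"),
                                 "prefix-list destination: review manually"))
                continue
            if route.get("State") == "blackhole":
                findings.append((rtb, pcx, dest, "blackhole: peering connection inactive or deleted"))
                continue
            if pcx not in policy:
                findings.append((rtb, pcx, dest, "peering connection not in policy"))
                continue
            net = ipaddress.ip_network(dest, strict=False)
            approved = [ipaddress.ip_network(c) for c in policy[pcx]]
            # subnet_of() is True for an equal or narrower prefix of the same IP version.
            if not any(net.version == a.version and net.subnet_of(a) for a in approved):
                findings.append((rtb, pcx, dest, "broader than approved destinations"))
    return findings


def plan_remediation(route_tables, policy):
    """Turn the findings into the create-route / delete-route commands of the
    implementation plan. Approved narrow routes are created before broad ones
    are deleted, so the more specific prefix takes over without a gap."""
    findings = audit_peering_routes(route_tables, policy)
    to_delete = {(f[0], f[2]) for f in findings if f[2] and "/" in f[2]}
    cmds = []
    for rt in route_tables:
        rtb = rt["RouteTableId"]
        routes = rt.get("Routes", [])
        present = {r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock") for r in routes}
        # Only tables that already use an approved peering get its approved routes.
        for pcx in sorted({r.get("VpcPeeringConnectionId") for r in routes} & set(policy)):
            for cidr in policy[pcx]:
                if cidr not in present:
                    cmds.append(f"aws ec2 create-route --route-table-id {rtb} "
                                f"{_dest_flag(cidr)} {cidr} --vpc-peering-connection-id {pcx}")
        for dest in sorted(d for (t, d) in to_delete if t == rtb):
            cmds.append(f"aws ec2 delete-route --route-table-id {rtb} {_dest_flag(dest)} {dest}")
    return cmds


if __name__ == "__main__":
    # With boto3 and credentials available, audit the live account; otherwise
    # fall back to the constructed sample so the script still demonstrates itself.
    try:
        import boto3
        tables = boto3.client("ec2").describe_route_tables()["RouteTables"]
    except Exception:
        tables = SAMPLE_ROUTE_TABLES
    for finding in audit_peering_routes(tables, SAMPLE_POLICY):
        print("FINDING", *finding)
    for cmd in plan_remediation(tables, SAMPLE_POLICY):
        print(cmd)
```

On the sample, the audit flags the /16 route in the first table as broader than the approved /24 and the blackhole route in the second table, and the plan emits a create-route for 10.1.20.0/24 before the delete-route for 10.1.0.0/16. The script only prints the commands; review them (and run the same audit in the peer VPC) before executing anything.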
Backout Plan:
Using AWS Console:
If restricting routing causes connectivity issues:
Go to the VPC Console.
Modify the routing table to add back any route that was removed but is still required, pointing it at the peering connection; do the same in the peer VPC if the return path was tightened there.
Ensure the peering connection is still functional after restoring the routes (its status should still be active, and the route should not show as blackhole).
Review security group and network ACL settings if access is still restricted, as they may be blocking the traffic in addition to the routing table configuration.
Using AWS CLI:
Re-add any route that was removed but is still required (use --destination-ipv6-cidr-block for an IPv6 destination):
aws ec2 create-route --route-table-id <route-table-id> --destination-cidr-block <cidr-block> --vpc-peering-connection-id <peering-connection-id>
Remove any route that was added in error during the remediation:
aws ec2 delete-route --route-table-id <route-table-id> --destination-cidr-block <cidr-block>