Profile Applicability:
Level 1


Description:
This control ensures that the route tables of VPCs joined by a VPC peering connection follow the principle of least privilege: every route whose target is the peering connection (pcx-...) covers only the destination CIDR blocks required for inter-VPC communication. A route to a broad CIDR block, typically the peer VPC's entire range, makes every subnet on the other side reachable at the network layer and leaves only security groups and network ACLs between an attacker and those resources, creating opportunities for data leakage, lateral movement or unauthorized access.


Rationale:
When two VPCs are peered, the route tables on each side determine which traffic can flow between them; the peering connection forwards only traffic for which a route exists, and only between the two peered VPCs, since peering is not transitive. If route tables include broad CIDR blocks or routes not required for business purposes, they increase the risk of internal lateral movement or data exposure. Limiting routes to the required CIDRs keeps communication between the VPCs tightly controlled, minimizes the attack surface, and adheres to least-privilege network design. Route scoping complements restrictive security groups and network ACLs; it does not replace them.


Impact:
Positive Impact:

  • Reduces risk of unintended access between VPCs.

  • Ensures compliance with security and segmentation policies.

  • Supports a zero-trust network model.

Negative Impact:

  • Over-restricting routes may block legitimate traffic if not properly analyzed beforehand.

Default Value:
By default, creating or accepting a VPC peering connection does not add any route to any route table. Routes that target the peering connection must be added manually, in a route table of each VPC, before traffic flows in either direction.


Pre-Requisite:

  • IAM permissions required: ec2:DescribeRouteTables, ec2:DescribeVpcPeeringConnections, ec2:CreateRoute, ec2:DeleteRoute.

  • Knowledge of subnets, CIDR blocks, and resources requiring peering connectivity.

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to VPC → Peering Connections and select the desired VPC peering connection.

  3. Review the Requester and Accepter VPC IDs.

  4. Go to VPC → Route Tables.

  5. Identify route tables associated with both the requester and accepter VPCs.

  6. In each routing table, check routes where the Target is the VPC peering connection ID (e.g., pcx-xxxxxx).

  7. Verify that each route’s Destination CIDR block matches only the required subnets that need communication.

  8. If a route covers more than the required subnets without a documented need (for example, the entire peer VPC range 10.0.0.0/16 when only 10.0.1.0/24 must be reachable), the configuration does not meet least-access standards. Also flag routes whose destination lies outside the peer VPC's CIDR blocks: peering is not transitive, so such routes carry no traffic and indicate stale configuration.
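Steps 4 to 8 can be scripted. The following is an added example for this control, not part of the benchmark and not an AWS tool. It runs the audit over constructed sample output in the shape of `aws ec2 describe-vpc-peering-connections` and `aws ec2 describe-route-tables`, so every VPC, route table and pcx identifier and every CIDR in it is a placeholder; the optional fetch_live function assumes boto3 is installed and that credentials carrying the Describe permissions listed under Pre-Requisite are available.

```python
"""Audit route tables for overly broad or stale VPC peering routes.

Added example for this control; it is not AWS or CIS code. It works on
the JSON returned by
    aws ec2 describe-vpc-peering-connections
    aws ec2 describe-route-tables
The PEERINGS / ROUTE_TABLES data below is constructed; every VPC,
route table and pcx identifier and every CIDR is a placeholder.
"""
import ipaddress

PCX = "pcx-0123456789abcdef0"  # placeholder peering connection ID

# Constructed: one active peering between vpc-0aaa (10.0.0.0/16) and
# vpc-0bbb (10.1.0.0/16).
PEERINGS = [{
    "VpcPeeringConnectionId": PCX,
    "Status": {"Code": "active"},
    "RequesterVpcInfo": {"VpcId": "vpc-0aaa", "CidrBlock": "10.0.0.0/16",
                         "CidrBlockSet": [{"CidrBlock": "10.0.0.0/16"}]},
    "AccepterVpcInfo": {"VpcId": "vpc-0bbb", "CidrBlock": "10.1.0.0/16",
                        "CidrBlockSet": [{"CidrBlock": "10.1.0.0/16"}]},
}]

# Constructed: route tables on both sides, including one whole-VPC route,
# one route nobody asked for, and one stale route outside the peer VPC.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0aaa1", "VpcId": "vpc-0aaa", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": PCX, "State": "active"},
    ]},
    {"RouteTableId": "rtb-0bbb1", "VpcId": "vpc-0bbb", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.0.1.0/24", "VpcPeeringConnectionId": PCX, "State": "active"},
        {"DestinationCidrBlock": "10.0.2.0/24", "VpcPeeringConnectionId": PCX, "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16", "VpcPeeringConnectionId": PCX, "State": "blackhole"},
    ]},
]

# Destinations the business actually needs, per route table (constructed).
REQUIRED = {"rtb-0aaa1": {"10.1.1.0/24"}, "rtb-0bbb1": {"10.0.1.0/24"}}


def peer_cidrs(peering, local_vpc_id):
    """CIDRs of the VPC on the far side of `peering` from local_vpc_id,
    or None when local_vpc_id is neither requester nor accepter."""
    req, acc = peering["RequesterVpcInfo"], peering["AccepterVpcInfo"]
    if local_vpc_id == req["VpcId"]:
        far = acc
    elif local_vpc_id == acc["VpcId"]:
        far = req
    else:
        return None
    blocks = far.get("CidrBlockSet") or [{"CidrBlock": far["CidrBlock"]}]
    return [ipaddress.ip_network(b["CidrBlock"]) for b in blocks]


def audit_peering_routes(route_tables, peerings, required=None):
    """Return one finding dict per non-compliant IPv4 route whose target is
    a peering connection.

    stale      destination is outside the peer VPC (or the pcx is unknown);
               peering is not transitive, so the route can never carry traffic
    whole_vpc  destination equals an entire peer VPC CIDR
    unneeded   `required` was supplied and does not list this destination
    A destination listed in `required` is accepted even when it is a whole
    VPC CIDR: that is a documented business decision, not a finding.
    """
    by_id = {p["VpcPeeringConnectionId"]: p for p in peerings}
    findings = []
    for rt in route_tables:
        rtb, vpc = rt["RouteTableId"], rt["VpcId"]
        for route in rt.get("Routes", []):
            pcx = route.get("VpcPeeringConnectionId")
            if not pcx or "DestinationCidrBlock" not in route:
                continue  # not a peering route, or IPv6/prefix-list (out of scope here)
            dest = ipaddress.ip_network(route["DestinationCidrBlock"])
            peering = by_id.get(pcx)
            cidrs = peer_cidrs(peering, vpc) if peering else None
            approved = required is not None and str(dest) in required.get(rtb, set())
            if cidrs is None or not any(dest.subnet_of(c) for c in cidrs):
                kind = "stale"
            elif approved:
                continue
            elif dest in cidrs:
                kind = "whole_vpc"
            elif required is not None:
                kind = "unneeded"
            else:
                continue
            findings.append({"route_table": rtb, "vpc": vpc, "destination": str(dest),
                             "peering": pcx, "finding": kind})
    return findings


def fetch_live(region_name=None):
    """Pull real data with boto3 (needs the ec2:Describe* permissions above)."""
    import boto3  # imported lazily so the offline sample runs without it
    ec2 = boto3.client("ec2", region_name=region_name)
    rts = [rt for page in ec2.get_paginator("describe_route_tables").paginate()
           for rt in page["RouteTables"]]
    pcxs = [p for page in ec2.get_paginator("describe_vpc_peering_connections").paginate()
            for p in page["VpcPeeringConnections"]]
    return rts, pcxs


if __name__ == "__main__":
    for f in audit_peering_routes(ROUTE_TABLES, PEERINGS, REQUIRED):
        print(f"{f['route_table']} {f['destination']:>18} -> {f['peering']}: {f['finding']}")
```

Build the required map from the subnet inventory gathered under Pre-Requisite. Without it the script can only flag whole-VPC and stale routes, because it has no way to know which narrower routes are needed; with it, every peering route that is not on the list is reported.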

Implementation Plan:
Using AWS Console:

  1. Navigate to VPC → Route Tables.

  2. Select the routing table associated with the VPC peering connection.

  3. Review existing routes and identify those pointing to the VPC peering connection (Target = pcx-...).

  4. Add routes only for the specific subnet ranges required for inter-VPC communication, with the peering connection as the target. For example, instead of 10.0.0.0/16, add 10.0.1.0/24 if only one subnet requires access. Add these specific routes first: longest-prefix matching carries the required traffic over them while the broad route is still present, so removing it afterwards causes no interruption.

  5. Remove the routes that allow access to entire VPC CIDR ranges or to unused subnets.

  6. Repeat the process on the peered VPC’s route table to ensure bidirectional least-access routes.

  7. Test communication between allowed subnets to ensure legitimate traffic is unaffected.

Backout Plan:

  1. If communication between necessary subnets is disrupted after reducing route scope, revert to the previous configuration by re-adding the previously removed routes using the Add route option in the VPC console. The narrower routes can be left in place; they target the same peering connection and are simply more specific.

  2. Document and review why broader access was required and apply fine-grained rules once validated.
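Steps 4 to 6 of the implementation plan and step 1 of the backout plan, as an added example that is not part of this benchmark and not an AWS tool. narrow_peering_route creates the specific routes before deleting the broad one, so traffic to the required subnets is never interrupted, and restore_broad_route is the backout. The FakeEC2 class is an assumed stand-in for boto3.client("ec2") so the example runs offline; the route table, peering and CIDR values are placeholders.

```python
"""Replace a whole-VPC peering route with the required subnet routes.

Added example; not AWS or CIS code. `ec2` is anything that exposes
boto3's create_route / delete_route keyword API. FakeEC2 records calls
so the example runs offline. All IDs and CIDRs are placeholders.
"""
import ipaddress


class FakeEC2:
    """Stand-in for boto3.client("ec2") that records the calls it receives."""

    def __init__(self):
        self.calls = []

    def create_route(self, **kwargs):
        self.calls.append(("create_route", kwargs))
        return {"Return": True}

    def delete_route(self, **kwargs):
        self.calls.append(("delete_route", kwargs))
        return {"Return": True}


def narrow_peering_route(ec2, route_table_id, pcx_id, broad_cidr, required_cidrs, dry_run=False):
    """Create one route per required CIDR, then delete the broad route.

    Order matters: the specific routes go in first so longest-prefix
    matching carries traffic to the required subnets over them before
    the broad route disappears. Returns the CIDRs that were added.
    """
    broad = ipaddress.ip_network(broad_cidr)
    wanted = [ipaddress.ip_network(c) for c in required_cidrs]
    outside = [str(n) for n in wanted if not n.subnet_of(broad)]
    if outside:
        raise ValueError(f"not inside {broad}, refusing to add: {outside}")
    if broad in wanted:
        raise ValueError(f"{broad} is in the required set; nothing to narrow")
    for net in wanted:
        ec2.create_route(RouteTableId=route_table_id, DestinationCidrBlock=str(net),
                         VpcPeeringConnectionId=pcx_id, DryRun=dry_run)
    ec2.delete_route(RouteTableId=route_table_id, DestinationCidrBlock=str(broad),
                     DryRun=dry_run)
    return [str(n) for n in wanted]


def restore_broad_route(ec2, route_table_id, pcx_id, broad_cidr, dry_run=False):
    """Backout: re-add the broad route. The narrower routes can stay; they
    target the same peering connection and are simply more specific."""
    ec2.create_route(RouteTableId=route_table_id, DestinationCidrBlock=broad_cidr,
                     VpcPeeringConnectionId=pcx_id, DryRun=dry_run)
    return broad_cidr


if __name__ == "__main__":
    fake = FakeEC2()
    # Both sides of the peering need the same treatment (placeholder values).
    narrow_peering_route(fake, "rtb-0aaa1", "pcx-0123456789abcdef0",
                         "10.1.0.0/16", ["10.1.1.0/24"])
    narrow_peering_route(fake, "rtb-0bbb1", "pcx-0123456789abcdef0",
                         "10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"])
    for name, kwargs in fake.calls:
        print(name, kwargs["RouteTableId"], kwargs["DestinationCidrBlock"])
```

To run this against an account, pass boto3.client("ec2") in place of FakeEC2() and run the function once for the route table on each side of the peering, since the two VPCs' route tables are independent. With a real client and dry_run=True, boto3 raises ClientError with code DryRunOperation on the first call that would have been permitted; that is the intended pre-flight check of the ec2:CreateRoute and ec2:DeleteRoute permissions listed under Pre-Requisite.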

References: