lacework-global-806

Amazon EC2 Transit Gateways should not automatically accept Virtual Private Cloud (VPC) attachment requests (Automated)

Description

This policy checks if EC2 transit gateways are automatically accepting shared VPC attachments. This policy fails for a transit gateway that automatically accepts shared VPC attachment requests.

Turning on AutoAcceptSharedAttachments configures a transit gateway to automatically accept any cross-account VPC attachment requests without verifying the request or the account the attachment is originating from.

To follow the best practices of authorization and authentication, turn off this feature so that only reviewed, authorized VPC attachment requests are accepted.

Remediation

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Networking & Content Delivery > VPC.
  4. In the left pane, under Transit gateways, click Transit gateways.
  5. Click the transit gateway to update.
  6. Click Actions -> Modify transit gateway.
  7. Under Configure cross-account sharing options, clear Auto accept shared attachments.
  8. Click Modify transit gateway.

From CLI:

For each transit gateway in violation, run the following command:

aws ec2 modify-transit-gateway --transit-gateway-id <transit_gateway_id> --options AutoAcceptSharedAttachments=disable
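As an added example (not Lacework's policy code), the check and the CLI remediation above can be combined into one script: it flags every transit gateway whose `AutoAcceptSharedAttachments` option is `enable`, then issues the same change the CLI command makes through the boto3 `modify_transit_gateway` call. The response shape mirrors `describe-transit-gateways`; the gateway IDs and the embedded response are constructed for offline use, and `boto3` is only needed when a real EC2 client is passed in.

```python
"""Audit transit gateways for AutoAcceptSharedAttachments and remediate.

Added example; not Lacework's own policy implementation. Assumes the boto3 EC2
client API (describe_transit_gateways / modify_transit_gateway) and uses a
constructed sample response so the logic runs without AWS access.
"""

# Constructed sample shaped like a describe_transit_gateways response.
# The gateway IDs are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "TransitGateways": [
        {"TransitGatewayId": "tgw-0example000000001", "State": "available",
         "Options": {"AutoAcceptSharedAttachments": "enable"}},
        {"TransitGatewayId": "tgw-0example000000002", "State": "available",
         "Options": {"AutoAcceptSharedAttachments": "disable"}},
        {"TransitGatewayId": "tgw-0example000000003", "State": "deleted",
         "Options": {"AutoAcceptSharedAttachments": "enable"}},
    ]
}


def find_violations(response, include_deleted=False):
    """Return IDs of transit gateways that auto-accept shared attachments.

    Gateways in a deleting/deleted state are skipped by default because they
    cannot be modified; pass include_deleted=True to report them anyway.
    """
    violations = []
    for tgw in response.get("TransitGateways", []):
        if not include_deleted and tgw.get("State") in ("deleting", "deleted"):
            continue
        # A missing option is treated as the secure default ("disable").
        option = tgw.get("Options", {}).get("AutoAcceptSharedAttachments", "disable")
        if option == "enable":
            violations.append(tgw["TransitGatewayId"])
    return violations


def remediate(client, tgw_ids, dry_run=True):
    """Disable auto-accept on each gateway, matching the CLI remediation.

    Returns the requests that were (or, in dry-run mode, would be) sent.
    """
    actions = []
    for tgw_id in tgw_ids:
        request = {
            "TransitGatewayId": tgw_id,
            "Options": {"AutoAcceptSharedAttachments": "disable"},
        }
        if not dry_run:
            client.modify_transit_gateway(**request)
        actions.append(request)
    return actions


def describe_all(client):
    """Collect every transit gateway, following NextToken pagination."""
    gateways, kwargs = [], {}
    while True:
        page = client.describe_transit_gateways(**kwargs)
        gateways.extend(page.get("TransitGateways", []))
        token = page.get("NextToken")
        if not token:
            return {"TransitGateways": gateways}
        kwargs = {"NextToken": token}


def audit(client=None, dry_run=True):
    """Audit a real account when a boto3 EC2 client is given, else the sample."""
    response = SAMPLE_RESPONSE if client is None else describe_all(client)
    violations = find_violations(response)
    return violations, remediate(client, violations, dry_run=dry_run)


if __name__ == "__main__":
    # Offline dry run over the constructed sample. For a live account:
    #   import boto3; audit(boto3.client("ec2"), dry_run=False)
    found, planned = audit()
    for request in planned:
        print("would disable auto-accept on", request["TransitGatewayId"])
```

Run it first with `dry_run=True` to review the list of gateways it intends to change; only the `enable` gateways that are still modifiable are touched, and the sent request is identical to the `--options AutoAcceptSharedAttachments=disable` CLI call.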

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-23
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-modifying
https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-transit-gateway.html