v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 5.6 Ensure routing tables for VPC peering are "least access"

Description

Once a VPC peering connection is established, routing tables must be updated to enable any connections between the peered VPCs. These routes can be as specific as desired, even allowing for the peering of a VPC to only a single host on the other side of the connection.

Being highly selective in peering routing tables is a very effective way to minimize the impact of a breach, as resources outside of these routes are inaccessible to the peered VPC.

Remediation

Remove and add route table entries to ensure that the least number of subnets or hosts required to accomplish the purpose of peering are routable.

From Command Line:

  1. For each <route-table-id> that contains routes that are non-compliant with your routing policy (granting more access than desired), delete the non-compliant route:
aws ec2 delete-route --route-table-id <route_table_id> --destination-cidrblock <non_compliant_destination_CIDR>
  1. Create a new compliant route:
aws ec2 create-route --route-table-id <route_table_id> --destination-cidrblock <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id>

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v400_5_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v400_5_6 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 5.6
cis_level = 2
cis_section_id = 5
cis_type = manual
cis_version = v4.0.0
plugin = aws
service = AWS/VPC