Control: 6.6 Ensure routing tables for VPC peering are 'least access'
Description
Once a VPC peering connection is established, routing tables must be updated to enable any connections between the peered VPCs. These routes can be as specific as desired, even allowing for the peering of a VPC to only a single host on the other side of the connection.
Remediation
Remove and add route table entries to ensure that the least number of subnets or hosts required to accomplish the purpose of peering are routable.
From Command Line:
- For each
<route-table-id>that contains routes that are non-compliant with your routing policy (granting more access than desired), delete the non-compliant route:
aws ec2 delete-route --route-table-id <route-table-id> --destination-cidrblock <non-compliant-destination-cidr>
- Create a new compliant route:
aws ec2 create-route --route-table-id <route-table-id> --destination-cidrblock <compliant-destination-cidr> --vpc-peering-connection-id <peeringconnection-id>
Default Value:
By default, AWS allows full routing between peered VPCs once routes are added. There is no automatic restriction to “least access”—administrators must manually scope routes to the minimum required CIDR blocks or hosts.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_6_6Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v600_6_6 --shareSQL
This control uses a named query:
select 'arn:' || partition || ':::' || account_id as resource, 'info' as status, 'Manual verification required.' as reason , account_idfrom aws_account;