Control: 20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
Description
A VPN tunnel is an encrypted link over which data passes between the customer network and AWS within an AWS Site-to-Site VPN connection. Each VPN connection includes two VPN tunnels, which you can use simultaneously for high availability. Ensuring that both tunnels are up is important for confirming a secure and highly available connection between an AWS VPC and your remote network: with only one tunnel up, a single peer outage or AWS-side tunnel maintenance event takes the connection down.
This control checks that both VPN tunnels provided by AWS Site-to-Site VPN are in UP status, as reported in the connection's tunnel telemetry (the VgwTelemetry data returned by DescribeVpnConnections) at the time the query runs. The control fails if one or both tunnels are in DOWN status.
Remediation
A tunnel is reported DOWN when there is no active IKE/IPsec session on it from the customer gateway device. In practice this usually means the device was configured for only one of the two tunnels, so the fix is on the customer side: configure the second tunnel's endpoint, pre-shared key or certificate, and IKE/IPsec parameters on the device and bring it up. To modify the tunnel options on the AWS side, see Modifying Site-to-Site VPN tunnel options in the AWS Site-to-Site VPN User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_20
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_20 --share
SQL
This control uses a named query:
with filter_data as (
  select
    arn,
    count(t ->> 'Status')
  from
    aws_vpc_vpn_connection,
    jsonb_array_elements(vgw_telemetry) as t
  where
    t ->> 'Status' = 'UP'
  group by
    arn
)
select
  a.arn as resource,
  case
    when b.count is null or b.count < 2 then 'alarm'
    else 'ok'
  end as status,
  case
    when b.count is null then a.title || ' has both tunnels offline.'
    when b.count = 1 then a.title || ' has one tunnel offline.'
    else a.title || ' has both tunnels online.'
  end as reason,
  region,
  account_id
from
  aws_vpc_vpn_connection as a
  left join filter_data as b on a.arn = b.arn;
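The control above only reports a count of UP tunnels per connection. When it alarms, the next thing an operator wants is which tunnel is down, since when, and the reason the peer gave. The following drill-down query is an added example and is not part of the aws_compliance mod; it runs in the same Steampipe session against the same aws_vpc_vpn_connection table, unnesting vgw_telemetry into one row per tunnel. The element keys (OutsideIpAddress, Status, StatusMessage, LastStatusChange, AcceptedRouteCount) are the fields of the EC2 VgwTelemetry structure as the AWS plugin serializes them, and the state filter assumes the table's state column holds the connection lifecycle state (available, pending, deleting, deleted).

```sql
-- Added example (not the mod's own query): one row per VPN tunnel for every
-- available Site-to-Site VPN connection, with the down tunnels listed first.
select
  c.vpn_connection_id,
  c.customer_gateway_id,
  t ->> 'OutsideIpAddress'                as tunnel_outside_ip,   -- AWS-side tunnel endpoint
  t ->> 'Status'                          as tunnel_status,       -- 'UP' or 'DOWN'
  t ->> 'StatusMessage'                   as status_message,      -- e.g. IPSEC IS UP / IPSEC IS DOWN
  (t ->> 'LastStatusChange')::timestamptz as last_status_change,  -- when the tunnel flapped
  (t ->> 'AcceptedRouteCount')::int       as accepted_routes,     -- BGP routes learned on this tunnel
  c.region,
  c.account_id
from
  aws_vpc_vpn_connection as c,
  jsonb_array_elements(c.vgw_telemetry) as t
where
  c.state = 'available'       -- assumption: ignore connections being torn down
order by
  (t ->> 'Status' = 'UP'),    -- false sorts before true, so DOWN tunnels come first
  c.vpn_connection_id,
  tunnel_outside_ip;
```

Reading the result: a DOWN tunnel whose last_status_change is minutes old and whose partner is UP is most likely a dead-peer-detection timeout or a tunnel maintenance event and may recover on its own; a DOWN tunnel whose last_status_change is days old with zero accepted routes almost always means the customer gateway device was never configured for that tunnel, which is the remediation case described above. The control's named query does not filter on connection state, so if your account lists connections that are still visible in a deleting or deleted state, compare the control's alarms against this query before raising a ticket.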