turbot/steampipe-mod-aws-compliance

Control: 23 EC2 Transit Gateways should not automatically accept VPC attachment requests

Description

This control checks if EC2 Transit Gateways are automatically accepting shared VPC attachments. This control fails for a Transit Gateway that automatically accepts shared VPC attachment requests.

Turning on AutoAcceptSharedAttachments configures a Transit Gateway to automatically accept any cross-account VPC attachment request without verifying the request or the account it originates from. To follow authorization and authentication best practices, we recommend turning off this feature so that only explicitly approved VPC attachment requests are accepted.

Remediation

For information about how to modify a Transit Gateway, see Modify a transit gateway in the Amazon VPC Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_23

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_23 --share

SQL

This control uses a named query:

select
  transit_gateway_arn as resource,
  case
    when auto_accept_shared_attachments = 'enable' then 'alarm'
    else 'ok'
  end as status,
  case
    when auto_accept_shared_attachments = 'enable' then title || ' automatic shared account attachment enabled.'
    else title || ' automatic shared account attachment disabled.'
  end as reason,
  region,
  account_id
from
  aws_ec2_transit_gateway;
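The following is an added example, not code from the steampipe-mod-aws-compliance page or the mod itself. It applies the same rule as the named query above, but to the JSON that `aws ec2 describe-transit-gateways` returns, so the check can be reproduced without Steampipe, and it builds the `aws ec2 modify-transit-gateway` call that disables auto-accept for each gateway that alarms. The sample gateways, ARNs and account numbers are constructed; the table's `title` column is stood in for by the gateway ID, which is an assumption about how the mod populates it.

```python
"""Added example: evaluate the EC2.23 rule over constructed
describe-transit-gateways output and plan the remediation."""
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-transit-gateways`
# output. IDs, ARNs and account numbers are made up for this example.
SAMPLE_TRANSIT_GATEWAYS: List[Dict] = [
    {
        "TransitGatewayId": "tgw-0123456789abcdef0",
        "TransitGatewayArn": "arn:aws:ec2:us-east-1:111111111111:transit-gateway/tgw-0123456789abcdef0",
        "State": "available",
        "Options": {"AutoAcceptSharedAttachments": "enable"},
    },
    {
        "TransitGatewayId": "tgw-0fedcba9876543210",
        "TransitGatewayArn": "arn:aws:ec2:eu-west-1:111111111111:transit-gateway/tgw-0fedcba9876543210",
        "State": "available",
        "Options": {"AutoAcceptSharedAttachments": "disable"},
    },
    {
        # A record with no Options block: anything other than 'enable' falls
        # into the query's `else 'ok'` branch, so it is treated as compliant.
        "TransitGatewayId": "tgw-00000000000000001",
        "TransitGatewayArn": "arn:aws:ec2:ap-southeast-2:222222222222:transit-gateway/tgw-00000000000000001",
        "State": "available",
        "Options": {},
    },
]


def split_arn(arn: str) -> Dict[str, str]:
    """Extract region and account id from an ARN of the form
    arn:partition:service:region:account:resource (the query's
    region and account_id columns)."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn}")
    return {"region": parts[3], "account_id": parts[4]}


def evaluate(tgws: List[Dict]) -> List[Dict[str, str]]:
    """Mirror the named query: 'alarm' when AutoAcceptSharedAttachments is
    'enable', 'ok' otherwise, with the same reason text."""
    rows = []
    for tgw in tgws:
        title = tgw["TransitGatewayId"]  # assumption: stand-in for the table's title column
        setting = tgw.get("Options", {}).get("AutoAcceptSharedAttachments", "disable")
        enabled = setting == "enable"
        rows.append({
            "resource": tgw["TransitGatewayArn"],
            "status": "alarm" if enabled else "ok",
            "reason": f"{title} automatic shared account attachment "
                      f"{'enabled' if enabled else 'disabled'}.",
            **split_arn(tgw["TransitGatewayArn"]),
        })
    return rows


def remediation_command(tgw_id: str, region: str) -> str:
    """AWS CLI call that turns auto-accept off for one transit gateway."""
    return (f"aws ec2 modify-transit-gateway --region {region} "
            f"--transit-gateway-id {tgw_id} "
            f"--options AutoAcceptSharedAttachments=disable")


def plan_remediation(tgws: List[Dict]) -> List[str]:
    """One modify-transit-gateway command per gateway that alarms."""
    commands = []
    for tgw, row in zip(tgws, evaluate(tgws)):
        if row["status"] == "alarm":
            commands.append(remediation_command(tgw["TransitGatewayId"], row["region"]))
    return commands


if __name__ == "__main__":
    for row in evaluate(SAMPLE_TRANSIT_GATEWAYS):
        print(f'{row["status"]:5} {row["region"]:15} {row["reason"]}')
    for cmd in plan_remediation(SAMPLE_TRANSIT_GATEWAYS):
        print(cmd)
```

Feeding real output into `evaluate()` is a matter of loading the `TransitGateways` array from `aws ec2 describe-transit-gateways --output json`; the commands from `plan_remediation()` are printed for review rather than executed, since disabling auto-accept on a gateway does not remove attachments that were already accepted.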

Tags