Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: EC2 transit gateways should have auto accept shared attachments disabled

Description

Ensure transit gateways have auto accept shared attachments feature disabled. If this setting is disabled, then any VPC that attempts to attach to a transit gateway will need to request authorization, and the account that owns the transit gateway will need to accept the authorization.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.ec2_transit_gateway_auto_cross_account_attachment_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.ec2_transit_gateway_auto_cross_account_attachment_disabled --share

SQL

This control uses a named query:

select
  transit_gateway_arn as resource,
  case
    when auto_accept_shared_attachments = 'enable' then 'alarm'
    else 'ok'
  end as status,
  case
    when auto_accept_shared_attachments = 'enable' then title || ' automatic shared account attachment enabled.'
    else title || ' automatic shared account attachment disabled.'
  end as reason
  
  , region, account_id
from
  aws_ec2_transit_gateway;

Tags

category = Compliance
nist_csf = true
nist_csf_v2 = true
pci_dss_v40 = true
plugin = aws
service = AWS/EC2