AWS VPC Transit Gateway Auto Accept Shared Attachments is enabled
- Contextual name: Transit Gateway Auto Accept Shared Attachments is enabled
- ID: /ce/ca/aws/vpc/disable-transit-gateway-auto-accept-shared-attachments
- Located in: AWS VPC
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Similar Policies
- AWS Security Hub
- [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-23)
Logic
- prod.logic.yaml
Description
Ensure that AWS VPC Transit Gateways are not configured to automatically accept cross-account VPC attachments. This requires that all cross-account attachment requests be manually reviewed and approved.
Rationale
Disabling the auto-accept feature enforces administrative control over which external AWS accounts can connect their VPCs to the central transit gateway. Each request must be explicitly reviewed and approved by a network administrator, reducing the risk of unauthorized or accidental attachments from untrusted environments.
Impact
If auto-accept is enabled, an untrusted or compromised AWS account could attach a malicious VPC to your core network. This may result in:
- Unauthorized access to internal resources.
- Lateral movement across your environment.
- Data exfiltration.
- Denial-of-service attacks against shared services.
Audit
This policy flags an AWS VPC Transit Gateway as INCOMPLIANT if its Auto Accept Shared Attachments field is set to enable.
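The check described above, written out as an added example (this is not the policy's own prod.logic.yaml). It evaluates records in the shape of the EC2 DescribeTransitGateways response, where each gateway carries an Options.AutoAcceptSharedAttachments value of enable or disable; the gateway ids and the response below are constructed, not captured from a real account. A gateway whose Options block is missing is reported as UNKNOWN rather than passed silently; that third verdict is this example's choice, the policy itself only defines INCOMPLIANT.

```python
"""Audit check: flag transit gateways that auto-accept shared attachments.

Added illustration, not the policy engine's own logic. Input mirrors the
DescribeTransitGateways API response; SAMPLE_RESPONSE is constructed.
"""

# Constructed sample in the shape of a DescribeTransitGateways response.
SAMPLE_RESPONSE = {
    "TransitGateways": [
        {
            "TransitGatewayId": "tgw-0aaa111122223333a",  # constructed id
            "State": "available",
            "Options": {
                "AmazonSideAsn": 64512,
                "AutoAcceptSharedAttachments": "enable",   # the weak setting
                "DefaultRouteTableAssociation": "enable",
            },
        },
        {
            "TransitGatewayId": "tgw-0bbb111122223333b",  # constructed id
            "State": "available",
            "Options": {
                "AmazonSideAsn": 64513,
                "AutoAcceptSharedAttachments": "disable",  # compliant
            },
        },
        {
            # Options block absent (e.g. gateway still being created);
            # the check must not treat a missing field as compliant.
            "TransitGatewayId": "tgw-0ccc111122223333c",  # constructed id
            "State": "pending",
        },
    ]
}


def evaluate_transit_gateway(tgw):
    """Return 'INCOMPLIANT', 'COMPLIANT' or 'UNKNOWN' for one gateway record."""
    value = tgw.get("Options", {}).get("AutoAcceptSharedAttachments")
    if value is None:
        return "UNKNOWN"  # field missing: surface it instead of passing it
    return "INCOMPLIANT" if value == "enable" else "COMPLIANT"


def audit(response):
    """Map every gateway id in the response to its verdict."""
    return {
        tgw["TransitGatewayId"]: evaluate_transit_gateway(tgw)
        for tgw in response.get("TransitGateways", [])
    }


def noncompliant_ids(response):
    """Sorted ids of gateways that currently auto-accept shared attachments."""
    return sorted(i for i, v in audit(response).items() if v == "INCOMPLIANT")


def remediation_command(tgw_id):
    """The CLI command from the Remediation section, filled in for one gateway."""
    return (
        "aws ec2 modify-transit-gateway "
        f"--transit-gateway-id {tgw_id} "
        "--options AutoAcceptSharedAttachments=disable"
    )


if __name__ == "__main__":
    # In a real audit, replace SAMPLE_RESPONSE with the output of
    # boto3.client("ec2").describe_transit_gateways() (paginated if large).
    for tgw_id, verdict in audit(SAMPLE_RESPONSE).items():
        print(f"{tgw_id}: {verdict}")
    for tgw_id in noncompliant_ids(SAMPLE_RESPONSE):
        print("remediate:", remediation_command(tgw_id))
```

Running the block prints one verdict per gateway and, for each INCOMPLIANT gateway, the modify-transit-gateway command that turns auto-accept off.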
Remediation
From Command Line
To disable automatic acceptance of cross-account VPC attachments, update the Transit Gateway options:
aws ec2 modify-transit-gateway \
--transit-gateway-id {{transit-gateway-id}} \
--options AutoAcceptSharedAttachments=disable