Description
This policy identifies AWS VPC Transit Gateways that are configured to automatically accept cross-account VPC attachments. Cross-account attachment requests should be manually reviewed and approved.
Rationale
Disabling the auto-accept feature enforces administrative control over which external AWS accounts can connect their VPCs to the central transit gateway. Each request must be explicitly reviewed and approved by a network administrator, reducing the risk of unauthorized or accidental attachments from untrusted environments.
Impact
If auto-accept is enabled, an untrusted or compromised AWS account could attach a malicious VPC to your core network. This may result in:
- Unauthorized access to internal resources.
- Lateral movement across your environment.
- Data exfiltration.
- Denial-of-service attacks against shared services.
Audit
This policy flags an AWS VPC Transit Gateway as INCOMPLIANT if Auto Accept Shared Attachments is set to enabled.
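The check described above, implemented as an added Python example that is not part of the policy text: `find_noncompliant` reads the shape returned by the EC2 `DescribeTransitGateways` API and flags any live gateway whose `Options.AutoAcceptSharedAttachments` is `enable`; `audit_and_remediate` runs the same check against a real account and, on request, switches the setting to `disable`. The sample response and its transit gateway IDs are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample response; shape mirrors ec2.describe_transit_gateways().
# The TGW IDs are made up for illustration.
SAMPLE_RESPONSE: Dict = {
    "TransitGateways": [
        {"TransitGatewayId": "tgw-0aaa111122223333a", "State": "available",
         "Options": {"AutoAcceptSharedAttachments": "enable"}},
        {"TransitGatewayId": "tgw-0bbb444455556666b", "State": "available",
         "Options": {"AutoAcceptSharedAttachments": "disable"}},
        # Deleted gateways are skipped: nothing can attach to them any more.
        {"TransitGatewayId": "tgw-0ccc777788889999c", "State": "deleted",
         "Options": {"AutoAcceptSharedAttachments": "enable"}},
    ]
}


def find_noncompliant(response: Dict) -> List[str]:
    """Return IDs of live transit gateways that auto-accept shared attachments."""
    flagged = []
    for tgw in response.get("TransitGateways", []):
        if tgw.get("State") in ("deleted", "deleting"):
            continue
        setting = tgw.get("Options", {}).get("AutoAcceptSharedAttachments", "disable")
        if setting == "enable":
            flagged.append(tgw["TransitGatewayId"])
    return flagged


def audit_and_remediate(region: str, fix: bool = False) -> List[str]:
    """Run the check against a live account; with fix=True, disable auto-accept."""
    import boto3  # imported lazily so the offline check above needs no AWS SDK

    ec2 = boto3.client("ec2", region_name=region)
    paginator = ec2.get_paginator("describe_transit_gateways")
    flagged = [i for page in paginator.paginate() for i in find_noncompliant(page)]
    if fix:
        for tgw_id in flagged:
            # Remediation: require manual approval of future shared attachments.
            ec2.modify_transit_gateway(
                TransitGatewayId=tgw_id,
                Options={"AutoAcceptSharedAttachments": "disable"},
            )
    return flagged


if __name__ == "__main__":
    print("INCOMPLIANT:", find_noncompliant(SAMPLE_RESPONSE))
```

Changing the setting does not detach VPCs already accepted, so pending and existing cross-account attachments should still be reviewed separately.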