🛡️ AWS VPC Route Table for VPC Peering does not follow the least privilege principle🟢⚪

Contextual name: 🛡️ Route Table for VPC Peering does not follow the least privilege principle🟢⚪
ID: /ce/ca/aws/vpc/route-table-for-vpc-peering-least-privilege
Tags:
- ⚪ Impossible policy
- 🟢 Policy with categories
- 🟢 Policy with type
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Description

Description

Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.

Rationale

Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.

Audit

Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.

From Command Line

List all the route tables from a VPC and check if GatewayId is pointing to a <peering_connection_id> (e.g. pcx-1a2b3c4d) and if DestinationCidrBlock is as specific as desired:
aws ec2 describe-route-tables --filter "Name=vpc-id,Values=<vpc_id>" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}"

... [see more](description.md)

Remediation

Open File

Remediation

Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.

From Command Line

For each <route_table_id> containing routes non compliant with your routing policy (which grants more than desired least access), delete the non compliant route:
aws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR>
Create a new compliant route:
aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id>

policy.yaml

Open File

Linked Framework Sections

Section	Policies	Compliance
💼 CIS AWS v1.2.0 → 💼 4.4 Ensure routing tables for VPC peering are "least access"	1	no data
💼 CIS AWS v1.3.0 → 💼 5.4 Ensure routing tables for VPC peering are "least access"	1	no data
💼 CIS AWS v1.4.0 → 💼 5.4 Ensure routing tables for VPC peering are "least access"	1	no data
💼 CIS AWS v1.5.0 → 💼 5.5 Ensure routing tables for VPC peering are "least access" - Level 2 (Manual)	1	no data
💼 CIS AWS v2.0.0 → 💼 5.5 Ensure routing tables for VPC peering are "least access" - Level 2 (Manual)	1	no data
💼 CIS AWS v3.0.0 → 💼 5.5 Ensure routing tables for VPC peering are "least access" - Level 2 (Manual)	1	no data
💼 CIS AWS v4.0.0 → 💼 5.6 Ensure routing tables for VPC peering are "least access" (Manual)	1	no data
💼 CIS AWS v4.0.1 → 💼 5.6 Ensure routing tables for VPC peering are "least access" (Manual)	1	no data
💼 CIS AWS v5.0.0 → 💼 5.6 Ensure routing tables for VPC peering are "least access" (Manual)	1	no data
💼 CIS AWS v6.0.0 → 💼 6.6 Ensure routing tables for VPC peering are "least access" (Manual)	1	no data
💼 Cloudaware Framework → 💼 Secure Access	55	no data

Description​

Description​

Rationale​

Audit​

From Command Line​

Remediation​

Remediation​

From Command Line​

policy.yaml​

Linked Framework Sections​

Description

Description

Rationale

Audit

From Command Line

Remediation

Remediation

From Command Line

policy.yaml

Linked Framework Sections