Skip to main content

πŸ›‘οΈ AWS VPC Route Table for VPC Peering does not follow the least privilege principle🟒βšͺ

  • Contextual name: πŸ›‘οΈ Route Table for VPC Peering does not follow the least privilege principle🟒βšͺ
  • ID: /ce/ca/aws/vpc/route-table-for-vpc-peering-least-privilege
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description​

Open File

Description​

Once a VPC peering connection is established, routing tables must be updated to enable connectivity between the peered VPCs. These routes can be as specific as needed, even peering a VPC to a single host on the other side of the connection.

Rationale​

Being highly selective in peering route tables is an effective way to minimize the impact of a breach because resources outside these routes are inaccessible to the peered VPC.

Audit​

Review route tables of peered VPCs to determine whether they route all subnets of each VPC and whether that is necessary for the intended purpose of peering.

From Command Line​
  1. List all the route tables from a VPC and check if GatewayId is pointing to a <peering_connection_id> (e.g. pcx-1a2b3c4d) and if DestinationCidrBlock is as specific as desired:
aws ec2 describe-route-tables --filter "Name=vpc-id,Values=<vpc_id>" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}"

References​

... see more

Remediation​

Open File

Remediation​

Remove and add route table entries to ensure that only the minimum required subnets or hosts are routable for the intended peering purpose.

From Command Line​

  1. For each {{route_table_id}} containing routes that are not compliant with your routing policy (that grant more than the desired least access), delete the non-compliant route:

    aws ec2 delete-route --route-table-id {{route_table_id}} --destination-cidr-block {{non_compliant_destination_CIDR}}

  2. Create a new compliant route:

    aws ec2 create-route \
        --route-table-id {{route_table_id}} \
        --destination-cidr-block {{compliant_destination_CIDR}} \
        --vpc-peering-connection-id {{peering_connection_id}}

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 4.4 Ensure routing tables for VPC peering are "least access"1no data
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 5.4 Ensure routing tables for VPC peering are "least access"1no data
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 5.4 Ensure routing tables for VPC peering are "least access"1no data
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 5.5 Ensure routing tables for VPC peering are "least access" - Level 2 (Manual)1no data
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 5.5 Ensure routing tables for VPC peering are "least access" - Level 2 (Manual)1no data
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 5.5 Ensure routing tables for VPC peering are "least access" - Level 2 (Manual)1no data
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 5.6 Ensure routing tables for VPC peering are "least access" (Manual)1no data
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 5.6 Ensure routing tables for VPC peering are "least access" (Manual)1no data
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 5.6 Ensure routing tables for VPC peering are "least access" (Manual)1no data
πŸ’Ό CIS AWS v6.0.0 β†’ πŸ’Ό 6.6 Ensure routing tables for VPC peering are "least access" (Manual)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access75no data