📝 AWS VPC VPN Connection does not have both Tunnels up 🟢

  • Contextual name: 📝 VPN Connection does not have both Tunnels up 🟢
  • ID: /ce/ca/aws/vpc/vpn-connection-tunnels-not-up
  • Located in: 📁 AWS VPC

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY

Logic

Description

Ensure that both tunnels of an AWS Site-to-Site VPN Connection are active and in the UP state.

Rationale

AWS Site-to-Site VPN provisions two tunnels for every connection, each terminating on a different AWS endpoint, so that the link between your on-premises network and your VPC survives the loss of one tunnel to maintenance or failure. Failover to the second tunnel only works if your customer gateway device is configured for both tunnels and both are actually established; a connection with one tunnel up has no redundancy at all.

If only one tunnel is up and it fails (for example, because of an internet connectivity problem, a customer gateway device failure, or AWS maintenance on the tunnel endpoint), all connectivity between the on-premises environment and the VPC is lost until the tunnel is renegotiated. AWS performs tunnel endpoint maintenance routinely, so a single-tunnel connection should be expected to drop eventually. Such outages disrupt every application that depends on the connection.

Audit​

This policy flags an AWS VPC VPN Connection as INCOMPLIANT if fewer than 2 related AWS VPC VPN Gateway Telemetries (the per-tunnel VgwTelemetry entries returned by the EC2 DescribeVpnConnections API) have a Status of UP.

A VPN Connection is marked as INAPPLICABLE if its State is not available (for example, while it is still pending or is being deleted), because tunnel status is only meaningful for an available connection.

Remediation

From Command Line

To remediate a VPN connection with a down tunnel, first identify which tunnel is down and why: the StatusMessage reported for each tunnel by describe-vpn-connections (for example an IPsec or BGP failure) points at the layer to investigate. The fix is then usually to correct the configuration on your on-premises customer gateway device so that it establishes both tunnels, not only the first one.

Enabling AWS Site-to-Site VPN tunnel logs can be very helpful for troubleshooting and resolving VPN connectivity issues. Logs are published to Amazon CloudWatch Logs, where you can analyze tunnel negotiations, dropped packets, and configuration mismatches.

  1. Create a CloudWatch Log Group (if one does not already exist):

     aws logs create-log-group \
       --log-group-name <log-group-name>

  2. Enable VPN tunnel logging. The command acts on a single tunnel, selected by its outside IP address, so run it once for each of the two tunnels of the connection:

     aws ec2 modify-vpn-tunnel-options \
       --vpn-connection-id <vpn-connection-id> \
       --vpn-tunnel-outside-ip-address <tunnel-outside-ip> \
       --tunnel-options '{
         "LogOptions": {
           "CloudWatchLogOptions": {
             "LogEnabled": true,
             "LogGroupArn": "arn:aws:logs:<region>:<account-id>:log-group:<log-group-name>",
             "LogOutputFormat": "json"
           }
         }
       }'
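The Audit logic and the two remediation steps above, combined into one script as an added example (this is not code from the page or from Cloudaware's policy engine). It evaluates every VPN connection from the JSON shape returned by `aws ec2 describe-vpn-connections`, where each `VgwTelemetry` entry carries one tunnel's `Status` and `StatusMessage`, returning COMPLIANT, INCOMPLIANT or INAPPLICABLE exactly as the Audit section defines them. For each INCOMPLIANT connection it lists the tunnel that is not UP together with its status message, and prints one `modify-vpn-tunnel-options` command per tunnel, since that command targets a single outside IP. The input is a constructed sample embedded in the script (no live account is contacted); the region, account ID, log group name and connection IDs are placeholders, and the commands are printed for review rather than executed.

```python
"""Evaluate the 'both tunnels up' check and prepare tunnel-logging commands.

Reads the shape of `aws ec2 describe-vpn-connections` output
(VpnConnections[].State and VpnConnections[].VgwTelemetry[]) from an
embedded, constructed sample instead of a live account.
"""
import json
import shlex

# Constructed sample in the shape of `aws ec2 describe-vpn-connections` output,
# limited to the fields read below. Connection IDs and addresses are placeholders.
SAMPLE_RESPONSE = json.loads("""
{
  "VpnConnections": [
    {"VpnConnectionId": "vpn-0aaaaaaaaaaaaaaaa", "State": "available",
     "VgwTelemetry": [
       {"OutsideIpAddress": "198.51.100.10", "Status": "UP", "StatusMessage": ""},
       {"OutsideIpAddress": "198.51.100.11", "Status": "UP", "StatusMessage": ""}]},
    {"VpnConnectionId": "vpn-0bbbbbbbbbbbbbbbb", "State": "available",
     "VgwTelemetry": [
       {"OutsideIpAddress": "198.51.100.20", "Status": "UP", "StatusMessage": ""},
       {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"}]},
    {"VpnConnectionId": "vpn-0ccccccccccccccccc", "State": "pending", "VgwTelemetry": []}
  ]
}
""")


def evaluate(conn):
    """Verdict for one connection, following the Audit section:
    not 'available' -> INAPPLICABLE; fewer than two UP tunnels -> INCOMPLIANT."""
    if conn.get("State") != "available":
        return "INAPPLICABLE"
    up = sum(1 for t in conn.get("VgwTelemetry", []) if t.get("Status") == "UP")
    return "COMPLIANT" if up >= 2 else "INCOMPLIANT"


def down_tunnels(conn):
    """(outside IP, StatusMessage) for every tunnel that is not UP.
    A missing telemetry entry counts as a missing tunnel, so it is not listed here
    but still makes evaluate() return INCOMPLIANT."""
    return [(t["OutsideIpAddress"], t.get("StatusMessage", ""))
            for t in conn.get("VgwTelemetry", []) if t.get("Status") != "UP"]


def log_group_arn(region, account_id, log_group_name):
    """ARN in the form the LogGroupArn tunnel option expects."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}"


def tunnel_options(arn, output_format="json"):
    """The --tunnel-options document from remediation step 2."""
    return {"LogOptions": {"CloudWatchLogOptions": {
        "LogEnabled": True, "LogGroupArn": arn, "LogOutputFormat": output_format}}}


def enable_logging_commands(conn, arn):
    """One modify-vpn-tunnel-options command per tunnel: the API acts on a single
    outside IP, so logging has to be enabled on each tunnel separately."""
    opts = json.dumps(tunnel_options(arn))
    return ["aws ec2 modify-vpn-tunnel-options "
            f"--vpn-connection-id {conn['VpnConnectionId']} "
            f"--vpn-tunnel-outside-ip-address {t['OutsideIpAddress']} "
            f"--tunnel-options {shlex.quote(opts)}"
            for t in conn.get("VgwTelemetry", [])]


def report(response, region, account_id, log_group_name):
    """Verdict per connection; INCOMPLIANT ones also get triage data and commands."""
    arn = log_group_arn(region, account_id, log_group_name)
    result = {}
    for conn in response["VpnConnections"]:
        verdict = evaluate(conn)
        entry = {"verdict": verdict}
        if verdict == "INCOMPLIANT":
            entry["down"] = down_tunnels(conn)
            entry["commands"] = enable_logging_commands(conn, arn)
        result[conn["VpnConnectionId"]] = entry
    return result


if __name__ == "__main__":
    # Placeholder region, account and log group; swap in real values before running
    # the printed commands against an account.
    for vpn_id, entry in report(SAMPLE_RESPONSE, "us-east-1", "123456789012",
                                "vpn-tunnel-logs").items():
        print(vpn_id, entry["verdict"])
        for ip, msg in entry.get("down", []):
            print("  tunnel not UP:", ip, "-", msg or "(no status message)")
        for cmd in entry.get("commands", []):
            print("  ", cmd)
```

Pipe real output into the same functions with `json.load(sys.stdin)` in place of the sample to audit an account; the commands are emitted as text so you can confirm the log group exists in the target region before enabling logging.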

Best Practices for Tunnel Stability

Linked Framework Sections

Section (number of linked policies in parentheses):

  • 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up (1)
  • 💼 Cloudaware Framework → 💼 System Configuration (34)
  • 💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) (5)
  • 💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) (26)
  • 💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) (6)
  • 💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) (16)
  • 💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations (12)
  • 💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process (6)
  • 💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed (6)
  • 💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed (6)
  • 💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site | Recovery Time and Recovery Point Objectives (5)
  • 💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution (66)
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection | Capacity, Bandwidth, and Redundancy (5)
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage (23)
  • 💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention | Failover Capability (5)