
πŸ›‘οΈ AWS VPC VPN Connection does not have both Tunnels up🟒

  • Contextual name: 🛡️ VPN Connection does not have both Tunnels up 🟢
  • ID: /ce/ca/aws/vpc/vpn-connection-tunnels-not-up
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

Ensure that both tunnels of an AWS Site-to-Site VPN Connection are active and in the UP state.

Rationale

AWS Site-to-Site VPN provides two redundant tunnels to connect your on-premises network with your VPC, ensuring high availability and resilience. If one tunnel becomes unavailable due to maintenance or failure, traffic is automatically redirected to the second tunnel.

However, if only one tunnel is active and it fails (e.g., due to internet connectivity issues, customer gateway device failure, or AWS maintenance), all network connectivity between your on-premises environment and the VPC will be lost. Such outages can cause significant disruptions to applications that depend on this connection.

Audit

This policy flags an AWS VPC VPN Connection as INCOMPLIANT if fewer than 2 of its related AWS VPC VPN Gateway Telemetry records (one per tunnel) have a Status of UP.

A VPN Connection is marked as INAPPLICABLE if its State is not available (for example pending, deleting or deleted), because tunnel status is only meaningful for an available connection.
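The audit logic above, applied to the output of describe-vpn-connections, as an added example (this is not Cloudaware's evaluator or AWS code). It consumes the JSON that `aws ec2 describe-vpn-connections` returns (the same shape as boto3's describe_vpn_connections) and classifies each connection: INAPPLICABLE when State is not "available", INCOMPLIANT when fewer than two VgwTelemetry entries report Status "UP", COMPLIANT otherwise. For INCOMPLIANT connections it also returns the outside IP of every tunnel that is not UP, which is the value the remediation below needs for --vpn-tunnel-outside-ip-address. The sample response, its connection IDs, IP addresses and timestamps are constructed for this example.

```python
"""Audit AWS Site-to-Site VPN connections for the "both tunnels UP" rule.

Added example, not Cloudaware's evaluator or AWS code. Input is the JSON
structure returned by `aws ec2 describe-vpn-connections`. The sample below
is constructed: the IDs, documentation-range IPs and timestamps are not real.
"""
import json
import sys

# Constructed sample in the shape of describe-vpn-connections output.
SAMPLE_RESPONSE = json.loads("""
{
  "VpnConnections": [
    {
      "VpnConnectionId": "vpn-0a1b2c3d4e5f60001",
      "State": "available",
      "VgwTelemetry": [
        {"OutsideIpAddress": "198.51.100.10", "Status": "UP",
         "StatusMessage": "", "LastStatusChange": "2024-05-01T08:00:00+00:00"},
        {"OutsideIpAddress": "198.51.100.11", "Status": "UP",
         "StatusMessage": "", "LastStatusChange": "2024-05-01T08:00:05+00:00"}
      ]
    },
    {
      "VpnConnectionId": "vpn-0a1b2c3d4e5f60002",
      "State": "available",
      "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
         "StatusMessage": "", "LastStatusChange": "2024-05-01T08:00:00+00:00"},
        {"OutsideIpAddress": "203.0.113.12", "Status": "DOWN",
         "StatusMessage": "IPSEC IS DOWN", "LastStatusChange": "2024-05-03T14:22:10+00:00"}
      ]
    },
    {
      "VpnConnectionId": "vpn-0a1b2c3d4e5f60003",
      "State": "pending",
      "VgwTelemetry": []
    }
  ]
}
""")

UP = "UP"
REQUIRED_UP_TUNNELS = 2


def evaluate_connection(conn):
    """Return (verdict, down_tunnel_ips) for one VpnConnections[] entry.

    down_tunnel_ips lists the AWS-side outside IP of every tunnel whose
    Status is not UP; that is the value --vpn-tunnel-outside-ip-address
    expects when enabling logging on the failing tunnel.
    """
    if conn.get("State") != "available":
        return "INAPPLICABLE", []
    telemetry = conn.get("VgwTelemetry", [])
    up = sum(1 for t in telemetry if t.get("Status") == UP)
    down = [t["OutsideIpAddress"] for t in telemetry if t.get("Status") != UP]
    # Fewer than two UP tunnels is INCOMPLIANT; this also covers a telemetry
    # list with fewer than two entries, where nothing is reported as DOWN.
    if up < REQUIRED_UP_TUNNELS:
        return "INCOMPLIANT", down
    return "COMPLIANT", []


def evaluate_response(response):
    """Map VpnConnectionId -> (verdict, down_tunnel_ips) for a whole response."""
    return {c["VpnConnectionId"]: evaluate_connection(c)
            for c in response.get("VpnConnections", [])}


def incompliant_ids(response):
    """Sorted list of connection IDs that fail the policy."""
    return sorted(cid for cid, (verdict, _) in evaluate_response(response).items()
                  if verdict == "INCOMPLIANT")


if __name__ == "__main__":
    # Use the constructed sample interactively; otherwise read real
    # describe-vpn-connections JSON piped in on stdin.
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for cid, (verdict, down) in evaluate_response(data).items():
        line = f"{cid}: {verdict}"
        if down:
            line += " (tunnels not UP: " + ", ".join(down) + ")"
        print(line)
```

Run it against a live account with `aws ec2 describe-vpn-connections --output json | python3 audit_vpn_tunnels.py` (file name assumed). A tunnel reported DOWN with an empty StatusMessage is often a customer gateway that only brings the tunnel up on demand; the LastStatusChange field in the same record tells you whether the tunnel flaps or has simply never come up.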

Remediation

From Command Line

To remediate a VPN connection with a down tunnel, first identify which tunnel is down and when it last changed state: the VgwTelemetry section of describe-vpn-connections lists each tunnel's outside IP address, Status, StatusMessage and LastStatusChange. The cause is usually on the on-premises customer gateway device rather than in AWS: IKE or IPsec parameters that do not match the configuration downloaded for the connection, a firewall or NAT device blocking the tunnel traffic, or a device that is configured to bring up only one of the two tunnels. If the tunnel is DOWN only while idle, configure the customer gateway to initiate and keep the tunnel up, or set the tunnel's StartupAction option to start so that AWS initiates it. Note that some customer gateway devices cannot hold both tunnels up at once; on such a device the second tunnel stays DOWN by design and the finding cannot be cleared without changing the device or its configuration.

Enabling AWS Site-to-Site VPN tunnel logs can be very helpful for troubleshooting and resolving VPN connectivity issues. Logs are published to Amazon CloudWatch Logs, where you can analyze tunnel negotiations, dropped packets, and configuration mismatches.

  1. Create a CloudWatch Log Group (if one does not already exist)

aws logs create-log-group \
  --log-group-name <log-group-name>

  2. Enable VPN Tunnel Logging for the affected tunnel. The value for --vpn-tunnel-outside-ip-address is the AWS-side outside IP of that tunnel as shown in VgwTelemetry, and the log group ARN must refer to a group that already exists in the same region.

aws ec2 modify-vpn-tunnel-options \
  --vpn-connection-id <vpn-connection-id> \
  --vpn-tunnel-outside-ip-address <tunnel-outside-ip> \
  --tunnel-options '{
    "LogOptions": {
      "CloudWatchLogOptions": {
        "LogEnabled": true,
        "LogGroupArn": "arn:aws:logs:<region>:<account-id>:log-group:<log-group-name>",
        "LogOutputFormat": "json"
      }
    }
  }'

  3. Tunnel options are set per tunnel, so repeat step 2 with the second tunnel's outside IP if you want logs from both tunnels while you compare their negotiations.

Best Practices for Tunnel Stability


policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up | | | 1 | | no data
💼 Cloudaware Framework → 💼 System Configuration | | | 38 | | no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H) | | | 7 | | no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | | | 28 | | no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | | | 8 | | no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H) | | | 18 | | no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | | | 14 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process | | | 8 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed | | | 8 | | no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | | | 8 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives | | | 7 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution | | | 68 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy | | | 7 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage | | | 25 | | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability | | | 7 | | no data