AWS Transit Gateway auto accept VPC attachment is enabled
Description
This policy verifies that Transit Gateways are configured not to automatically accept Virtual Private Cloud (VPC) attachment requests. A Transit Gateway connects multiple VPCs and on-premises networks through a single gateway. The issue arises when the gateway is set to automatically accept VPC attachment requests, because an unauthorized or unintended network could then attach itself to the gateway. A malicious entity or user would thereby gain access to every network connected to the gateway, leading to a potential breach of security and loss of sensitive data. Transit Gateways should therefore be configured so that VPC attachment requests are reviewed and accepted manually.
Code Example
```hcl
resource "aws_ec2_transit_gateway" "example" {
  description                    = "example"
  auto_accept_shared_attachments = "disable"
}
```
Remediation
Terraform
- Resource: aws_ec2_transit_gateway
- Arguments: auto_accept_shared_attachments
To fix the issue, disable automatic acceptance of VPC attachment requests in your Terraform code by setting the `auto_accept_shared_attachments` argument of the `aws_ec2_transit_gateway` resource to `"disable"`, as shown in the code example above.
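The rule is also evaluated against Terraform plan output (the TerraformPlan framework). The following is an added, stand-alone illustration of that check written for this page, not Checkov's own implementation: it walks the `planned_values` tree of a `terraform show -json` plan (including child modules) and flags every `aws_ec2_transit_gateway` whose `auto_accept_shared_attachments` is explicitly `"enable"`, treating an absent attribute as the provider default of `"disable"`. The plan document embedded below is constructed for the example.

```python
import json

# Constructed sample of `terraform show -json plan.out` output (not from the page),
# trimmed to the fields this check reads.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_ec2_transit_gateway.hub", "type": "aws_ec2_transit_gateway",
                 "name": "hub", "values": {"auto_accept_shared_attachments": "enable"}},
                {"address": "aws_ec2_transit_gateway.example", "type": "aws_ec2_transit_gateway",
                 "name": "example", "values": {"auto_accept_shared_attachments": "disable"}},
            ],
            "child_modules": [
                {"address": "module.net",
                 "resources": [
                     {"address": "module.net.aws_ec2_transit_gateway.tgw",
                      "type": "aws_ec2_transit_gateway", "name": "tgw",
                      # attribute omitted: provider default is "disable"
                      "values": {"description": "no attribute set"}}
                 ]}
            ],
        }
    },
})

def iter_resources(module):
    """Yield every resource in a plan module, recursing into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_transit_gateways(plan_json):
    """Return {address: "PASSED" | "FAILED"} for each aws_ec2_transit_gateway in the plan.
    A gateway fails only when auto_accept_shared_attachments is explicitly "enable";
    an absent attribute keeps the provider default ("disable") and passes."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    results = {}
    for res in iter_resources(root):
        if res.get("type") != "aws_ec2_transit_gateway":
            continue
        setting = res.get("values", {}).get("auto_accept_shared_attachments", "disable")
        results[res["address"]] = "FAILED" if setting == "enable" else "PASSED"
    return results

if __name__ == "__main__":
    for address, verdict in check_transit_gateways(SAMPLE_PLAN).items():
        print(f"{verdict}: {address}")
```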
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0378 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_331 |