Ensure Routing Tables for VPC Peering are "Least Access"
A rule to verify that the routing tables for VPC peering are set to "least access", promoting network security.
| Rule | Ensure routing tables for VPC peering are "least access" |
| Framework | cis_v150 |
| Severity | ✔ Medium |
Rule Description:
The rule "least access for routing tables in VPC peering" enforces the principle of granting only the minimum required access in regards to the routing tables used for VPC peering within a cloud environment. It ensures that routing tables are configured to only allow necessary network traffic between the peered VPCs and does not permit any unnecessary or unauthorized access to resources.
This rule is based on the CIS Amazon Web Services Foundations v1.5.0 benchmark.
Remediation:
To remediate this rule, the routing tables associated with VPC peering connections need to be modified to adhere to the "least access" principle. Follow the step-by-step guide below to ensure compliance:
Step 1: Identify VPC Peering Connections
Identify all existing VPC peering connections in your AWS account. Take note of the VPCs involved in each peering connection, as this information will be necessary for the following steps.
Step 2: Review Existing Routing Tables
Review the existing routing tables associated with each VPC involved in a peering connection. Identify which routing tables are used for VPC peering.
Step 3: Remove Unnecessary Routes
For each routing table used in a VPC peering connection, remove any unnecessary routes that allow access to resources not required for the specific peering connection. These routes should be identified and removed to adhere to the "least access" principle.
Step 4: Add Required Routes
Ensure that only the necessary routes to allow traffic between the peered VPCs are present in the routing tables. Add routes as needed to enable communication between the peered VPCs. Verify that no additional routes exist that would permit unauthorized access.
Step 5: Testing and Monitoring
After making the above changes, thoroughly test the connectivity between the peered VPCs to ensure that communication is still functional. Additionally, regularly monitor the routing tables to detect any unauthorized routes or changes that might occur.
Troubleshooting Steps (if applicable):
Here are some troubleshooting steps to consider if connectivity between peered VPCs is not functioning correctly:
- 1.Verify that the routing tables in each VPC correctly reflect the appropriate routes for peering.
- 2.Confirm that both VPC peering connections are in an active state.
- 3.Check if any network ACLs or security groups block the required traffic.
- 4.Review the flow logs to identify any potential network traffic issues.
- 5.Ensure that the VPCs have matching CIDR blocks for successful peering.
- 6.Double-check that the appropriate Internet Gateways or NAT Gateways are correctly configured if external internet access is necessary.
If the issue persists, consider reviewing AWS documentation or contacting AWS Support for further assistance.
Conclusion:
By adopting a "least access" approach for routing tables in VPC peering connections, you can enhance the security of your AWS environment while allowing only the necessary network traffic between the peered VPCs. Remember to regularly review and update the routing tables as needed to maintain the principle of least privilege access.