
VPC Peering Connections To Accounts Outside AWS Organization

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VPC-014

Ensure there are no VPC peering connections established with AWS accounts outside your AWS Organization in order to secure the peered VPC traffic to member AWS accounts only.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Configuring VPC peering so that traffic flows only between the member accounts of your AWS Organization is an effective way of keeping the organization's resources private and isolated and of meeting regulatory compliance requirements. A peering connection to an outside account extends your private address space into infrastructure you do not control. For example, if the cloud applications running in your AWS Organization handle protected health information, you may want to process and store that data using only compliant AWS resources limited to your organization.


Audit

To determine if there are VPC peering connections established with AWS accounts outside your AWS Organization, perform the following:

Using AWS Console

01 Sign in to your AWS Organizations management account (formerly called the master account) with an IAM identity that is allowed to list the organization's accounts (the organizations:ListAccounts permission). Do not use the root user for routine audits.

02 Navigate to AWS Organizations dashboard at https://console.aws.amazon.com/organizations/.

03 Select the Accounts tab to access the list of AWS accounts, members of the selected AWS Organization.

04 On the Accounts panel, identify the member account IDs (e.g. 123456789012), listed in the Account ID column.

05 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

06 In the left navigation panel, under Virtual Private Cloud section, click Peering Connections.

07 Select the active VPC peering connection that you want to examine. An active VPC peering connection has its status set to Active.

08 Select the Description tab from the dashboard bottom panel and note the account IDs set for the Requester VPC owner and Accepter VPC owner attributes. Compare both 12-digit IDs with the member account IDs listed at step no. 4 (one of them is normally the current account). If either the requester or the accepter owner ID does not match any member account ID, the selected VPC peering connection is linked to a VPC created within an AWS account outside your AWS Organization. Checking only the accepter is not enough: a peering request initiated by an outside account and accepted by one of your accounts carries the foreign ID on the requester side.

09 Repeat step no. 7 and 8 to verify other VPC peering connections provisioned in the current AWS region.

10 Change the AWS region from the navigation bar and repeat steps no. 7 – 9 for other regions.

11 Sign in to each member account of your AWS Organization and repeat steps no. 5 – 10.

Using AWS CLI

01 Run list-accounts command (OSX/Linux/UNIX) using custom query filters to list the IDs of all the accounts (management and member accounts) available in your AWS Organization. This command can be called only from your organization's management account:

aws organizations list-accounts \
	--query 'Accounts[*].Id'

02 The command output should return an array with the requested AWS account IDs:

[
    "123456789012",
    "123412341234",
    "111222333444"
]

03 Run describe-vpc-peering-connections command (OSX/Linux/UNIX) using built-in and custom query filters to list the IDs of all active VPC peering connections provisioned in the selected region:

aws ec2 describe-vpc-peering-connections \
	--region us-east-1 \
	--filters Name=status-code,Values=active \
	--query 'VpcPeeringConnections[*].VpcPeeringConnectionId'

04 The command output should return the VPC peering connections identifiers:

[
    "pcx-01234abcd1234abcd",
    "pcx-0abcd1234abcd1234"
]

05 Execute again describe-vpc-peering-connections command (OSX/Linux/UNIX) using the ID of the VPC peering connection that you want to examine as identifier and a custom query filter to list the AWS account IDs of the requester VPC owner and the accepter VPC owner for the selected connection:

aws ec2 describe-vpc-peering-connections \
	--region us-east-1 \
	--vpc-peering-connection-ids pcx-01234abcd1234abcd \
	--query 'VpcPeeringConnections[*].{RequesterId: RequesterVpcInfo.OwnerId, AccepterId: AccepterVpcInfo.OwnerId}'

06 The command output should return the requester and accepter account owner IDs:

[
    {
        "RequesterId": "123456789012",
        "AccepterId": "123123123123"
    }
]

Compare the RequesterId and AccepterId values with each 12-digit AWS account ID returned at step no. 2. If either the RequesterId or the AccepterId does not match any of the organization's account IDs, the selected VPC peering connection is linked to a Virtual Private Cloud (VPC) available within an AWS account outside your AWS Organization.

07 Repeat step no. 5 and 6 to verify other VPC peering connections created in the current AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 3 – 7 for other regions.

09 Sign in to each member account of your AWS Organization and repeat steps no. 3 – 8, reusing the list of account IDs obtained at step no. 2 (list-accounts cannot be run from a member account).

Remediation / Resolution

To remove any VPC peering connections established with AWS accounts outside your AWS Organization, perform the following:

Using AWS Console

01 Sign in to the AWS account, member of your AWS Organization, that holds the non-compliant VPC peering connection. Either the account of the requester VPC owner or the account of accepter VPC owner can delete the VPC peering connection.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, click Peering Connections.

04 Select the VPC peering connection that you want to remove (see Audit section part I to identify the right resource).

05 Click on the Actions dropdown button from the dashboard top menu and select Delete VPC peering connection to initiate the removal process.

06 Inside Delete VPC peering connection dialog box, review the connection details, check Delete related route table entries checkbox to remove the routes that point to the peering connection, then click Yes, Delete to delete the selected VPC peering connection. The status of the peering connection in both the requester and accepter AWS accounts should become Deleted, indicating that the selected connection has been terminated.

07 Repeat steps no. 4 – 6 to delete other non-compliant VPC peering connections available in the current AWS region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

09 If applicable, sign in to each member account of your AWS Organization and repeat the entire remediation/resolution process.

Using AWS CLI

01 Run delete-vpc-peering-connection command (OSX/Linux/UNIX) using the ID of the non-compliant VPC peering connection that you want to delete as identifier (see Audit section part II to identify the right VPC resource) to terminate the selected peering connection. The command must be run from the AWS account that owns either the requester VPC or the accepter VPC. Unlike the console dialog, the CLI does not remove the route table entries that point to the connection; delete them afterwards with delete-route so that no blackhole routes are left behind:

aws ec2 delete-vpc-peering-connection
	--region us-east-1
	--vpc-peering-connection-id pcx-01234abcd1234abcd

02 If successful, the command output should return true, as shown in the example below:

{
    "Return": true
}

03 Repeat step no. 1 and 2 to delete other non-compliant VPC peering connections available in the selected AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

05 Sign in to each member account of your AWS Organization and repeat the entire process.
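The Audit and Remediation CLI procedures above are manual and per region and per account. The script below is an added example (not Conformity's or AWS's own tooling) that automates both: it builds the set of organization account IDs, scans every enabled region of the current account for active peering connections whose requester or accepter owner is not in that set, prints them, and deletes them when --delete is given. It assumes boto3 and valid credentials for the account being audited; the function names, the Finding class, the --org-account-ids / --delete / --demo flags and the sample records are all mine, and the sample records are constructed data shaped like DescribeVpcPeeringConnections output. The organizations:ListAccounts call only succeeds from the management account, so when run in a member account the ID list obtained there is passed in with --org-account-ids.

```python
#!/usr/bin/env python3
"""Audit (and optionally delete) VPC peering connections whose requester or
accepter VPC belongs to an account outside the AWS Organization.

Added example, not Conformity's or AWS's code. The AWS calls need boto3 and
credentials for the account being audited; the classification logic is pure
Python so it can be exercised on the constructed sample data below.
"""
import argparse
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    region: str
    pcx_id: str
    requester_owner: str
    accepter_owner: str
    foreign_owner: str  # the 12-digit account ID that is not an org member


def find_foreign_peerings(region, connections, org_account_ids):
    """Classify DescribeVpcPeeringConnections records.

    A connection is non-compliant when it is active and EITHER side's OwnerId
    is missing from org_account_ids; checking only the accepter misses
    connections that an outside account initiated towards us.
    """
    findings = []
    for pcx in connections:
        if pcx.get("Status", {}).get("Code") != "active":
            continue  # pending/rejected/deleted connections carry no traffic
        req = pcx["RequesterVpcInfo"]["OwnerId"]
        acc = pcx["AccepterVpcInfo"]["OwnerId"]
        foreign = [owner for owner in (req, acc) if owner not in org_account_ids]
        if foreign:
            findings.append(Finding(region, pcx["VpcPeeringConnectionId"], req, acc, foreign[0]))
    return findings


def org_account_ids(session):
    """All account IDs in the organization (organizations:ListAccounts).

    Works only from the management account; from a member account pass the
    IDs with --org-account-ids instead.
    """
    org = session.client("organizations")
    ids = set()
    for page in org.get_paginator("list_accounts").paginate():
        ids.update(acct["Id"] for acct in page["Accounts"])
    return ids


def audit_account(session, org_ids, delete=False):
    """Scan every enabled region of the current account; delete findings if asked."""
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    all_findings = []
    for region in regions:
        ec2 = session.client("ec2", region_name=region)
        pages = ec2.get_paginator("describe_vpc_peering_connections").paginate(
            Filters=[{"Name": "status-code", "Values": ["active"]}])
        conns = [c for page in pages for c in page["VpcPeeringConnections"]]
        findings = find_foreign_peerings(region, conns, org_ids)
        for f in findings:
            print(f"{f.region} {f.pcx_id}: requester={f.requester_owner} "
                  f"accepter={f.accepter_owner} -> foreign account {f.foreign_owner}")
            if delete:
                # Either side may delete; routes pointing at the pcx are NOT removed here.
                ec2.delete_vpc_peering_connection(VpcPeeringConnectionId=f.pcx_id)
        all_findings.extend(findings)
    return all_findings


# Constructed sample (not real data) shaped like DescribeVpcPeeringConnections output.
SAMPLE_ORG_IDS = {"123456789012", "123412341234", "111222333444"}
SAMPLE_CONNECTIONS = [
    {"VpcPeeringConnectionId": "pcx-01234abcd1234abcd",   # accepter outside org -> finding
     "Status": {"Code": "active", "Message": "Active"},
     "RequesterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0a1"},
     "AccepterVpcInfo": {"OwnerId": "123123123123", "VpcId": "vpc-0b2"}},
    {"VpcPeeringConnectionId": "pcx-0abcd1234abcd1234",   # both sides members -> compliant
     "Status": {"Code": "active", "Message": "Active"},
     "RequesterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0a1"},
     "AccepterVpcInfo": {"OwnerId": "111222333444", "VpcId": "vpc-0c3"}},
    {"VpcPeeringConnectionId": "pcx-0ffff0000ffff0000",   # foreign REQUESTER -> finding
     "Status": {"Code": "active", "Message": "Active"},
     "RequesterVpcInfo": {"OwnerId": "999988887777", "VpcId": "vpc-0d4"},
     "AccepterVpcInfo": {"OwnerId": "123412341234", "VpcId": "vpc-0e5"}},
    {"VpcPeeringConnectionId": "pcx-0dead0000dead0000",   # foreign but deleted -> ignored
     "Status": {"Code": "deleted", "Message": "Deleted by 123456789012"},
     "RequesterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0a1"},
     "AccepterVpcInfo": {"OwnerId": "555566667777", "VpcId": "vpc-0f6"}},
]


def main():
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--org-account-ids", help="comma-separated org account IDs (member accounts)")
    parser.add_argument("--delete", action="store_true", help="delete non-compliant connections")
    parser.add_argument("--demo", action="store_true", help="classify the constructed sample only")
    args = parser.parse_args()
    if args.demo:
        for f in find_foreign_peerings("us-east-1", SAMPLE_CONNECTIONS, SAMPLE_ORG_IDS):
            print(f)
        return
    import boto3  # imported here so the classification logic has no AWS dependency
    session = boto3.Session()
    ids = set(args.org_account_ids.split(",")) if args.org_account_ids else org_account_ids(session)
    audit_account(session, ids, delete=args.delete)


if __name__ == "__main__":
    main()
```

Run it first without --delete from the management account, then in each member account with --org-account-ids set to the list printed by list-accounts; only the Organizations call is account-specific, everything else uses the credentials in use. Deleting through the API leaves the routes that pointed at the pcx in a blackhole state, so clean those up with delete-route after the connection is gone, as with the CLI steps above.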


Publication date Mar 4, 2019