Skip to main content

How to Find AWS VPCs with Overly Permissive Peering Routing Tables

Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites​

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions​

  1. Execute the following search command in Fix Inventory Shell:

    > search is(aws_vpc_peering_connection) {/vpc: <-- is(aws_vpc), /route_tables[]: <-- is(aws_vpc) --> is(aws_ec2_route_table)} | jq --no-rewrite 'if [.route_tables[]?.reported.route_table_routes[]? | select(.origin!="CreateRouteTable") | (.destination_cidr_block=="0.0.0.0/0") or (.destination_cidr_block==.reported.connection_accepter_vpc_info.cidr_block) or (.destination_cidr_block==.reported.connection_requester_vpc_info.cidr_block)] | any then [.vpc] else [] end' | flatten
    ​kind=aws_vpc, ..., region=fixinventory-poweruser
    ​kind=aws_vpc, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_vpc_peering_connection) {/vpc: <-- is(aws_vpc), /route_tables[]: <-- is(aws_vpc) --> is(aws_ec2_route_table)} | jq --no-rewrite 'if [.route_tables[]?.reported.route_table_routes[]? | select(.origin!="CreateRouteTable") | (.destination_cidr_block=="0.0.0.0/0") or (.destination_cidr_block==.reported.connection_accepter_vpc_info.cidr_block) or (.destination_cidr_block==.reported.connection_requester_vpc_info.cidr_block)] | any then [.vpc] else [] end' | flatten | dump
    ​reported:
    ​ id: /aws/ec2/123
    ​ name: some-name
    ​ ctime: '2022-12-05T22:53:14Z'
    ​ kind: aws_vpc
    ​ age: 2mo28d

    The command output will list the details of all non-compliant aws_vpc resources.

Remediation​

Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.

note

Please refer to the AWS EC2 documentation for details.

Further Reading​