How to Find AWS VPCs with Overly Permissive Peering Routing Tables
Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.
Prerequisites
This guide assumes that you have already installed and configured Resoto to collect your AWS resources.
Directions
Execute the following
searchcommand in Resoto Shell or Resoto UI:> search is(aws_vpc_peering_connection) {/vpc: <-- is(aws_vpc), /route_tables[]: <-- is(aws_vpc) --> is(aws_ec2_route_table)} | jq --no-rewrite 'if [.route_tables[]?.reported.route_table_routes[]? | select(.origin!="CreateRouteTable") | (.destination_cidr_block=="0.0.0.0/0") or (.destination_cidr_block==.reported.connection_accepter_vpc_info.cidr_block) or (.destination_cidr_block==.reported.connection_requester_vpc_info.cidr_block)] | any then [.vpc] else [] end' | flatten
kind=aws_vpc, ..., region=resoto-poweruser
kind=aws_vpc, ..., account=poweruser-teamPipe the
searchcommand into thedumpcommand:> search is(aws_vpc_peering_connection) {/vpc: <-- is(aws_vpc), /route_tables[]: <-- is(aws_vpc) --> is(aws_ec2_route_table)} | jq --no-rewrite 'if [.route_tables[]?.reported.route_table_routes[]? | select(.origin!="CreateRouteTable") | (.destination_cidr_block=="0.0.0.0/0") or (.destination_cidr_block==.reported.connection_accepter_vpc_info.cidr_block) or (.destination_cidr_block==.reported.connection_requester_vpc_info.cidr_block)] | any then [.vpc] else [] end' | flatten | dump
reported:
id: /aws/ec2/123
name: some-name
ctime: '2022-12-05T22:53:14Z'
kind: aws_vpc
age: 2mo28dThe command output will list the details of all non-compliant
aws_vpcresources.
Remediation
Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.
Please refer to the AWS EC2 documentation for details.
