AWS VPC Allows Unauthorized Peering

This policy identifies VPC peering connections that are considered unauthorized. The recommended best practice is to disallow VPC peering between two VPCs that belong to different AWS accounts, because such a connection can expose private resources to principals outside the account.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

AWS VPC allows unauthorized peering.
JSON Query:
$.resource[*].aws_vpc_peering_connection[*].*[*].peer_vpc_id does not equal $.resource[*].aws_vpc_peering_connection[*].*[*].vpc_id
Recommendation:
Ensure that the AWS VPC doesn't allow unauthorized peering. The build rule reports an aws_vpc_peering_connection resource whose "peer_vpc_id" differs from its "vpc_id", so the template passes only when the two values are equal. Note that a VPC cannot be peered with itself, so in practice this query reports every peering connection between two distinct VPCs; check each finding against the policy's intent (peering that crosses an AWS account boundary, visible in "peer_owner_id") before deciding whether to remove it.
For example:
"aws_vpc_peering_connection": [
  {
    "<vpc_peering_connection_name>": [
      {
        "peer_owner_id": "${var.peer_owner_id}",
        "peer_vpc_id": "${aws_vpc.foo.id}",
        "vpc_id": "${aws_vpc.foo.id}"
      }
    ]
  }
]
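
To show what the query above actually selects, here is an added example (not Prisma Cloud's code) that walks a template in the list-wrapped JSON shape used on this page and applies two checks: the page's rule (peer_vpc_id differs from vpc_id) and the policy's stated intent (the peer VPC belongs to another AWS account, taken from peer_owner_id). The template, the account IDs and the helper names (SAMPLE_TEMPLATE, evaluate and the rest) are constructed for this example.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Constructed sample template in the list-wrapped shape the build rule queries:
#   resource -> [ { <type>: [ { <name>: [ { <attributes> } ] } ] } ]
# Account IDs and VPC IDs are made up for the example.
SAMPLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "aws_vpc_peering_connection": [
        {
          "same_vpc": [
            {
              "peer_owner_id": "${var.peer_owner_id}",
              "peer_vpc_id": "${aws_vpc.foo.id}",
              "vpc_id": "${aws_vpc.foo.id}"
            }
          ]
        },
        {
          "cross_account": [
            {
              "peer_owner_id": "210987654321",
              "peer_vpc_id": "vpc-0bbb22223333cccc4",
              "vpc_id": "${aws_vpc.foo.id}"
            }
          ]
        },
        {
          "same_account": [
            {
              "peer_vpc_id": "${aws_vpc.bar.id}",
              "vpc_id": "${aws_vpc.foo.id}"
            }
          ]
        }
      ]
    },
    {
      "aws_vpc": [
        { "foo": [ { "cidr_block": "10.0.0.0/16" } ] },
        { "bar": [ { "cidr_block": "10.1.0.0/16" } ] }
      ]
    }
  ]
}
""")


def iter_peering_connections(template: Dict) -> Iterator[Tuple[str, Dict]]:
    """Yield (resource name, attributes) for every aws_vpc_peering_connection,
    following the path $.resource[*].aws_vpc_peering_connection[*].*[*]."""
    for resource_group in template.get("resource", []):
        for named in resource_group.get("aws_vpc_peering_connection", []):
            for name, instances in named.items():
                for attrs in instances:
                    yield name, attrs


def violates_page_rule(attrs: Dict) -> bool:
    """The rule exactly as the page states it: peer_vpc_id does not equal vpc_id."""
    return attrs.get("peer_vpc_id") != attrs.get("vpc_id")


def is_unresolved(value: str) -> bool:
    """True for a Terraform interpolation such as ${var.peer_owner_id}, whose
    value is not known until plan time."""
    return value.startswith("${")


def is_cross_account(attrs: Dict, own_account_id: str) -> bool:
    """The policy's stated intent: the peer VPC belongs to a different account.
    peer_owner_id defaults to the caller's own account when omitted; a value
    that is still an unresolved variable is flagged because it cannot be shown
    to be the same account."""
    owner = attrs.get("peer_owner_id", own_account_id)
    return is_unresolved(owner) or owner != own_account_id


def evaluate(template: Dict, own_account_id: str) -> Dict[str, List[str]]:
    """Return the resource names reported by each check."""
    findings: Dict[str, List[str]] = {"page_rule": [], "cross_account": []}
    for name, attrs in iter_peering_connections(template):
        if violates_page_rule(attrs):
            findings["page_rule"].append(name)
        if is_cross_account(attrs, own_account_id):
            findings["cross_account"].append(name)
    return findings


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_TEMPLATE, "123456789012"), indent=2))
```

Run against the constructed template with the deploying account set to 123456789012, the page's rule reports cross_account and same_account (both peer a different VPC), while the cross-account check reports cross_account and same_vpc (the latter only because its peer_owner_id is an unresolved variable). The two sets differ, which is why each build finding is worth a look at peer_owner_id before the resource is removed.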

Run Rule Recommendation

  1. Sign in to the AWS Console and open the Amazon VPC console.
  2. In the left navigation panel, select Peering Connections.
  3. Select the reported peering connection.
  4. Click Actions and select 'Delete VPC Peering Connection'.
  5. Click Yes, Delete.
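
The console steps above can also be driven from the API. The following added example (not part of this page or of Prisma Cloud) evaluates a describe_vpc_peering_connections response with the policy's own criterion, that one side of the connection is owned by a different AWS account, skips connections that are already inactive, and hands the rest to the delete call. The response, the account IDs and the helper names are constructed for the example.

```python
from typing import Dict, Iterable, List

# Peering connections in these states are already gone (or going) and cannot
# be deleted again, so the run-time check skips them.
INACTIVE_STATUSES = {"deleted", "deleting", "rejected", "failed", "expired"}

# Constructed sample in the shape of ec2.describe_vpc_peering_connections();
# every ID below is made up for the example.
SAMPLE_RESPONSE: Dict = {
    "VpcPeeringConnections": [
        {   # both sides in our account: allowed
            "VpcPeeringConnectionId": "pcx-0aaaa1111bbbb2222",
            "Status": {"Code": "active"},
            "RequesterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0aaa11112222bbbb3"},
            "AccepterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0ccc33334444dddd5"},
        },
        {   # accepter belongs to another account: reported
            "VpcPeeringConnectionId": "pcx-0cccc3333dddd4444",
            "Status": {"Code": "active"},
            "RequesterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0aaa11112222bbbb3"},
            "AccepterVpcInfo": {"OwnerId": "210987654321", "VpcId": "vpc-0eee55556666ffff7"},
        },
        {   # cross-account but already deleted: nothing left to do
            "VpcPeeringConnectionId": "pcx-0eeee5555ffff6666",
            "Status": {"Code": "deleted"},
            "RequesterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0aaa11112222bbbb3"},
            "AccepterVpcInfo": {"OwnerId": "210987654321", "VpcId": "vpc-0111aaaa2222bbbb8"},
        },
        {   # request from a partner account, still pending our acceptance
            "VpcPeeringConnectionId": "pcx-07777aaaa8888bbbb",
            "Status": {"Code": "pending-acceptance"},
            "RequesterVpcInfo": {"OwnerId": "333344445555", "VpcId": "vpc-0999cccc0000dddd9"},
            "AccepterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0ccc33334444dddd5"},
        },
    ]
}


def unauthorized_peering_ids(response: Dict, own_account_id: str,
                             approved_peer_accounts: Iterable[str] = ()) -> List[str]:
    """Return the IDs of live peering connections where either VPC is owned by
    an account that is neither ours nor explicitly approved."""
    allowed = {own_account_id, *approved_peer_accounts}
    flagged: List[str] = []
    for pcx in response.get("VpcPeeringConnections", []):
        if pcx.get("Status", {}).get("Code") in INACTIVE_STATUSES:
            continue
        owners = {pcx["RequesterVpcInfo"]["OwnerId"], pcx["AccepterVpcInfo"]["OwnerId"]}
        if not owners <= allowed:
            flagged.append(pcx["VpcPeeringConnectionId"])
    return flagged


def delete_peering_connections(ec2, ids: Iterable[str]) -> List[str]:
    """Delete each connection in ids through ec2.delete_vpc_peering_connection
    (the boto3 EC2 client method, which answers {"Return": True} on success)
    and return the IDs that were deleted. Any object exposing that method can
    be passed, which is how the example runs without AWS credentials."""
    deleted: List[str] = []
    for pcx_id in ids:
        result = ec2.delete_vpc_peering_connection(VpcPeeringConnectionId=pcx_id)
        if result.get("Return"):
            deleted.append(pcx_id)
    return deleted


if __name__ == "__main__":
    for pcx_id in unauthorized_peering_ids(SAMPLE_RESPONSE, "123456789012"):
        print("unauthorized peering:", pcx_id)
```

Against a real account, take the response from boto3.client("ec2").describe_vpc_peering_connections() (paginate for large fleets) and pass that client as ec2. The API is regional, so repeat the check in every Region the account uses. Review the flagged IDs before deleting: a partner account that is meant to peer belongs in approved_peer_accounts, not in the delete list.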

Compliance

There are 2 standards that are applicable to this policy:
  • PIPEDA
  • CCPA 2018
