Logo of Trend Micro

AWS VPC Peering Connections Route Tables Access

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: VPC-012

Review the routing tables of your peered AWS Virtual Private Networks (VPCs) to determine if the existing peering connection configuration is compliant with the desired routing policy. For example, a compliant routing policy could be one that limits routing to a specific subnets or EC2 instances instead of allowing routing between the entire CIDR block of each VPC available within the peering connection.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Having the VPC peering connection routing tables well configured to allow traffic only between the desired resources represents an effective way of minimizing the impact of security breaches as AWS resources outside of these routes become inaccessible to the peered VPC.

Note: As example, this conformity rule uses a routing policy that limits peering traffic between two specific instances available within the peered VPCs as the desired (compliant) routing policy.

Audit

To determine if the routing tables associated with your peered VPCs implement the right (compliant) routing policy, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, click Peering Connections.

04 Select the VPC peering connection that you want to examine.

05 Select Route Tables tab from the dashboard bottom panel to access the route tables associated with the VPC peering connection.

06 Choose the VPC route table that you want to examine then click on its ID (link) to open its configuration page.

07 On the selected route table configuration page, select Routes tab from the dashboard bottom panel then verify the value available in the Destination column for the route with the Target set to peering connection ID, e.g.

Routes

If the Destination value is set to the entire IPv4 CIDR block of the peer VPC, e.g. 172.31.0.0/16 or to a specific range, e.g. 172.31.0.0/28, the selected VPC route table policy does not comply with the desired routing policy.

08 Repeat step no. 6 and 7 to verify the routing policy for the second route table associated with the peering connection. If the existing route tables do not comply with the desired routing policy (i.e. one that limits peering traffic to a specific instance such as 172.31.14.203/32), the routing configuration for the selected Amazon VPC peering connection is overly-permissive and should be reconfigured.

09 Repeat steps no. 4 - 8 to verify other VPC peering connections provisioned in the current AWS region.

10 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run describe-vpc-peering-connections command (OSX/Linux/UNIX) using build-in and custom query filters to list the IDs of all active VPC peering connections provisioned in the selected region: 

aws ec2 describe-vpc-peering-connections
	--region us-east-1
	--filters Name=status-code,Values=active
	--query 'VpcPeeringConnections[*].VpcPeeringConnectionId'

02 The command output should return the requested IDs: 

[
    "pcx-00197469",
    "pcx-00195934"
]

03 Run describe-route-tables command (OSX/Linux/UNIX) using the ID of your VPC peering connection returned at the previous step as build-in filter parameter and custom query filters to list the IDs of all route tables associated with the selected VPC peering connection: 

aws ec2 describe-route-tables
	--region us-east-1
	--filter "Name=route.vpc-peering-connection-id,Values=pcx-00197469"
	--query "RouteTables[*].RouteTableId"

04 The command output should return the requested IDs: 

[
    "rtb-6d17e315",
    "rtb-b21eeaca"
]

05 Run again describe-route-tables command (OSX/Linux/UNIX) using the IDs of the route tables returned at the previous step as identifiers and custom query filters to list the defined routes for the selected VPC route tables: 

aws ec2 describe-route-tables
	--region us-east-1
	--route-table-ids rtb-6d17e315 rtb-b21eeaca
	--query "RouteTables[*].{RouteTableId:RouteTableId, Routes:Routes}"

06 The command output should return the existing routes for the selected route tables: 

[
    {
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.16.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            },
            {
                "Origin": "CreateRoute",
                "DestinationCidrBlock": "172.31.0.0/16",
                "State": "active",
                "VpcPeeringConnectionId": "pcx-00197469"
            }
        ],
        "RouteTableId": "rtb-6d17e315"
    },
    {
        "Routes": [
            {
                "Origin": "CreateRoute",
                "DestinationCidrBlock": "172.16.0.0/16",
                "State": "active",
                "VpcPeeringConnectionId": "pcx-00197469"
            },
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.31.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            }
        ],
        "RouteTableId": "rtb-b21eeaca"
    }
]

Identify the route objects (routes) with the VpcPeeringConnectionId attribute set to the selected VPC peering connection ID (i.e. pcx-00197469), then verify the value (e.g. 172.16.0.0/16) of the DestinationCidrBlock attribute defined for each selected route (highlighted). If the DestinationCidrBlock values are set to the entire IPv4 CIDR blocks of the peer VPC, e.g. 172.31.0.0/16 or to a specific range, e.g. 172.31.0.0/28, the routing policy applied to the selected VPC route tables does not comply with the desired routing policy (i.e. one that limits peering traffic to a specific instance), therefore the routing configuration for the selected AWS VPC peering connection is overly-permissive and should be reconfigured.

07 Repeat steps no. 3 - 4 to verify the routing policy for other VPC peering connections available in the current AWS region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the process for other regions.

Remediation / Resolution

To implement the compliant routing policy for the selected AWS VPC peering connection, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, click Peering Connections.

04 Select the VPC peering connection that you want to reconfigured (see Audit section part I to identify the right VPC resource).

05 Select Route Tables tab from the dashboard bottom panel to access the route tables associated with the VPC peering connection.

06 Choose the VPC route table that you want to examine then click on its ID (link) to open its configuration page.

07 On the selected route table configuration page, select Routes tab from the dashboard bottom panel then click Edit to reconfigure the required route entry.

08 Replace the IPv4 CIDR block of the peer VPC, e.g. 172.31.0.0/16, with the private IP address of the EC2 instance that you want to limit peer traffic to, provisioned within the accepter VPC, e.g. 172.31.14.203/32, then click Save to save the changes and apply the desired routing policy for the selected route table.

09 Repeat steps no. 6 – 8 to reconfigure the second route table associated with the selected VPC peering connection and limit peer traffic to a specific instance, e.g. 172.16.28.109/32, available in the requester VPC. Once these steps are finished, the compliant routing policy implementation is complete.

10 Repeat steps no. 4 - 9 to reconfigure the routing policy for other VPC peering connections provisioned in the current AWS region.

11 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Replace the existing non-compliant routes from the route tables associated with the selected VPC peering connection by performing the following commands:

  1. Replace the non-compliant route within the first route table, i.e. rtb-6d17e315 (see Audit section part I to identify the right resource ID):
    • Run delete-route command (OSX/Linux/UNIX) to remove the unwanted route entry, identified by the --destination-cidr-block parameter, from the selected VPC route table (the command does not produce an output): 
      aws ec2 delete-route
	--region us-east-1
	--route-table-id rtb-6d17e315
	--destination-cidr-block 172.31.0.0/16
    • Run create-route command (OSX/Linux/UNIX) to create the compliant route entry that will replace the one removed at the previous step: 
      aws ec2 create-route
	--region us-east-1
	--route-table-id rtb-6d17e315
	--destination-cidr-block 172.31.14.203/32
	--vpc-peering-connection-id pcx-00197469
    • The command output should return "true" if the request was successful, otherwise, an error: 
      {
    "Return": true
}
  2. Replace the non-compliant route within the second route table, i.e. rtb-b21eeaca (see Audit section part I to identify the right resource ID):
    • Run delete-route command (OSX/Linux/UNIX) to remove the unwanted route entry, identified by the --destination-cidr-block parameter, from the selected VPC route table (the command does not return an output): 
      aws ec2 delete-route
	--region us-east-1
	--route-table-id rtb-b21eeaca
	--destination-cidr-block 172.16.0.0/16
    • Run create-route command (OSX/Linux/UNIX) to create the compliant route entry that will replace the one removed at the previous step: 
      aws ec2 create-route
	--region us-east-1
	--route-table-id rtb-b21eeaca
	--destination-cidr-block 172.16.28.109/32
	--vpc-peering-connection-id pcx-00197469
    • The command output should return "true" if the request was successful, otherwise, an error: 
      {
    "Return": true
}

02 Repeat step no. 1 to reconfigure the routing policy for other VPC peering connections available in the current AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the remediation/resolution process for other regions.

References

Publication date May 7, 2017

Related VPC rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

AWS VPC Peering Connections Route Tables Access

Risk level: Medium