5.4 Ensure routing tables for VPC peering are 'least access' - least access

Information

Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.

Rationale:

Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.
From Command Line:

For each <route_table_id> containing routes non compliant with your routing policy (which grants more than desired 'least access'), delete the non compliant route:

aws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR>



Create a new compliant route:

aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id>

See Also

https://workbench.cisecurity.org/files/3416

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|MP-2, CSCv6|14.6, CSCv7|14.6

Plugin: amazon_aws

Control ID: 748b318ed1bb2bb7f9c975891002538cc699f6a5dc80423de7938b4e15ab0d23