Amazon EC2
      Back to home
      1. CNS Policies
      2. AWS Knowledge Base
      3. Amazon EC2

      Cross Organization VPC Peering Connections

      This plugin ensures that VPC peering communication is only between AWS accounts of the same AWS Organization

      Risk Level: Medium

      Description

      This plugin ensures that VPC peering communication is only between AWS accounts of the same AWS Organization. VPC peering communication established between unknown AWS accounts can create a pathway for anonymous attackers to access isolated resources in the VPC.

      About the Service

      Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With the EC2 instance, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the hardware needs of the process. Security Groups act as a firewall for an EC2 instance to control the incoming and outgoing traffic. You can read more about security groups here.

      Impact

      An attacker might have sent the peer connection request to gain access to services residing in the VPC. Various services reside in a Virtual Private Cloud (VPC). Exposing VPC to untrusted accounts can allow unsigned requests to be made to the network interface. This can be a security threat to the services in the VPC as the attacker can exploit the vulnerability of any service inside the VPC. This type of attack is known as peer phishing. 

      Steps to Reproduce

      Using AWS Console-

      1. Log In to your AWS Console.
      2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
      3. Move to the Peering Connections in the Virtual Private Cloud section from the left navigation pane.
      4. You will find a list of peering connections available. Check both the accepter and requester owner ID column. If any of the IDs is beyond your organization, the vulnerability exists. 
      5. Repeat steps for all the VPC Peering Connections you want to investigate.

      Steps for Remediation

      Delete the VPC peering connections from untrusted AWS accounts:

      1. Log In to your AWS Console.
      2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in. 
      3. Move to the Peering Connections in the Virtual Private Cloud section from the left navigation pane.
      4. You will find a list of peering connections available. Select the vulnerable connection by clicking on the radio button next to it.
      5. From the Actions menu, click on Delete peering connection.
      6. Repeat steps for all the vulnerable VPC Peering Connections.