Security Flaw in AWS Transit Gateway Peering Attachments
Published Thu, Sep 12th, 2024
Platforms
Summary
A security flaw in AWS Transit Gateway Peering attachments allowed unauthorized acceptance of peering requests between regions. The exploit bypassed the approval step, potentially granting unauthorized access to the peered networks. AWS patched the issue on August 7, 2024, after being notified on July 25, 2024.
Affected Services
Transit Gateway
Remediation
Implement SCPs to block the AcceptTransitGatewayPeeringAttachment API call for untrusted accounts, or use policies conditioned on the organization ID to cover the entire organization.
Monitor CloudTrail logs for unauthorized AcceptTransitGatewayPeeringAttachment API calls from external accounts. Implement alerts for unexpected state changes in Transit Gateway peering attachments.
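The following is an added example illustrating both remediation items above (the SCP and the CloudTrail monitoring); it is not code from the advisory or from AWS. The account IDs, role name, attachment ID and sample CloudTrail records are constructed, and the SCP restricts acceptance to a named role by matching the standard `aws:PrincipalArn` condition key with `ArnNotLike`. The action name `ec2:AcceptTransitGatewayPeeringAttachment`, the CloudTrail fields (`eventSource`, `eventName`, `userIdentity.accountId`, `errorCode`) and the condition elements are standard AWS identifiers; the evaluator only models the single Deny statement it builds, not full IAM semantics.

```python
"""Constructed example: an SCP that restricts who may accept Transit Gateway
peering attachments, plus a CloudTrail filter that flags Accept calls made by
accounts outside an allowlist. All IDs and sample events are made up."""
import fnmatch
import json

# Constructed: the only principal that should accept TGW peering attachments.
TRUSTED_ACCEPTER_ARNS = ["arn:aws:iam::111111111111:role/NetworkAdmin"]
# Constructed: accounts whose CloudTrail Accept events are considered expected.
TRUSTED_ACCOUNT_IDS = {"111111111111", "222222222222"}


def build_scp(trusted_arns):
    """Return an SCP document denying AcceptTransitGatewayPeeringAttachment for
    every principal whose ARN does not match one of trusted_arns.
    Note: SCPs only govern principals inside the organization they are attached
    to; they cannot constrain a caller in an unrelated AWS account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUntrustedTgwPeeringAccept",
                "Effect": "Deny",
                "Action": "ec2:AcceptTransitGatewayPeeringAttachment",
                "Resource": "*",
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": trusted_arns}},
            }
        ],
    }


def scp_denies(policy, principal_arn):
    """Minimal evaluator for the Deny statement produced by build_scp.
    ArnNotLike is satisfied (and the Deny applies) when the principal ARN
    matches none of the listed patterns; '*' and '?' act as IAM wildcards."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
        if not any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):
            return True
    return False


def flag_suspicious_accepts(records, trusted_accounts):
    """Return successful AcceptTransitGatewayPeeringAttachment events whose
    calling account is not in trusted_accounts. Failed calls (errorCode set)
    are skipped here; they did not change attachment state."""
    flagged = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "AcceptTransitGatewayPeeringAttachment":
            continue
        if rec.get("errorCode"):
            continue
        caller = rec.get("userIdentity", {}).get("accountId")
        if caller not in trusted_accounts:
            flagged.append(rec)
    return flagged


# Constructed sample CloudTrail records (trimmed to the fields used above).
SAMPLE_EVENTS = [
    {   # expected: trusted network account accepts an attachment
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AcceptTransitGatewayPeeringAttachment",
        "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
        "requestParameters": {"transitGatewayAttachmentId": "tgw-attach-0123456789abcdef0"},
    },
    {   # suspicious: an account outside the allowlist accepted an attachment
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AcceptTransitGatewayPeeringAttachment",
        "awsRegion": "eu-west-1", "recipientAccountId": "999999999999",
        "userIdentity": {"type": "IAMUser", "accountId": "999999999999"},
        "requestParameters": {"transitGatewayAttachmentId": "tgw-attach-0123456789abcdef0"},
    },
    {   # unrelated event name: ignored by the filter
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateTransitGatewayPeeringAttachment",
        "userIdentity": {"type": "IAMUser", "accountId": "999999999999"},
    },
    {   # a denied Accept attempt: skipped because errorCode is set
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AcceptTransitGatewayPeeringAttachment",
        "errorCode": "Client.UnauthorizedOperation",
        "userIdentity": {"type": "IAMUser", "accountId": "999999999999"},
    },
]

if __name__ == "__main__":
    print(json.dumps(build_scp(TRUSTED_ACCEPTER_ARNS), indent=2))
    for rec in flag_suspicious_accepts(SAMPLE_EVENTS, TRUSTED_ACCOUNT_IDS):
        print("ALERT: Accept from untrusted account",
              rec["userIdentity"]["accountId"], "in", rec.get("awsRegion"))
```

The SCP document printed by `build_scp` is the content you would attach through AWS Organizations; the CloudTrail filter is meant to run over an organization trail so that Accept calls from every member account are visible in one place. Denied attempts are filtered out here to keep the alert focused on state changes, but counting them separately is a cheap way to spot probing.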