Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dangerous default: auto_accept_shared_attachments #28

Open
nate-selzer opened this issue Aug 1, 2022 · 0 comments
Open

Dangerous default: auto_accept_shared_attachments #28

nate-selzer opened this issue Aug 1, 2022 · 0 comments
Labels
bug 🐛 An issue with the system

Comments

@nate-selzer
Copy link

nate-selzer commented Aug 1, 2022
edited
Loading

Found a bug? Maybe our Slack Community can help.

Slack Community

Describe the Bug

By default, this module deploys a transit gateway that automatically accepts any vpc attachment requests. I believe this default is dangerous, because if an attacker knows your account ID and tgw id, they can send an attachment request and have access to your network.

Expected Behavior

I think this model should instead use the aws_ec2_transit_gateway_vpc_attachment_accepter terraform resource to accept the attachment request, and have the default be to disable automatic attachments.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Deploy a transit gateway.
  2. From a theoretical attackers account, initiate a peering request
  3. The peering request is automatically accepted

Screenshots

N/A

Environment (please complete the following information):

N/A

Additional Context

N/A
@nate-selzer nate-selzer added the bug 🐛 An issue with the system label Aug 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug 🐛 An issue with the system
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nate-selzer