Overview
Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.
Rationale
Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.
Remediation guidance
Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable.
From Command Line
- For each <route_table_id> containing routes non compliant with your routing policy (which grants more than desired "least access"), delete the non compliant route:
aws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR>```
2. Create a new compliant route:
```bash
aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id>```
**References**
1. https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html
2. https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html
## Multiple Remediation Paths
### AWS
**SERVICE-WIDE (RECOMMENDED when many resources are affected):**
Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
~~~bash
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
~~~
**ASSET-LEVEL:**
Apply the resource-specific remediation steps above to only the affected assets.
**PREVENTIVE:**
Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
### References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
## Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
### 1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
~~~bash
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
~~~
### 2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
### 3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
No stored query bodies are attached to this entry.
