
Ensure Transit Gateways Have Auto Accept Shared Attachments Disabled

Overview

This check verifies that your AWS Transit Gateways do not automatically accept VPC attachment requests from other AWS accounts. A Transit Gateway can be shared with other accounts, or with an entire organization, through AWS Resource Access Manager (RAM). When auto accept shared attachments is enabled, any attachment request created by an account the gateway has been shared with is accepted immediately, with no approval step on your side.

Risk

Auto-accepting VPC attachments connects VPCs nobody has reviewed to your network. If the gateway is shared broadly (for example with a whole organization via RAM), a misconfigured or compromised member account can attach a VPC without anyone noticing. This creates several security concerns:

  • Unauthorized access: Untrusted accounts gain network connectivity to resources reachable through the Transit Gateway
  • Data exposure: Sensitive data could become reachable from, and visible to, unintended parties
  • Route manipulation: With default route table propagation enabled, the attached VPC's CIDRs are propagated into the Transit Gateway route table as soon as the attachment is accepted, so the attaching party influences routing without any review
  • Lateral movement: Attackers could use the connection to move between environments that were meant to be isolated

Remediation Steps

Prerequisites

You need permission to modify Transit Gateways in your AWS account. This typically requires the ec2:ModifyTransitGateway permission, plus ec2:DescribeTransitGateways to list the gateways you are checking.

AWS Console Method

  1. Open the Amazon VPC Console
  2. In the left navigation, click Transit gateways
  3. Select the Transit Gateway you want to modify
  4. Click Actions, then Modify transit gateway
  5. Under Cross-account sharing options, uncheck Auto accept shared attachments
  6. Click Modify transit gateway to save your changes

Repeat these steps for each Transit Gateway in your account. Transit Gateways are regional, so switch the console region and repeat the check in every region you use.

AWS CLI

First, list all Transit Gateways to find those with auto-accept enabled:

aws ec2 describe-transit-gateways \
--region us-east-1 \
--query 'TransitGateways[?Options.AutoAcceptSharedAttachments==`enable`].[TransitGatewayId,Options.AutoAcceptSharedAttachments]' \
--output table

To disable auto-accept on a specific Transit Gateway:

aws ec2 modify-transit-gateway \
--region us-east-1 \
--transit-gateway-id tgw-0123456789abcdef0 \
--options AutoAcceptSharedAttachments=disable

Replace tgw-0123456789abcdef0 with your actual Transit Gateway ID.

To disable auto-accept on all Transit Gateways in your account:

for tgw_id in $(aws ec2 describe-transit-gateways \
--region us-east-1 \
--query 'TransitGateways[?Options.AutoAcceptSharedAttachments==`enable`].TransitGatewayId' \
--output text); do
echo "Disabling auto-accept on $tgw_id"
aws ec2 modify-transit-gateway \
--region us-east-1 \
--transit-gateway-id "$tgw_id" \
--options AutoAcceptSharedAttachments=disable
done

CloudFormation

When creating a new Transit Gateway, set AutoAcceptSharedAttachments to disable:

AWSTemplateFormatVersion: '2010-09-09'
Description: Transit Gateway with auto accept shared attachments disabled

Parameters:
  TransitGatewayName:
    Type: String
    Default: example-transit-gateway
    Description: Name for the Transit Gateway

Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      Description: !Sub '${TransitGatewayName} - Transit Gateway'
      AutoAcceptSharedAttachments: disable
      DefaultRouteTableAssociation: enable
      DefaultRouteTablePropagation: enable
      DnsSupport: enable
      VpnEcmpSupport: enable
      Tags:
        - Key: Name
          Value: !Ref TransitGatewayName

Outputs:
  TransitGatewayId:
    Description: Transit Gateway ID
    Value: !Ref TransitGateway
    Export:
      Name: !Sub '${AWS::StackName}-TransitGatewayId'

Note: For a Transit Gateway that is already managed by a CloudFormation stack, set AutoAcceptSharedAttachments to disable in the template and update the stack; the property is updatable in place and does not replace the gateway. For a Transit Gateway created outside CloudFormation, use the CLI or console steps above instead.

Terraform

When creating a new Transit Gateway, set auto_accept_shared_attachments to "disable":

resource "aws_ec2_transit_gateway" "example" {
  description                     = "Example Transit Gateway"
  auto_accept_shared_attachments  = "disable"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"
  dns_support                     = "enable"
  vpn_ecmp_support                = "enable"

  tags = {
    Name = "example-transit-gateway"
  }
}

For existing Transit Gateways managed by Terraform, set auto_accept_shared_attachments to "disable", confirm with terraform plan that the change is an in-place update rather than a replacement, and run terraform apply.

Verification

After making changes, verify that auto-accept is disabled:

  1. In the VPC Console, go to Transit gateways
  2. Select your Transit Gateway
  3. Check the Details tab - Auto accept shared attachments should show Disabled

CLI Verification

aws ec2 describe-transit-gateways \
--region us-east-1 \
--transit-gateway-ids tgw-0123456789abcdef0 \
--query 'TransitGateways[0].Options.AutoAcceptSharedAttachments' \
--output text

This should return disable.

To verify all Transit Gateways have auto-accept disabled:

aws ec2 describe-transit-gateways \
--region us-east-1 \
--query 'TransitGateways[?Options.AutoAcceptSharedAttachments==`enable`].TransitGatewayId' \
--output text

An empty result means all Transit Gateways are compliant.

Notes

  • Changes apply to new attachments only: Modifying this setting does not affect existing VPC attachments. Existing connections remain active.
  • Pending attachments: After disabling auto-accept, new attachment requests from shared accounts enter the pendingAcceptance state and must be accepted (aws ec2 accept-transit-gateway-vpc-attachment) or rejected (aws ec2 reject-transit-gateway-vpc-attachment) by the gateway owner. Review the requesting account (VpcOwnerId) before accepting.
  • Multi-region consideration: Transit Gateways are regional resources. You must check and remediate Transit Gateways in each AWS region where they exist.
  • Impact assessment: Before disabling, review any automation or workflows that may depend on automatic attachment acceptance.
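The notes above leave two gaps that the per-region CLI commands on this page do not close: Transit Gateways must be audited in every region, and disabling auto-accept only moves the problem to a queue of pendingAcceptance requests that someone has to triage. The script below is an added example, not code from the original page or from AWS. Its decision logic is written as pure functions over the response shapes of DescribeTransitGateways and DescribeTransitGatewayVpcAttachments, so it can be exercised on the constructed sample responses embedded here; run_live() wires the same functions to boto3 and assumes credentials with ec2:DescribeRegions, ec2:DescribeTransitGateways, ec2:DescribeTransitGatewayVpcAttachments and, when fix=True, ec2:ModifyTransitGateway. The trusted account list is an assumption you supply; the sample IDs are made up.

```python
"""Multi-region audit of Transit Gateway auto-accept, plus triage of pending attachments.

Added example, not part of the original page. The audit functions are pure and
operate on the EC2 API response shapes; only run_live() talks to AWS via boto3.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    region: str
    tgw_id: str
    issue: str
    remediation: str  # the exact CLI command that fixes this finding


def audit_transit_gateways(region, transit_gateways):
    """Return one Finding per TGW whose AutoAcceptSharedAttachments is 'enable'.

    A gateway that also propagates routes by default gets a stronger note, because
    every accepted VPC's CIDRs would be advertised to all other attachments.
    """
    findings = []
    for tgw in transit_gateways:
        opts = tgw.get("Options", {})
        if opts.get("AutoAcceptSharedAttachments") != "enable":
            continue
        tgw_id = tgw["TransitGatewayId"]
        issue = "auto accept shared attachments is enabled"
        if opts.get("DefaultRouteTablePropagation") == "enable":
            issue += " and default route table propagation is enabled (accepted VPC CIDRs propagate automatically)"
        findings.append(Finding(
            region, tgw_id, issue,
            f"aws ec2 modify-transit-gateway --region {region} "
            f"--transit-gateway-id {tgw_id} --options AutoAcceptSharedAttachments=disable"))
    return findings


def triage_pending_attachments(region, attachments, trusted_accounts):
    """Map each pendingAcceptance attachment to an accept or reject command by VPC owner."""
    decisions = []
    for att in attachments:
        if att.get("State") != "pendingAcceptance":
            continue  # already accepted/rejected attachments are not ours to decide
        action = "accept" if att["VpcOwnerId"] in trusted_accounts else "reject"
        decisions.append({
            "attachment_id": att["TransitGatewayAttachmentId"],
            "tgw_id": att["TransitGatewayId"],
            "vpc_owner": att["VpcOwnerId"],
            "action": action,
            "command": (f"aws ec2 {action}-transit-gateway-vpc-attachment --region {region} "
                        f"--transit-gateway-attachment-id {att['TransitGatewayAttachmentId']}"),
        })
    return decisions


def run_live(trusted_accounts, fix=False):
    """Walk every enabled region; optionally disable auto-accept in place."""
    import boto3  # imported here so the pure functions above work without boto3 installed

    findings, decisions = [], []
    regions = [r["RegionName"] for r in
               boto3.client("ec2", region_name="us-east-1").describe_regions()["Regions"]]
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        region_findings = audit_transit_gateways(
            region, ec2.describe_transit_gateways()["TransitGateways"])
        pending = ec2.describe_transit_gateway_vpc_attachments(
            Filters=[{"Name": "state", "Values": ["pendingAcceptance"]}]
        )["TransitGatewayVpcAttachments"]
        decisions += triage_pending_attachments(region, pending, trusted_accounts)
        if fix:
            for f in region_findings:
                ec2.modify_transit_gateway(TransitGatewayId=f.tgw_id,
                                           Options={"AutoAcceptSharedAttachments": "disable"})
        findings += region_findings
    return findings, decisions


# Constructed sample responses (not from a real account) in the API's shape.
SAMPLE_TGWS = [
    {"TransitGatewayId": "tgw-0aaaaaaaaaaaaaaaa",
     "Options": {"AutoAcceptSharedAttachments": "enable", "DefaultRouteTablePropagation": "enable"}},
    {"TransitGatewayId": "tgw-0bbbbbbbbbbbbbbbb",
     "Options": {"AutoAcceptSharedAttachments": "disable", "DefaultRouteTablePropagation": "enable"}},
]
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-0111111111111111a", "TransitGatewayId": "tgw-0bbbbbbbbbbbbbbbb",
     "VpcId": "vpc-0c1c1c1c1c1c1c1c1", "VpcOwnerId": "111111111111", "State": "pendingAcceptance"},
    {"TransitGatewayAttachmentId": "tgw-attach-0222222222222222b", "TransitGatewayId": "tgw-0bbbbbbbbbbbbbbbb",
     "VpcId": "vpc-0d2d2d2d2d2d2d2d2", "VpcOwnerId": "999999999999", "State": "pendingAcceptance"},
    {"TransitGatewayAttachmentId": "tgw-attach-0333333333333333c", "TransitGatewayId": "tgw-0bbbbbbbbbbbbbbbb",
     "VpcId": "vpc-0e3e3e3e3e3e3e3e3", "VpcOwnerId": "111111111111", "State": "available"},
]

if __name__ == "__main__":
    for f in audit_transit_gateways("us-east-1", SAMPLE_TGWS):
        print(f"[{f.region}] {f.tgw_id}: {f.issue}\n    {f.remediation}")
    for d in triage_pending_attachments("us-east-1", SAMPLE_ATTACHMENTS, {"111111111111"}):
        print(f"[{d['action']}] {d['attachment_id']} from {d['vpc_owner']}\n    {d['command']}")
```

Run it with no arguments to see the decisions on the sample data; call run_live({"111111111111"}) to audit a real account, and run_live(..., fix=True) only after the impact assessment above. The script deliberately prints the accept/reject commands rather than executing them: accepting an attachment is a routing decision that should be reviewed by a human, whereas disabling auto-accept is a safe default that can be automated.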