AWS VPC peering connection to an unknown external account established
Description
AlphaSOC detected a Virtual Private Cloud (VPC) peering connection established between one of your VPCs and a VPC owned by an AWS account that is not recognized as belonging to your organization. A VPC peering connection routes traffic between two VPCs, in the same or different AWS accounts, over private IP addresses and without an internet gateway, NAT device, or VPN, so resources in the two VPCs communicate much as if they were on the same network (subject to limitations such as non-overlapping CIDR blocks and no transitive routing). Malicious actors can use a peering connection to an account they control to bypass perimeter controls, reach internal resources directly, or move data out of the account without traversing the VPC's internet egress path.
Impact
An unauthorized peering connection lets hosts in the external VPC reach any resource that a route table directs to the peering and whose security groups and network ACLs admit the peer's address ranges. Depending on that configuration, an attacker could bypass network security controls, access sensitive resources across the account boundary, and exfiltrate data, exposing the organization to a data breach and to violations of its compliance requirements.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS VPC peering connection to an unknown external account was established |
Investigation and Remediation
Verify the legitimacy of the peering connection by consulting the owners of the VPC and the relevant team members; the peer account ID appears in the connection's requester or accepter VPC information. Examine AWS CloudTrail logs for the CreateVpcPeeringConnection, AcceptVpcPeeringConnection and CreateRoute events that reference the peering connection ID to determine who established it and from which principal; note that the accept event is recorded in the accepting account's trail, so if the external account accepted the connection you will see only the create and route events locally. Review the route tables that contain routes to the peering connection, and the security groups and network ACLs attached to the subnets they serve, to understand which resources the peer can reach. If you confirm unauthorized activity, immediately delete the peering connection, remove the routes that pointed at it, review VPC Flow Logs for traffic that crossed the peering, and perform a comprehensive security assessment to identify any indicators of compromise or unauthorized access attempts.
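The triage described above, written as an added example in Python that is not part of AlphaSOC's product or documentation. It works offline over constructed, simplified samples shaped like the boto3 responses of ec2.describe_vpc_peering_connections(), ec2.describe_route_tables() and ec2.describe_security_groups() and like CloudTrail records; the account list, IDs, CIDR blocks and principal names are all assumptions. It identifies the unknown side of the peering, pulls the CloudTrail records that reference the peering connection, and lists the route tables and security groups that define the exposure.

```python
import ipaddress

# Assumption: the AWS account IDs the organisation owns; any other owner is "unknown".
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed sample of one entry from ec2.describe_vpc_peering_connections().
PEERING = {
    "VpcPeeringConnectionId": "pcx-0123456789abcdef0",
    "Status": {"Code": "active"},
    "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-aaaa1111", "CidrBlock": "10.10.0.0/16"},
    "AccepterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-bbbb2222", "CidrBlock": "172.31.0.0/16"},
}

# Constructed, simplified CloudTrail records from the local (requester) account. The
# AcceptVpcPeeringConnection event would be logged in the accepter's account, not here.
EVENTS = [
    {"eventTime": "2024-05-01T10:02:11Z", "eventName": "CreateVpcPeeringConnection",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice", "accountId": "111111111111"},
     "requestParameters": {"vpcId": "vpc-aaaa1111", "peerVpcId": "vpc-bbbb2222", "peerOwnerId": "999999999999"},
     "responseElements": {"vpcPeeringConnection": {"vpcPeeringConnectionId": "pcx-0123456789abcdef0"}}},
    {"eventTime": "2024-05-01T10:05:40Z", "eventName": "DescribeRouteTables",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob", "accountId": "111111111111"},
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2024-05-01T10:06:03Z", "eventName": "CreateRoute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice", "accountId": "111111111111"},
     "requestParameters": {"routeTableId": "rtb-1111", "destinationCidrBlock": "172.31.0.0/16",
                           "vpcPeeringConnectionId": "pcx-0123456789abcdef0"},
     "responseElements": {"return": True}},
]

# Constructed sample of ec2.describe_route_tables(): only rtb-1111 routes to the peering.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-1111", "VpcId": "vpc-aaaa1111", "Associations": [{"SubnetId": "subnet-db01"}],
     "Routes": [{"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "172.31.0.0/16", "VpcPeeringConnectionId": "pcx-0123456789abcdef0",
                 "State": "active"}]},
    {"RouteTableId": "rtb-2222", "VpcId": "vpc-aaaa1111", "Associations": [{"SubnetId": "subnet-web01"}],
     "Routes": [{"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"}]},
]

# Constructed sample of ec2.describe_security_groups() (inbound rules only).
SECURITY_GROUPS = [
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                            "IpRanges": [{"CidrIp": "172.31.0.0/16"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "-1",
                                                  "IpRanges": [{"CidrIp": "10.10.0.0/16"}]}]},
]


def peer_side(pcx, known_accounts):
    """Return (owner_id, cidr) of whichever side of the peering is not owned by us, else None."""
    for side in ("RequesterVpcInfo", "AccepterVpcInfo"):
        info = pcx[side]
        if info["OwnerId"] not in known_accounts:
            return info["OwnerId"], info["CidrBlock"]
    return None


def events_for_peering(events, pcx_id):
    """CloudTrail records whose request or response mentions the peering connection ID."""
    hits = []
    for ev in events:
        blob = str(ev.get("requestParameters")) + str(ev.get("responseElements"))
        if pcx_id in blob:
            hits.append((ev["eventTime"], ev["eventName"], ev["userIdentity"]["arn"]))
    return hits


def exposed_route_tables(route_tables, pcx_id):
    """Route tables with an active route pointing at the peering: the subnets the peer can reach."""
    return [rt["RouteTableId"] for rt in route_tables
            if any(r.get("VpcPeeringConnectionId") == pcx_id and r.get("State") == "active"
                   for r in rt["Routes"])]


def groups_reachable_from(security_groups, peer_cidr):
    """Security groups with an inbound CIDR rule that admits any address in the peer VPC."""
    peer = ipaddress.ip_network(peer_cidr)
    reachable = []
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            if any(ipaddress.ip_network(r["CidrIp"]).overlaps(peer) for r in perm.get("IpRanges", [])):
                reachable.append(sg["GroupId"])
                break
    return reachable


def triage(pcx, events, route_tables, security_groups, known_accounts=KNOWN_ACCOUNTS):
    """Combine the checks into one finding for the analyst."""
    peer = peer_side(pcx, known_accounts)
    if peer is None:
        return {"unknown_peer": False}
    owner, cidr = peer
    pcx_id = pcx["VpcPeeringConnectionId"]
    return {"unknown_peer": True, "peer_account": owner, "peer_cidr": cidr,
            "actors": events_for_peering(events, pcx_id),
            "route_tables": exposed_route_tables(route_tables, pcx_id),
            "security_groups": groups_reachable_from(security_groups, cidr)}


if __name__ == "__main__":
    print(triage(PEERING, EVENTS, ROUTE_TABLES, SECURITY_GROUPS))
```

Against the sample data the finding names the unknown account, shows that alice both created the peering and added the route to it, and flags rtb-1111 plus the two security groups whose inbound rules admit the peer's 172.31.0.0/16 range (the 0.0.0.0/0 rule on sg-web counts, because it overlaps the peer CIDR). The security-group check is deliberately conservative: it reports candidates by CIDR overlap and does not resolve rules that reference a peer security group by ID, nor whether a group is actually attached to an instance in a subnet served by an exposed route table; an analyst should confirm those by hand. For live use, substitute the real API results, and remember that route tables and security groups must be queried in every region where the peering is used.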