
AWS VPC peering connection to an unknown external account established

ID: aws_vpc_peering_unknown
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected a Virtual Private Cloud (VPC) peering connection established with an external AWS account. AWS VPC peering enables direct communication between two VPCs in different AWS accounts, allowing them to interact as if they were on the same network, although with certain limitations. Malicious actors may exploit VPC peering connections to circumvent security controls, gain unauthorized network access, or facilitate data exfiltration across account boundaries.

Impact

An unauthorized VPC peering connection, depending on its route tables and security group configurations, could enable attackers to bypass network security controls and access sensitive resources across account boundaries. This situation risks potential data breaches and may violate organizational compliance requirements.

Severity

Severity | Condition
Medium   | AWS VPC peering connection to an unknown external account was established

Investigation and Remediation

Verify the legitimacy of the VPC peering connection by consulting with relevant team members and account owners. Examine AWS CloudTrail logs to determine who established the peering connection and identify the source account. Review the associated route tables and security groups to understand the scope of potential exposure. If you confirm unauthorized activity, immediately terminate the peering connection and perform a comprehensive security assessment to identify any indicators of compromise or unauthorized access attempts.
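One way to carry out the triage steps above in code, as an added example that is not AlphaSOC's own detection logic: the script below scans CloudTrail records for successful CreateVpcPeeringConnection and AcceptVpcPeeringConnection calls, flags any connection whose requester or accepter account is outside a hypothetical allowlist of known accounts, records who made the call and from where, and then lists the route table entries that actually send traffic through the flagged peering connection, which bounds the exposure before security groups are reviewed. The account IDs, ARNs, IP addresses, peering IDs and route tables are constructed sample data shaped like CloudTrail events and `aws ec2 describe-route-tables` output; in practice the events would come from a CloudTrail lookup or an S3 trail and the route tables from the EC2 API.

```python
"""Triage helpers for VPC peering connections to accounts outside an allowlist.

Added example. The event and route-table structures below are constructed to
mirror the shape of CloudTrail records and describe-route-tables output; they
are not captured data.
"""

# Assumption: account IDs the organization owns or has an approved peering relationship with.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

# EC2 API calls that result in a peering connection existing or becoming active.
PEERING_EVENTS = {"CreateVpcPeeringConnection", "AcceptVpcPeeringConnection"}


def peer_accounts(event):
    """Collect the owner account IDs on both sides of the peering connection in one CloudTrail event."""
    accounts = set()
    conn = (event.get("responseElements") or {}).get("vpcPeeringConnection") or {}
    for side in ("requesterVpcInfo", "accepterVpcInfo"):
        owner = (conn.get(side) or {}).get("ownerId")
        if owner:
            accounts.add(owner)
    # CreateVpcPeeringConnection also names the peer owner in the request parameters.
    peer_owner = (event.get("requestParameters") or {}).get("peerOwnerId")
    if peer_owner:
        accounts.add(peer_owner)
    return accounts


def find_unknown_peering(events, known_accounts=KNOWN_ACCOUNTS):
    """Return one finding per successful peering event that involves an account outside known_accounts."""
    findings = []
    for event in events:
        if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") not in PEERING_EVENTS:
            continue
        if event.get("errorCode"):
            # The API call was rejected, so no connection was established.
            continue
        local_account = event.get("recipientAccountId")
        unknown = peer_accounts(event) - set(known_accounts) - {local_account}
        if not unknown:
            continue
        conn = (event.get("responseElements") or {}).get("vpcPeeringConnection") or {}
        findings.append({
            "peering_id": conn.get("vpcPeeringConnectionId"),
            "event": event["eventName"],
            "time": event.get("eventTime"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "unknown_accounts": sorted(unknown),
        })
    return findings


def routes_via_peering(route_tables, peering_id):
    """List (route table ID, destination CIDR) pairs that send traffic through the given peering connection.

    Peered address space is only reachable for prefixes that a route table points at the
    connection, so this is the first scoping step before reviewing the security groups
    attached to instances in the affected subnets.
    """
    hits = []
    for table in route_tables:
        for route in table.get("Routes", []):
            if route.get("VpcPeeringConnectionId") == peering_id:
                hits.append((table["RouteTableId"], route.get("DestinationCidrBlock")))
    return hits


# Constructed CloudTrail records: one approved peering, one to an unknown account, one rejected call.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T09:12:44Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateVpcPeeringConnection", "recipientAccountId": "111111111111",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/NetworkAdmin"},
        "requestParameters": {"vpcId": "vpc-0a", "peerVpcId": "vpc-0b", "peerOwnerId": "222222222222"},
        "responseElements": {"vpcPeeringConnection": {
            "vpcPeeringConnectionId": "pcx-0aaaa0001",
            "requesterVpcInfo": {"ownerId": "111111111111", "vpcId": "vpc-0a"},
            "accepterVpcInfo": {"ownerId": "222222222222", "vpcId": "vpc-0b"}}},
    },
    {
        "eventTime": "2024-05-01T23:41:02Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateVpcPeeringConnection", "recipientAccountId": "111111111111",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"vpcId": "vpc-0a", "peerVpcId": "vpc-0c", "peerOwnerId": "999999999999"},
        "responseElements": {"vpcPeeringConnection": {
            "vpcPeeringConnectionId": "pcx-0bbbb0002",
            "requesterVpcInfo": {"ownerId": "111111111111", "vpcId": "vpc-0a"},
            "accepterVpcInfo": {"ownerId": "999999999999", "vpcId": "vpc-0c"}}},
    },
    {
        "eventTime": "2024-05-02T01:05:17Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AcceptVpcPeeringConnection", "recipientAccountId": "111111111111",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "errorCode": "Client.UnauthorizedOperation",
        "requestParameters": {"vpcPeeringConnectionId": "pcx-0cccc0003"},
    },
]

# Constructed route tables in the shape of `aws ec2 describe-route-tables` output.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0a1b2c3d", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "172.16.0.0/16", "VpcPeeringConnectionId": "pcx-0bbbb0002"}]},
    {"RouteTableId": "rtb-0e5f6a7b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c1d2e3f"}]},
]

if __name__ == "__main__":
    for finding in find_unknown_peering(SAMPLE_EVENTS):
        print(finding)
        for table_id, cidr in routes_via_peering(SAMPLE_ROUTE_TABLES, finding["peering_id"]):
            print(f"  route table {table_id} sends {cidr} via {finding['peering_id']}")
```

Failed calls are skipped on purpose: a rejected AcceptVpcPeeringConnection did not create any reachability, though a burst of such rejections from one identity is itself worth a look. The route table check only identifies prefixes that can reach the peer; whether any host is actually exposed still depends on the security groups and network ACLs in those subnets, which the script does not evaluate.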