Managing VPC Peering Outside AWS Organization

Kubernetes Advocate
AVM Consulting Blog
3 min read · Aug 6, 2022

Restricting VPC peering so that traffic flows only between member accounts of your AWS Organization is an effective way of keeping the organization's resources private and isolated and of meeting regulatory compliance. A peering connection with an account outside the organization is a routed path into your VPCs that your organization does not control, so each one should be found and removed.

Audit

Using AWS CLI

  1. Run the list-accounts command (OSX/Linux/UNIX) using a custom query filter to list the IDs of all the accounts (the management account and the member accounts) in your AWS Organization. This command can be called only from the organization's management account (formerly called the master account); the CLI paginates the result for you, so the list is complete even for large organizations:

aws organizations list-accounts \
  --query 'Accounts[*].Id'

2. The command output should return an array with the requested AWS account IDs:

[
"123456789012",
"123412341234",
"111222333444"
]

3. Run the describe-vpc-peering-connections command (OSX/Linux/UNIX) using a built-in filter and a custom query to list the IDs of all active VPC peering connections in the selected region. Note that the status-code filter hides peering requests that are still pending-acceptance; a request sent by an outside account could be accepted later, so to catch those as well use Values=active,pending-acceptance:

aws ec2 describe-vpc-peering-connections \
  --region us-east-1 \
  --filters Name=status-code,Values=active \
  --query 'VpcPeeringConnections[*].VpcPeeringConnectionId'

4. The command output should return the VPC peering connections identifiers:

[
"pcx-01234abcd1234abcd",
"pcx-0abcd1234abcd1234"
]

5. Run the describe-vpc-peering-connections command (OSX/Linux/UNIX) again, this time passing the ID of the VPC peering connection that you want to examine as the identifier and using a custom query to list the AWS account IDs of the owners of the requester and accepter VPCs for that connection:

aws ec2 describe-vpc-peering-connections \
  --region us-east-1 \
  --vpc-peering-connection-ids pcx-01234abcd1234abcd \
  --query 'VpcPeeringConnections[*].{RequesterId: RequesterVpcInfo.OwnerId, AccepterId: AccepterVpcInfo.OwnerId}'

6. The command output should return the account IDs of the requester and accepter VPC owners:

[
    {
        "RequesterId": "123456789012",
        "AccepterId": "123123123123"
    }
]

Compare the RequesterId and AccepterId values with each 12-digit AWS account ID returned at step no. 2. If either RequesterId or AccepterId does not match any of the organization's account IDs, the selected VPC peering connection is linked to a Virtual Private Cloud (VPC) owned by an AWS account outside your AWS Organization. In the example above the accepter account 123123123123 is not in the list from step no. 2, so pcx-01234abcd1234abcd is non-compliant. The accepter VPC may also be in a different region (inter-region peering); the owner check is the same.

7. Repeat step no. 5 and 6 to verify other VPC peering connections created in the current AWS region.

8. Change the AWS region by updating the --region command parameter value and repeat steps no. 3–7 for other regions.

9. Sign in to each member account of your AWS Organization and repeat steps no. 3–8. The account list from step no. 2 is the same for every member, so it only needs to be collected once from the management account. describe-vpc-peering-connections only returns connections in which the signed-in account owns the requester or the accepter VPC, which is why every member account has to be checked.

Resolution

To remove any VPC peering connections established with AWS accounts outside your AWS Organization, perform the following:

Using AWS CLI

  1. Run the delete-vpc-peering-connection command (OSX/Linux/UNIX) using the ID of the non-compliant VPC peering connection that you want to delete as the identifier (see the Audit section above to identify the right resource) to terminate the selected peering connection. This command must be run from the account that owns the requester VPC or the account that owns the accepter VPC; either of them can delete an active connection. A request that is still pending-acceptance and was sent by an outside account is instead rejected from the accepter side with reject-vpc-peering-connection, which takes the same --vpc-peering-connection-id parameter:

aws ec2 delete-vpc-peering-connection \
  --region us-east-1 \
  --vpc-peering-connection-id pcx-01234abcd1234abcd

2. If successful, the command output should return true, as shown in the example below:

{
"Return": true
}

3. Repeat step no. 1 and 2 to delete other non-compliant VPC peering connections available in the selected AWS region.

4. Change the AWS region by updating the --region command parameter value and repeat steps no. 1–3 for other regions.

5. Sign in to each member account of your AWS Organization and repeat steps no. 1–4.
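The audit steps above (collect the organization's account IDs, list peering connections per region, compare both owners against the list) and the resolution steps (delete or reject each non-compliant connection) can be scripted. The following is an added example written for this post, not the author's or AWS's code. It works on the exact structures that `aws organizations list-accounts` and `aws ec2 describe-vpc-peering-connections` return (and that boto3 returns), so the functions can be fed real output; the sample account list and peering connections below are constructed, and the `audit_live` helper assumes AWS credentials in the environment. It goes one step beyond the manual procedure by also flagging pending-acceptance requests from outside accounts and by choosing reject instead of delete for those.

```python
"""Audit and remediation helper for VPC peering connections that cross the
AWS Organization boundary (added example, not the post author's or AWS's code)."""

# Constructed sample of `aws organizations list-accounts` output (trimmed).
ORG_ACCOUNTS = {"Accounts": [
    {"Id": "123456789012", "Name": "management", "Status": "ACTIVE"},
    {"Id": "123412341234", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "111222333444", "Name": "legacy", "Status": "SUSPENDED"},
]}

# Constructed sample of `describe-vpc-peering-connections` run in us-east-1
# WITHOUT the status-code filter, so pending requests are visible too.
PEERINGS = {"VpcPeeringConnections": [
    {"VpcPeeringConnectionId": "pcx-01234abcd1234abcd", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0aaa", "Region": "us-east-1"},
     "AccepterVpcInfo":  {"OwnerId": "123123123123", "VpcId": "vpc-0bbb", "Region": "us-east-1"}},
    {"VpcPeeringConnectionId": "pcx-0abcd1234abcd1234", "Status": {"Code": "active"},
     "RequesterVpcInfo": {"OwnerId": "123412341234", "VpcId": "vpc-0ccc", "Region": "us-east-1"},
     "AccepterVpcInfo":  {"OwnerId": "111222333444", "VpcId": "vpc-0ddd", "Region": "eu-west-1"}},
    {"VpcPeeringConnectionId": "pcx-0ffff0000ffff0000", "Status": {"Code": "pending-acceptance"},
     "RequesterVpcInfo": {"OwnerId": "999988887777", "VpcId": "vpc-0eee", "Region": "us-east-1"},
     "AccepterVpcInfo":  {"OwnerId": "123412341234", "VpcId": "vpc-0fff", "Region": "us-east-1"}},
    {"VpcPeeringConnectionId": "pcx-0dead0000dead0000", "Status": {"Code": "deleted"},
     "RequesterVpcInfo": {"OwnerId": "123456789012", "VpcId": "vpc-0aaa", "Region": "us-east-1"},
     "AccepterVpcInfo":  {"OwnerId": "555566667777", "VpcId": "vpc-0ggg", "Region": "us-east-1"}},
]}

# States in which a connection carries traffic, or could start to without any
# further action by the organization's own accounts.
LIVE_STATES = {"active", "pending-acceptance", "provisioning", "initiating-request"}


def org_account_ids(list_accounts_output):
    """All account IDs in the organization. Suspended members are kept: they are
    still inside the boundary, and dropping them would produce false positives."""
    return {acct["Id"] for acct in list_accounts_output["Accounts"]}


def find_external_peerings(org_ids, describe_output, region):
    """One finding per live peering connection whose requester or accepter VPC is
    owned by an account outside org_ids (the comparison from the audit steps)."""
    findings = []
    for pcx in describe_output["VpcPeeringConnections"]:
        state = pcx["Status"]["Code"]
        if state not in LIVE_STATES:
            continue  # deleted/rejected/failed/expired: inert, not reported
        sides = {"requester": pcx["RequesterVpcInfo"]["OwnerId"],
                 "accepter": pcx["AccepterVpcInfo"]["OwnerId"]}
        external = {side: owner for side, owner in sides.items() if owner not in org_ids}
        if external:
            findings.append({"id": pcx["VpcPeeringConnectionId"], "region": region,
                             "state": state, "external": external})
    return findings


def remediation_commands(findings):
    """The AWS CLI command that removes each finding. A pending request that an
    outside account sent to us is rejected (only the accepter side can reject);
    anything else is deleted: either side may delete an active connection, and
    the requester may delete a pending request it sent outward."""
    cmds = []
    for f in findings:
        if f["state"] == "pending-acceptance" and "requester" in f["external"]:
            verb = "reject-vpc-peering-connection"
        else:
            verb = "delete-vpc-peering-connection"
        cmds.append(f"aws ec2 {verb} --region {f['region']} "
                    f"--vpc-peering-connection-id {f['id']}")
    return cmds


def audit_sample():
    """Run the check over the constructed samples above."""
    return find_external_peerings(org_account_ids(ORG_ACCOUNTS), PEERINGS, "us-east-1")


def audit_live(regions):
    """Same check against real accounts with boto3. Assumes credentials in the
    environment for an account allowed to call list-accounts (the management
    account); the peering scan sees only connections this account owns a side of."""
    import boto3  # imported here so the offline sample needs no AWS SDK installed
    org_ids = set()
    for page in boto3.client("organizations").get_paginator("list_accounts").paginate():
        org_ids |= org_account_ids(page)
    findings = []
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        for page in ec2.get_paginator("describe_vpc_peering_connections").paginate():
            findings += find_external_peerings(org_ids, page, region)
    return findings


if __name__ == "__main__":
    for cmd in remediation_commands(audit_sample()):
        print(cmd)
```

On the sample data the active connection pcx-01234abcd1234abcd is flagged because its accepter 123123123123 is not in the organization, and the pending request pcx-0ffff0000ffff0000 is flagged because its requester 999988887777 is outside; pcx-0abcd1234abcd1234 is clean even though one side is a suspended member, and the deleted connection is ignored. To cover every member account with `audit_live`, read the organization's IDs once from the management account and run the per-region scan under each member's credentials, as the manual steps do.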

Vineet Sharma, Founder and CEO of Kubernetes Advocate. Tech author, cloud-native architect, and startup advisor. https://in.linkedin.com/in/vineet-sharma-0164