Compliance · High severity

AWS Security Hub · EC2

EC2.23: A Transit Gateway auto-accepts any VPC attachment request

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub EC2.23 check?

EC2.23 fails any transit gateway whose AutoAcceptSharedAttachments option is set to enable. It is a binary pass/fail on that option value, backed by the change-triggered AWS Config rule ec2-transit-gateway-auto-vpc-attach-disabled.

Why does EC2.23 matter?

A transit gateway is the hub wiring together production, shared services, and on-premises networks. With auto-accept on, any account you have shared the gateway with via RAM can attach a VPC and start routing into your network the moment it asks, with no review and no human in the loop. That turns "I shared the gateway" into "that account is now plugged into everything", skipping the explicit acceptance step this control exists to preserve.

How do I fix EC2.23?

  1. Audit every transit gateway in every region and account, reading Options.AutoAcceptSharedAttachments.
  2. Set it back to disable with aws ec2 modify-transit-gateway --transit-gateway-id <tgw-id> --options AutoAcceptSharedAttachments=disable. The change is non-disruptive: no existing attachment or routing is torn down.
  3. Review attachments that already exist with describe-transit-gateway-vpc-attachments, identify the owning account of each attached VPC (the VpcOwnerId field), and detach anything unaccounted for.
  4. Bake disable into the IaC module and enforce the Config rule so new gateways ship secure.
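The audit, remediation and review steps above, as one added example (not Emnode's remediation script): it evaluates the JSON that aws ec2 describe-transit-gateways and aws ec2 describe-transit-gateway-vpc-attachments emit with --output json, so it runs offline on the constructed samples embedded below and, in practice, on files captured from each region and account. The gateway ids, attachment ids, account numbers and the approved-account allowlist are all constructed for the example; the file-argument usage is this script's own convention.

```python
"""Audit transit gateways for Security Hub EC2.23 from AWS CLI JSON output.

Added example, not Emnode's remediation script. Runs on the constructed
samples below, or on `aws ec2 describe-transit-gateways --output json` and
`aws ec2 describe-transit-gateway-vpc-attachments --output json` captures.
"""
import json
import sys

# Constructed describe-transit-gateways output: the first gateway fails
# EC2.23 (auto-accept on), the second passes, the third omits Options and
# therefore sits at the AWS default of "disable".
SAMPLE_GATEWAYS = {
    "TransitGateways": [
        {"TransitGatewayId": "tgw-0aaa111122223333a", "OwnerId": "111111111111",
         "State": "available", "Options": {"AutoAcceptSharedAttachments": "enable"}},
        {"TransitGatewayId": "tgw-0bbb444455556666b", "OwnerId": "111111111111",
         "State": "available", "Options": {"AutoAcceptSharedAttachments": "disable"}},
        {"TransitGatewayId": "tgw-0ccc777788889999c", "State": "available"},
    ]
}

# Constructed describe-transit-gateway-vpc-attachments output. VpcOwnerId is
# the account owning the attached VPC; 999999999999 is not approved and was
# auto-accepted while the option was on. The deleted one must be ignored.
SAMPLE_ATTACHMENTS = {
    "TransitGatewayVpcAttachments": [
        {"TransitGatewayAttachmentId": "tgw-attach-0111aaaabbbbcccc1",
         "TransitGatewayId": "tgw-0aaa111122223333a", "VpcId": "vpc-0prod00000000001",
         "VpcOwnerId": "111111111111", "State": "available"},
        {"TransitGatewayAttachmentId": "tgw-attach-0222aaaabbbbcccc2",
         "TransitGatewayId": "tgw-0aaa111122223333a", "VpcId": "vpc-0unknown00000002",
         "VpcOwnerId": "999999999999", "State": "available"},
        {"TransitGatewayAttachmentId": "tgw-attach-0333aaaabbbbcccc3",
         "TransitGatewayId": "tgw-0bbb444455556666b", "VpcId": "vpc-0old000000000003",
         "VpcOwnerId": "999999999999", "State": "deleted"},
    ]
}

APPROVED_ACCOUNTS = {"111111111111", "222222222222"}  # constructed allowlist
INACTIVE_STATES = {"deleted", "deleting", "failed", "rejected", "rejecting"}


def failing_gateways(describe_output):
    """Return ids of gateways whose AutoAcceptSharedAttachments is 'enable'.

    A missing Options block is treated as the AWS default, 'disable'.
    """
    failing = []
    for tgw in describe_output.get("TransitGateways", []):
        option = tgw.get("Options", {}).get("AutoAcceptSharedAttachments", "disable")
        if option == "enable":
            failing.append(tgw["TransitGatewayId"])
    return failing


def remediation_commands(gateway_ids, region):
    """Build the non-disruptive modify command for each failing gateway."""
    return [
        f"aws ec2 modify-transit-gateway --region {region} "
        f"--transit-gateway-id {tgw_id} "
        "--options AutoAcceptSharedAttachments=disable"
        for tgw_id in gateway_ids
    ]


def unaccounted_attachments(attachments_output, approved_accounts):
    """Return live attachments whose VPC owner is not an approved account.

    Deleted/rejected attachments are skipped; pendingAcceptance ones are kept
    because they still need an explicit accept-or-reject decision.
    """
    suspect = []
    for att in attachments_output.get("TransitGatewayVpcAttachments", []):
        if att.get("State") in INACTIVE_STATES:
            continue
        if att.get("VpcOwnerId") not in approved_accounts:
            suspect.append({"attachment": att["TransitGatewayAttachmentId"],
                            "gateway": att["TransitGatewayId"],
                            "owner": att.get("VpcOwnerId"),
                            "state": att.get("State")})
    return suspect


def main(argv):
    # Usage: audit.py <region> [gateways.json attachments.json]
    # With no files given, the constructed samples above are evaluated.
    region = argv[1] if len(argv) > 1 else "eu-west-1"
    if len(argv) >= 4:
        with open(argv[2]) as fh:
            gateways = json.load(fh)
        with open(argv[3]) as fh:
            attachments = json.load(fh)
    else:
        gateways, attachments = SAMPLE_GATEWAYS, SAMPLE_ATTACHMENTS
    for cmd in remediation_commands(failing_gateways(gateways), region):
        print(cmd)
    for item in unaccounted_attachments(attachments, APPROVED_ACCOUNTS):
        print(f"REVIEW {item['attachment']} on {item['gateway']} "
              f"owned by {item['owner']} ({item['state']})")


if __name__ == "__main__":
    main(sys.argv)
```

The script prints the modify command rather than running it so the output can be reviewed and pasted per region; the attachment review is deliberately separate because, as the page notes below, flipping the option does nothing to attachments that were already accepted.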

Remediation script · bash

# Close the highest-blast-radius mode first: confirm and remove the root access key.
# (Deletion is done as the root user via the console; an IAM identity cannot do it.)
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'
# Expect 0 after deletion.

# Close a public EKS endpoint (only after confirming a private path exists).
aws eks update-cluster-config --name svc-orders \
  --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

# Disable legacy ACLs on a bucket and let policy govern access.
aws s3api put-bucket-ownership-controls --bucket my-legacy-assets \
  --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'

# Migrate a Transfer Family server off plain FTP to SFTP only.
aws transfer update-server --server-id s-0a1b2c3d4e5f --protocols SFTP

Full walkthrough (console steps, edge cases and verification) in the lesson Disable insecure access modes and protocols.

Is EC2.23 a false positive?

modify-transit-gateway only governs attachment requests made after the change. Existing attachments, including any that were auto-accepted while the option was on, stay exactly as they are. Disabling auto-accept secures the future, but you must still review and detach the past.

Part of the learning path Lock down access
  • EC2.1 An EBS snapshot is publicly restorable by any account
  • EC2.2 Default security groups still allow traffic
  • EC2.3 Attached EBS volumes are not encrypted at rest
  • EC2.4 Long-stopped instances are abandoned attack surface
  • EC2.6 No VPC flow logs, so there is no network audit trail
  • EC2.7 New EBS volumes are not encrypted by default
  • EC2.8 IMDSv1 lets an SSRF steal instance credentials
  • EC2.9 Instances are directly reachable on public IPv4
  • EC2.10 EC2 API traffic leaves the VPC over the internet
  • EC2.13 SSH (port 22) is open to the entire internet
  • EC2.14 RDP (port 3389) is open to the entire internet
  • EC2.15 Subnets auto-assign public IPs to new instances