Compliance

Secure Site-to-Site VPN connections

One capability across Site-to-Site and Client VPN: run tunnels on current crypto, keep redundant tunnels up, and log every connection, so the encrypted links into your network are modern, resilient and auditable.

13 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: EC2.20 EC2.51 EC2.171 EC2.183

Securing VPN connections: the basics

What does "a healthy VPN" actually mean across the four checks?

An AWS Site-to-Site VPN is an encrypted IPsec link between your VPC and a remote network, a data center, a branch office, or another cloud, and AWS always provisions it as two redundant tunnels in two Availability Zones. A Client VPN is the managed remote-access service that lets users tunnel into your VPCs from the internet. Securing them is one capability that AWS expresses through four checks. EC2.183 fails any Site-to-Site tunnel whose accepted IKE versions still include the deprecated IKEv1. EC2.20 fails a Site-to-Site connection where either of its two tunnels is DOWN, because a connection running on one tunnel has already spent its safety margin. EC2.171 fails a Site-to-Site connection whose tunnels do not log session events to CloudWatch, and EC2.51 fails a Client VPN endpoint with connection logging switched off.

They look like four separate problems on the report, but they are one capability: the encrypted doors into your network should use current cryptography, fail over without you noticing, and record what they did. The crypto check (IKEv1 versus IKEv2) is about the strength and modernity of the handshake. The tunnel-state check is about resilience, redundancy you are paying for that has silently degraded to one-of-one. And the two logging checks are about accountability, the ability to explain what a tunnel did and who connected through it during an incident or an audit.

Most of these are a single setting that ships off by default. Tunnel logging is opt-in, so every Site-to-Site VPN created in the console fails EC2.171 until someone turns it on; Client VPN connection logging is the same. IKEv1 is usually a default someone clicked through years ago and never revisited. The one exception is a downed tunnel, which is a real fault to diagnose. The job is to inventory every VPN, lock the tunnels to IKEv2, restore and harden any downed tunnel, turn logging on, and guardrail the lot so new connections are born secure.

In this lesson you will learn how AWS expresses VPN security across Site-to-Site and Client VPN, how to find every connection that uses deprecated crypto, runs on a single tunnel, or logs nothing, and how to remediate each without dropping more than the brief renegotiation needs. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The tunnel that was down for 90 days

A retail company ran a Site-to-Site VPN to its on-prem order-management system. One tunnel dropped during a routine firewall change at the data center and never came back, because the change had narrowed an ACL so only one of the two AWS tunnel endpoints could reach the customer gateway. Nothing broke, because the surviving tunnel carried all the traffic, so no alarm fired and no ticket was opened. Ninety-one days later AWS took the endpoint hosting the surviving tunnel down for scheduled, announced maintenance, with automatic failover assumed, and the entire hybrid order flow went dark for forty minutes because there was no second tunnel to fail over to. The tunnel-state finding had been red the entire time; nobody was looking at it.

Auditing VPN health across an estate

Marco owns the network platform at a logistics company. Security Hub flags a cluster of VPN findings across several Site-to-Site connections: one with a tunnel DOWN, two still accepting IKEv1, and a batch with logging off across both tunnels.

Rather than work the findings one by one, he starts by reading the live telemetry for every connection, so he can see at a glance which tunnels are up, which crypto they negotiated, and which are dark, before changing anything.

Inventory every Site-to-Site VPN and the live status of each of its two tunnels. A tunnel DOWN for weeks is the worst case: redundancy has silently gone.

$ aws ec2 describe-vpn-connections --query 'VpnConnections[].VgwTelemetry[].{Ip:OutsideIpAddress,Status:Status,Since:LastStatusChange,Msg:StatusMessage}' --output table

--------------------------------------------------------------

| Ip | Status | Since | Msg |

--------------------------------------------------------------

| 203.0.113.10 | UP | 2026-04-30T08:12:00Z | |

| 203.0.113.20 | DOWN | 2026-05-05T14:03:00Z | IPSEC IS DOWN|

--------------------------------------------------------------

# One tunnel down for ~3 weeks: EC2.20 fails and there is no failover path left.

VgwTelemetry exposes per-tunnel status, the last status change, and a message pointing at the cause.

How AWS evaluates a healthy VPNdeep dive

Three of the four checks read fields on the tunnel options, which is why the fix is usually two API calls per Site-to-Site connection (one per tunnel). EC2.183 fails whenever a tunnel's IkeVersions list contains ikev1, regardless of which version the live session actually negotiated, so leaving ikev1 in the list keeps the finding open because the configuration still permits a downgrade. EC2.171 fails whenever a tunnel's LogOptions.CloudWatchLogOptions.LogEnabled is false; both tunnels must log for the connection to pass. EC2.20, backed by the Config rule vpc-vpn-2-tunnels-up, reads the per-tunnel Status inside VgwTelemetry and fails if either reports DOWN. EC2.51 reads a single field on a Client VPN endpoint, ConnectionLogOptions.Enabled.

A tunnel is UP when IKE Phase 1 and Phase 2 are established and, for dynamic routing, the BGP session is in Established state. The common silent-drop causes are an on-prem firewall blocking UDP 500/4500 to one endpoint after a change, an idle SA expiring on a low-traffic link, and StartupAction left at add so AWS waits passively for the customer gateway to initiate instead of starting the handshake itself. Connection logging is distinct from packet-level data: VPN tunnel logs capture IKE and BGP session events, Client VPN connection logs capture who connected from where and when, and neither is the same as VPC flow logs, so satisfying one logging control does not satisfy another.

Most of these evaluate continuously through AWS Config (every 12 hours, or change-triggered for the Client VPN logging check), so a fix clears at the next cycle. Changing a tunnel's IKE version or log options triggers a brief in-place renegotiation: the IPsec SA is rebuilt and, for BGP-dynamic VPNs, the route reconverges on the other tunnel in 30 to 60 seconds. That is why you change one tunnel at a time, so the second keeps carrying traffic throughout.

What is the impact of an insecure VPN?

The resilience impact is the most insidious because nothing looks broken. A Site-to-Site connection with one tunnel DOWN still carries all its traffic on the survivor, so it generates no urgency, yet it has gone from two-of-two to one-of-one with no failover path. AWS schedules and announces endpoint maintenance on the assumption that the second tunnel carries traffic; if it is already down, that routine maintenance becomes your outage, and the blast radius is whatever rides the link, on-prem databases, Active Directory, internal APIs, file shares.

The cryptographic impact is about handshake strength. IKEv1 dates from 1998, has known PSK-mode weaknesses in aggressive mode, and historically allowed weaker algorithms; a tunnel that still accepts it is one customer-gateway misconfiguration from negotiating something an assessor will mark substandard, and without MOBIKE it forces a full fresh handshake on every ISP IP change rather than carrying the session across. The accountability impact is forensic blindness: connection logs are how you answer "who was on the VPN during the incident, and from where?" and "why did the tunnel drop?" Without them that question has no answer, and unlike most gaps it cannot be reconstructed after the fact, because logs are not retroactive.

On the compliance side, these map to NIST high-availability and contingency-planning controls (CP-10, SC-5), NIST SP 800-77 which deprecates IKEv1 for new deployments, and the audit and access-control logging requirements (AU-2, AU-3, AU-12) in NIST 800-53, NIST 800-171 and PCI DSS. A persistent finding here is evidence that the stated security and availability posture and the actual running configuration have drifted apart, which is exactly what surfaces in a SOC 2 review or a customer security questionnaire.

How do you secure VPN connections safely?

Work the capability as one loop rather than chasing individual findings. The order matters: verify the far side and pick a low-traffic window before you change a tunnel, and change one tunnel at a time so the other keeps carrying traffic.

1. Inventory every VPN and read its telemetry and options

List every Site-to-Site VPN and Client VPN endpoint across every region. For each Site-to-Site connection, read VgwTelemetry for per-tunnel status, the IkeVersions list, and the LogOptions; for each Client VPN endpoint, read ConnectionLogOptions.Enabled. A tunnel DOWN with a LastStatusChange weeks in the past is the highest priority, because the connection has been single-tunnel that whole time.

2. Diagnose downed tunnels and verify the far side before changing crypto

For a DOWN tunnel, the StatusMessage and timing usually point at the cause: an on-prem firewall now blocking UDP 500/4500, an idle SA with no keepalive traffic, or StartupAction left at add. Fix the root cause first. Before locking a tunnel to IKEv2, confirm the customer gateway supports it (every modern firewall does; very old industrial gear may not, in which case the right answer is to replace the gateway, not leave the VPN deprecated).

3. Remediate one tunnel at a time, in a low-traffic window

Apply modify-vpn-tunnel-options to one tunnel, watch BGP reconverge on the other, confirm the changed tunnel comes back UP, then do the second. Lock IkeVersions to ikev2 only, enable LogOptions pointed at a CloudWatch log group with a retention policy, and set StartupAction to start so AWS initiates IKE itself. For Client VPN, create a log group with retention and point the endpoint's ConnectionLogOptions at it. Generate steady traffic or a low-rate health check across each link so the SA never idles out.

4. Alarm and enforce so the posture maintains itself

Publish a CloudWatch alarm on the AWS/VPN TunnelState metric per tunnel wired to on-call, so the next drop pages a human in minutes rather than waiting for a scan. Pin IKEv2 and logging in your IaC so new connections are born secure, and add Service Control Policies that deny ModifyVpnTunnelOptions payloads containing ikev1 and block new VPNs without logging. Prevention is what turns this from a recurring finding into a one-time fix.

# List every Site-to-Site VPN that currently has a tunnel DOWN.
aws ec2 describe-vpn-connections \
  --query 'VpnConnections[?VgwTelemetry[?Status==`DOWN`]].VpnConnectionId' --output text

# Lock a tunnel to IKEv2 only and turn logging on, one tunnel at a time.
aws ec2 modify-vpn-tunnel-options \
  --vpn-connection-id vpn-0a1b2c3d4e5f6a7b8 \
  --vpn-tunnel-outside-ip-address 203.0.113.20 \
  --tunnel-options '{"IKEVersions":[{"Value":"ikev2"}],"StartupAction":"start","LogOptions":{"CloudWatchLogOptions":{"LogEnabled":true,"LogGroupArn":"arn:aws:logs:us-east-1:111122223333:log-group:/aws/vpn/s2s","LogOutputFormat":"json"}}}'

# Turn on connection logging for a Client VPN endpoint.
aws ec2 modify-client-vpn-endpoint \
  --client-vpn-endpoint-id cvpn-endpoint-0a1b2c3d4e5f6a7b8 \
  --connection-log-options Enabled=true,CloudwatchLogGroup=/aws/clientvpn/prod-access

# Alarm on tunnel state (0 = down) so the next drop pages on-call, not the next scan.
aws cloudwatch put-metric-alarm --alarm-name vpn-tunnel2-down \
  --namespace AWS/VPN --metric-name TunnelState \
  --dimensions Name=VpnId,Value=vpn-0a1b2c3d4e5f6a7b8 Name=TunnelIpAddress,Value=203.0.113.20 \
  --statistic Minimum --period 300 --evaluation-periods 1 \
  --threshold 1 --comparison-operator LessThanThreshold \
  --alarm-actions arn:aws:sns:us-east-1:111122223333:network-oncall

Quick quiz

Question 1 of 5

Security Hub shows a downed tunnel, two IKEv1 tunnels, and several VPNs with logging off. What is the most efficient way to think about them?

Keep learning

Go deeper on Site-to-Site VPN tunnel options, IPsec hardening, and the monitoring and logging around VPN connections.

You can now treat VPN security as one capability rather than four separate findings: inventory every Site-to-Site and Client VPN, restore and harden any downed tunnel, lock the tunnels to IKEv2, turn connection and tunnel logging on, and ratchet it shut with TunnelState alarms and Service Control Policies so new connections are born secure. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Securing VPN connections: the cost and risk view

Near-zero AWS cost; the exposure is continuity, crypto hygiene and audit evidence

None of these controls add meaningful AWS spend. VPN pricing is per-connection-hour and per-GB regardless of IKE version; CloudWatch Logs for sparse VPN and connection events typically cost single-digit dollars a month across an entire fleet, held flat with a retention policy. There is nothing to fund, which is exactly the category that slips through cost-led governance. The cost lives in inaction, and it is asymmetric.

Each check maps to a different flavour of risk. A downed redundant tunnel is a continuity risk: the connection still works on the survivor, so nothing looks wrong, until routine AWS maintenance on the surviving tunnel takes the whole link down during business hours, cutting off hybrid databases, authentication or internal APIs. The right way to value an open tunnel-state finding is the cost-per-hour of the systems on that link being unreachable, not any AWS charge. A deprecated IKEv1 tunnel is more likely to drop on an ISP failover (it lacks the path-mobility IKEv2 has), so it carries an engineering-hours cost on top of the audit exposure.

The audit dimension is the common thread. PCI DSS, ISO 27001 and HIPAA all require logs for systems carrying sensitive cross-network traffic, and deprecated crypto on an encrypted link is a finding any assessor will write up. An open finding in a regulated account is a liability with a carrying cost that accrues each audit cycle until it is closed, against a fix that is one configuration change at near-zero marginal cost.

This lesson is for the finance or risk partner who sees VPN findings on the security report and wants to understand why a near-free set of configuration changes belongs on the risk register. It covers why these carry no AWS bill change, how to value a downed-tunnel finding by the outage it prevents, how open findings in regulated accounts accrue audit-cycle cost, and the governance levers, ownership, monitoring and a recorded exception for any tunnel left behind, that keep this from sitting unnoticed.

Fun fact

The tunnel that was down for 90 days

How a finance partner frames the VPN findings

Priya is the finance and risk partner for the network platform team. Security Hub surfaces a cluster of VPN findings: one Site-to-Site connection with a tunnel DOWN for three weeks, two connections still accepting IKEv1, and a batch with tunnel logging off. Her first instinct is not to ask what the fixes cost, because she already knows the answer is essentially nothing. VPN pricing is per-connection-hour and per-GB regardless of IKE version, and CloudWatch Logs for sparse VPN events run single-digit dollars a month across the whole fleet. There is nothing to fund, which is exactly the category that slips through cost-led governance, so the cost lives in inaction and it is asymmetric.

She reads each finding by the exposure it removes rather than by the finding count. The downed-tunnel finding is the one she ranks highest, because the connection still carries all its traffic on the survivor so nothing looks wrong, yet it has gone from two-of-two to one-of-one with no failover path; the right way to value it is the cost-per-hour of the hybrid databases, authentication and internal APIs on that link being unreachable when routine AWS maintenance takes the surviving tunnel down. The IKEv1 findings she values as the engineering-hours of tunnel flaps on ISP failovers plus the audit-cycle cost of carrying an open crypto finding in a regulated account. Her output for the risk pack is a worklist ordered by exposure, with a note that any tunnel left on IKEv1, unlogged or single-tunnel after the remediation window needs a recorded, time-bounded exception with a named owner, not a silent suppression.

Why VPN posture belongs on the risk register

This is a continuity, crypto-hygiene and audit-evidence capability, not a cost-savings one. Fixing it does not lower the invoice, so the right way to value it is by the exposure it removes. A downed-tunnel finding is worth the cost-per-hour of the systems on that link being unreachable multiplied by the likely outage duration, a number that dwarfs the ten-minute config change to restore and harden the tunnel. An IKEv1 finding is worth the engineering-hours of the tunnel flaps it causes on ISP failovers plus the audit-cycle cost of carrying an open finding in a regulated account.

The asymmetry is the whole argument: the cost to remediate is trivial, the cost of inaction is a low-probability-per-day, high-impact event plus a compounding compliance liability. The finance role is to make that asymmetry visible so a cheap fix to a live risk does not lose the priority contest to features, to track open findings in regulated accounts as liabilities with a carrying cost, and to require a recorded, time-bounded exception with a named owner for any tunnel left on IKEv1, unlogged, or single-tunnel after the remediation window.

What finance can do about the VPN findings

Finance cannot change a tunnel's IKE version or restore a downed tunnel, but it can make the asymmetry between a near-free fix and a live continuity-and-audit risk visible enough that the fix does not lose the priority contest to features. Three levers.

1. Value each finding by the exposure it removes, not by any AWS charge

None of these controls change the invoice, so size them by what they prevent. A downed-tunnel finding is worth the cost-per-hour of the systems on that link being unreachable multiplied by the likely outage duration when AWS maintenance takes the survivor down; an IKEv1 finding is worth the engineering-hours of the tunnel flaps it causes on ISP failovers plus the audit-cycle cost of an open crypto finding. Pricing by outage-and-audit exposure, not by the report's ordering, is what turns four flags into a short, defensible worklist.

2. Make the asymmetry explicit so a cheap fix to a live risk keeps its priority

The whole argument is the asymmetry: the cost to remediate is a ten-minute configuration change at near-zero marginal cost, while the cost of inaction is a low-probability-per-day, high-impact outage plus a compounding compliance liability. Because there is nothing to fund, these findings slip through cost-led governance; the finance contribution is to spell out the asymmetry on the risk register so a free fix to a live exposure does not sit behind feature work for another reporting cycle.

3. Track open findings as carrying liabilities and require recorded exceptions

An open VPN finding in a regulated account is a liability with a carrying cost that accrues each audit cycle until it is closed, against frameworks like PCI DSS, ISO 27001 and HIPAA that all require logs for systems carrying sensitive cross-network traffic. Track those open findings as liabilities, and require a recorded, time-bounded exception with a named owner for any tunnel left on IKEv1, unlogged, or single-tunnel after the remediation window, kept finance-visible rather than silently suppressed.

Quick quiz

Question 1 of 5

What is the cost profile of the VPN controls in this group?

Keep learning

Go deeper on Site-to-Site VPN tunnel options, IPsec hardening, and the monitoring and logging around VPN connections.

You have finished the finance view of VPN security. You know these controls add no meaningful AWS spend, that the right way to value them is by the exposure they remove, the cost-per-hour of an outage for a downed tunnel and the audit-cycle cost of an open crypto finding, and that the whole argument is the asymmetry between a near-free fix and a live continuity-and-audit risk. Next time a cluster of VPN findings lands, you will produce an exposure-ordered worklist, track open findings in regulated accounts as carrying liabilities, and require a recorded exception with a named owner for anything left behind.

Back to the library

Securing VPN connections: the headline

Whether the encrypted links into our network are modern, resilient and auditable

Site-to-Site and Client VPNs are the encrypted bridges between AWS and our offices, data centers, partners and remote staff. These findings ask three things of them: are they using current cryptography, is the redundancy we paid for actually there, and can we explain what they did if something goes wrong? The report shows four separate flags, but it is one governance question.

The leadership concern is not the dollar amount, because there barely is one. It is that a working connection can be hiding a degraded backup tunnel, a deprecated protocol an auditor will flag, or a remote-access door with no log of who walked through it, and the organisation often finds out from a compliance scan rather than from the team that owns the link.

The durable answer is policy plus enforcement: IKEv2 only, both tunnels monitored so a drop pages a human in minutes, and logging on by default, all backed by guardrails so new VPNs cannot be created insecure. The fixes are cheap; the exposure they remove, unplanned downtime and missing audit evidence, is not.

A short read for the leader who wants the headline and one question to ask. You will get why VPN crypto, resilience and logging matter, why the fixes are essentially free, and why the real signal is whether the organisation detects degraded resilience and missing logs by policy rather than discovering them in a quarterly scan.

Fun fact

The tunnel that was down for 90 days

What it looks like when VPN health is a default

After a Site-to-Site VPN to the on-prem order-management system went dark for forty minutes during announced AWS maintenance, the CTO asked the network team one question: why did routine, scheduled maintenance become our outage. The answer was that one of the two tunnels had been DOWN for ninety-one days after a firewall change at the data center, the surviving tunnel had quietly carried all the traffic, and no alarm had ever been wired to tunnel state, so the redundancy the business paid for had silently degraded to one-of-one with nobody watching.

The team stopped treating the encrypted links as set-and-forget and made VPN health a default. Every tunnel is now locked to IKEv2 only, both tunnels are monitored with a CloudWatch alarm on the AWS/VPN TunnelState metric wired to network on-call so the next drop pages a human in minutes rather than waiting for a quarterly scan, and connection and tunnel logging are on by default. The standard is pinned in the infrastructure-as-code modules and backed by Service Control Policies that deny tunnel options containing ikev1 and block new VPNs created without logging, so a new connection cannot be born insecure. Each critical link now has a named owner. The next maintenance window was a non-event, because failover actually had somewhere to go. That standing posture, detected and owned by policy rather than discovered in a scan, is the governance signal.

Why this is a leadership item

The reason this is tracked is not its cost, which is negligible. It is that a working VPN can quietly be a live unplanned-downtime risk, a deprecated-crypto liability, or a remote-access door with no audit trail, all hidden behind the fact that the service still works. The next routine failure, ISP event, or audit is what surfaces it.

There is a maturity signal underneath each finding. That a periodic compliance scan, rather than the team's own monitoring, surfaced a tunnel dead for weeks or a deprecated protocol nobody decided to allow tells you the network layer is not being watched and owned the way critical infrastructure should be. The leadership move is to set the standard, IKEv2 only, both tunnels monitored, logging on by default, enforce it with guardrails, and assign a named owner to each critical link, so the posture maintains itself.

The leadership move on VPN security

The executive handle is to set the standard once and enforce it, so a working VPN cannot quietly hide a degraded backup tunnel, a deprecated protocol or an unlogged remote-access door. Three moves.

1. Set the standard: IKEv2 only, both tunnels monitored, logging on by default

Make it policy that every encrypted link uses current cryptography, runs on two healthy tunnels, and records what it did, so the encrypted doors into the network are modern, resilient and auditable by default rather than by whoever last touched them. The right place to enforce this is the infrastructure-as-code that creates connections, so a new VPN is born secure rather than corrected after a scan flags it. The fixes are cheap; the exposure they remove, unplanned downtime and missing audit evidence, is not.

2. Demand proof the insecure configuration cannot be created

A clean report is not the proof; the proof is that an insecure VPN cannot be created or merged. Ask to see the CloudWatch alarm on tunnel state wired to on-call so a drop pages a human in minutes, the IKEv2 and logging defaults pinned in the IaC modules, and the Service Control Policies that deny ModifyVpnTunnelOptions payloads containing ikev1 and block new VPNs without logging. Prevention by default, not cleanup after a quarterly scan, is the end state to insist on, and it is what turns a recurring finding into a one-time fix.

3. Treat discovery-by-scan as a maturity signal and assign named owners

That a periodic compliance scan, rather than the team's own monitoring, surfaced a tunnel dead for weeks or a deprecated protocol nobody decided to allow is itself the signal: the network layer is not being watched and owned the way critical infrastructure should be. Assign a named owner to each critical link and require monitored tunnel state, so degraded resilience and missing logs are detected by policy rather than discovered in a scan, and any tunnel left behind after the remediation window is a deliberate, recorded exception.

Quick quiz

Question 1 of 5

What is the central leadership question across the four VPN findings?

Keep learning

Go deeper on Site-to-Site VPN tunnel options, IPsec hardening, and the monitoring and logging around VPN connections.

Two takeaways: a working VPN can quietly be an unplanned-downtime risk, a deprecated-crypto liability or a remote-access door with no audit trail, so this is a governance question rather than a cost one; and the right end state is IKEv2 only, both tunnels monitored so a drop pages a human in minutes, and logging on by default, all enforced by guardrails so new VPNs cannot be created insecure. The fixes are essentially free; the exposure they remove is not.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

EC2

Part of the learning path Trim your network spend

Secure Site-to-Site VPN connections

Securing VPN connections: the basics

The tunnel that was down for 90 days

Auditing VPN health across an estate

How AWS evaluates a healthy VPNdeep dive

What is the impact of an insecure VPN?

How do you secure VPN connections safely?

1. Inventory every VPN and read its telemetry and options

2. Diagnose downed tunnels and verify the far side before changing crypto

3. Remediate one tunnel at a time, in a low-traffic window

4. Alarm and enforce so the posture maintains itself

Quick quiz

Keep learning

Securing VPN connections: the cost and risk view

The tunnel that was down for 90 days

How a finance partner frames the VPN findings

Why VPN posture belongs on the risk register

What finance can do about the VPN findings

1. Value each finding by the exposure it removes, not by any AWS charge

2. Make the asymmetry explicit so a cheap fix to a live risk keeps its priority

3. Track open findings as carrying liabilities and require recorded exceptions

Quick quiz

Keep learning

Securing VPN connections: the headline

The tunnel that was down for 90 days

What it looks like when VPN health is a default

Why this is a leadership item

The leadership move on VPN security

1. Set the standard: IKEv2 only, both tunnels monitored, logging on by default

2. Demand proof the insecure configuration cannot be created

3. Treat discovery-by-scan as a maturity signal and assign named owners

Quick quiz

Keep learning

Controls this lesson covers

EC2

Related compliance lessons