aws-solutions / network-orchestration-for-aws-transit-gateway

The Network Orchestration for AWS Transit Gateway solution automates the process of setting up and managing transit networks in distributed AWS environments. It creates a web interface to help control, audit, and approve (transit) network changes.
https://aws.amazon.com/solutions/implementations/serverless-transit-network-orchestrator/
Apache License 2.0
110 stars 48 forks

Update Hub Cloudformation Template to support Disabling External Principals for Resource Share #39

Closed aussiecloudguy closed 1 year ago

aussiecloudguy commented 2 years ago

Currently, when a Resource Share is created for the Transit Gateway, it is configured with the default configuration of AllowExternalPrincipals: True.

This can be a security issue. A good enhancement (which we have done ourselves by amending the Cfn) is to allow users to disable external principals by a parameter in the Hub CloudFormation, and then, using a condition, set AllowExternalPrincipals to false so that only AWS accounts within an Organisation can be shared access to the Transit Gateway.

An example configuration to support this (I set "No" as the default for our needs, but for public generic requirements "Yes" may still be OK):

Add to Parameters:

    "AllowExternalPrincipals": {
        "Type": "String",
        "AllowedValues": [
            "Yes",
            "No"
        ],
        "Default": "No"
    },

Add to Conditions:

    "NoExternalPrincipals": {
        "Fn::Equals": [
            { "Ref": "AllowExternalPrincipals" },
            "No"
        ]
    },

Add Property to TGW Resource Share:

    "AllowExternalPrincipals": { "Fn::If": [ "NoExternalPrincipals", false, true ] },
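The three fragments above only make sense together, so here is an added example (my own code, not part of the aws-solutions project or the reporter's change) that assembles them into one small template, evaluates the `Ref` / `Fn::Equals` / `Fn::If` chain the way CloudFormation would for a given parameter value, and adds a defender-side check over RAM resource-share records of the shape `ram.get_resource_shares` returns. The logical resource id `TGWResourceShare`, the share name, and the sample share records are assumptions constructed for the example.

```python
"""
Added example, not the project's own code: a minimal evaluator for the
CloudFormation intrinsics used in the issue (Ref, Fn::Equals, Fn::If),
applied to the proposed template fragment, plus an audit helper over
RAM resource-share records (constructed sample data, not a real account).
"""
import json

# The fragments proposed in the issue, assembled into one template.
# Logical id "TGWResourceShare" and the share Name are assumed for the example.
TEMPLATE_FRAGMENT = {
    "Parameters": {
        "AllowExternalPrincipals": {
            "Type": "String",
            "AllowedValues": ["Yes", "No"],
            "Default": "No",
        }
    },
    "Conditions": {
        "NoExternalPrincipals": {
            "Fn::Equals": [{"Ref": "AllowExternalPrincipals"}, "No"]
        }
    },
    "Resources": {
        "TGWResourceShare": {
            "Type": "AWS::RAM::ResourceShare",
            "Properties": {
                "Name": "transit-gateway-share",  # placeholder name
                "AllowExternalPrincipals": {
                    "Fn::If": ["NoExternalPrincipals", False, True]
                },
            },
        }
    },
}


def resolve(node, params, conditions):
    """Recursively evaluate Ref / Fn::Equals / Fn::If; other nodes pass through."""
    if isinstance(node, dict):
        if "Ref" in node and len(node) == 1:
            name = node["Ref"]
            if name not in params:
                raise KeyError(f"unresolved Ref to parameter {name!r}")
            return params[name]
        if "Fn::Equals" in node:
            left, right = node["Fn::Equals"]
            return resolve(left, params, conditions) == resolve(right, params, conditions)
        if "Fn::If" in node:
            cond_name, if_true, if_false = node["Fn::If"]
            cond = resolve(conditions[cond_name], params, conditions)
            return resolve(if_true if cond else if_false, params, conditions)
        return {k: resolve(v, params, conditions) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params, conditions) for v in node]
    return node


def effective_parameters(template, overrides=None):
    """Apply parameter defaults, then overrides, validating against AllowedValues."""
    params = {}
    for name, spec in template.get("Parameters", {}).items():
        value = (overrides or {}).get(name, spec.get("Default"))
        allowed = spec.get("AllowedValues")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{name}={value!r} not in AllowedValues {allowed}")
        params[name] = value
    return params


def render_share_properties(template, overrides=None):
    """Return the resolved Properties of the TGW resource share."""
    params = effective_parameters(template, overrides)
    props = template["Resources"]["TGWResourceShare"]["Properties"]
    return resolve(props, params, template["Conditions"])


def shares_open_to_external_principals(shares):
    """Given resource-share records (keys as in ram.get_resource_shares),
    return the names of shares that still allow principals outside the org."""
    return [s["name"] for s in shares if s.get("allowExternalPrincipals", False)]


# Constructed sample records; not output captured from a real account.
SAMPLE_SHARES = [
    {"name": "tgw-share-hub", "allowExternalPrincipals": True, "status": "ACTIVE"},
    {"name": "tgw-share-locked", "allowExternalPrincipals": False, "status": "ACTIVE"},
]

if __name__ == "__main__":
    # Default "No" -> AllowExternalPrincipals resolves to false.
    print(json.dumps(render_share_properties(TEMPLATE_FRAGMENT), indent=2))
    # Explicit "Yes" -> resolves to true (the current, permissive behaviour).
    print(json.dumps(render_share_properties(
        TEMPLATE_FRAGMENT, {"AllowExternalPrincipals": "Yes"}), indent=2))
    print(shares_open_to_external_principals(SAMPLE_SHARES))
```

The `AllowedValues` check matters in practice: a value other than "Yes" or "No" would make the condition evaluate to false and silently leave the share open, so rejecting it up front (as CloudFormation itself does at stack creation) keeps the intent of the parameter honest. The audit helper can be fed the `resourceShares` list from a real `get_resource_shares(resourceOwner="SELF")` call to find shares that predate the template change.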

gsingh04 commented 2 years ago

Thanks for opening the issue. We have added this to our backlog items and will look into this with the next release.

groverlalit commented 1 year ago

We will ship this feature request in the next release.