Terraform module to provision AWS Transit Gateway, AWS Resource Access Manager (AWS RAM) Resource, and share the Transit Gateway with the Organization or another AWS Account.
Describe the Bug
By default, this module deploys a transit gateway that automatically accepts any VPC attachment requests. I believe this default is dangerous, because if an attacker knows your account ID and TGW ID, they can send an attachment request and have access to your network.
Expected Behavior
I think this module should instead use the aws_ec2_transit_gateway_vpc_attachment_accepter Terraform resource to accept the attachment request, and have the default be to disable automatic attachments.
Steps to Reproduce
Steps to reproduce the behavior:
1. Deploy a transit gateway.
2. From a theoretical attacker's account, initiate a peering request.
3. The peering request is automatically accepted.
Screenshots
N/A
Environment (please complete the following information):
N/A
Additional Context
N/A
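As an added example (not code from this module or its maintainers), the following Terraform configuration shows the hardened shape the issue asks for: the transit gateway is created with auto_accept_shared_attachments set to "disable", it is shared through AWS RAM only to principals inside the organization, and each attachment from a spoke account is accepted explicitly by the owner account with aws_ec2_transit_gateway_vpc_attachment_accepter. The variable names (organization_arn, spoke_attachment_id) and the "spoke" provider alias are assumptions for illustration; the resource types and arguments are the real ones from the AWS provider.

```hcl
# Owner (hub) account: transit gateway that does NOT auto-accept attachments.
# With auto_accept_shared_attachments = "disable", an attachment created from a
# shared account stays in the pendingAcceptance state until the owner accepts it.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "hub transit gateway"
  auto_accept_shared_attachments  = "disable" # weak setting would be "enable"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  tags                            = { Name = "hub-tgw" }
}

# Share the transit gateway via AWS RAM. allow_external_principals = false
# restricts the share to accounts in the same AWS Organization, so an account
# outside the organization cannot even create an attachment request.
resource "aws_ram_resource_share" "tgw" {
  name                      = "hub-tgw-share"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

# Assumed variable: ARN of the organization (or OU / account) to share with.
variable "organization_arn" {
  type = string
}

resource "aws_ram_principal_association" "org" {
  principal          = var.organization_arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

# Spoke account (assumed provider alias "spoke"): request an attachment.
# This only creates a request; nothing is connected until the owner accepts.
variable "spoke_vpc_id" {
  type = string
}

variable "spoke_subnet_ids" {
  type = list(string)
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  provider           = aws.spoke
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.spoke_vpc_id
  subnet_ids         = var.spoke_subnet_ids
  tags               = { Name = "spoke-attachment" }
}

# Owner account: explicitly accept only the attachment we created above.
# An attachment request from any other account is left pending (and can be
# rejected) because no accepter resource exists for it.
resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "spoke" {
  transit_gateway_attachment_id                   = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
  tags                                            = { Name = "spoke-attachment-accepted" }
}
```

The important change relative to the module's current default is the combination of auto_accept_shared_attachments = "disable" and a per-attachment accepter: the owner account decides, in code, which attachment IDs are allowed to join the transit gateway, so an unexpected request from another account shows up as a pending attachment to investigate rather than as a live network path.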