For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-vpc-attached-with-too-many-gateways.md. A documentation index is available at /llms.txt.

VPC attached with too many gateways

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-vpc-attached-with-too-many-gateways

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Availability

Learn More

Description

Attaching an excessive number of gateways to a single VPC increases the attack surface and may indicate misconfiguration or exceed AWS service limits. Exceeding service limits can cause routing problems or service disruption.

This rule checks AWS::EC2::VPC resources and counts AWS::EC2::VPCGatewayAttachment resources whose Properties.VpcId refers to that VPC. The count must not be greater than 3. Resources with more than three gateway attachments referencing the VPC will be flagged. VpcId may be specified as a literal value or a Ref.

Secure configuration example showing a single gateway attachment:

MyVPC:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: 10.0.0.0/16

MyInternetGateway:
  Type: AWS::EC2::InternetGateway

MyVPCGatewayAttachment:
  Type: AWS::EC2::VPCGatewayAttachment
  Properties:
    VpcId: !Ref MyVPC
    InternetGatewayId: !Ref MyInternetGateway

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC_2:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    AttachVpnGateway:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC_2
        VpnGatewayId:
           Ref: myVPNGateway
    AttachVpnGateway2:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC_2
        VpnGatewayId:
           Ref: myVPNGateway2
    AttachVpnGateway3:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC_2
        VpnGatewayId:
           Ref: myVPNGateway3

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myVPC_2": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": "false",
        "EnableDnsHostnames": "false",
        "InstanceTenancy": "dedicated"
      }
    },
    "AttachVpnGateway": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC_2"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway"
        }
      }
    },
    "AttachVpnGateway2": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC_2"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway2"
        }
      }
    },
    "AttachVpnGateway3": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC_2"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway3"
        }
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    AttachVpnGateway:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC
        VpnGatewayId:
           Ref: myVPNGateway
    AttachVpnGateway2:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC
        VpnGatewayId:
           Ref: myVPNGateway2
    AttachVpnGateway3:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC
        VpnGatewayId:
           Ref: myVPNGateway3
    AttachVpnGateway4:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC
        VpnGatewayId:
           Ref: myVPNGateway4

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AttachVpnGateway4": {
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway4"
        }
      },
      "Type": "AWS::EC2::VPCGatewayAttachment"
    },
    "myVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "EnableDnsHostnames": "false",
        "InstanceTenancy": "dedicated",
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": "false"
      }
    },
    "AttachVpnGateway": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway"
        }
      }
    },
    "AttachVpnGateway2": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway2"
        }
      }
    },
    "AttachVpnGateway3": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway3"
        }
      }
    }
  }
}