---
title: VPC attached with too many gateways
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > VPC attached with too many gateways
---

# VPC attached with too many gateways

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-vpc-attached-with-too-many-gateways` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Low

**Category:** Availability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc-gateway-attachment.html)

### Description{% #description %}

Attaching an excessive number of gateways to a single VPC increases the attack surface and may indicate misconfiguration or exceed AWS service limits. Exceeding service limits can cause routing problems or service disruption.

This rule checks `AWS::EC2::VPC` resources and counts `AWS::EC2::VPCGatewayAttachment` resources whose `Properties.VpcId` refers to that VPC. The count must not be greater than `3`. Resources with more than three gateway attachments referencing the VPC will be flagged. `VpcId` may be specified as a literal value or a `Ref`.

Secure configuration example showing a single gateway attachment:

```yaml
MyVPC:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: 10.0.0.0/16

MyInternetGateway:
  Type: AWS::EC2::InternetGateway

MyVPCGatewayAttachment:
  Type: AWS::EC2::VPCGatewayAttachment
  Properties:
    VpcId: !Ref MyVPC
    InternetGatewayId: !Ref MyInternetGateway
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC_2:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    AttachVpnGateway:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC_2
        VpnGatewayId:
           Ref: myVPNGateway
    AttachVpnGateway2:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC_2
        VpnGatewayId:
           Ref: myVPNGateway2
    AttachVpnGateway3:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC_2
        VpnGatewayId:
           Ref: myVPNGateway3
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myVPC_2": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": "false",
        "EnableDnsHostnames": "false",
        "InstanceTenancy": "dedicated"
      }
    },
    "AttachVpnGateway": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC_2"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway"
        }
      }
    },
    "AttachVpnGateway2": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC_2"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway2"
        }
      }
    },
    "AttachVpnGateway3": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC_2"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway3"
        }
      }
    }
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
    myVPC:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: 'false'
        EnableDnsHostnames: 'false'
        InstanceTenancy: dedicated
    AttachVpnGateway:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC
        VpnGatewayId:
           Ref: myVPNGateway
    AttachVpnGateway2:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC
        VpnGatewayId:
           Ref: myVPNGateway2
    AttachVpnGateway3:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC
        VpnGatewayId:
           Ref: myVPNGateway3
    AttachVpnGateway4:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties:
        VpcId:
           Ref: myVPC
        VpnGatewayId:
           Ref: myVPNGateway4
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AttachVpnGateway4": {
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway4"
        }
      },
      "Type": "AWS::EC2::VPCGatewayAttachment"
    },
    "myVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "EnableDnsHostnames": "false",
        "InstanceTenancy": "dedicated",
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": "false"
      }
    },
    "AttachVpnGateway": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway"
        }
      }
    },
    "AttachVpnGateway2": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway2"
        }
      }
    },
    "AttachVpnGateway3": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "VpnGatewayId": {
          "Ref": "myVPNGateway3"
        }
      }
    }
  }
}
```