---
title: VPC peering route table with unrestricted CIDR
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > VPC peering route table with unrestricted CIDR
---

# VPC peering route table with unrestricted CIDR

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `terraform-aws-vpc-peering-route-table-with-unrestricted-cidr` 

**Provider:** AWS

**Platform:** Terraform

**Severity:** High

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route)

### Description{% #description %}

A VPC peering route whose destination is the unrestricted CIDR block (`0.0.0.0/0`) creates a significant security vulnerability: it directs traffic for every IP address through the VPC peering connection. Because a route table matches the most specific route, such an entry catches all traffic that no narrower route covers. This configuration effectively bypasses the network isolation between the VPCs and exposes your resources to potential unauthorized access from any IP address that can reach the peering connection.

Instead of using an unrestricted CIDR block, always limit the route's destination to the IP range of the peered VPC, or to the smallest subset of it that is actually required. For example, use `cidr_block = "10.0.0.0/8"` or the exact VPC CIDR such as `cidr_block = aws_vpc.vpc2.cidr_block` instead of `cidr_block = "0.0.0.0/0"` (for a standalone `aws_route` resource the equivalent argument is `destination_cidr_block`).

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
# Compliant example: each route that targets the peering connection has a
# bounded destination (a private range or the peer VPC's own CIDR); none uses
# 0.0.0.0/0, which is what this rule flags.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      # Provider series pinned for the nested `route { }` block form used below.
      version = "<= 3.49.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Address space of vpc1, the VPC that owns both subnets and both route tables
# in this example.
variable vpc_1_cidr_block {
  type        = string
  default     = "10.0.0.0/16"
  description = "vpc default CIDR block"
}

# Address space of vpc2, the other side of the peering connection.
variable vpc_2_cidr_block {
  type        = string
  default     = "10.2.0.0/16"
  description = "vpc default CIDR block"
}

# Both subnet ranges below fall inside vpc1's 10.0.0.0/16.
variable vpc_cidr_public_block {
  type        = string
  default     = "10.0.1.0/24"
  description = "public CIDR block"
}

variable vpc_cidr_private_block {
  type        = string
  default     = "10.0.2.0/24"
  description = "private CIDR block"
}

resource "aws_vpc" "vpc1" {
  cidr_block = var.vpc_1_cidr_block

  tags = {
    Name = "tf-test-vpc-1"
    Project = "CIS Certification"
  }
}

# Public subnet of vpc1; hosts the NAT gateway declared further down.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_public_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "public-subnet-1"
    Project = "CIS Certification"
  }
}

# Private subnet of vpc1; the only subnet given a route table association
# in this example.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_private_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "private-subnet-1"
    Project = "CIS Certification"
  }
}

resource "aws_vpc" "vpc2" {
  cidr_block = var.vpc_2_cidr_block

  tags = {
    Name = "tf-test-vpc-2"
    Project = "CIS Certification"
  }
}

# Internet gateway attached to vpc1.
resource "aws_internet_gateway" "igw" {
  vpc_id                  = aws_vpc.vpc1.id

  tags                    = {
    Name                  = "igw"
    Project               = "CIS Certification"
  }
}

# Elastic IP consumed by the NAT gateway; declared with no arguments.
resource "aws_eip" "nat" {}

resource "aws_nat_gateway" "nat" {
  allocation_id          = aws_eip.nat.id
  # Legacy splat on a single (non-counted) resource yields a one-element list.
  subnet_id              = aws_subnet.public.*.id[0]

  tags                   = {
    Name                 = "nat"
    Project              = "CIS Certification"
  }

  # Explicit ordering after the internet gateway, as the provider docs advise
  # for NAT gateways.
  depends_on             = [aws_internet_gateway.igw]
}

# Current account id, used so the peering request targets a VPC owned by the
# same account.
data "aws_caller_identity" "current" {}

# Peering between vpc2 (requester, vpc_id) and vpc1 (accepter, peer_vpc_id).
# Both VPCs live in the caller's own account, which is what makes
# auto_accept = true usable here.
resource "aws_vpc_peering_connection" "my_peering" {
  peer_owner_id = data.aws_caller_identity.current.account_id
  peer_vpc_id   = aws_vpc.vpc1.id
  vpc_id        = aws_vpc.vpc2.id
  auto_accept   = true

  tags = {
    Name = "VPC Peering between vpc1 and vpc2"
    Project = "CIS Certification"
  }
}

# Route table for vpc1 with a peering route bounded to 10.0.0.0/8. This
# satisfies the rule (the destination is not 0.0.0.0/0), but 10.0.0.0/8 still
# covers far more than vpc2's 10.2.0.0/16; the exact-CIDR form used in
# private_route_table below is the tighter choice. No subnet association for
# this table appears in this example.
resource "aws_route_table" "public_route_table" {
  vpc_id = aws_vpc.vpc1.id

  route {
    cidr_block                  = "10.0.0.0/8"
    vpc_peering_connection_id   = aws_vpc_peering_connection.my_peering.id
  }

  tags = {
    Name = "public_route_table"
    Project = "CIS Certification"
  }
}

# Route table for vpc1 whose peering route is scoped to the peer VPC's exact
# CIDR, read from the vpc2 resource so it follows var.vpc_2_cidr_block.
resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.vpc1.id

  route {
    cidr_block                  = aws_vpc.vpc2.cidr_block
    vpc_peering_connection_id   = aws_vpc_peering_connection.my_peering.id
  }

  tags = {
    Name = "private_route_table"
    Project = "CIS Certification"
  }
}

# Attaches the private subnet to private_route_table.
resource "aws_route_table_association" "private_route_table_association" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private_route_table.id
}
```

```terraform
# Compliant example using a standalone aws_route resource: the peering route's
# destination_cidr_block is bounded to 10.0.0.0/8 rather than 0.0.0.0/0.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "<= 3.49.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Address space of vpc1, the VPC that owns both subnets and both route tables.
variable vpc_1_cidr_block {
  type        = string
  default     = "10.0.0.0/16"
  description = "vpc default CIDR block"
}

# Address space of vpc2, the other side of the peering connection.
variable vpc_2_cidr_block {
  type        = string
  default     = "10.2.0.0/16"
  description = "vpc default CIDR block"
}

# Both subnet ranges below fall inside vpc1's 10.0.0.0/16.
variable vpc_cidr_public_block {
  type        = string
  default     = "10.0.1.0/24"
  description = "public CIDR block"
}

variable vpc_cidr_private_block {
  type        = string
  default     = "10.0.2.0/24"
  description = "private CIDR block"
}

resource "aws_vpc" "vpc1" {
  cidr_block = var.vpc_1_cidr_block
  tags = {
    # NOTE(review): same Name as vpc2 below ("tf-test-vpc-2"); looks like a
    # copy-paste slip in the example rather than intent.
    Name = "tf-test-vpc-2"
    Project = "CIS Certification"
  }
}

# Public subnet of vpc1; hosts the NAT gateway declared further down.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_public_block
  availability_zone = "us-east-1a"


  tags = {
    Name    = "public-subnet-1"
    Project = "CIS Certification"
  }
}

# Private subnet of vpc1; the only subnet given a route table association
# in this example.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_private_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "private-subnet-1"
    Project = "CIS Certification"
  }
}

resource "aws_vpc" "vpc2" {
  cidr_block = var.vpc_2_cidr_block
  tags = {
    Name = "tf-test-vpc-2"
    Project = "CIS Certification"
  }
}

# Internet gateway attached to vpc1.
resource "aws_internet_gateway" "igw" {
  vpc_id                  = aws_vpc.vpc1.id

  tags                    = {
    Name                  = "igw"
    Project               = "CIS Certification"
  }
}

# Elastic IP consumed by the NAT gateway; declared with no arguments.
resource "aws_eip" "nat" {}

resource "aws_nat_gateway" "nat" {
  allocation_id          = aws_eip.nat.id
  # Legacy splat on a single (non-counted) resource yields a one-element list.
  subnet_id              = aws_subnet.public.*.id[0]

  tags                   = {
    Name                 = "nat"
    Project              = "CIS Certification"
  }

  # Explicit ordering after the internet gateway, as the provider docs advise
  # for NAT gateways.
  depends_on             = [aws_internet_gateway.igw]
}

# Current account id, used so the peering request targets a VPC owned by the
# same account.
data "aws_caller_identity" "current" {}

# Peering between vpc2 (requester, vpc_id) and vpc1 (accepter, peer_vpc_id).
# Both VPCs live in the caller's own account, which is what makes
# auto_accept = true usable here.
resource "aws_vpc_peering_connection" "my_peering" {
  peer_owner_id = data.aws_caller_identity.current.account_id
  peer_vpc_id   = aws_vpc.vpc1.id
  vpc_id        = aws_vpc.vpc2.id
  auto_accept   = true

  tags = {
    Name = "VPC Peering between vpc1 and vpc2"
    Project = "CIS Certification"
  }
}


# Route table for vpc1 declared without inline routes; its peering route is
# added by the standalone aws_route resource below. No subnet association for
# this table appears in this example.
resource "aws_route_table" "public_route_table2" {
  vpc_id = aws_vpc.vpc1.id

  tags = {
    Name = "public-route-table"
    Project = "CIS Certification"
  }
}

# Route table for vpc1 with no routes declared here; it only receives the
# subnet association at the bottom.
resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.vpc1.id

  tags = {
    Project = "CIS Certification"
  }
}

# Standalone peering route on public_route_table2 (despite the resource name).
# The destination is bounded to 10.0.0.0/8, which satisfies the rule; the peer
# VPC's exact CIDR (aws_vpc.vpc2.cidr_block) would be tighter still.
resource "aws_route" "private_route2" {
  route_table_id            = aws_route_table.public_route_table2.id
  destination_cidr_block    = "10.0.0.0/8"
  vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
  # Redundant with the implicit dependency created by the route_table_id
  # reference above; harmless.
  depends_on                = [aws_route_table.public_route_table2]
}

# Attaches the private subnet to private_route_table.
resource "aws_route_table_association" "private_route_table_association" {
  subnet_id      = aws_subnet.private.*.id[0]
  route_table_id = aws_route_table.private_route_table.id
}
```

```terraform
# Compliant example using the attribute (list) form of `route` on
# aws_route_table: the peering route's cidr_block is bounded to 10.0.0.0/8.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      # Newer provider series than the other examples; the attribute form of
      # `route` below is written against it.
      version = "~> 3.55.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Address space of vpc1, the VPC that owns both subnets and both route tables.
variable vpc_1_cidr_block {
  type        = string
  default     = "10.0.0.0/16"
  description = "vpc default CIDR block"
}

# Address space of vpc2, the other side of the peering connection.
variable vpc_2_cidr_block {
  type        = string
  default     = "10.2.0.0/16"
  description = "vpc default CIDR block"
}

# Both subnet ranges below fall inside vpc1's 10.0.0.0/16.
variable vpc_cidr_public_block {
  type        = string
  default     = "10.0.1.0/24"
  description = "public CIDR block"
}

variable vpc_cidr_private_block {
  type        = string
  default     = "10.0.2.0/24"
  description = "private CIDR block"
}

resource "aws_vpc" "vpc1" {
  cidr_block = var.vpc_1_cidr_block

  tags = {
    Name = "tf-test-vpc-1"
    Project = "CIS Certification"
  }
}

# Public subnet of vpc1; hosts the NAT gateway declared further down.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_public_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "public-subnet-1"
    Project = "CIS Certification"
  }
}

# Private subnet of vpc1; the only subnet given a route table association
# in this example.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_private_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "private-subnet-1"
    Project = "CIS Certification"
  }
}

resource "aws_vpc" "vpc2" {
  cidr_block = var.vpc_2_cidr_block

  tags = {
    Name = "tf-test-vpc-2"
    Project = "CIS Certification"
  }
}

# Internet gateway attached to vpc1.
resource "aws_internet_gateway" "igw" {
  vpc_id                  = aws_vpc.vpc1.id

  tags                    = {
    Name                  = "igw"
    Project               = "CIS Certification"
  }
}

# Elastic IP consumed by the NAT gateway; declared with no arguments.
resource "aws_eip" "nat" {}

resource "aws_nat_gateway" "nat" {
  allocation_id          = aws_eip.nat.id
  # Legacy splat on a single (non-counted) resource yields a one-element list.
  subnet_id              = aws_subnet.public.*.id[0]

  tags                   = {
    Name                 = "nat"
    Project              = "CIS Certification"
  }

  # Explicit ordering after the internet gateway, as the provider docs advise
  # for NAT gateways.
  depends_on             = [aws_internet_gateway.igw]
}

# Current account id, used so the peering request targets a VPC owned by the
# same account.
data "aws_caller_identity" "current" {}

# Peering between vpc2 (requester, vpc_id) and vpc1 (accepter, peer_vpc_id).
# Both VPCs live in the caller's own account, which is what makes
# auto_accept = true usable here.
resource "aws_vpc_peering_connection" "my_peering" {
  peer_owner_id = data.aws_caller_identity.current.account_id
  peer_vpc_id   = aws_vpc.vpc1.id
  vpc_id        = aws_vpc.vpc2.id
  auto_accept   = true

  tags = {
    Name = "VPC Peering between vpc1 and vpc2"
    Project = "CIS Certification"
  }
}

# Route table for vpc1 whose peering route is bounded to 10.0.0.0/8. This
# satisfies the rule, though 10.0.0.0/8 still covers far more than vpc2's
# 10.2.0.0/16; the exact-CIDR form in private_route_table below is tighter.
# No subnet association for this table appears in this example.
resource "aws_route_table" "public_route_table" {
  vpc_id = aws_vpc.vpc1.id

  # `route` given as a list attribute instead of nested blocks. In that form
  # every nested argument has to be assigned, which is why the unused targets
  # are set to empty strings.
  route = [

    {
      cidr_block                 = "10.0.0.0/8"
      vpc_peering_connection_id  = aws_vpc_peering_connection.my_peering.id
      gateway_id                 = ""
      instance_id                = ""
      ipv6_cidr_block            = ""
      egress_only_gateway_id     = ""
      nat_gateway_id             = ""
      network_interface_id       = ""
      transit_gateway_id         = ""
      carrier_gateway_id         = ""
      destination_prefix_list_id = ""
      local_gateway_id           = ""
      vpc_endpoint_id            = ""

    }
  ]
  

  tags = {
    Name = "public_route_table"
    Project = "CIS Certification"
  }
}

# Route table for vpc1 whose peering route is scoped to the peer VPC's exact
# CIDR, read from the vpc2 resource so it follows var.vpc_2_cidr_block.
resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.vpc1.id

  route {
    cidr_block                  = aws_vpc.vpc2.cidr_block
    vpc_peering_connection_id   = aws_vpc_peering_connection.my_peering.id
  }

  tags = {
    Name = "private_route_table"
    Project = "CIS Certification"
  }
}

# Attaches the private subnet to private_route_table.
resource "aws_route_table_association" "private_route_table_association" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private_route_table.id
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
# Non-compliant example: public_route_table below sends the entire IPv4 space
# (0.0.0.0/0) to the peering connection. Everything else is identical to the
# first compliant example; the finding is confined to that one route.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "<= 3.49.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Address space of vpc1, the VPC that owns both subnets and both route tables.
variable vpc_1_cidr_block {
  type        = string
  default     = "10.0.0.0/16"
  description = "vpc default CIDR block"
}

# Address space of vpc2, the other side of the peering connection.
variable vpc_2_cidr_block {
  type        = string
  default     = "10.2.0.0/16"
  description = "vpc default CIDR block"
}

# Both subnet ranges below fall inside vpc1's 10.0.0.0/16.
variable vpc_cidr_public_block {
  type        = string
  default     = "10.0.1.0/24"
  description = "public CIDR block"
}

variable vpc_cidr_private_block {
  type        = string
  default     = "10.0.2.0/24"
  description = "private CIDR block"
}

resource "aws_vpc" "vpc1" {
  cidr_block = var.vpc_1_cidr_block

  tags = {
    Name = "tf-test-vpc-1"
    Project = "CIS Certification"
  }
}

# Public subnet of vpc1; hosts the NAT gateway declared further down.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_public_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "public-subnet-1"
    Project = "CIS Certification"
  }
}

# Private subnet of vpc1; the only subnet given a route table association
# in this example.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_private_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "private-subnet-1"
    Project = "CIS Certification"
  }
}

resource "aws_vpc" "vpc2" {
  cidr_block = var.vpc_2_cidr_block

  tags = {
    Name = "tf-test-vpc-2"
    Project = "CIS Certification"
  }
}

# Internet gateway attached to vpc1.
resource "aws_internet_gateway" "igw" {
  vpc_id                  = aws_vpc.vpc1.id

  tags                    = {
    Name                  = "igw"
    Project               = "CIS Certification"
  }
}

# Elastic IP consumed by the NAT gateway; declared with no arguments.
resource "aws_eip" "nat" {}

resource "aws_nat_gateway" "nat" {
  allocation_id          = aws_eip.nat.id
  # Legacy splat on a single (non-counted) resource yields a one-element list.
  subnet_id              = aws_subnet.public.*.id[0]

  tags                   = {
    Name                 = "nat"
    Project              = "CIS Certification"
  }

  # Explicit ordering after the internet gateway, as the provider docs advise
  # for NAT gateways.
  depends_on             = [aws_internet_gateway.igw]
}

# Current account id, used so the peering request targets a VPC owned by the
# same account.
data "aws_caller_identity" "current" {}

# Peering between vpc2 (requester, vpc_id) and vpc1 (accepter, peer_vpc_id).
# Both VPCs live in the caller's own account, which is what makes
# auto_accept = true usable here.
resource "aws_vpc_peering_connection" "my_peering" {
  peer_owner_id = data.aws_caller_identity.current.account_id
  peer_vpc_id   = aws_vpc.vpc1.id
  vpc_id        = aws_vpc.vpc2.id
  auto_accept   = true

  tags = {
    Name = "VPC Peering between vpc1 and vpc2"
    Project = "CIS Certification"
  }
}

# FINDING: the peering route below uses 0.0.0.0/0, so every destination not
# covered by a more specific route is handed to the peering connection. The
# fix is to bound cidr_block to the peer VPC's range, as private_route_table
# does further down.
resource "aws_route_table" "public_route_table" {
  vpc_id = aws_vpc.vpc1.id

  route {
    cidr_block                  = "0.0.0.0/0"
    vpc_peering_connection_id   = aws_vpc_peering_connection.my_peering.id
  }

  tags = {
    Name = "public_route_table"
    Project = "CIS Certification"
  }
}

# This table is fine: its peering route is scoped to vpc2's exact CIDR.
resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.vpc1.id

  route {
    cidr_block                  = aws_vpc.vpc2.cidr_block
    vpc_peering_connection_id   = aws_vpc_peering_connection.my_peering.id
  }

  tags = {
    Name = "private_route_table"
    Project = "CIS Certification"
  }
}

# Attaches the private subnet to private_route_table.
resource "aws_route_table_association" "private_route_table_association" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private_route_table.id
}
```

```terraform
# Non-compliant example with a standalone aws_route: its destination_cidr_block
# is 0.0.0.0/0 while the target is the peering connection. Everything else
# matches the second compliant example.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "<= 3.49.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Address space of vpc1, the VPC that owns both subnets and both route tables.
variable vpc_1_cidr_block {
  type        = string
  default     = "10.0.0.0/16"
  description = "vpc default CIDR block"
}

# Address space of vpc2, the other side of the peering connection.
variable vpc_2_cidr_block {
  type        = string
  default     = "10.2.0.0/16"
  description = "vpc default CIDR block"
}

# Both subnet ranges below fall inside vpc1's 10.0.0.0/16.
variable vpc_cidr_public_block {
  type        = string
  default     = "10.0.1.0/24"
  description = "public CIDR block"
}

variable vpc_cidr_private_block {
  type        = string
  default     = "10.0.2.0/24"
  description = "private CIDR block"
}

resource "aws_vpc" "vpc1" {
  cidr_block = var.vpc_1_cidr_block
  tags = {
    # NOTE(review): same Name as vpc2 below ("tf-test-vpc-2"); looks like a
    # copy-paste slip in the example rather than intent.
    Name = "tf-test-vpc-2"
    Project = "CIS Certification"
  }
}

# Public subnet of vpc1; hosts the NAT gateway declared further down.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_public_block
  availability_zone = "us-east-1a"


  tags = {
    Name    = "public-subnet-1"
    Project = "CIS Certification"
  }
}

# Private subnet of vpc1; the only subnet given a route table association
# in this example.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_private_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "private-subnet-1"
    Project = "CIS Certification"
  }
}

resource "aws_vpc" "vpc2" {
  cidr_block = var.vpc_2_cidr_block
  tags = {
    Name = "tf-test-vpc-2"
    Project = "CIS Certification"
  }
}

# Internet gateway attached to vpc1.
resource "aws_internet_gateway" "igw" {
  vpc_id                  = aws_vpc.vpc1.id

  tags                    = {
    Name                  = "igw"
    Project               = "CIS Certification"
  }
}

# Elastic IP consumed by the NAT gateway; declared with no arguments.
resource "aws_eip" "nat" {}

resource "aws_nat_gateway" "nat" {
  allocation_id          = aws_eip.nat.id
  # Legacy splat on a single (non-counted) resource yields a one-element list.
  subnet_id              = aws_subnet.public.*.id[0]

  tags                   = {
    Name                 = "nat"
    Project              = "CIS Certification"
  }

  # Explicit ordering after the internet gateway, as the provider docs advise
  # for NAT gateways.
  depends_on             = [aws_internet_gateway.igw]
}

# Current account id, used so the peering request targets a VPC owned by the
# same account.
data "aws_caller_identity" "current" {}

# Peering between vpc2 (requester, vpc_id) and vpc1 (accepter, peer_vpc_id).
# Both VPCs live in the caller's own account, which is what makes
# auto_accept = true usable here.
resource "aws_vpc_peering_connection" "my_peering" {
  peer_owner_id = data.aws_caller_identity.current.account_id
  peer_vpc_id   = aws_vpc.vpc1.id
  vpc_id        = aws_vpc.vpc2.id
  auto_accept   = true

  tags = {
    Name = "VPC Peering between vpc1 and vpc2"
    Project = "CIS Certification"
  }
}


# Route table for vpc1 declared without inline routes; the offending route is
# attached to it by the aws_route resource below. No subnet association for
# this table appears in this example.
resource "aws_route_table" "public_route_table9" {
  vpc_id = aws_vpc.vpc1.id

  tags = {
    Name = "public-route-table"
    Project = "CIS Certification"
  }
}

# Route table for vpc1 with no routes declared here; it only receives the
# subnet association at the bottom.
resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.vpc1.id

  tags = {
    Project = "CIS Certification"
  }
}

# FINDING: destination_cidr_block is 0.0.0.0/0 while the target is the peering
# connection, so every destination not covered by a more specific route is
# handed to the peer. Bound it to the peer VPC's range (for example
# aws_vpc.vpc2.cidr_block) to satisfy the rule. Note the resource targets
# public_route_table9 despite its "private" name.
resource "aws_route" "private_route2" {
  route_table_id            = aws_route_table.public_route_table9.id
  destination_cidr_block    = "0.0.0.0/0"
  vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id
  # Redundant with the implicit dependency created by the route_table_id
  # reference above; harmless.
  depends_on                = [aws_route_table.public_route_table9]
}

# Attaches the private subnet to private_route_table.
resource "aws_route_table_association" "private_route_table_association" {
  subnet_id      = aws_subnet.private.*.id[0]
  route_table_id = aws_route_table.private_route_table.id
}
```

```terraform
# Non-compliant example using the attribute (list) form of `route`: the
# peering route's cidr_block is 0.0.0.0/0. Everything else matches the third
# compliant example.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      # Newer provider series than the other examples; the attribute form of
      # `route` below is written against it.
      version = "~> 3.55.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Address space of vpc1, the VPC that owns both subnets and both route tables.
variable vpc_1_cidr_block {
  type        = string
  default     = "10.0.0.0/16"
  description = "vpc default CIDR block"
}

# Address space of vpc2, the other side of the peering connection.
variable vpc_2_cidr_block {
  type        = string
  default     = "10.2.0.0/16"
  description = "vpc default CIDR block"
}

# Both subnet ranges below fall inside vpc1's 10.0.0.0/16.
variable vpc_cidr_public_block {
  type        = string
  default     = "10.0.1.0/24"
  description = "public CIDR block"
}

variable vpc_cidr_private_block {
  type        = string
  default     = "10.0.2.0/24"
  description = "private CIDR block"
}

resource "aws_vpc" "vpc1" {
  cidr_block = var.vpc_1_cidr_block

  tags = {
    Name = "tf-test-vpc-1"
    Project = "CIS Certification"
  }
}

# Public subnet of vpc1; hosts the NAT gateway declared further down.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_public_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "public-subnet-1"
    Project = "CIS Certification"
  }
}

# Private subnet of vpc1; the only subnet given a route table association
# in this example.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = var.vpc_cidr_private_block
  availability_zone = "us-east-1a"

  tags = {
    Name    = "private-subnet-1"
    Project = "CIS Certification"
  }
}

resource "aws_vpc" "vpc2" {
  cidr_block = var.vpc_2_cidr_block

  tags = {
    Name = "tf-test-vpc-2"
    Project = "CIS Certification"
  }
}

# Internet gateway attached to vpc1.
resource "aws_internet_gateway" "igw" {
  vpc_id                  = aws_vpc.vpc1.id

  tags                    = {
    Name                  = "igw"
    Project               = "CIS Certification"
  }
}

# Elastic IP consumed by the NAT gateway; declared with no arguments.
resource "aws_eip" "nat" {}

resource "aws_nat_gateway" "nat" {
  allocation_id          = aws_eip.nat.id
  # Legacy splat on a single (non-counted) resource yields a one-element list.
  subnet_id              = aws_subnet.public.*.id[0]

  tags                   = {
    Name                 = "nat"
    Project              = "CIS Certification"
  }

  # Explicit ordering after the internet gateway, as the provider docs advise
  # for NAT gateways.
  depends_on             = [aws_internet_gateway.igw]
}

# Current account id, used so the peering request targets a VPC owned by the
# same account.
data "aws_caller_identity" "current" {}

# Peering between vpc2 (requester, vpc_id) and vpc1 (accepter, peer_vpc_id).
# Both VPCs live in the caller's own account, which is what makes
# auto_accept = true usable here.
resource "aws_vpc_peering_connection" "my_peering" {
  peer_owner_id = data.aws_caller_identity.current.account_id
  peer_vpc_id   = aws_vpc.vpc1.id
  vpc_id        = aws_vpc.vpc2.id
  auto_accept   = true

  tags = {
    Name = "VPC Peering between vpc1 and vpc2"
    Project = "CIS Certification"
  }
}

# FINDING: the peering route in the list below uses 0.0.0.0/0, so every
# destination not covered by a more specific route is handed to the peering
# connection. Bound cidr_block to the peer VPC's range, as private_route_table
# does further down.
resource "aws_route_table" "public_route_table" {
  vpc_id = aws_vpc.vpc1.id

  # `route` given as a list attribute instead of nested blocks. In that form
  # every nested argument has to be assigned, which is why the unused targets
  # are set to empty strings.
  route = [

    {
      cidr_block                 = "0.0.0.0/0"
      vpc_peering_connection_id  = aws_vpc_peering_connection.my_peering.id
      gateway_id                 = ""
      instance_id                = ""
      ipv6_cidr_block            = ""
      egress_only_gateway_id     = ""
      nat_gateway_id             = ""
      network_interface_id       = ""
      transit_gateway_id         = ""
      carrier_gateway_id         = ""
      destination_prefix_list_id = ""
      local_gateway_id           = ""
      vpc_endpoint_id            = ""

    }
  ]
  

  tags = {
    Name = "public_route_table"
    Project = "CIS Certification"
  }
}

# This table is fine: its peering route is scoped to vpc2's exact CIDR.
resource "aws_route_table" "private_route_table" {
  vpc_id = aws_vpc.vpc1.id

  route {
    cidr_block                  = aws_vpc.vpc2.cidr_block
    vpc_peering_connection_id   = aws_vpc_peering_connection.my_peering.id
  }

  tags = {
    Name = "private_route_table"
    Project = "CIS Certification"
  }
}

# Attaches the private subnet to private_route_table.
resource "aws_route_table_association" "private_route_table_association" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private_route_table.id
}
```
