
EC2 transit gateways should have auto accept shared attachments disabled

A transit gateway with auto-accept enabled allows any AWS account granted access via Resource Access Manager to immediately attach a VPC without any approval step. A shared account could attach a rogue VPC to your network backbone, gaining routing access to other attached VPCs and on-premises networks. The blast radius of a compromised or misconfigured shared account grows accordingly.

Disabling auto-accept forces a two-step handshake: the requesting account proposes an attachment, and the transit gateway owner explicitly accepts it. Your network team gets a checkpoint to validate the attachment before any traffic can flow.

Retrofit consideration

Changing this setting on an existing transit gateway does not touch attachments that have already been accepted. It only changes how new attachment requests from shared accounts are handled: from then on they land in the pendingAcceptance state and carry no traffic until the owning account accepts (or rejects) them.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_ec2_transit_gateway.

resource "aws_ec2_transit_gateway" "this" {
  # "disable" is the provider default; declaring it makes the intent explicit
  auto_accept_shared_attachments = "disable"
}

What this control checks

This control validates the aws_ec2_transit_gateway resource's auto_accept_shared_attachments argument. To pass, the argument must be set to "disable" or omitted entirely ("disable" is the default). Setting it to "enable" fails the control. No additional resources are required. If you use Resource Access Manager (aws_ram_resource_share) to share the transit gateway, the receiving account creates an aws_ec2_transit_gateway_vpc_attachment; the owning account then uses aws_ec2_transit_gateway_vpc_attachment_accepter to explicitly approve it.

Common pitfalls

  • Default value masks explicit intent

    The default for auto_accept_shared_attachments on aws_ec2_transit_gateway is "disable", so omitting the argument passes the control. Some teams set it explicitly anyway, and that's a reasonable call: if a future provider update or import drift shifts the default, an explicit declaration is your safety net.

  • RAM sharing still grants attachment proposal rights

    Disabling auto-accept doesn't prevent a shared account from proposing an attachment via aws_ec2_transit_gateway_vpc_attachment. It only blocks automatic acceptance. Without monitoring, proposals quietly pile up or get accidentally approved. Wire an EventBridge rule to CloudTrail CreateTransitGatewayVpcAttachment events so your team gets alerted on new proposals, and keep in mind that the API call is made by the requesting account, so the event appears in that account's trail, not necessarily in the owner's. A scheduled check from the owning account, aws ec2 describe-transit-gateway-attachments --filters Name=state,Values=pendingAcceptance, is the reliable complement.

  • Terraform lifecycle on accepter resources

    When using aws_ec2_transit_gateway_vpc_attachment_accepter in the owning account, Terraform needs the attachment ID from the requesting account. That means a cross-account reference: a terraform_remote_state output, or an aws_ec2_transit_gateway_vpc_attachment data source in the owner account filtered on the spoke's vpc-id. Teams sometimes sidestep that complexity by flipping auto-accept back on. Don't. Build the cross-account pattern once and reuse it.
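The full two-step handshake described under "What this control checks" and in the pitfall above, as an added example (not the page's own code): the owner account shares the gateway through RAM, the requesting account proposes the attachment, and the owner explicitly accepts it. Region, account ID, VPC and subnet IDs, provider aliases and resource names are placeholders; it assumes both accounts are run from one configuration, which is why the attachment ID can be referenced directly rather than through remote state.

```hcl
# Added example, not the page's own code. All IDs and names are placeholders.

provider "aws" {
  alias  = "owner"     # network/hub account that owns the transit gateway
  region = "us-east-1" # placeholder
}

provider "aws" {
  alias  = "requester" # spoke account that wants to attach a VPC
  region = "us-east-1" # placeholder
}

resource "aws_ec2_transit_gateway" "this" {
  provider                       = aws.owner
  description                    = "shared network backbone"
  auto_accept_shared_attachments = "disable" # the control: no attachment without explicit accept
}

# Share the gateway with the requesting account through RAM.
resource "aws_ram_resource_share" "tgw" {
  provider                  = aws.owner
  name                      = "transit-gateway"
  allow_external_principals = true # only needed if the requester is outside your Organization
}

resource "aws_ram_resource_association" "tgw" {
  provider           = aws.owner
  resource_arn       = aws_ec2_transit_gateway.this.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "requester" {
  provider           = aws.owner
  principal          = "111111111111" # placeholder requesting account ID
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

# The requester accepts the RAM invitation. Remove this block when both accounts
# are in an Organization with RAM sharing enabled; the share is then automatic.
resource "aws_ram_resource_share_accepter" "tgw" {
  provider  = aws.requester
  share_arn = aws_ram_principal_association.requester.resource_share_arn
}

# Step 1: the requester proposes the attachment. With auto-accept disabled it
# sits in pendingAcceptance and no traffic flows yet.
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  provider           = aws.requester
  transit_gateway_id = aws_ec2_transit_gateway.this.id
  vpc_id             = "vpc-0123456789abcdef0"      # placeholder
  subnet_ids         = ["subnet-0123456789abcdef0"] # placeholder

  # Route table association/propagation on a shared gateway is the owner's
  # decision (set in the accepter); keeping these false avoids drift here.
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  depends_on = [aws_ram_resource_share_accepter.tgw]
}

# Step 2: the owner explicitly accepts. This is the checkpoint the control preserves.
resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "spoke" {
  provider                      = aws.owner
  transit_gateway_attachment_id = aws_ec2_transit_gateway_vpc_attachment.spoke.id

  transit_gateway_default_route_table_association = true
  transit_gateway_default_route_table_propagation = true

  tags = {
    Name = "spoke-accepted"
  }
}
```

When the two accounts are managed from separate Terraform states, replace the direct reference in the accepter with a terraform_remote_state output from the spoke state or an aws_ec2_transit_gateway_vpc_attachment data source filtered on vpc-id, and run the owner-side apply only after someone has reviewed the proposal.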

Audit evidence

Auditors typically want Config evaluation results for EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED (or an equivalent custom rule) showing COMPLIANT for all in-scope transit gateways. Supplement with CLI output from aws ec2 describe-transit-gateways (for example --query 'TransitGateways[].[TransitGatewayId,Options.AutoAcceptSharedAttachments]') confirming "AutoAcceptSharedAttachments": "disable" under Options on each gateway. CloudTrail records for CreateTransitGateway and ModifyTransitGateway show whether the setting was ever changed to enable, and AcceptTransitGatewayVpcAttachment events confirm that cross-account attachments went through the manual approval workflow.
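An EventBridge rule that turns the CloudTrail events named above (the proposal, the acceptance, and any modification of the gateway itself) into an SNS alert, as an added example rather than code from the page. It assumes a CloudTrail trail logging management events exists in the account and region where the rule is deployed, and that the rule runs in the account whose trail records the call (for a cross-account proposal that is the requesting account). Topic and rule names are placeholders.

```hcl
# Added example, not the page's own code. Requires a CloudTrail trail that
# records management events; "AWS API Call via CloudTrail" events are only
# delivered to EventBridge when such a trail exists. Names are placeholders.

resource "aws_sns_topic" "tgw_attachment_alerts" {
  name = "tgw-attachment-alerts"
}

resource "aws_cloudwatch_event_rule" "tgw_attachment" {
  name        = "tgw-attachment-activity"
  description = "Transit gateway attachment proposed or accepted, or gateway options modified"

  event_pattern = jsonencode({
    source        = ["aws.ec2"]
    "detail-type" = ["AWS API Call via CloudTrail"]
    detail = {
      eventSource = ["ec2.amazonaws.com"]
      eventName = [
        "CreateTransitGatewayVpcAttachment", # a shared account proposed an attachment
        "AcceptTransitGatewayVpcAttachment", # the owner accepted one
        "ModifyTransitGateway",              # catches auto-accept being flipped back on
      ]
    }
  })
}

resource "aws_cloudwatch_event_target" "tgw_attachment_sns" {
  rule = aws_cloudwatch_event_rule.tgw_attachment.name
  arn  = aws_sns_topic.tgw_attachment_alerts.arn
}

# EventBridge must be allowed to publish to the topic.
data "aws_iam_policy_document" "allow_events_publish" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.tgw_attachment_alerts.arn]

    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_sns_topic_policy" "tgw_attachment_alerts" {
  arn    = aws_sns_topic.tgw_attachment_alerts.arn
  policy = data.aws_iam_policy_document.allow_events_publish.json
}
```

The ModifyTransitGateway match fires on any option change, not only on auto-accept; narrow it further only if you have verified the request parameter layout in your own trail. Pair the rule with the scheduled pendingAcceptance check from the owner account so that proposals made from accounts whose trails you do not receive are still caught.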

Framework-specific interpretation

PCI DSS v4.0: For environments in scope for cardholder data, Requirement 1 expects deliberate review of all network connections. Letting any RAM-shared account auto-attach to your transit gateway circumvents that review and can silently bridge your CDE with an untrusted network segment.

NIST Cybersecurity Framework v2.0: PR.AA and PR.IR both apply. Requiring explicit acceptance before a cross-account VPC can join the transit gateway is a network-layer access control decision under PR.AA. PR.IR's infrastructure resilience angle is covered by keeping unvetted accounts off the routing backbone entirely.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: ec2_transit_gateway_auto_cross_account_attachment_disabled

  • AWS Config Managed Rule: EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED

  • Checkov Check: CKV_AWS_331

  • Powerpipe Control: aws_compliance.control.ec2_transit_gateway_auto_cross_account_attachment_disabled

  • Prowler Check: ec2_transitgateway_auto_accept_vpc_attachments

  • AWS Security Hub Control: EC2.23

Last reviewed: 2026-03-09