
Unused Virtual Private Gateways

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: VPC-008

Identify and delete any unused Amazon Virtual Private Gateways (VGWs) in order to adhere to best practices and to avoid reaching the service limit (by default, you are limited to 5 VGWs - attached or detached - per AWS region). An AWS Virtual Private Gateway is considered unused when it is no longer associated with a VPN connection (on the VPC side of the connection). The Cloud Conformity Service Limits feature (integrated with the Amazon Trusted Advisor service) can also help you ensure that the allocation of AWS VGW resources is not reaching the limit.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected Framework pillars: Sustainability, Performance efficiency

As good practice, every unused (detached) AWS Virtual Private Gateway should be removed from your account for better management of your AWS resources.


Audit

To recognize any unused Virtual Private Gateways (VGWs) currently available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under VPN Connections section, click Virtual Private Gateways.

04 Select the VPN VGW that you want to examine.

05 Select the Summary tab from the dashboard bottom panel and check the value set for the State configuration attribute listed below the resource ID. If the State value is "detached", the selected AWS Virtual Private Gateway is not attached to the VPC side of the VPN connection; it is therefore considered unused and can be safely removed from your AWS account (see Remediation/Resolution section).

06 Repeat steps no. 4 and 5 to determine the current state of the other AWS VGWs available within the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-vpn-gateways command (OSX/Linux/UNIX) using custom query filters to list the IDs of all AWS Virtual Private Gateways provisioned in the selected region:

aws ec2 describe-vpn-gateways \
	--region us-east-1 \
	--output table \
	--query 'VpnGateways[*].VpnGatewayId'

02 The command output should return a table with the requested VGW IDs:

---------------------
|DescribeVpnGateways|
+-------------------+
|  vgw-e35fb78a     |
|  vgw-b48da90a     |
|  vgw-c8db335f     |
+-------------------+

03 Run the describe-vpn-gateways command (OSX/Linux/UNIX) again, using the ID of the gateway that you want to examine and custom query filters to expose the current state of the attachment between the gateway and the VPC for the selected AWS VGW:

aws ec2 describe-vpn-gateways \
	--region us-east-1 \
	--vpn-gateway-ids vgw-e35fb78a \
	--query 'VpnGateways[*].VpcAttachments[*].State[]'

04 The command output should return the attachment state for the selected VGW:

[
    "detached"
]

If the command output returns "detached" as the status of the attachment between the gateway and the VPC, the selected AWS Virtual Private Gateway is no longer attached to the VPC side of the VPN connection; it is therefore considered unused and can be safely removed from your AWS account.

05 Repeat steps no. 3 and 4 to determine the current attachment state of the other AWS VGWs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.
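The audit steps above, collapsed into a script that can be run against one or more regions. This is an added example, not part of the Conformity rule page: it parses the JSON that `aws ec2 describe-vpn-gateways --output json` returns and classifies each gateway, so the logic is exercised offline on a constructed sample. It goes slightly beyond the page's "detached" check: a gateway that was never attached has an empty VpcAttachments list (the State[] query prints []) and is also unused, while a gateway whose own State is already "deleting" or "deleted" needs no action. The IDs it prints are the ones the remediation section passes to delete-vpn-gateway.

```python
"""List unused (detached or never-attached) Virtual Private Gateways per region."""
import json
import subprocess
import sys

# Gateway lifecycle states that mean the resource is already going away.
GONE_STATES = {"deleting", "deleted"}
# Attachment states in which the VPC side still holds (or is acquiring) the gateway.
LIVE_ATTACHMENT_STATES = {"attached", "attaching", "detaching"}


def find_unused_vgws(describe_output):
    """Return the IDs of gateways that have no live VPC attachment.

    Unused means every VpcAttachments entry is "detached" or the list is empty
    (a never-attached gateway reports no attachment at all).
    """
    unused = []
    for vgw in describe_output.get("VpnGateways", []):
        if vgw.get("State") in GONE_STATES:
            continue  # nothing left to delete
        states = {a.get("State") for a in vgw.get("VpcAttachments", [])}
        if not states & LIVE_ATTACHMENT_STATES:
            unused.append(vgw["VpnGatewayId"])
    return unused


def describe_vpn_gateways(region):
    """Run the page's audit command for one region and parse its JSON output."""
    cmd = ["aws", "ec2", "describe-vpn-gateways", "--region", region, "--output", "json"]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


# Constructed sample in the shape describe-vpn-gateways returns; IDs are made up.
SAMPLE = {"VpnGateways": [
    {"VpnGatewayId": "vgw-0aaa", "State": "available",
     "VpcAttachments": [{"State": "attached", "VpcId": "vpc-1"}]},
    {"VpnGatewayId": "vgw-0bbb", "State": "available",
     "VpcAttachments": [{"State": "detached", "VpcId": "vpc-1"}]},
    {"VpnGatewayId": "vgw-0ccc", "State": "available", "VpcAttachments": []},
    {"VpnGatewayId": "vgw-0ddd", "State": "deleted", "VpcAttachments": []},
]}

if __name__ == "__main__":
    regions = sys.argv[1:]
    if not regions:  # no region given: show the classification on the sample
        print("sample:", find_unused_vgws(SAMPLE))
    for region in regions:
        print(region, find_unused_vgws(describe_vpn_gateways(region)))
```

Run it as `python3 find_unused_vgws.py us-east-1 eu-west-1` (assumed file name) with AWS CLI credentials configured; without arguments it only evaluates the embedded sample.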

Remediation / Resolution

To remove any unused AWS Virtual Private Gateways provisioned within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under VPN Connections section, click Virtual Private Gateways.

04 Select the Amazon VPN VGW that you want to remove (see Audit section part I to identify the right resource).

05 Click the Delete Virtual Private Gateway button from the dashboard top menu to initiate the resource removal.

06 Inside the Delete Virtual Private Gateway dialog box, review the gateway details one more time, then click Yes, Delete to confirm the action. If successful, the state of the removed AWS VGW should change from "detached" to "deleted".

07 Repeat steps no. 4 – 6 to remove other detached AWS Virtual Private Gateways available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the delete-vpn-gateway command (OSX/Linux/UNIX) using the ID of the gateway that you want to delete as the identifier to remove the selected unused Amazon VGW (see Audit section part II to identify the right resource). The following command example deletes a Virtual Private Gateway identified by the ID vgw-e35fb78a, provisioned within the US East (N. Virginia) region (if the command succeeds, no output is returned):

aws ec2 delete-vpn-gateway \
	--region us-east-1 \
	--vpn-gateway-id vgw-e35fb78a

02 Repeat step no. 1 to remove other unused AWS VGWs available in the current region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the entire process for other regions.

Publication date Jun 22, 2017