Description

The Transit Gateway changes alarm fires when the configuration of an AWS Transit Gateway is modified, for example when an attached VPC, VPN connection, or Direct Connect gateway is added or removed. Its purpose is to surface unauthorized or unexpected changes to the Transit Gateway configuration, which can disrupt network connectivity or weaken security. A triggered alarm means that a configuration change has occurred; it should be investigated to confirm that the change was authorized and to identify any resulting issues.

Remediation

When the Transit Gateway (TGW) changes alarm is triggered, the following remediation steps can be taken:

  1. Verify the change: Review the details of the change and compare them with the expected configuration. Confirm that the change was authorized and documented.
  2. Investigate the cause: Determine whether the change was planned or unauthorized, and whether it was initiated by an authorized user or resulted from a security breach.
  3. Mitigate security risks: If the change was unauthorized, take immediate corrective action, for example by revoking the unauthorized access or terminating any unauthorized connections.
  4. Restore the configuration: Return the TGW configuration to its desired state by applying the necessary changes or reverting to a previous known-good configuration. Make the changes according to best practices and document them.
  5. Review logs and monitoring data: Examine logs and monitoring data for further security concerns or anomalies, including any other changes to the TGW configuration that could pose a risk.
  6. Update documentation and policies: Update the relevant documentation and policies so that future changes to the TGW are properly authorized and documented. This can include tightening access controls, documenting change management procedures, and training users on best practices for maintaining the TGW configuration.
  7. Follow up: Follow up with the team responsible for the change to make sure they are aware of the issue and that the change was properly authorized and documented. Consider a post-incident review to identify areas for improvement and to update the relevant policies or procedures.
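As an added example (not part of this page or of the Lightlytics product), the following Python triages CloudTrail records for the Transit Gateway changes that steps 1, 2 and 5 ask you to verify: it keeps only TGW-modifying API calls, extracts who made each change, from where and to which resource, and flags callers outside a hypothetical change-management role. The event names are real EC2 and Direct Connect API actions; the NetworkChangeRole ARN pattern, the account ID and the sample records are constructed.

```python
import json
from fnmatch import fnmatch

# EC2 and Direct Connect API calls that alter a Transit Gateway's configuration
# (the gateway itself, VPC/peering attachments, routes, DX gateway associations).
TGW_CHANGE_EVENTS = {
    "ec2.amazonaws.com": {
        "CreateTransitGateway", "DeleteTransitGateway", "ModifyTransitGateway",
        "CreateTransitGatewayVpcAttachment", "DeleteTransitGatewayVpcAttachment",
        "CreateTransitGatewayPeeringAttachment", "DeleteTransitGatewayPeeringAttachment",
        "CreateTransitGatewayRoute", "DeleteTransitGatewayRoute"},
    "directconnect.amazonaws.com": {
        "CreateDirectConnectGatewayAssociation", "DeleteDirectConnectGatewayAssociation"},
}
# Hypothetical: the only principals expected to change TGWs through the change process.
AUTHORIZED_PRINCIPALS = ["arn:aws:sts::123456789012:assumed-role/NetworkChangeRole/*"]
TGW_ID_KEYS = ("transitGatewayId", "transitGatewayAttachmentId", "transitGatewayRouteTableId")

def classify_event(event, authorized=AUTHORIZED_PRINCIPALS):
    """Return a triage record for a TGW change event, or None if the event is unrelated."""
    if event.get("eventName") not in TGW_CHANGE_EVENTS.get(event.get("eventSource"), ()):
        return None
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    return {
        "time": event.get("eventTime"), "action": event["eventName"], "actor": actor,
        "source_ip": event.get("sourceIPAddress"),
        "resource": next((params[k] for k in TGW_ID_KEYS if k in params), None),
        "succeeded": "errorCode" not in event,  # denied attempts still deserve review
        "authorized": any(fnmatch(actor, p) for p in authorized),
    }

def triage(raw_log, authorized=AUTHORIZED_PRINCIPALS):
    """Parse a CloudTrail log file ({"Records": [...]}); return TGW findings, unauthorized first."""
    findings = [f for r in json.loads(raw_log)["Records"] if (f := classify_event(r, authorized))]
    return sorted(findings, key=lambda f: (f["authorized"], f["time"]))

# Constructed sample log (not real account data): a planned change, an unexpected change, an unrelated call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.0.0.5",
     "eventName": "DeleteTransitGatewayVpcAttachment", "requestParameters": {"transitGatewayAttachmentId": "tgw-attach-0123456789abcdef0"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/NetworkChangeRole/chg-4711"}},
    {"eventTime": "2024-05-01T10:05:42Z", "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "eventName": "CreateTransitGatewayRoute", "requestParameters": {"transitGatewayRouteTableId": "tgw-rtb-0fedcba9876543210", "destinationCidrBlock": "0.0.0.0/0"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]})
FINDINGS = triage(SAMPLE_LOG)  # two findings; alice's default route comes first as unauthorized
```

Feed the real CloudTrail log file into `triage` and replace the ARN pattern with the roles your change process actually uses; anything listed as unauthorized is the change to verify first in step 1.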
Enforced Resources

Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.