aws-solutions/network-orchestration-for-aws-transit-gateway

Update Hub Cloudformation Template to support Disabling External Principals for Resource Share

Closed this issue · 2 comments

Currently, when a Resource Share is created for the Transit Gateway, it is configured with the default configuration of `AllowExternalPrincipals: true`.

This can be a security issue. A good enhancement (which we have done ourselves by amending the CFN) is to allow users to disable external principals via a parameter in the Hub CloudFormation template and then, using a condition, set `AllowExternalPrincipals` to false so that only AWS accounts within an Organisation can be given access to the Transit Gateway.

An example configuration to support this (I set No as the default for our needs, but for public generic requirements Yes may still be OK):

Add to Parameters:

    "AllowExternalPrincipals": {
        "Type": "String",
        "AllowedValues": [
            "Yes",
            "No"
        ],
        "Default": "No"
    },

Add to Conditions:

    "NoExternalPrincipals": {
        "Fn::Equals": [
            {
                "Ref": "AllowExternalPrincipals"
            },
            "No"
        ]
    },

Add Property to TGW Resource Share:

    "AllowExternalPrincipals": {
        "Fn::If": [
            "NoExternalPrincipals",
            false,
            true
        ]
    },
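The following is an added example, not code from the issue author or from the project. It does two things a practitioner would want before and after adopting the change above: it resolves the proposed `Ref` / `Fn::Equals` / `Fn::If` chain offline for each allowed parameter value to confirm the Resource Share property comes out as intended (false when the parameter is "No", true when it is "Yes"), and it audits a RAM `GetResourceShares`-shaped response for shares that still allow external principals. The minimal intrinsic-function evaluator and the sample response are assumptions constructed for this example; the real check would feed in the `resourceShares` list returned by boto3's `ram.get_resource_shares(resourceOwner="SELF")`.

```python
"""Resolve the proposed AllowExternalPrincipals wiring offline and audit
existing RAM resource shares. Added example; not the project's own code.
All sample data below is constructed for illustration."""

# Parameter, condition and property exactly as proposed in the issue.
PARAMETERS = {
    "AllowExternalPrincipals": {
        "Type": "String",
        "AllowedValues": ["Yes", "No"],
        "Default": "No",
    }
}
CONDITIONS = {
    "NoExternalPrincipals": {
        "Fn::Equals": [{"Ref": "AllowExternalPrincipals"}, "No"]
    }
}
RESOURCE_SHARE_PROPERTIES = {
    "AllowExternalPrincipals": {"Fn::If": ["NoExternalPrincipals", False, True]}
}


def resolve(node, params):
    """Minimal evaluator (an assumption for this example) covering only the
    intrinsic functions the fragments use: Ref, Fn::Equals and Fn::If."""
    if isinstance(node, dict) and len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref":
            return params[arg]
        if key == "Fn::Equals":
            left, right = (resolve(a, params) for a in arg)
            return left == right
        if key == "Fn::If":
            cond_name, if_true, if_false = arg
            cond = resolve(CONDITIONS[cond_name], params)
            return resolve(if_true if cond else if_false, params)
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    return node  # plain literal (string, bool, number)


def resolved_allow_external(param_value=None):
    """Return the boolean the stack would set on the Resource Share for the
    given parameter value (the template default when None), rejecting values
    outside AllowedValues the way CloudFormation would at stack creation."""
    spec = PARAMETERS["AllowExternalPrincipals"]
    value = spec["Default"] if param_value is None else param_value
    if value not in spec["AllowedValues"]:
        raise ValueError(f"{value!r} is not in AllowedValues {spec['AllowedValues']}")
    return resolve(
        RESOURCE_SHARE_PROPERTIES["AllowExternalPrincipals"],
        {"AllowExternalPrincipals": value},
    )


def shares_open_to_external_principals(resource_shares):
    """Return the names of shares whose allowExternalPrincipals is True.
    `resource_shares` is the list under the 'resourceShares' key of a RAM
    GetResourceShares response for resourceOwner=SELF."""
    return [
        share["name"]
        for share in resource_shares
        if share.get("allowExternalPrincipals") is True
    ]


# Constructed sample response: one share left at the default (open), one not.
SAMPLE_RESOURCE_SHARES = [
    {"name": "tgw-share-hub", "status": "ACTIVE", "allowExternalPrincipals": True},
    {"name": "tgw-share-org-only", "status": "ACTIVE", "allowExternalPrincipals": False},
]

if __name__ == "__main__":
    for value in PARAMETERS["AllowExternalPrincipals"]["AllowedValues"]:
        print(f"AllowExternalPrincipals={value!r} -> property resolves to "
              f"{resolved_allow_external(value)}")
    print("shares still open to external principals:",
          shares_open_to_external_principals(SAMPLE_RESOURCE_SHARES))
```

The evaluator deliberately supports only the three intrinsics the proposal uses, so any other function in a real template raises rather than silently passing through; the audit function is the part to point at a live account once the parameter has been rolled out, since an existing share keeps whatever value it was created with until the stack is updated.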

Thanks for opening the issue. We have added this to our backlog items and will look into this with the next release.

We will ship this feature request in the next release.