
Custom compliance for network changes - Network Orchestration for AWS Transit Gateway

Custom compliance for network changes

This section describes the ApprovalRequired tag and the custom compliance rules you can attach to a transit gateway route table to control which association and propagation changes are approved automatically, rejected, or held for manual approval.

Add tags to transit gateway route table

Each transit gateway route table is tagged with an ApprovalRequired tag key with a default value of No. You can set the value to:

  • Yes to enforce manual approval

  • Conditional and add custom rules for compliance

Key | Value | Description
--- | --- | ---
ApprovalRequired | No | The default. Association and propagation changes to this route table are approved automatically, with no manual review.
ApprovalRequired | Yes | Every association and propagation change to this route table goes through the manual approval workflow.
ApprovalRequired | Conditional | Automates approving or rejecting requests separately for associations and propagations, optionally based on the requesting account's OU, using the custom compliance rules described below.

Custom compliance rules

The ApprovalRequired tag is evaluated per route table, so to move from the default automatic approval to manual approval, administrators must change the tag value on each transit gateway route table individually.

See View transit gateway route tables for instructions on viewing your transit gateway route tables and updating their tags.

If ApprovalRequired is set to Conditional, the following tag keys are required, together with at least one numbered rule.

Key | Value | Description
--- | --- | ---
ApprovalRule-Default-Association | Reject, Accept, or ApprovalRequired | Default action for a VPC associating with this route table when none of the numbered rules match.
ApprovalRule-Default-Propagation | Reject, Accept, or ApprovalRequired | Default action for a VPC propagating to this route table when none of the numbered rules match.
ApprovalRule-<NN>-InOUs or ApprovalRule-<NN>-NotInOUs | Root/OUName1, Root/OUName2 | A comma-separated list of OU paths, each starting with Root/. With the InOUs key, the rule matches when the requesting account is in one of the listed OUs; with the NotInOUs key, it matches when the account is in none of them.
ApprovalRule-<NN>-Association | Reject, Accept, or ApprovalRequired | Action for a VPC associating with this route table when rule <NN>'s InOUs or NotInOUs check matches.
ApprovalRule-<NN>-Propagation | Reject, Accept, or ApprovalRequired | Action for a VPC propagating to this route table when rule <NN>'s InOUs or NotInOUs check matches.

Note

<NN> is a two-digit number from 01 to 99, and the same number ties a rule's InOUs or NotInOUs condition to its Association and Propagation actions. Each rule consumes up to three tags on the route table, on top of Name, ApprovalRequired, and the two Default keys, so review the service quota for tags per resource in your account (50 tags per resource for EC2 resources such as transit gateway route tables) before planning many rules; the practical limit is well below 99.

Note

If you omit the value of an ApprovalRule key, it defaults to ApprovalRequired.

Example: Infrastructure route table rules using OU membership

Suppose your VPCs provide organization-wide shared services, such as Microsoft Active Directory and patching servers, and live only in AWS accounts in the Infrastructure or Security OU. The following rules let VPCs in those two OUs associate with the Infrastructure route table without approval, while VPCs from any other OU still require manual approval. This prevents workload VPCs from accidentally associating with the Infrastructure route table, which could inadvertently expose them to the entire organization.

The example also shows how to keep VPCs in the Sandbox OU away from the organizational shared services: rule 02 automatically rejects associations with, and propagations to, the Infrastructure route table from Sandbox VPCs.

Infrastructure Route Table Tag Key | Value
--- | ---
Name | Infrastructure
ApprovalRequired | Conditional
ApprovalRule-Default-Association | ApprovalRequired
ApprovalRule-Default-Propagation | ApprovalRequired
ApprovalRule-01-InOUs | Root/Infrastructure/, Root/Security/
ApprovalRule-01-Association | Accept
ApprovalRule-01-Propagation | Accept
ApprovalRule-02-InOUs | Root/Sandbox/
ApprovalRule-02-Association | Reject
ApprovalRule-02-Propagation | Reject
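To check a rule set before tagging a production route table, it helps to evaluate the tags the same way the rule table above describes and see which action each requesting account would get. The following Python is an added example, not code from the Network Orchestration for AWS Transit Gateway solution: it emulates the documented ApprovalRequired and ApprovalRule-<NN>-* semantics (including the absent-value-means-ApprovalRequired default) against the Infrastructure route table tags from the example. Two things the page does not state are assumptions here: numbered rules are checked in ascending order with the first match winning, and an account counts as "in" an OU when its OU path starts with the listed path, so nested OUs are covered and trailing slashes are ignored.

```python
"""Emulation of the ApprovalRequired / ApprovalRule-* tag logic (added example).

Not code from the Network Orchestration for AWS Transit Gateway solution. It
follows the documented tag semantics plus two assumptions the page does not
state: numbered rules are checked in ascending order and the first match wins,
and an account is "in" an OU when its OU path starts with the listed path
(nested OUs are covered; trailing slashes are ignored when comparing).
"""
import re

ACTIONS = {"Accept", "Reject", "ApprovalRequired"}
CHANGES = ("Association", "Propagation")
RULE_RE = re.compile(r"^ApprovalRule-(\d{2})-(InOUs|NotInOUs|Association|Propagation)$")


def norm_ou(path: str) -> str:
    """Strip whitespace and a trailing '/' so 'Root/Sandbox/' equals 'Root/Sandbox'."""
    return path.strip().rstrip("/")


def parse_ou_list(value: str) -> list[str]:
    """Split the comma-separated OU list used by the InOUs/NotInOUs tags."""
    return [norm_ou(p) for p in value.split(",") if p.strip()]


def in_ou(account_ou: str, ou: str) -> bool:
    """Assumption: prefix match on whole path segments, so Root/Infrastructure/Shared
    is in Root/Infrastructure but Root/Infrastructure2 is not."""
    a, o = norm_ou(account_ou), norm_ou(ou)
    return a == o or a.startswith(o + "/")


def action_for(tags: dict, key: str) -> str:
    """Documented default: an absent ApprovalRule value means ApprovalRequired.
    An unrecognised value is a configuration error and is rejected loudly."""
    value = tags.get(key, "").strip()
    if value == "":
        return "ApprovalRequired"
    if value not in ACTIONS:
        raise ValueError(f"{key}: unknown action {value!r}")
    return value


def evaluate(tags: dict, change: str, account_ou: str) -> str:
    """Return Accept, Reject or ApprovalRequired for an 'Association' or
    'Propagation' change requested by an account whose OU path is account_ou,
    given the route table's tags as a {key: value} dict."""
    if change not in CHANGES:
        raise ValueError(f"change must be one of {CHANGES}")
    mode = tags.get("ApprovalRequired", "No").strip()
    if mode == "No":             # default: auto-approve everything
        return "Accept"
    if mode == "Yes":            # everything goes to manual approval
        return "ApprovalRequired"
    if mode != "Conditional":
        raise ValueError(f"ApprovalRequired: unknown value {mode!r}")

    # Group the ApprovalRule-<NN>-* tags by rule number.
    rules: dict[str, dict[str, str]] = {}
    for key, value in tags.items():
        m = RULE_RE.match(key)
        if m:
            rules.setdefault(m.group(1), {})[m.group(2)] = value
    if not rules:
        raise ValueError("Conditional needs at least one ApprovalRule-<NN>-* rule")

    for nn in sorted(rules):     # assumption: ascending order, first match wins
        rule = rules[nn]
        if "InOUs" in rule and "NotInOUs" in rule:
            raise ValueError(f"rule {nn}: InOUs and NotInOUs are mutually exclusive")
        if "InOUs" in rule:
            matched = any(in_ou(account_ou, ou) for ou in parse_ou_list(rule["InOUs"]))
        elif "NotInOUs" in rule:
            matched = not any(in_ou(account_ou, ou) for ou in parse_ou_list(rule["NotInOUs"]))
        else:
            raise ValueError(f"rule {nn}: missing InOUs or NotInOUs condition")
        if matched:
            return action_for(tags, f"ApprovalRule-{nn}-{change}")
    return action_for(tags, f"ApprovalRule-Default-{change}")


# Constructed input: the Infrastructure route table tags from the example above.
INFRASTRUCTURE_RT_TAGS = {
    "Name": "Infrastructure",
    "ApprovalRequired": "Conditional",
    "ApprovalRule-Default-Association": "ApprovalRequired",
    "ApprovalRule-Default-Propagation": "ApprovalRequired",
    "ApprovalRule-01-InOUs": "Root/Infrastructure/, Root/Security/",
    "ApprovalRule-01-Association": "Accept",
    "ApprovalRule-01-Propagation": "Accept",
    "ApprovalRule-02-InOUs": "Root/Sandbox/",
    "ApprovalRule-02-Association": "Reject",
    "ApprovalRule-02-Propagation": "Reject",
}

if __name__ == "__main__":
    for ou in ("Root/Infrastructure/Shared", "Root/Security", "Root/Sandbox/Dev",
               "Root/Workloads/Prod", "Root/Infrastructure2"):
        for change in CHANGES:
            print(f"{ou:28} {change:12} -> {evaluate(INFRASTRUCTURE_RT_TAGS, change, ou)}")
```

Run the block directly to see the decision for each constructed OU path: Infrastructure and Security accounts are accepted, Sandbox accounts are rejected, and a Workloads account (or the look-alike Root/Infrastructure2, which the segment-boundary check keeps out of rule 01) falls through to the Default keys and lands in manual approval. Because the solution's real matching and ordering behaviour is not documented on this page, treat a disagreement between this emulation and the solution's actual decision as a reason to re-read the solution's own code, not as a bug in your tags.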