Both VPN tunnels for an AWS Site-to-Site VPN connection should be up

vpc_vpn_connection_tunnels_up

Severity: medium
Service: vpc
by Prowler

A VPN tunnel is an encrypted link over which data passes between the customer network and AWS within an AWS Site-to-Site VPN connection. Each VPN connection includes two VPN tunnels, which you can use simultaneously for high availability. Ensuring that both VPN tunnels are up for a VPN connection confirms a secure and highly available connection between an AWS VPC and your remote network.

Risk

If one or both VPN tunnels are down, it can compromise the security and availability of the connection between your AWS VPC and your remote network. This could result in connectivity issues and potential data exposure or loss during the downtime, affecting business operations and overall network security.

Run this check with Prowler CLI

prowler aws --checks vpc_vpn_connection_tunnels_up
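The rule the check applies is simple: a Site-to-Site VPN connection passes only when both of its tunnels report a status of UP. The following is an added example, not Prowler's own implementation, that applies that rule to the structure returned by the EC2 DescribeVpnConnections API (the `VgwTelemetry` list carries one entry per tunnel with a `Status` of UP or DOWN). The sample response is constructed for the example; the `fetch_vpn_connections` helper assumes boto3 is installed and AWS credentials are configured, and skipping connections in a deleted or deleting state is a design choice of this example.

```python
"""Evaluate AWS Site-to-Site VPN connections: PASS only when both tunnels are UP.

Added example; it mirrors the condition described by the check but is not
Prowler's source code.
"""
from dataclasses import dataclass
from typing import Any


@dataclass
class TunnelFinding:
    vpn_connection_id: str
    status: str           # "PASS" or "FAIL"
    status_extended: str  # human-readable explanation


def evaluate_vpn_connection(conn: dict[str, Any]) -> TunnelFinding:
    """Apply the check to one element of the DescribeVpnConnections
    "VpnConnections" list. Every tunnel in VgwTelemetry must be "UP", and
    fewer than two tunnels reported is treated as a failure because the
    high-availability pair is incomplete."""
    conn_id = conn["VpnConnectionId"]
    tunnels = conn.get("VgwTelemetry", [])
    down = [t.get("OutsideIpAddress", "?") for t in tunnels if t.get("Status") != "UP"]
    if len(tunnels) >= 2 and not down:
        return TunnelFinding(conn_id, "PASS", f"VPN Connection {conn_id} has both tunnels UP.")
    detail = ", ".join(down) if down else "fewer than two tunnels reported"
    return TunnelFinding(conn_id, "FAIL", f"VPN Connection {conn_id} has tunnels DOWN: {detail}.")


def evaluate_response(response: dict[str, Any]) -> list[TunnelFinding]:
    """Evaluate a whole DescribeVpnConnections response. Connections being
    torn down are skipped (design choice of this example) so that their
    inevitably DOWN tunnels do not produce noise."""
    findings = []
    for conn in response.get("VpnConnections", []):
        if conn.get("State") in ("deleted", "deleting"):
            continue
        findings.append(evaluate_vpn_connection(conn))
    return findings


def fetch_vpn_connections(region: str) -> dict[str, Any]:
    """Live variant: assumes boto3 is installed and credentials are configured.
    Imported lazily so the rest of the module runs offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.describe_vpn_connections()


# Constructed sample response in the shape of DescribeVpnConnections
# (identifiers and addresses are made up for the example).
SAMPLE_RESPONSE: dict[str, Any] = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0aaa111111111111a",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.10", "Status": "UP", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "198.51.100.11", "Status": "UP", "AcceptedRouteCount": 3},
            ],
        },
        {
            "VpnConnectionId": "vpn-0bbb222222222222b",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.20", "Status": "UP", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN", "AcceptedRouteCount": 0,
                 "StatusMessage": "IPSEC IS DOWN"},
            ],
        },
        {
            "VpnConnectionId": "vpn-0ccc333333333333c",
            "State": "deleted",
            "VgwTelemetry": [
                {"OutsideIpAddress": "192.0.2.30", "Status": "DOWN"},
                {"OutsideIpAddress": "192.0.2.31", "Status": "DOWN"},
            ],
        },
    ]
}


if __name__ == "__main__":
    for finding in evaluate_response(SAMPLE_RESPONSE):
        print(f"{finding.status:4} {finding.status_extended}")
```

Running the module prints one line per evaluated connection; the FAIL line names the outside IP address of the tunnel that is down, which is the value you would take to the tunnel-options page referenced in the remediation section.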

ARN template

arn:partition:service:region:account-id:vpn-connection/resource-id

Remediation

Other

https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-20

WUI

To modify VPN tunnel options, see Modifying Site-to-Site VPN tunnel options in the AWS Site-to-Site VPN User Guide.

Resource Type

AwsEc2ClientVpnEndpoint
