The multi-account visibility problem

The multi-account AWS strategy is correct. Separate IAM boundaries, separate security controls, separate blast radii. That's the whole point.

But the networks connecting those accounts don't respect account boundaries. A VPC peering, a Transit Gateway attachment, a cross-region route — and suddenly two accounts that are supposed to be isolated have a path between them that nobody put on a diagram and nobody is monitoring.

36%
of cloud breaches involve cross-account network misconfiguration
Palo Alto Unit 42
longer to audit multi-account environments vs single-account
Gartner
0
native AWS tools that give you a unified cross-account network map

The attack pattern is almost always the same: an attacker gains access to a lower-trust account — dev, staging, an acquired company — and finds a network path into production that nobody knew existed. Not because of a configuration error. Because nobody had a map.

The demo environment

The topology below shows a three-account environment: a corporate production account with five VPCs across two regions (us-east-2 and eu-west-1), a staging account, and an acquired company's account. On paper, the architecture follows AWS best practices — a shared-services hub, environment separation, a dedicated EU data VPC for GDPR compliance.

Netway multi-account VPC topology — three accounts, two regions, three compliance violations

One Netway scan across all three accounts produced three findings. Here's what was found — and what it means.

Finding 1: EU data routable to US infrastructure

GDPR ART. 46 · BREACH

EU personal data with a network path to US infrastructure

eu-data — the EU personal data VPC in eu-west-1 — holds EU customer PII: names, emails, transaction records. It sits in eu-west-1 specifically because it has to, for data residency compliance.

A cross-region VPC peering connects eu-data to prod-data in us-east-2. That peering means EU personal data has a routable network path to US infrastructure.

The peering was added during a database migration. The migration completed. The peering wasn't cleaned up. It had been live for seven months. The DPO didn't know. Netway was the first thing that found it.

Consequence: GDPR Article 46 — personal data transferred outside the EU without adequate safeguards. Fine ceiling: €20 million or 4% of global annual turnover, whichever is higher.

Finding 2: Dev-to-production shadow highway

PCI-DSS 1.3.1 / 1.3.2 · BREACH

Two-hop path from development into production through shared-services

dev-api and prod-shared are not directly peered — that's correct. But dev-api connects to shared-services, and shared-services connects to prod-shared.

Two hops. dev-api → shared-services → prod-shared. A routable path from development into the production hub — and from there into prod-api and prod-data.

Both peerings are individually legitimate. The dev team connected to shared-services for internal tooling. The prod team connected to shared-services for internal APIs. Neither team created a problem on their own. Together they did. No single team could see the combined path — it crossed account boundaries.

Consequence: PCI-DSS Requirements 1.3.1 and 1.3.2 — production carries PCI scope. A compromised dev instance has a routable path to the entire production environment.

Finding 3: M&A ghost account still in production

UNMANAGED ACCOUNT · BREACH

Acquired company's VPC peered directly into production — no owner, no patches

acq-prod — the acquired company's VPC — is still peered directly into prod-shared. The acquisition closed. The integration team dissolved. The peering was never reviewed or removed.

No owner tag on any resource. Two EC2 instances running unmonitored. No one on the network team, security team, or finance team knew this account still had access to production.

The peering is a direct connection — not two hops. An attacker with access to the acquired account has direct network access to the production hub.

Consequence: Unmanaged account with direct prod access. Unpatched instances. No incident response plan. $60/month in wasted compute is the least of the problems.

Why none of this was visible

Each team saw only their own account. The network team saw the prod-shared peerings. The dev team saw the dev-api peering to shared-services. The M&A integration team dissolved before anyone reviewed what they left behind.

The GDPR violation crossed regions. The PCI violation crossed accounts. The M&A ghost crossed both. No single AWS Console view, no single team, and no single account-level audit could have found any of these. They only become visible when you map the entire network — all accounts, all regions — in one graph.

The shared-services hub pattern is the recommended AWS architecture. It creates unintended cross-account paths not by making mistakes, but by following best practices. Two individually-correct peerings combine into a compliance violation that neither team created alone.

Watch the full demo

The video below walks through the live scan, the topology graph, and each finding — including how Netway distinguishes planned architecture from policy violations.

How Netway finds these

Netway deploys as a lightweight Lambda into each AWS account — one CloudFormation command per account, same API key. No cross-account IAM trust, no management account access. Each Lambda scans its own account and posts findings to a unified dashboard.

One scan command triggers all accounts and all regions in parallel. The topology graph assembles every VPC, peering, Transit Gateway, and internet gateway across all accounts into a single view. Isolation rules evaluate reachability across account boundaries — so a two-hop path through a shared-services account is detected even though neither hop individually violates a rule.

The compliance report — timestamped, HMAC-signed — is one click from a PDF your QSA, DPO, and board can read directly.

FREE 14-DAY TRIAL · NO CREDIT CARD

Deploys in 5 minutes · No agents · No code changes · Works with existing AWS accounts