Ensure NAT gateway state is available

To ensure proper operation, NAT gateway state should be available without any failure codes

Risk Level: High
Cloud Entity: AWS Nat Gateway
CloudGuard Rule ID: D9.AWS.MON.17
Covered by Spectral: No
Category: Networking & Content Delivery


NatGateway should not have failureCode


From Portal
To check the status and failure code of NAT gateway, follow the steps below:

  1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. Choose NAT Gateways
  3. Check for State and State message in the main screen.
  4. Follow the references according to the state message.

From Command Line
Use describe-nat-gateways command to verify the status and failure code of NAT gateway:

aws ec2 describe-nat-gateways


  1. https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-nat-gateways.html

AWS Nat Gateway

A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset