Ensure AWS NAT Gateways are being utilized instead of the default route

A NAT Gateway is a scalable and resilient way to allow outbound internet traffic from your private VPC subnets. It is recommended that the route tables of private subnets send that traffic through a NAT gateway, rather than through a default route (0.0.0.0/0) that permits all traffic without one.

Risk Level: Low
Cloud Entity: Route Table
CloudGuard Rule ID: D9.AWS.NET.46
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

RouteTable where routes contain [ state='active' ] should not have routes contain [ destinationCidrBlock='0.0.0.0/0' and natGatewayId isEmpty() ]
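As an added illustration (not CloudGuard's own evaluator), the GSL rule above applied in Python to constructed route-table records in the shape of `aws ec2 describe-route-tables` output; the route table IDs and targets are made-up sample values.

```python
from typing import Dict, List

# Constructed sample data shaped like `aws ec2 describe-route-tables` output
# (RouteTables[].Routes[] with DestinationCidrBlock, State and a target field).
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {   # private subnet: default route targets a NAT gateway -> compliant
        "RouteTableId": "rtb-0example0001",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example0001", "State": "active"},
        ],
    },
    {   # default route targets an internet gateway, no NatGatewayId -> non-compliant
        "RouteTableId": "rtb-0example0002",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0001", "State": "active"},
        ],
    },
    {   # default route targets a NAT instance (InstanceId, no NatGatewayId) -> non-compliant
        "RouteTableId": "rtb-0example0003",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0example0001", "State": "active"},
        ],
    },
]


def in_scope(route_table: Dict) -> bool:
    """GSL 'where' clause: the table has at least one route in state 'active'."""
    return any(r.get("State") == "active" for r in route_table.get("Routes", []))


def is_compliant(route_table: Dict) -> bool:
    """GSL assertion: no route with destinationCidrBlock 0.0.0.0/0 and an empty natGatewayId.
    Only the scoping clause filters on state; the assertion checks every route in the table."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and not route.get("NatGatewayId"):
            return False
    return True


def find_violations(route_tables: List[Dict]) -> List[str]:
    """Return the IDs of in-scope route tables that fail rule D9.AWS.NET.46."""
    return [rt["RouteTableId"] for rt in route_tables if in_scope(rt) and not is_compliant(rt)]
```

Note that, as written, the rule also flags a public subnet's default route to an internet gateway, since that route carries no NAT gateway ID either.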

REMEDIATION

From Portal:
To create a NAT gateway:

  1. Sign into the AWS console
  2. In the console, select the specific region
  3. Navigate to VPC Dashboard
  4. In the navigation pane, select 'NAT Gateways'
  5. Click 'Create NAT Gateway', specify the subnet in which to create the NAT gateway, and select the allocation ID of an Elastic IP address to associate with it. When you're done, click 'Create a NAT Gateway'. The NAT gateway appears in the console; after a few moments its status changes to Available, and it is then ready to use.

To update Route Table:
After you've created your NAT gateway, you must update the route tables of your private subnets so that internet-bound traffic points to the NAT gateway. AWS uses the most specific route that matches the traffic to determine how to route it.

  1. Sign into the AWS console
  2. In the console, select the region
  3. Navigate to VPC Dashboard
  4. In the navigation pane, select 'Route Tables'
  5. Select the reported route table associated with your private subnet
  6. Select 'Routes' and click 'Edit routes'
  7. Replace the current route that points to the NAT instance with a route to the NAT gateway
  8. Click 'Save routes'.

From Command Line:
Use the following command to delete the route for destination CIDR block 0.0.0.0/0 from the reported route table, then replace the route that pointed to the NAT instance with a route to the NAT gateway.

aws ec2 delete-route --region region_name --route-table-id rtb_ID --destination-cidr-block 0.0.0.0/0

References:

  1. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
  2. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-route.html

Route Table

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset