Risk Level: Low
Cloud Entity: Route Table
CloudGuard Rule ID: D9.AWS.NET.46
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

RouteTable where routes contain [ state='active' ] should not have routes contain [ destinationCidrBlock='0.0.0.0/0' and natGatewayId isEmpty() ]

REMEDIATION

From Portal:
To create a NAT gateway:

Sign into the AWS console
In the console, select the specific region
Navigate to VPC Dashboard
In the navigation pane, select 'NAT Gateways'
Click 'Create NAT Gateway', Specify the subnet in which to create the NAT gateway, and select the allocation ID of an Elastic IP address to associate with the NAT gateway. When you're done, click 'Create a NAT Gateway'. The NAT gateway displays in the console. After a few moments, its status changes to Available, after which it's ready for you to use.

To update Route Table:
After you've created your NAT gateway, you must update your route tables for your private subnets to point internet traffic to the NAT gateway. We use the most specific route that matches the traffic to determine how to route the traffic.

Sign into the AWS console
In the console, select the region
Navigate to VPC Dashboard
In the navigation pane, select 'Route Tables'
Select the reported route table associated with your private subnet
Select 'Routes' and Click 'Edit routes'
Replace the current route that points to the NAT instance with a route to the NAT gateway
Click 'Save routes'.

From Command Line:
use following command to delete destination Cidr Block 0.0.0.0/0 in the route table. Replace the current route that points to the NAT instance with a route to the NAT gateway.

aws ec2 delete-route --region region_name --route-table-id rtb_ID --destination-cidr-block 0.0.0.0/0

References:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-route.html

Route Table

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard CheckUp
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset