Risk Level: Medium
Cloud Entity: AWS Nat Gateway
CloudGuard Rule ID: D9.AWS.NET.60
Covered by Spectral: No
Category: Networking & Content Delivery
NatGateway should have getResource('Subnet', subnetId) contain [routeTable.routes contain-any [gatewayId like '%igw%']]
Note: In order to do this, you need to change the route table or create a new NAT Gateway. Following are the steps:
- Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
- Choose NAT Gateways
- Before doing the step below, make sure that it is possible to temporary disable internet access of the instances associated with this Gateway.
- Find the Gateway that reside in a private subnet, and click delete.
- Create a new NAT gateway, associate it in a public subnet - subnet that routes to the internet through Internet Gateway. Choose the Elastic IP of the previous Gateway.
From Command Line
aws ec2 delete-nat-gateway --nat-gateway-id NAT_GATEWAY_ID then aws ec2 create-nat-gateway --subnet-id PUBLIC_SUBNET_ID --allocation-id PREVIOUS_ELASTIC_IP_ID
A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated 3 months ago