Ensure that NAT gateway is not associated in a private subnet

Don't define NAT gateway in the private subnet, to avoid the risk of exposing the private subnet to the internet

Risk Level: Medium
Cloud Entity: AWS Nat Gateway
CloudGuard Rule ID: D9.AWS.NET.60
Covered by Spectral: No
Category: Networking & Content Delivery


NatGateway should have getResource('Subnet', subnetId) contain [routeTable.routes contain-any [gatewayId like '%igw%']]


From Portal
Note: In order to do this, you need to change the route table or create a new NAT Gateway. Following are the steps:

  1. Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. Choose NAT Gateways
  3. Before doing the step below, make sure that it is possible to temporary disable internet access of the instances associated with this Gateway.
  4. Find the Gateway that reside in a private subnet, and click delete.
  5. Create a new NAT gateway, associate it in a public subnet - subnet that routes to the internet through Internet Gateway. Choose the Elastic IP of the previous Gateway.

From Command Line

aws ec2 delete-nat-gateway --nat-gateway-id NAT_GATEWAY_ID
aws ec2 create-nat-gateway --subnet-id PUBLIC_SUBNET_ID --allocation-id PREVIOUS_ELASTIC_IP_ID


  1. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-nat-gateway.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-nat-gateway.html

AWS Nat Gateway

A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset