Risk Level: Medium
Cloud Entity: AWS Nat Gateway
CloudGuard Rule ID: D9.AWS.NET.60
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

NatGateway should have getResource('Subnet', subnetId) contain [routeTable.routes contain-any [gatewayId like '%igw%']]

REMEDIATION

From Portal
Note: In order to do this, you need to change the route table or create a new NAT Gateway. Following are the steps:

Sign in to the Amazon VPC console at https://console.aws.amazon.com/vpc/
Choose NAT Gateways
Before doing the step below, make sure that it is possible to temporary disable internet access of the instances associated with this Gateway.
Find the Gateway that reside in a private subnet, and click delete.
Create a new NAT gateway, associate it in a public subnet - subnet that routes to the internet through Internet Gateway. Choose the Elastic IP of the previous Gateway.

From Command Line

aws ec2 delete-nat-gateway --nat-gateway-id NAT_GATEWAY_ID
then
aws ec2 create-nat-gateway --subnet-id PUBLIC_SUBNET_ID --allocation-id PREVIOUS_ELASTIC_IP_ID

References

AWS Nat Gateway

A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
CloudGuard AWS All Rules Ruleset