Ensure that the Amazon VPC route table associated with the data-tier subnets has no default route configured to allow access to an AWS NAT Gateway in order to restrict Internet connectivity for the EC2 instances available within the data tier. A route table contains a set of rules (also known as routes) that are used to determine where the network traffic is directed. Each subnet deployed in your VPC must be associated with a route table to control the routing. The route table associated with the data-tier subnets should not have a default route (i.e. 0.0.0.0/0) that points to a NAT Gateway. This conformity rule assumes that the VPC subnets associated with your data-tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> represents the tag name and <data_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the data-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
For security reasons, your data-tier instances must be protected from exposure. Therefore, the route table associated with your data-tier subnets should not have the default route pointing to an AWS NAT Gateway as this type of network device is used only to enable EC2 instances within a private subnet to connect to the Internet. Note: Ensure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the data tier.
To determine if the route table associated with your data-tier subnets contains a default route (0.0.0.0/0) that has a NAT device configured as gateway, perform the following actions:
To remove the default route that has an Amazon NAT device configured as gateway for the route table associated with your data-tier subnets, perform the following: