
Restrict data-tier subnet connectivity to VPC NAT Gateway


Risk level: Medium (should be achieved)

Ensure that the Amazon VPC route table associated with the data-tier subnets has no default route pointing to an AWS NAT Gateway, in order to restrict Internet connectivity for the EC2 instances running within the data tier. A route table contains a set of rules (also known as routes) that determine where network traffic is directed. Each subnet deployed in your VPC must be associated with a route table to control its routing. The route table associated with the data-tier subnets should not have a default route (i.e. 0.0.0.0/0) that points to a NAT Gateway. This conformity rule assumes that the VPC subnets associated with your data tier are tagged with <data_tier_tag>:<data_tier_tag_value>, where <data_tier_tag> represents the tag name and <data_tier_tag_value> represents the tag value. Before the Cloud Conformity engine runs this rule, the data-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Security Package

For security reasons, your data-tier instances must be protected from exposure. Therefore, the route table associated with your data-tier subnets should not have the default route pointing to an AWS NAT Gateway as this type of network device is used only to enable EC2 instances within a private subnet to connect to the Internet. Note: Ensure that you replace all <data_tier_tag>:<data_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the data tier.

Audit

To determine if the route table associated with your data-tier subnets contains a default route (0.0.0.0/0) that has a NAT device configured as gateway, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Restrict data-tier subnet connectivity to VPC NAT Gateway conformity rule settings, identify and copy the tag set defined for all AWS resources available within your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, click Subnets.

06 Select the subnet that you want to examine.

07 Select the Tags tab from the dashboard bottom panel.

08 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <data_tier_tag>:<data_tier_tag_value>). If these two tag sets do not match, or the verified resource is not tagged at all, the selected VPC subnet is not a component of your data tier and the audit process stops here. If the tag sets match, continue the audit with the next step.

09 Select the Route Table tab from the dashboard bottom panel to access the routes configured for the selected data-tier subnet.

10 Check the existing routes to determine if these contain the default route (i.e. the route with Destination set to 0.0.0.0/0) pointing to a NAT Gateway (e.g. nat-012345678aabbccdd). If the table has one or more routes configured to point to an AWS NAT Gateway, the selected route table configuration is not compliant.

11 Repeat steps no. 6 – 10 to check the routing configuration for the rest of the data-tier subnets available. If one or more route tables have the default route linked to a NAT Gateway, the data-tier EC2 instances have access to the Internet, therefore the network configuration is not compliant.

12 If required, change the AWS region from the navigation bar and repeat steps no. 4 – 11 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Restrict data-tier subnet connectivity to VPC NAT Gateway conformity rule settings, identify and copy the tag set defined for all AWS resources available in your data tier (e.g. <data_tier_tag>:<data_tier_tag_value>).

02 Run describe-subnets command (OSX/Linux/UNIX) to list the IDs of the subnets associated with your data tier, available in the selected VPC, created within US East (N. Virginia) region:

aws ec2 describe-subnets \
	--region us-east-1 \
	--filters Name=tag:<data_tier_tag>,Values=<data_tier_tag_value> Name=vpc-id,Values=vpc-12345678 \
	--query "Subnets[*].SubnetId"

03 The command request should return one of the following outputs:

  1. If the describe-subnets command output returns an empty array (i.e. []), as shown in the example below, there are no VPC subnets created for your data tier in the selected AWS region, therefore the audit process ends here:

    []

  2. If the command output returns an array with subnet IDs, as shown in the example below, one or more data-tier subnets are available within the selected Virtual Private Cloud, therefore the audit process continues with the next step:

    [
        "subnet-aabbccdd",
        "subnet-abcdabcd"
    ]

04 Run describe-route-tables command (OSX/Linux/UNIX) to describe the routes configured for the route table associated with the data-tier subnets returned at the previous step, available in the selected AWS region:

aws ec2 describe-route-tables \
	--region us-east-1 \
	--filters Name=association.subnet-id,Values=subnet-aabbccdd,subnet-abcdabcd \
	--query "RouteTables[*].{RouteTableId:RouteTableId, Routes:Routes}"

05 The command output should return the existing route(s) for the associated route table:

[
    {
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.31.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            },
            {
                "Origin": "CreateRoute",
                "DestinationCidrBlock": "0.0.0.0/0",
                "NatGatewayId": "nat-012345678aabbccdd",
                "State": "active"
            }
        ],
        "RouteTableId": "rtb-12345678"
    }
]

Check the routes returned by the describe-route-tables command output to determine if they contain a route with the "DestinationCidrBlock" attribute set to "0.0.0.0/0" and the "NatGatewayId" attribute set to an AWS NAT Gateway ID such as "nat-012345678aabbccdd". If the command output does describe such a route, as shown in the example above, the table has one route configured to point to an AWS NAT Gateway, therefore the selected route table configuration is not compliant and does not adhere to security best practices.

06 If required, change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 5 for other regions.
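As an added example (not part of the Cloud Conformity rule page or its tooling), the following Python script applies the check from steps 04 and 05 to a constructed copy of the describe-route-tables output: every route table whose 0.0.0.0/0 route targets a NAT Gateway is reported as not compliant. The sample output reuses the page's rtb-12345678 table and adds a made-up compliant table, rtb-87654321, that carries only the VPC-local route.

```python
"""Evaluate describe-route-tables output for the data-tier NAT Gateway rule."""
import json

# Constructed sample shaped like the output of
#   aws ec2 describe-route-tables --query "RouteTables[*].{RouteTableId:RouteTableId, Routes:Routes}"
# rtb-12345678 mirrors the noncompliant table shown above; rtb-87654321 and
# its routes are made up to represent a compliant data-tier route table.
SAMPLE_OUTPUT = json.dumps([
    {
        "RouteTableId": "rtb-12345678",
        "Routes": [
            {"GatewayId": "local", "DestinationCidrBlock": "172.31.0.0/16",
             "State": "active", "Origin": "CreateRouteTable"},
            {"Origin": "CreateRoute", "DestinationCidrBlock": "0.0.0.0/0",
             "NatGatewayId": "nat-012345678aabbccdd", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-87654321",
        "Routes": [
            {"GatewayId": "local", "DestinationCidrBlock": "172.31.0.0/16",
             "State": "active", "Origin": "CreateRouteTable"},
        ],
    },
])


def nat_default_routes(route_table):
    """Return the NAT Gateway IDs targeted by a default (0.0.0.0/0) route.

    The route's State is deliberately not checked: the rule flags any
    configured NAT default route, even one left in a blackhole state.
    """
    return [
        route["NatGatewayId"]
        for route in route_table.get("Routes", [])
        if route.get("DestinationCidrBlock") == "0.0.0.0/0"
        and "NatGatewayId" in route
    ]


def audit_route_tables(describe_output):
    """Map each RouteTableId to its NAT default-route targets (empty = compliant)."""
    tables = json.loads(describe_output)
    return {t["RouteTableId"]: nat_default_routes(t) for t in tables}


if __name__ == "__main__":
    for rtb_id, nat_ids in audit_route_tables(SAMPLE_OUTPUT).items():
        print(rtb_id, "NOT COMPLIANT " + ", ".join(nat_ids) if nat_ids else "compliant")
```

To run it against a real account, replace SAMPLE_OUTPUT with the text returned by the describe-route-tables command from step 04.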

Remediation / Resolution

To remove the default route that has an Amazon NAT device configured as gateway for the route table associated with your data-tier subnets, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 From Select a VPC dropdown menu, select the Virtual Private Cloud where the data-tier subnets were deployed.

04 In the navigation panel, under Virtual Private Cloud, click Route Tables.

05 Select the route table that you want to reconfigure (see Audit section part I to identify the right VPC resource).

06 Select the Routes tab from the bottom panel to access the table routing configuration.

07 On the Routes panel, choose Edit to modify the selected route table configuration.

08 Find the noncompliant route, i.e. the one with the Destination set to 0.0.0.0/0 and the Target set to a NAT Gateway ID such as nat-012345678aabbccdd, then click on the x button available in the Remove column to delete the selected route.

09 Click Save to apply the new configuration changes. The data-tier subnet connectivity to the VPC NAT Gateway should be restricted now.

10 If required, change the AWS region from the navigation bar and repeat steps no. 3 – 9 for other regions.

Using AWS CLI

01 Run the delete-route command (OSX/Linux/UNIX), using the ID of the route table that you want to reconfigure as the identifier (see the Audit section, part II, to identify the right resource), to remove the default route that points to an AWS NAT Gateway from the route table associated with your data-tier subnets (the command does not produce an output):

aws ec2 delete-route \
	--region us-east-1 \
	--route-table-id rtb-12345678 \
	--destination-cidr-block 0.0.0.0/0

02 If required, change the AWS region by updating the --region command parameter value and repeat step no. 1 for other regions.

Publication date Jul 25, 2018