Ensure that the Amazon VPC route table associated with the web-tier subnets has its default route configured to send traffic to a NAT Gateway deployed in the same VPC, so that the web-tier EC2 instances have outbound Internet access. A VPC route table contains a set of rules (also known as routes) that determine where network traffic is directed. The route table associated with the web-tier subnets should have a default route (i.e. 0.0.0.0/0) whose target is a NAT Gateway. A Network Address Translation (NAT) gateway enables EC2 instances in a private subnet to initiate connections to the Internet while preventing the Internet from initiating connections to those instances. This conformity rule assumes that the private subnets associated with your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> is the tag name and <web_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the web-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
To provide Internet access to EC2 instances running within your web-tier private subnets, make sure that the necessary route table is configured to have the default route (0.0.0.0/0) pointing to a NAT Gateway.
Note: Ensure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
Audit
To determine if the route table associated with your web-tier subnets has the default route configured to allow connectivity to a VPC NAT Gateway, perform the following:
Remediation / Resolution
To create the necessary default route (i.e. 0.0.0.0/0) with a NAT Gateway as its target in the route table associated with the web-tier subnets, perform the following actions:
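The audit and remediation steps above are not reproduced on this page, so the following is an added example (not Cloud Conformity's own engine code) of the evaluation logic the rule describes. It runs over constructed JSON shaped like the output of `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` (the IDs, tag name `web-tier` and tag value `true` are made up for the example); in a real account you would obtain that data with `aws ec2 describe-subnets --filters Name=tag:<web_tier_tag>,Values=<web_tier_tag_value>` and `aws ec2 describe-route-tables`. For each tagged subnet it resolves the effective route table (explicit association, otherwise the VPC's main table), locates the 0.0.0.0/0 route, and flags the three ways the rule can fail: no default route, a default route whose target is not a NAT Gateway (for example an Internet Gateway, which would make a "private" subnet public), and a NAT route whose state is `blackhole` because the NAT Gateway was deleted. It also builds the `aws ec2 create-route` / `replace-route` command used for remediation.

```python
"""Evaluate web-tier subnets for a 0.0.0.0/0 route that targets an active NAT Gateway."""

# Placeholders for the rule's <web_tier_tag>:<web_tier_tag_value> settings (constructed values).
WEB_TIER_TAG = "web-tier"
WEB_TIER_TAG_VALUE = "true"

# Constructed sample data in the shape of `aws ec2 describe-subnets` / `describe-route-tables`
# output. IDs are invented for the example and do not refer to any real account.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0123", "Tags": [{"Key": "web-tier", "Value": "true"}]},
    {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0123", "Tags": [{"Key": "web-tier", "Value": "true"}]},
    {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0123", "Tags": [{"Key": "web-tier", "Value": "true"}]},
    {"SubnetId": "subnet-0ddd", "VpcId": "vpc-0123", "Tags": [{"Key": "Name", "Value": "db-a"}]},
]

SAMPLE_ROUTE_TABLES = [
    {   # Main table: any subnet without an explicit association uses this one.
        "RouteTableId": "rtb-main", "VpcId": "vpc-0123",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa", "State": "active"},
        ],
    },
    {   # Compliant web-tier table: default route to an active NAT Gateway.
        "RouteTableId": "rtb-web", "VpcId": "vpc-0123",
        "Associations": [{"Main": False, "SubnetId": "subnet-0aaa"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa", "State": "active"},
        ],
    },
    {   # Stale table: the NAT Gateway was deleted, so the route is still present but blackholed.
        "RouteTableId": "rtb-stale", "VpcId": "vpc-0123",
        "Associations": [{"Main": False, "SubnetId": "subnet-0bbb"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0dead", "State": "blackhole"},
        ],
    },
]


def web_tier_subnets(subnets, tag=WEB_TIER_TAG, value=WEB_TIER_TAG_VALUE):
    """Subnets carrying the web-tier tag, as the rule's tag filter would select them."""
    return [s for s in subnets
            if any(t["Key"] == tag and t["Value"] == value for t in s.get("Tags", []))]


def route_table_for_subnet(route_tables, subnet):
    """Explicitly associated table if there is one, otherwise the VPC's main route table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet["SubnetId"] for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if rt["VpcId"] == subnet["VpcId"] and any(a.get("Main") for a in rt["Associations"]):
            return rt
    return None


def evaluate_subnet(route_tables, subnet):
    """Return (compliant, reason) for one subnet."""
    rt = route_table_for_subnet(route_tables, subnet)
    if rt is None:
        return False, f"{subnet['SubnetId']}: no route table found"
    default = next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if default is None:
        return False, f"{rt['RouteTableId']}: no 0.0.0.0/0 route"
    if "NatGatewayId" not in default:
        # Any other target (IGW, peering, ENI/instance, ...) does not satisfy the rule.
        target = (default.get("GatewayId") or default.get("VpcPeeringConnectionId")
                  or default.get("NetworkInterfaceId") or "unknown")
        return False, f"{rt['RouteTableId']}: 0.0.0.0/0 targets {target}, not a NAT gateway"
    if default.get("State") != "active":
        return False, f"{rt['RouteTableId']}: 0.0.0.0/0 -> {default['NatGatewayId']} is {default.get('State')}"
    return True, f"{rt['RouteTableId']}: 0.0.0.0/0 -> {default['NatGatewayId']}"


def audit(subnets, route_tables):
    """Map each web-tier subnet ID to its (compliant, reason) result."""
    return {s["SubnetId"]: evaluate_subnet(route_tables, s) for s in web_tier_subnets(subnets)}


def remediation_command(route_table_id, nat_gateway_id, replace_existing=False):
    """Build the AWS CLI call that points 0.0.0.0/0 at the NAT Gateway.

    `create-route` fails if a 0.0.0.0/0 route already exists (e.g. the blackhole case),
    so `replace-route` is used for that situation; both accept the same flags.
    """
    verb = "replace-route" if replace_existing else "create-route"
    return (f"aws ec2 {verb} --route-table-id {route_table_id} "
            f"--destination-cidr-block 0.0.0.0/0 --nat-gateway-id {nat_gateway_id}")


if __name__ == "__main__":
    for subnet_id, (ok, reason) in audit(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet_id}: {'COMPLIANT' if ok else 'NON-COMPLIANT'} ({reason})")
```

Run against the sample data, `subnet-0aaa` is compliant, `subnet-0bbb` fails because its NAT route is blackholed, `subnet-0ccc` fails because it falls through to the main table whose default route is an Internet Gateway, and the untagged `subnet-0ddd` is not evaluated. For a subnet on the main table, the fix is normally to associate it with a dedicated private route table (`aws ec2 associate-route-table`) rather than to change the main table's default route.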
References
- AWS Documentation
  - VPCs and Subnets
  - Route Tables
  - NAT
  - NAT Gateways
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-subnets
    - describe-route-tables
    - create-route
Rule: Check web-tier subnet connectivity to VPC NAT Gateway
Risk level: Medium