Ensure private subnets are not used to deploy AWS NAT Gateways

HIGH

Description

Defining a NAT Gateway in a private subnet could risk exposing the subnet to the internet.

Remediation

In AWS Console -

  1. Sign in to the AWS Console.
  2. Open NAT Gateways.
  3. Before continuing, ensure that it is acceptable to temporarily disable internet access for the instances associated with this Gateway.
  4. Find the Gateway that resides in a private subnet and delete it.
  5. Create a new NAT Gateway and associate it with a public subnet (a subnet that routes to the internet through an Internet Gateway). Choose the Elastic IP of the previous Gateway.

In Terraform -

  1. In the aws_nat_gateway resource, set subnet_id to the ID of a public subnet.

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway#subnet_id

Policy Details

Rule Reference ID: AC_AWS_0576
CSP: AWS
Remediation Available: Yes
Resource: aws_nat_gateway
Resource Category: Virtual Network

Frameworks