Ensure AWS NAT Gateways are used instead of default routes for AWS Route Table

HIGH

Description

The reported route table carries a 0.0.0.0/0 default route whose target is an Internet Gateway (gateway_id) rather than a NAT Gateway (nat_gateway_id). A subnet associated with such a route table is effectively public: any instance in it that holds a public or Elastic IP address is directly reachable from the internet. Sending the default route through a NAT Gateway instead gives the subnet outbound internet access while unsolicited inbound connections are dropped, and a NAT Gateway is an AWS-managed service that scales its bandwidth automatically.

Remediation

In AWS Console -

  1. Sign in to the AWS Console.
  2. In the console, select the specific region.
  3. Go to VPC Dashboard.
  4. In the navigation pane, open 'NAT Gateways'.
  5. Create a new NAT gateway in a public subnet (a subnet whose route table sends 0.0.0.0/0 to an Internet Gateway) and allocate or select an Elastic IP for it.
  6. In the navigation pane, open 'Route Tables'.
  7. Select the reported route table associated with your private subnet.
  8. Select 'Routes' and Click 'Edit routes'.
  9. Replace the existing 0.0.0.0/0 route with one whose target is the NAT gateway you just created.
  10. Click 'Save routes'.

In Terraform -

  1. In the aws_route_table resource for the private subnet, keep the route.cidr_block at the standard default route 0.0.0.0/0.
  2. Set the route's nat_gateway_id to the ID of an aws_nat_gateway resource placed in a public subnet, and remove the gateway_id (Internet Gateway) target from that route. Only the public subnet's own route table should keep a 0.0.0.0/0 route whose gateway_id is the Internet Gateway. See the Terraform documentation for the route block's arguments.

References:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table

Policy Details

Rule Reference ID: AC_AWS_0578
CSP: AWS
Remediation Available: Yes
Resource: aws_route_table
Resource Category: Virtual Network

Frameworks