Ensure that the Amazon VPC route table associated with the web-tier subnets has its default route configured to allow connectivity to the NAT Gateway deployed in the same VPC, in order to provide Internet access for the web-tier EC2 instances. A VPC route table contains a set of rules (also known as routes) that determine where network traffic is directed. The route table associated with the web-tier subnets should have a default route (i.e. 0.0.0.0/0) that points to a NAT Gateway. A Network Address Translation (NAT) gateway is a device that enables EC2 instances in a private subnet to connect to the Internet while preventing the Internet from initiating a connection with those instances. This conformity rule assumes that the private subnets associated with your web tier are also tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> is the tag name and <web_tier_tag_value> is the tag value. Before this rule is run by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings on your Cloud Conformity account dashboard.
To provide Internet access to EC2 instances running within your web-tier private subnets, make sure that the necessary route table is configured to have the default route (0.0.0.0/0) pointing to a NAT Gateway.
Note: Ensure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if the route table associated with your web-tier subnets has the default route configured to allow connectivity to a VPC NAT Gateway, perform the following:
Remediation / Resolution
To create the necessary default route (i.e. 0.0.0.0/0) with an AWS NAT Gateway as its target in the route table associated with the web-tier subnets, perform the following actions:
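The audit and the remediation above both come down to two operations: find the route table that actually serves a given web-tier subnet (the explicitly associated table, or the VPC's main table when the subnet has no explicit association), then inspect or add its 0.0.0.0/0 route. The following example implements both; it is added here and is not Cloud Conformity's own rule engine code. The dictionaries follow the shape of the EC2 DescribeRouteTables response, but every subnet, route-table and NAT Gateway ID in SAMPLE_ROUTE_TABLES is constructed for the example, the `<web_tier_tag>` placeholders are the page's own, and the live-account helpers assume a boto3 EC2 client supplied by the caller. It also treats a `blackhole` default route (the NAT Gateway was deleted but the route remained) as non-compliant, a failure mode the page does not spell out.

```python
"""Check whether the route table serving a web-tier subnet has an active
default route (0.0.0.0/0) targeting a NAT Gateway, and add one if missing.

Offline example: SAMPLE_ROUTE_TABLES is constructed data in the shape of
ec2.describe_route_tables()["RouteTables"]; no IDs refer to a real account.
"""
from typing import Dict, List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample: two explicitly associated tables plus the VPC main table.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {   # web-tier subnet 01: default route via an active NAT Gateway (compliant)
        "RouteTableId": "rtb-0000000000000web01",
        "Associations": [{"SubnetId": "subnet-0000000000000web01", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000000000000aaaa", "State": "active"},
        ],
    },
    {   # web-tier subnet 02: NAT route left behind after its gateway was deleted
        "RouteTableId": "rtb-0000000000000web02",
        "Associations": [{"SubnetId": "subnet-0000000000000web02", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000000000000bbbb", "State": "blackhole"},
        ],
    },
    {   # main table: only the local route; used implicitly by unassociated subnets
        "RouteTableId": "rtb-0000000000000main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """Return the table that applies to subnet_id: an explicit association wins,
    otherwise the VPC's main route table (AWS applies it implicitly)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_nat_gateway(route_table: Dict) -> Optional[str]:
    """Return the NAT Gateway ID targeted by an *active* 0.0.0.0/0 route, or None.

    None covers: no default route at all, a default route whose target is not a
    NAT Gateway (e.g. an Internet Gateway, which would make the subnet public),
    or a NAT route in 'blackhole' state (the gateway no longer exists)."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        nat_id = route.get("NatGatewayId")
        if nat_id and nat_id.startswith("nat-") and route.get("State") == "active":
            return nat_id
    return None


def check_subnet(route_tables: List[Dict], subnet_id: str) -> Dict[str, object]:
    """Evaluate one web-tier subnet and return a finding record."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return {"subnet": subnet_id, "route_table": None, "nat_gateway": None, "compliant": False}
    nat_id = default_route_nat_gateway(rt)
    return {"subnet": subnet_id, "route_table": rt["RouteTableId"],
            "nat_gateway": nat_id, "compliant": nat_id is not None}


# --- live-account helpers (assume a boto3 EC2 client passed in by the caller) ---

def web_tier_subnet_ids(ec2_client, tag_name: str, tag_value: str) -> List[str]:
    """Discover subnets carrying the configured <web_tier_tag>:<web_tier_tag_value>."""
    resp = ec2_client.describe_subnets(Filters=[{"Name": f"tag:{tag_name}", "Values": [tag_value]}])
    return [s["SubnetId"] for s in resp["Subnets"]]


def load_route_tables(ec2_client, vpc_id: str) -> List[Dict]:
    """Fetch all route tables of one VPC in the same shape as SAMPLE_ROUTE_TABLES."""
    resp = ec2_client.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return resp["RouteTables"]


def add_default_route_to_nat(ec2_client, route_table_id: str, nat_gateway_id: str):
    """Remediation: add 0.0.0.0/0 -> NAT Gateway to the given route table."""
    return ec2_client.create_route(RouteTableId=route_table_id,
                                   DestinationCidrBlock=DEFAULT_ROUTE,
                                   NatGatewayId=nat_gateway_id)


if __name__ == "__main__":
    # subnet 03 has no explicit association, so it falls back to the main table.
    for sid in ("subnet-0000000000000web01", "subnet-0000000000000web02", "subnet-0000000000000web03"):
        print(check_subnet(SAMPLE_ROUTE_TABLES, sid))
```

Against a real account, replace `SAMPLE_ROUTE_TABLES` with `load_route_tables(ec2, vpc_id)` and iterate over `web_tier_subnet_ids(ec2, "<web_tier_tag>", "<web_tier_tag_value>")`; a non-compliant finding whose route table already has a `blackhole` default route needs that stale route replaced rather than a second one added, since a route table can hold only one route per destination CIDR.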
Check web-tier subnet connectivity to VPC NAT Gateway
Risk level: Medium