Ensure that your AWS VPC network(s) use the highly available Managed NAT Gateway service instead of a NAT instance in order to enable EC2 instances sitting in a private subnet to connect to the internet or to other AWS components.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
AWS provides two types of NAT devices: a managed NAT gateway and a NAT instance launched from a public AMI. Using the AWS VPC Managed NAT Gateway service instead of a NAT instance to forward traffic for instances in a private subnet has multiple advantages. First, the Managed NAT Gateway provides built-in redundancy for high availability (using the multi-AZ configuration), whereas a NAT instance relies on a script to manage failover. Second, the Managed NAT Gateway provides better bandwidth (traffic bursts up to 10Gbps) than a NAT instance, which is limited to the bandwidth allocated to the EC2 instance type used. Lastly, the Managed NAT Gateway service uses software optimized for handling NAT traffic and is fully managed by AWS, whereas a NAT instance is not optimized and requires scaling and regular maintenance such as installing software updates or patches.
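As an added illustration of what this rule checks (example code, not Conformity's own audit procedure), the following Python classifies each route table by the device behind its IPv4 default route, using the JSON shape returned by `aws ec2 describe-route-tables`; the response embedded below is a constructed sample, and all resource ids in it are made up.

```python
"""Classify VPC route tables by the NAT device their default route uses.
Added example, not Conformity's audit logic. Reads the JSON shape of
`aws ec2 describe-route-tables`; the sample response below is constructed."""
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables --output json`.
SAMPLE_RESPONSE = json.dumps({
    "RouteTables": [
        {"RouteTableId": "rtb-0aaa", "VpcId": "vpc-0111", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"}]},
        {"RouteTableId": "rtb-0bbb", "VpcId": "vpc-0111", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            # Default route targets an EC2 instance (via its ENI): a NAT instance.
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0def",
             "NetworkInterfaceId": "eni-0123", "State": "active"}]},
        {"RouteTableId": "rtb-0ccc", "VpcId": "vpc-0111", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0789", "State": "active"}]},
    ]
})

def nat_device(route_table):
    """Return the device type behind the table's IPv4 default route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if "NatGatewayId" in route:
            return "nat-gateway"            # compliant: managed NAT gateway
        if "InstanceId" in route or "NetworkInterfaceId" in route:
            return "nat-instance"           # non-compliant: egress via an EC2 instance
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "internet-gateway"       # public subnet; not a NAT device
    return "none"                           # no default route: isolated subnet

def audit(response_json):
    """Map every route table id in the response to its device type."""
    data = json.loads(response_json)
    return {rt["RouteTableId"]: nat_device(rt) for rt in data["RouteTables"]}

def non_compliant(response_json):
    """Route tables whose private-subnet egress goes through a NAT instance."""
    return sorted(rt for rt, dev in audit(response_json).items() if dev == "nat-instance")

if __name__ == "__main__":
    for rt, dev in audit(SAMPLE_RESPONSE).items():
        print(f"{rt}: {dev}")
```

Feeding it a saved response from your own account (`aws ec2 describe-route-tables --output json > rtb.json`) instead of the sample lists exactly the route tables that still send traffic through a NAT instance.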
To determine if your VPC network(s) use a Managed NAT Gateway as a NAT device, perform the following:
Remediation / Resolution
To enable the Managed NAT Gateway service for your AWS VPC network(s), perform the following:
- AWS Documentation
- Amazon VPC FAQs
- What is Amazon VPC?
- NAT Gateways
- NAT Instances
- Comparison of NAT Instances and NAT Gateways
- Scenario 2: VPC with Public and Private Subnets (NAT)
- AWS Command Line Interface (CLI) Documentation
Managed NAT Gateway In Use
Risk level: Medium