This plugin ensures AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA)
Risk Level: Low
Description
This plugin ensures AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA). In order to connect to EC2 instances or other AWS components, VPCs should use highly available Managed NAT Gateways.
About the Service
Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With the EC2 instance, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the hardware needs of the process. Security Groups act as a firewall for an EC2 instance to control the incoming and outgoing traffic. You can read more about security groups here.
Impact
In the absence of a NAT Gateway associated with a VPC, it cannot establish a connection with the outer environment. For the smooth running of the AWS infrastructure, it is necessary to have NAT Gateway associated with a VPC.
Steps to Reproduce
Using AWS Console-
- Log In to your AWS Console.
- Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in.
- Move to the NAT Gateways in the Virtual Private Cloud section from the left navigation pane.
- A list of NAT Gateways in the region will appear. Click on the NAT Gateway you wish to examine.
- Make a list of all the VPCs attached to these Gateways. Repeat for all NAT Gateways to find the complete list.
- Now, move to the Your VPC’s section.
- A list of VPCs will appear. Now verify if all the VPCs have attached NAT Gateway. If some VPCs do not have a NAT Gateway, the vulnerability exists.
- Repeat steps for all the VPCs you want to investigate.
Steps for Remediation
Update VPCs to use Managed NAT Gateways instead of NAT instances:
- Log In to your AWS Console.
- Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in.
- Move to the NAT Gateways in the Virtual Private Cloud section from the left navigation pane.
- Click on Create NAT Gateway from the top-right corner.
- Give the specifications to the Gateway according to the VPC you wish to attach. Select the subnet associated with the VPC you wish to attach. And click on Create NAT Gateway when done the changes.
- Repeat steps for all the vulnerable VPCs.