Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Check Web-tier Subnet Connectivity to VPC NAT Gateway

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Amazon VPC route table associated with the web-tier subnets has the default route (i.e. 0.0.0.0/0) configured to allow connectivity to the NAT Gateway deployed in the same VPC, in order to provide Internet access for the web-tier Amazon EC2 instances. A VPC route table contains a set of rules (also known as routes) that are used to determine where the network traffic is directed. The route table associated with the web-tier subnets should have a default route (0.0.0.0/0) that points to a NAT Gateway. A Network Address Translation (NAT) gateway is a device that helps enabling EC2 instances within a private subnet to connect to the Internet and prevent the Internet from initiating a connection with those instances. This conformity rule assumes that the VPC subnets within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> represents the tag name and <web_tier_tag_value> represents. Before running this rule by the Trend Cloud One™ – Conformity engine, the web-tier tags must be configured in the rule settings, on your Conformity account console.

Security

To provide Internet access to Amazon EC2 instances running within your private web-tier subnets, make sure that the necessary route table is configured to have the default route (0.0.0.0/0) pointing to a NAT Gateway.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders outlined in the conformity rule content with your own tag set created for the web tier.

Audit

To determine if the route table associated with your web-tier subnets has the default route configured to allow connectivity to a VPC NAT Gateway, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Check Web-tier Subnet Connectivity to VPC NAT Gateway conformity rule settings, and identify the tag set defined for the AWS cloud resources created for your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

04 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

05 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Subnets.

06 Select the VPC subnet that you want to examine and choose the Tags tab from the console bottom panel.

07 In the Tags section, search for the tag set identified at step no. 1 (i.e. <web_tier_tag>:<web_tier_tag_value>). If the verified VPC resource is not tagged with the web-tier tags identified at step no. 1, the selected Amazon VPC subnet is not a component of your web tier and the Audit process ends here. If the selected VPC subnet is tagged with your web-tier tags, continue the Audit process with the next step.

08 Select the Route table tab from the console bottom panel to access the routes configured for the selected web-tier subnet. Check the existing routes to determine if the default route (i.e. the route with the Destination set to 0.0.0.0/0) is pointing to a NAT Gateway (e.g. nat-01234abcd1234abcd). If the default route is not linked to a VPC NAT Gateway, the route table configuration is not compliant.

09 Repeat steps no. 6 – 8 to check the routing configuration for other web-tier VPC subnets available. If none of the associated route tables have the default route linked to a VPC NAT Gateway, the web-tier Amazon EC2 instances don't have Internet access via the VPC NAT Gateway.

10 Repeat steps no. 4 – 9 for each VPC created within the current AWS cloud region.

11 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Check Web-tier Subnet Connectivity to VPC NAT Gateway conformity rule settings, and identify the tag set defined for the AWS cloud resources created for your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-vpcs command (OSX/Linux/UNIX) with custom query filters to list the IDs of all the Virtual Private Clouds (VPCs) available in the selected AWS cloud region: 

aws ec2 describe-vpcs
  --region us-east-1
  --output table
  --query 'Vpcs[*].VpcId'

03 The command output should return a table with the requested VPC identifiers: 

------------------
|  DescribeVpcs  |
+----------------+
|  vpc-abcdabcd  |
|  vpc-12341234  |
+----------------+

04 Run describe-subnets command (OSX/Linux/UNIX) to list the IDs of the WEB-tier subnets created for the Virtual Private Cloud (VPC) that you want to examine. Replace <web_tier_tag> and <web_tier_tag_value> with your web-tier tag set identified at step no. 1: 

aws ec2 describe-subnets
  --region us-east-1
  --filters Name=tag:<web_tier_tag>,Values=<web_tier_tag_value> Name=vpc-id,Values=vpc-abcdabcd
  --query "Subnets[*].SubnetId"

05 The command request should return one of the following outputs:

  1. If the command output returns an empty array (i.e. []), as shown in the example below, there are no VPC subnets created for your web tier in the selected AWS region, therefore the Audit process for the selected resource ends here: 
    []
  2. If the describe-subnets command output returns an array with subnet IDs, as shown in the example below, there are web-tier subnets available within the selected Virtual Private Cloud (VPC), therefore the Audit process continues with the next step: 
    [
	"subnet-1234abcd",
	"subnet-abcd1234"
]

06 Run describe-route-tables command (OSX/Linux/UNIX) to describe the routes configured for the route table associated with the web-tier VPC subnets returned at the previous step: 

aws ec2 describe-route-tables
  --region us-east-1
  --filters Name=association.subnet-id,Values=subnet-1234abcd,subnet-abcd1234
  --query "RouteTables[*].{RouteTableId:RouteTableId, Routes:Routes}"

07 The command output should return the existing route(s) for the associated route table: 

[
	{
		"Routes": [
			{
				"GatewayId": "local",
				"DestinationCidrBlock": "10.0.0.0/16",
				"State": "active",
				"Origin": "CreateRouteTable"
			}
		],
		"RouteTableId": "rtb-12345678"
	}
]

Check the routes returned by the describe-subnets command output to determine if there is a route with the "DestinationCidrBlock" attribute set to "0.0.0.0/0" and the "GatewayId" attribute set to a VPC NAT Gateway ID such as "nat-01234abcd1234abcd". If the verified route table does not have such a route, there is no connectivity between the web-tier VPC subnets and the VPC's NAT Gateway, therefore the web-tier Amazon EC2 instances don't have Internet access via the VPC NAT Gateway.

08 Repeat steps no. 4 – 7 for each VPC available within the selected AWS cloud region.

09 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To create the necessary route with a VPC NAT device configured as gateway for the route table associated with your web-tier VPC subnets, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to access from the Select a VPC dropdown menu.

04 In the navigation panel, under VIRTUAL PRIVATE CLOUD, choose Route Tables.

05 Select the route table that you want to reconfigure (see Audit section part I to identify the right VPC route table).

06 Select the Routes tab from the console bottom panel and choose Edit routes.

07 On the Edit routes configuration page, perform the following operations:

  1. Choose Add route to add a new route.
  2. Type 0.0.0.0/0 in the Destination box.
  3. Click inside the Target box, choose NAT Gateway, and select the ID of the NAT Gateway (e.g. nat-01234abcd1234abcd) created for the selected VPC. If there is no NAT Gateway deployed within the selected VPC network, follow the instructions outlined in this conformity rule to create one.
  4. Choose Save routes to apply the changes.

08 Repeat steps no. 5 – 7 for each non-compliant route table created for the selected VPC.

09 Repeat steps no. 3 – 8 for each VPC network available within the current AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run create-route command (OSX/Linux/UNIX) using the ID of the non-compliant route table that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right VPC route table), to create a new route that matches all traffic (i.e. 0.0.0.0/0) and routes the traffic to the NAT Gateway deployed within the web-tier VPC network. If there is no NAT Gateway deployed within the selected VPC, follow the instructions outlined in this conformity rule to create a new one before executing the create-routecommand: 

aws ec2 create-route
  --region us-east-1
  --route-table-id rtb-12345678
  --destination-cidr-block 0.0.0.0/0
  --gateway-id nat-01234abcd1234abcd

02 The command output should return true if the command request succeeds, otherwise it should return an error: 

{
	"Return": true
}

03 Repeat steps no. 1 and 2 for each non-compliant route table created for your VPC network.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

References

Publication date Jul 25, 2018

Related EC2 rules