
Specific Gateway Attached To Specific VPC

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: VPC-013

Ensure that a specific Virtual Private Cloud (VPC) has a specific Internet or NAT gateway attached to it, in order to meet the security and regulatory compliance requirements within your organization. Before this rule is run by the Cloud Conformity engine, use the rule settings available in your Cloud Conformity account dashboard to configure an ID set that contains the identifier of the specific VPC and the ID of the Internet/NAT gateway that must be associated with that VPC. You can define multiple ID sets in the conformity rule settings.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Attaching the right gateways to your Amazon Virtual Private Clouds (VPCs) improves the overall state of network security in your AWS account and fulfills your organization's compliance requirements. The gateway attached to a VPC decides its exposure: an Internet gateway gives the VPC a bidirectional path to the internet, while a NAT gateway lets instances in private subnets open outbound connections without being reachable from the internet. Verifying that each VPC has exactly the gateway designated for it catches both a missing egress path and an unintended ingress path.


Audit

To determine if a specific NAT/Internet gateway is attached to the specific VPC in your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Check for Specific Gateway Attached to Specific VPC conformity rule settings and identify the ID set defined for your AWS account. Copy the ID of the Internet gateway (i.e. igw-*) or the ID of the NAT gateway (i.e. nat-*) together with the ID of the associated VPC.

02 Sign in to AWS Management Console.

03 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

04 Select the Virtual Private Cloud (VPC) that you want to examine from the Select a VPC dropdown menu.

05 In the navigation panel, under Virtual Private Cloud, choose Internet Gateways or NAT Gateways, depending on the type of the gateway that you want to examine.

06 Paste the ID of the Internet/NAT gateway copied at step no. 1 in the Filter by tags and attributes or search by keyword search box and press Enter.

07 Select the gateway returned at the previous step, and based on the resource type, perform the following:

  1. If the resource examined is an Internet gateway (IGW), select the Description tab and check the State and Attached VPC ID attribute values. The association is compliant only if State is attached and Attached VPC ID matches the VPC ID copied at step no. 1. If the gateway is detached, or it is attached but Attached VPC ID does not match, the selected Internet gateway is not attached to the right Virtual Private Cloud (VPC), therefore the specific IGW-VPC association is not compliant.
  2. If the gateway examined is a NAT gateway (NGW), select the Details tab from the dashboard bottom panel and check the Status and VPC attribute values. A NAT gateway cannot be moved between VPCs; it belongs to the VPC of the subnet it was created in. The association is compliant only if Status is available and VPC matches the VPC ID copied at step no. 1. If Status is anything else (e.g. pending, failed or deleted), or the VPC value does not match, the selected NAT gateway is not serving the designated Virtual Private Cloud (VPC), hence the specific NGW-VPC association is not compliant.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Specific Gateway Attached to Specific VPC conformity rule settings and identify the ID set defined for your AWS account. Copy the ID of the Internet gateway (i.e. igw-*) or the ID of the NAT gateway (i.e. nat-*) together with the ID of the associated VPC.

02 Based on the gateway type that you want to examine, perform one of the following CLI commands:

  1. For Internet gateways (IGWs):
    • Run describe-internet-gateways command (OSX/Linux/UNIX) using the ID of the VPC copied at step no. 1 as value for the attachment.vpc-id filter and the ID of the IGW attached to the VPC, copied at step no. 1, as value for the internet-gateway-id filter, to describe the configuration metadata for the selected Internet gateway and its association with the specified VPC (attachment.state is available only while the gateway is attached to a VPC):
      aws ec2 describe-internet-gateways \
      	--region us-east-1 \
      	--filters "Name=internet-gateway-id,Values=igw-01234abcd1234abcd" "Name=attachment.state,Values=available" "Name=attachment.vpc-id,Values=vpc-abcd1234" \
      	--query 'InternetGateways'
      
    • When the gateway is attached to the specified VPC, the command output returns an array with the requested configuration metadata. When the association does not exist, the output is an empty array:
      []
      
    • If the command output returns an empty array, as shown in the example above, the selected Internet gateway is not attached to its designated Virtual Private Cloud (VPC): it is detached, attached to a different VPC, or not present in the region. In each case the specific IGW-VPC association, as defined in the conformity rule settings, is not currently active (i.e. non-compliant). To tell these cases apart, rerun the command with only the internet-gateway-id filter and inspect the Attachments list in the output.
  2. For NAT gateways (NGWs):
    • Run describe-nat-gateways command (OSX/Linux/UNIX) using the ID of the VPC copied at step no. 1 as value for the vpc-id filter and the ID of the NGW attached to the VPC, copied at step no. 1, as value for the nat-gateway-id filter, to return the configuration metadata for the selected NAT gateway and its association with the specified VPC (note that this command takes --filter, singular):
      aws ec2 describe-nat-gateways \
      	--region us-east-1 \
      	--filter "Name=nat-gateway-id,Values=nat-0abcd1234abcd1234" "Name=state,Values=available" "Name=vpc-id,Values=vpc-1234abcd" \
      	--query 'NatGateways'
      
    • When the NAT gateway is available in the specified VPC, the command output returns an array with the configuration metadata for the selected NGW. When the association does not exist, the output is an empty array:
      []
      
    • If the describe-nat-gateways command output returns an empty array, as shown in the example above, the selected NAT gateway is not serving its designated Virtual Private Cloud (VPC): it resides in a different VPC, is not in the available state (pending, failed, deleting or deleted), or does not exist in the region. In each case the specific NGW-VPC association, as defined in the rule settings, is not currently active (i.e. non-compliant). To tell these cases apart, rerun the command with only the nat-gateway-id filter and inspect the State and VpcId values in the output.

03 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
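The audit above, carried out programmatically, as an added example that is not part of the original page or of Conformity's own engine: the functions below evaluate one ID set (region, VPC ID and gateway ID, as read from the rule settings) against the dict shapes that boto3's describe_internet_gateways and describe_nat_gateways return, and report why a pair fails (gateway missing from the region, detached, not yet available, or attached to a different VPC) rather than only that it does. The sample responses and ID sets are constructed for illustration; the fetch_* callables are the only place that would touch AWS, and a boto3 version is shown in a comment.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

# Response shapes follow boto3 ec2.describe_internet_gateways / describe_nat_gateways.
Fetcher = Callable[[str, str], dict]  # (region, gateway_id) -> describe_* response


@dataclass(frozen=True)
class IdSet:
    """One entry of the rule settings: the VPC and the gateway that must be attached to it."""
    region: str
    vpc_id: str
    gateway_id: str  # igw-* or nat-*


def evaluate_igw(response: dict, igw_id: str, vpc_id: str) -> str:
    """Verdict for an IGW/VPC pair: 'COMPLIANT' or 'NON_COMPLIANT: <reason>'.

    `response` must be filtered by gateway ID only (not by VPC), so that a
    gateway attached elsewhere is reported as such rather than as missing.
    """
    matches = [g for g in response.get("InternetGateways", [])
               if g.get("InternetGatewayId") == igw_id]
    if not matches:
        return "NON_COMPLIANT: gateway not found in region"
    attachments = matches[0].get("Attachments", [])
    if not attachments:
        return "NON_COMPLIANT: gateway is detached"
    att = attachments[0]  # an IGW attaches to at most one VPC
    if att.get("VpcId") != vpc_id:
        return f"NON_COMPLIANT: attached to {att.get('VpcId')} instead of {vpc_id}"
    if att.get("State") != "available":  # the API's steady state for an attachment
        return f"NON_COMPLIANT: attachment state is {att.get('State')}"
    return "COMPLIANT"


def evaluate_nat(response: dict, nat_id: str, vpc_id: str) -> str:
    """Verdict for a NAT gateway/VPC pair. A NAT gateway cannot be re-homed;
    its VpcId is fixed by the subnet it was created in."""
    matches = [g for g in response.get("NatGateways", [])
               if g.get("NatGatewayId") == nat_id]
    if not matches:
        return "NON_COMPLIANT: gateway not found in region"
    gw = matches[0]
    if gw.get("VpcId") != vpc_id:
        return f"NON_COMPLIANT: resides in {gw.get('VpcId')} instead of {vpc_id}"
    if gw.get("State") != "available":  # pending / failed / deleting / deleted
        return f"NON_COMPLIANT: gateway state is {gw.get('State')}"
    return "COMPLIANT"


def audit(id_sets: Iterable[IdSet], fetch_igw: Fetcher, fetch_nat: Fetcher
          ) -> Dict[Tuple[str, str, str], str]:
    """Evaluate every ID set in its own region. With boto3 the fetchers would be, e.g.:
    lambda region, gid: boto3.client("ec2", region_name=region).describe_internet_gateways(
        Filters=[{"Name": "internet-gateway-id", "Values": [gid]}])
    (a filter rather than InternetGatewayIds, so an unknown ID yields [] instead of an error).
    """
    results = {}
    for s in id_sets:
        if s.gateway_id.startswith("igw-"):
            verdict = evaluate_igw(fetch_igw(s.region, s.gateway_id), s.gateway_id, s.vpc_id)
        elif s.gateway_id.startswith("nat-"):
            verdict = evaluate_nat(fetch_nat(s.region, s.gateway_id), s.gateway_id, s.vpc_id)
        else:
            verdict = "NON_COMPLIANT: unrecognised gateway ID prefix"
        results[(s.region, s.vpc_id, s.gateway_id)] = verdict
    return results


# --- constructed sample data (illustrative, not real account output) -----------
SAMPLE_IGW = {"us-east-1": {"InternetGateways": [
    {"InternetGatewayId": "igw-0abcdabcdabcdabcd",
     "Attachments": [{"State": "available", "VpcId": "vpc-01234123412341234"}]},
    {"InternetGatewayId": "igw-0000000000000de7", "Attachments": []},
]}}
SAMPLE_NAT = {"us-east-1": {"NatGateways": [
    {"NatGatewayId": "nat-0abcdabcd12341234", "State": "available",
     "VpcId": "vpc-0abcdabcdabcdabcd", "SubnetId": "subnet-1234abcd"},
]}}
SAMPLE_ID_SETS = [
    IdSet("us-east-1", "vpc-01234123412341234", "igw-0abcdabcdabcdabcd"),  # correct
    IdSet("us-east-1", "vpc-01234123412341234", "igw-0000000000000de7"),   # detached
    IdSet("us-east-1", "vpc-01234123412341234", "nat-0abcdabcd12341234"),  # other VPC
    IdSet("eu-west-1", "vpc-01234123412341234", "igw-0abcdabcdabcdabcd"),  # wrong region
]


def run_sample_audit() -> Dict[Tuple[str, str, str], str]:
    """Run the audit against the constructed samples instead of AWS."""
    fetch_igw = lambda region, _gid: SAMPLE_IGW.get(region, {"InternetGateways": []})
    fetch_nat = lambda region, _gid: SAMPLE_NAT.get(region, {"NatGateways": []})
    return audit(SAMPLE_ID_SETS, fetch_igw, fetch_nat)


if __name__ == "__main__":
    for (region, vpc, gw), verdict in run_sample_audit().items():
        print(f"{region} {vpc} {gw}: {verdict}")
```

The fetchers are injected so the evaluation logic can be exercised against recorded API output in CI; swapping in the boto3 lambdas from the audit() docstring turns the same script into the multi-region check described in steps 2 and 3.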

Remediation / Resolution

Case A: To associate a specific Internet gateway (IGW) with a specific Virtual Private Cloud (VPC), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under Virtual Private Cloud, choose Internet Gateways.

04 Select the Internet gateway that you want to attach to the specific VPC.

05 Click the Actions dropdown button from the dashboard top menu and select Attach to VPC.

06 On Attach to VPC page, choose the VPC that you want to associate with the selected IGW from the VPC dropdown list, then click Attach to submit the request.

07 Select the Description tab from the dashboard bottom panel and click the Attached VPC ID link to open the page with the associated VPC.

08 Select the VPC's Description tab from the bottom panel and click the Route table link to access main route table associated with the VPC.

09 Select Routes tab from the dashboard bottom panel and click the Edit routes button.

10 By default, the main route table does not contain a route to the Internet gateway, therefore on the Edit routes page click the Add route button to set up a route to the attached IGW. Specify 0.0.0.0/0 in the Destination box and select the ID of the associated Internet gateway from the Target list. Choose Save routes to apply the changes and click Close to return to the VPC dashboard. Keep in mind that every subnet without an explicit route table association uses the main route table, so this route makes all such subnets internet-facing; if only some subnets should be public, add the route to a dedicated route table associated with those subnets instead.

11 Sign in to your Cloud Conformity console, access Specific Gateway Attached to Specific VPC conformity rule settings and create a new specific ID set using the IDs of the VPC and Internet gateway (IGW) associated at the previous steps.

12 Repeat steps no. 4 – 11 to associate other specific Internet gateways with their VPCs.

13 If necessary, change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run attach-internet-gateway command (OSX/Linux/UNIX) to associate a specific Internet gateway (e.g. igw-0abcdabcdabcdabcd) with a specific Virtual Private Cloud (e.g. vpc-01234123412341234) in the selected AWS region (if successful, the command does not produce an output):

aws ec2 attach-internet-gateway \
	--region us-east-1 \
	--internet-gateway-id igw-0abcdabcdabcdabcd \
	--vpc-id vpc-01234123412341234

02 Run create-route command (OSX/Linux/UNIX) using the ID of the VPC's main route table as identifier to create a new route that matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the Internet gateway (IGW) associated with the VPC at the previous step. For an Internet gateway the target is passed with --gateway-id. If the route table already has a 0.0.0.0/0 route, the call fails with RouteAlreadyExists; use replace-route to change the existing route instead:

aws ec2 create-route \
	--region us-east-1 \
	--route-table-id rtb-0aaaabbbbccccdddd \
	--destination-cidr-block 0.0.0.0/0 \
	--gateway-id igw-0abcdabcdabcdabcd

03 The command output should return true if the request succeeds, otherwise, it should return an error:

{
    "Return": true
}

04 Sign in to your Cloud Conformity console, access Specific Gateway Attached to Specific VPC conformity rule settings and create a new specific ID set using the IDs of the VPC and Internet gateway (IGW) associated earlier in the process.

05 Repeat steps no. 1 – 4 to associate other specific Internet gateways with their VPCs.

06 If required, change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Case B: To attach a specific NAT gateway (NGW) to a specific Virtual Private Cloud (VPC), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to VPC dashboard at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under Virtual Private Cloud, click NAT Gateways.

04 Click Create NAT Gateway button from the dashboard top menu to initiate the setup process.

05 On Create NAT Gateway page, perform the following:

  1. Click inside the Subnet box and select the public subnet of the specific VPC, in which the new NAT gateway will reside.
  2. Click Create New EIP to allocate a new Elastic IP address and associate it automatically with the gateway.
  3. Click Create a NAT Gateway to deploy your new NAT gateway. If successful, the following message should be returned: "Your NAT gateway has been created. NAT Gateway ID: <gateway-id>." Click Edit route tables to redirect your request to the Route Tables listing page.

06 On the Route Tables listing page, select the main route table associated with the specific Virtual Private Cloud (VPC).

07 Select Routes tab from the dashboard bottom panel and click the Edit routes button.

08 On the Edit routes page, click the Add route button to set up a route to the newly created NGW. Specify 0.0.0.0/0 in the Destination box and select the ID of the associated NAT gateway from the Target list. Choose Save routes to apply the changes and click Close to return to the VPC dashboard. Two points to check before saving: a route table can hold only one route per destination, so if 0.0.0.0/0 already points at an Internet gateway you must edit that route rather than add a second one; and the public subnet that hosts the NAT gateway must keep a route table whose 0.0.0.0/0 target is the Internet gateway, so that subnet must not use a route table whose default route points at the NAT gateway.

09 Sign in to your Cloud Conformity console, access Specific Gateway Attached to Specific VPC conformity rule settings and create a new specific ID set using the IDs of the VPC and NAT gateway (NGW) attached at the previous steps.

10 Repeat steps no. 4 – 9 to attach other specific NAT gateways to their Virtual Private Clouds (VPCs).

11 If necessary, change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run create-nat-gateway command (OSX/Linux/UNIX) to create a new NAT gateway inside a public subnet of the specific VPC, and associate it with an Elastic IP address (EIP) that was allocated beforehand. The following command example creates a NAT gateway within a VPC subnet identified by the ID "subnet-1234abcd", using an Elastic IP address identified by the allocation ID "eipalloc-01234abcd1234abcd", in the US East (N. Virginia) region:

aws ec2 create-nat-gateway \
	--region us-east-1 \
	--allocation-id eipalloc-01234abcd1234abcd \
	--subnet-id subnet-1234abcd

02 The command output should return the new NAT gateway (NGW) metadata:

{
    "NatGateway": {
        "NatGatewayAddresses": [
            {
                "AllocationId": "eipalloc-01234abcd1234abcd"
            }
        ],
        "VpcId": "vpc-0abcdabcdabcdabcd",
        "State": "pending",
        "NatGatewayId": "nat-0abcdabcd12341234",
        "SubnetId": "subnet-1234abcd",
        "CreateTime": "2019-02-25T20:08:10.000Z"
    }
} 

03 Once the gateway State has changed from pending to available, run create-route command (OSX/Linux/UNIX) using the ID of the route table that serves the VPC's private subnets as identifier to create a new route that matches all IPv4 traffic (i.e. 0.0.0.0/0) and routes it to the NAT gateway (NGW) created at the previous steps. For a NAT gateway the target is passed with --nat-gateway-id (not --gateway-id, which is for Internet and virtual private gateways):

aws ec2 create-route \
	--region us-east-1 \
	--route-table-id rtb-0abcd1234abcd1234 \
	--destination-cidr-block 0.0.0.0/0 \
	--nat-gateway-id nat-0abcdabcd12341234

04 The command output should return true if the request succeeds, otherwise an error:

{
    "Return": true
}

05 Repeat steps no. 1 – 4 to attach other specific NAT gateways to their Virtual Private Clouds (VPCs).

06 If required, change the AWS region by updating the --region command parameter value and repeat the remediation/resolution process for other regions.
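Both remediation cases end by pointing a route table's default route at the new gateway, and the parameter that does it differs by gateway type (GatewayId for an Internet gateway, NatGatewayId for a NAT gateway). The added example below, which is not part of the original page or of AWS's or Conformity's code, plans that change from the dict shape boto3's describe_route_tables returns: it creates the route when there is none, replaces it when 0.0.0.0/0 already points elsewhere (EC2 rejects a second route for the same destination), does nothing when it already matches, and flags the two main-route-table pitfalls noted in the console steps. The sample route tables are constructed; apply_plan is the only function that would call AWS and expects a plain boto3 EC2 client.

```python
from typing import Any, Dict, Optional

DEFAULT_IPV4 = "0.0.0.0/0"


def gateway_kwarg(gateway_id: str) -> Dict[str, str]:
    """create_route / replace_route take the target under a type-specific key."""
    if gateway_id.startswith("igw-"):
        return {"GatewayId": gateway_id}
    if gateway_id.startswith("nat-"):
        return {"NatGatewayId": gateway_id}
    raise ValueError(f"unsupported gateway ID for a default route: {gateway_id}")


def is_main_route_table(route_table: dict) -> bool:
    """True if this table is the VPC's main table (used by every subnet without an explicit association)."""
    return any(a.get("Main") for a in route_table.get("Associations", []))


def current_default_target(route_table: dict) -> Optional[str]:
    """ID the existing 0.0.0.0/0 route points at, or None if there is no such route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_IPV4:
            return (route.get("GatewayId") or route.get("NatGatewayId")
                    or route.get("NetworkInterfaceId") or route.get("InstanceId"))
    return None


def plan_default_route(route_table: dict, gateway_id: str) -> Dict[str, Any]:
    """Decide which EC2 call (if any) makes 0.0.0.0/0 point at gateway_id.

    Returns {"action": "create"|"replace"|"noop", "kwargs": {...}, "warnings": [...]}.
    """
    target_kwarg = gateway_kwarg(gateway_id)  # raises early on an unsupported prefix
    current = current_default_target(route_table)
    kwargs = {"RouteTableId": route_table["RouteTableId"],
              "DestinationCidrBlock": DEFAULT_IPV4, **target_kwarg}
    if current == gateway_id:
        action, kwargs = "noop", {}
    elif current is None:
        action = "create"
    else:
        action = "replace"  # EC2 rejects a second route for the same destination
    warnings = []
    if is_main_route_table(route_table):
        if gateway_id.startswith("igw-"):
            warnings.append("main route table: every subnet without an explicit "
                            "association becomes internet-facing")
        else:
            warnings.append("main route table: the NAT gateway's own (public) subnet "
                            "must keep a route table whose default route is an IGW")
    return {"action": action, "kwargs": kwargs, "warnings": warnings}


def apply_plan(ec2, plan: Dict[str, Any]) -> bool:
    """Execute a plan with a boto3 EC2 client; returns the API's Return flag."""
    if plan["action"] == "noop":
        return True
    call = ec2.create_route if plan["action"] == "create" else ec2.replace_route
    # create_route answers {"Return": true}; replace_route returns no body on success.
    return bool(call(**plan["kwargs"]).get("Return", True))


# --- constructed sample route tables (illustrative, not real account output) ----
MAIN_RTB = {  # fresh main route table of vpc-01234123412341234: only the local route
    "RouteTableId": "rtb-0aaaabbbbccccdddd",
    "VpcId": "vpc-01234123412341234",
    "Associations": [{"Main": True, "RouteTableId": "rtb-0aaaabbbbccccdddd"}],
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
}
PRIVATE_RTB = {  # explicit private-subnet table whose default route still hits the IGW
    "RouteTableId": "rtb-0abcd1234abcd1234",
    "VpcId": "vpc-0abcdabcdabcdabcd",
    "Associations": [{"Main": False, "SubnetId": "subnet-0000000000000001"}],
    "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
               {"DestinationCidrBlock": DEFAULT_IPV4, "GatewayId": "igw-0abcdabcdabcdabcd"}],
}

if __name__ == "__main__":
    print(plan_default_route(MAIN_RTB, "igw-0abcdabcdabcdabcd"))   # create, with warning
    print(plan_default_route(PRIVATE_RTB, "nat-0abcdabcd12341234"))  # replace, no warning
```

To drive it from live data, fetch the table with describe_route_tables using the association.main and vpc-id filters (or the subnet's association.subnet-id filter for Case B), pass the first entry of RouteTables to plan_default_route, review the warnings, and then hand the plan to apply_plan.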

Publication date Mar 1, 2019