Unused VPC Internet Gateways

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: VPC-007

Identify and remove any unused VPC Internet Gateways (IGWs) and VPC Egress-Only Internet Gateways (EIGWs) in order to adhere to best practices and to avoid approaching the service limit (by default, you are limited to 5 IGWs and 5 EIGWs per AWS region). An Internet Gateway or Egress-Only Internet Gateway is evaluated as unused when it is no longer attached to an AWS Virtual Private Cloud (VPC). The Cloud Conformity Service Limits feature (integrated with the Amazon Trusted Advisor service) can also help you ensure that the allocation of AWS VPC resources is not reaching the service limit.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected pillars: Sustainability, Performance efficiency

For better management of your VPC resources, all unused (detached) Internet Gateways and Egress-Only Internet Gateways should be removed from your AWS VPC environment.


Audit

To identify any unused IGWs and EIGWs provisioned within your AWS Virtual Private Cloud (VPC), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 To determine the VPC gateway resource state based on its type, perform the following actions:

  1. For AWS VPC Internet Gateways (IGWs):
    • In the left navigation panel, under Virtual Private Cloud, click Internet Gateways.
    • Select the VPC IGW that you want to examine.
    • Select the Summary tab from the dashboard bottom panel and check the value set for the State configuration attribute listed below the resource ID. If the current State value is "detached", the selected Internet Gateway is not attached to an AWS Virtual Private Cloud (VPC); therefore the gateway should be marked as unused and can be safely removed from your AWS account.
  2. For AWS VPC Egress-Only Internet Gateways (EIGWs):
    • In the left navigation panel, under Virtual Private Cloud section, click Egress Only Internet Gateways.
    • Select the VPC EIGW that you want to examine.
    • Select the Summary tab from the dashboard bottom panel and verify the value set for the Attached VPC ID attribute listed next to the resource ID. If the Attached VPC ID attribute has no value assigned, the selected Egress-Only Internet Gateway is not attached to an AWS VPC; therefore the egress-only gateway should be marked as unused and can be safely removed from your AWS account.

04 Repeat step no. 3 (a and b) to check the attachment status for other AWS VPC IGWs and EIGWs provisioned within the current region.

05 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 To determine the Amazon VPC gateway attachment state based on the resource type, perform the following:

  1. For AWS VPC Internet Gateways (IGWs):
    • Run describe-internet-gateways command (OSX/Linux/UNIX) using custom query filters to list the IDs of all VPC Internet Gateways provisioned in the selected region:
      aws ec2 describe-internet-gateways \
        --region us-east-1 \
        --output table \
        --query 'InternetGateways[*].InternetGatewayId'
      
    • The command output should return a table with the requested IGW IDs:
      --------------------------
      |DescribeInternetGateways|
      +------------------------+
      |  igw-37666b50          |
      |  igw-816810e5          |
      +------------------------+
      
    • Run again describe-internet-gateways command (OSX/Linux/UNIX) to describe the current state of the VPC attachment for the selected IGW:
      aws ec2 describe-internet-gateways \
        --region us-east-1 \
        --filters "Name=internet-gateway-id,Values=igw-37666b50" \
        --query 'InternetGateways[*].Attachments[]'
      
    • The command output should return an array that contains the attachment status for the selected VPC IGW:
      []
      
    • If the describe-internet-gateways command output returns an empty array, i.e. [ ] (as shown in the example above), the selected Internet Gateway does not have any attachment information available, meaning that the gateway is not currently attached to an AWS VPC, therefore the IGW should be marked as unused and deleted from your AWS account.
  2. For AWS VPC Egress-Only Internet Gateways (EIGWs):
    • Run describe-egress-only-internet-gateways command (OSX/Linux/UNIX) using custom query filters to list the IDs of all VPC Egress-Only Internet Gateways created within the selected region:
      aws ec2 describe-egress-only-internet-gateways \
        --region us-east-1 \
        --output table \
        --query 'EgressOnlyInternetGateways[*].EgressOnlyInternetGatewayId'
      
    • The command output should return a table with the requested EIGW IDs:
      ------------------------------------
      |DescribeEgressOnlyInternetGateways|
      +----------------------------------+
      |  eigw-0c663c1d435f80f30          |
      |  eigw-0c842d2d231f80045          |
      |  eigw-0733ve1d845f8d897          |
      +----------------------------------+
      
    • Now run describe-egress-only-internet-gateways command (OSX/Linux/UNIX) to reveal the current state of the VPC attachment for the selected EIGW:
      aws ec2 describe-egress-only-internet-gateways \
        --region us-east-1 \
        --egress-only-internet-gateway-ids eigw-0c663c1d435f80f30 \
        --query 'EgressOnlyInternetGateways[*].Attachments[]'
      
    • The command output should return an array that contains the attachment status for the selected AWS VPC EIGW:
      []
      
    • If the describe-egress-only-internet-gateways command output returns an empty array, i.e. [ ] (as shown in the example above), the selected Egress-Only Internet Gateway (EIGW) does not have any attachment information currently available, meaning that the egress-only gateway is not attached to an AWS VPC at this moment, therefore the EIGW should be marked as unused and removed from your AWS account.

02 Repeat step no. 1 (a and b) to check the attachment status for other AWS VPC IGWs/EIGWs provisioned in the current region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.
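The CLI audit above can be scripted so that the attachment check runs over every gateway in a region at once and also reports how close the region is to the default limit of 5 IGWs and 5 EIGWs. The following helper is an added example, not Conformity's own code: it works on the JSON returned by describe-internet-gateways and describe-egress-only-internet-gateways, the sample responses and the vpc-00000000 ID are constructed placeholders, and audit_region (which shells out to the AWS CLI) assumes valid credentials.

```python
"""Audit helper: flag detached Internet Gateways (IGWs) and Egress-Only Internet
Gateways (EIGWs) in the JSON that `aws ec2 describe-internet-gateways` and
`aws ec2 describe-egress-only-internet-gateways` return."""
import json
import subprocess

DEFAULT_LIMIT = 5  # default per-region quota for IGWs and for EIGWs (see rule text)


def unused_gateway_ids(response, list_key, id_key):
    """IDs of gateways with no VPC attachment. An empty Attachments array is the
    CLI signal used in the audit steps; attachments whose State is 'detached' are
    treated the same way (assumption mirroring the console's State check)."""
    unused = []
    for gw in response.get(list_key, []):
        attachments = gw.get("Attachments", [])
        if all(a.get("State") == "detached" for a in attachments):  # True for []
            unused.append(gw[id_key])
    return unused


def audit_gateways(igw_response, eigw_response):
    """Run both checks for one region and flag counts that reached the default limit."""
    igws = igw_response.get("InternetGateways", [])
    eigws = eigw_response.get("EgressOnlyInternetGateways", [])
    return {
        "unused_igws": unused_gateway_ids(igw_response, "InternetGateways", "InternetGatewayId"),
        "unused_eigws": unused_gateway_ids(eigw_response, "EgressOnlyInternetGateways",
                                           "EgressOnlyInternetGatewayId"),
        "igw_count": len(igws), "igw_at_limit": len(igws) >= DEFAULT_LIMIT,
        "eigw_count": len(eigws), "eigw_at_limit": len(eigws) >= DEFAULT_LIMIT,
    }


def audit_region(region):
    """Live variant: query the AWS CLI for one region (needs credentials; not run here)."""
    def describe(command):
        proc = subprocess.run(["aws", "ec2", command, "--region", region, "--output", "json"],
                              check=True, capture_output=True, text=True)
        return json.loads(proc.stdout)
    return audit_gateways(describe("describe-internet-gateways"),
                          describe("describe-egress-only-internet-gateways"))


# Constructed sample responses shaped like the CLI output (vpc-00000000 is a placeholder).
SAMPLE_IGWS = {"InternetGateways": [
    {"InternetGatewayId": "igw-37666b50", "Attachments": []},
    {"InternetGatewayId": "igw-816810e5",
     "Attachments": [{"State": "available", "VpcId": "vpc-00000000"}]}]}
SAMPLE_EIGWS = {"EgressOnlyInternetGateways": [
    {"EgressOnlyInternetGatewayId": "eigw-0c663c1d435f80f30", "Attachments": []},
    {"EgressOnlyInternetGatewayId": "eigw-0c842d2d231f80045",
     "Attachments": [{"State": "attached", "VpcId": "vpc-00000000"}]}]}
```

Run audit_region for each region in `aws ec2 describe-regions` to cover the whole account, as the audit step 03 instructs for manual checks.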

Remediation / Resolution

To remove any unused IGWs and EIGWs available within your Amazon VPC, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/.

03 To delete an unused VPC gateway resource based on its type, perform the following:

  1. For AWS VPC Internet Gateways (IGWs):
    • In the left navigation panel, under Virtual Private Cloud, click Internet Gateways.
    • Select the VPC IGW that you want to remove.
    • Click the Delete button from the dashboard top menu to initiate the removal process.
    • Within the Delete Internet Gateway dialog box, review the gateway details then click Yes, Delete to confirm the action.
  2. For AWS VPC Egress-Only Internet Gateways (EIGWs):
    • In the left navigation panel, under Virtual Private Cloud section, click Egress Only Internet Gateways.
    • Select the VPC EIGW that you want to remove.
    • Click the Delete button from the dashboard top menu to initiate the gateway removal.
    • Inside the Delete dialog box, review the egress-only gateway details (ID) then click the Delete Egress Only Internet Gateway button to confirm the action.

04 Repeat step no. 3 (a and b) to remove other unused VPC IGWs and EIGWs available in the current region.

05 Change the AWS region from the navigation bar and repeat the entire remediation/resolution process for other regions.

Using AWS CLI

01 To delete your unused VPC internet gateways based on their resource type, perform the following commands:

  1. For AWS VPC Internet Gateways (IGWs):
    • Run delete-internet-gateway command (OSX/Linux/UNIX) to remove the unused IGW selected (see Audit section part II to identify the right VPC resource). The following command example deletes an AWS VPC Internet Gateway identified by the ID igw-37666b50, provisioned within the US East (N. Virginia) region (the command does not produce an output):
      aws ec2 delete-internet-gateway \
        --region us-east-1 \
        --internet-gateway-id igw-37666b50
      
  2. For AWS VPC Egress-Only Internet Gateways (EIGWs):
    • Run delete-egress-only-internet-gateway command (OSX/Linux/UNIX) to delete the unused EIGW specified (see Audit section part II to identify the right resource). The following command example deletes an AWS VPC Egress-Only Internet Gateway identified by the ID eigw-0c663c1d435f80f30, available in the US East (N. Virginia) region:
      aws ec2 delete-egress-only-internet-gateway \
        --region us-east-1 \
        --egress-only-internet-gateway-id eigw-0c663c1d435f80f30
      
    • The command output should return a ReturnCode of true if the request succeeds; otherwise, it should return an error:
      {
          "ReturnCode": true
      }
      

02 Repeat step no. 1 (a and b) to remove other unused VPC IGWs and EIGWs provisioned within the current region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the entire process for other regions.

Publication date Jun 22, 2017