6.10 Ensure NAT Gateways are created in at least 2 Availability Zones - Subnet2

Information

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances.

To create a NAT gateway, you must specify the public subnet in which the NAT gateway will reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. This enables instances in your private subnets to communicate with the Internet.

Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone only; it does not survive the loss of that zone. To keep instances in private subnets able to connect to the Internet or other AWS services (while still preventing the Internet from initiating a connection with those instances) if one zone fails, NAT Gateways should be created in at least 2 Availability Zones.

Some AWS Regions have more than 2 Availability Zones; in that case it is recommended to create a NAT Gateway in each of the public subnets used.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Using the Amazon unified command line interface:

* Create a NAT Gateway in a public subnet from a different Availability Zone:

aws ec2 create-nat-gateway --subnet-id <public_subnet1> --allocation-id <elastic_ip_allocation1>

and/or

aws ec2 create-nat-gateway --subnet-id <public_subnet2> --allocation-id <elastic_ip_allocation2>
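To verify the control after remediation, the number of Availability Zones that actually hold a working NAT gateway has to be counted per VPC, which the CLI does not report directly. The following script is an added example, not part of this benchmark item or of Nessus; it evaluates constructed JSON shaped like the output of `aws ec2 describe-nat-gateways` and `aws ec2 describe-subnets` (all VPC, subnet and gateway IDs and zone names are hypothetical) and flags every VPC with fewer than 2 zones covered by an `available` NAT gateway.

```python
import json

# Constructed sample data in the shape of `aws ec2 describe-nat-gateways`
# and `aws ec2 describe-subnets` output; every ID and zone name is hypothetical.
# vpc-0001: gateways in two zones (compliant)
# vpc-0002: two gateways, both in us-east-1a, plus a deleted one in 1b (not compliant)
# vpc-0003: subnets but no NAT gateway at all (not compliant)
NAT_GATEWAYS_JSON = """
{
  "NatGateways": [
    {"NatGatewayId": "nat-0aaa", "VpcId": "vpc-0001", "SubnetId": "subnet-0a1", "State": "available"},
    {"NatGatewayId": "nat-0bbb", "VpcId": "vpc-0001", "SubnetId": "subnet-0b1", "State": "available"},
    {"NatGatewayId": "nat-0ccc", "VpcId": "vpc-0002", "SubnetId": "subnet-0a2", "State": "available"},
    {"NatGatewayId": "nat-0ddd", "VpcId": "vpc-0002", "SubnetId": "subnet-0a3", "State": "available"},
    {"NatGatewayId": "nat-0eee", "VpcId": "vpc-0002", "SubnetId": "subnet-0b2", "State": "deleted"}
  ]
}
"""

SUBNETS_JSON = """
{
  "Subnets": [
    {"SubnetId": "subnet-0a1", "VpcId": "vpc-0001", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0b1", "VpcId": "vpc-0001", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-0a2", "VpcId": "vpc-0002", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0a3", "VpcId": "vpc-0002", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0b2", "VpcId": "vpc-0002", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-0c3", "VpcId": "vpc-0003", "AvailabilityZone": "us-east-1c"}
  ]
}
"""


def nat_gateway_azs_by_vpc(nat_gateways, subnets):
    """Map each VPC ID to the set of Availability Zones holding an available NAT gateway."""
    az_by_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}
    # Start from every VPC that has subnets so VPCs with zero gateways are reported too.
    result = {s["VpcId"]: set() for s in subnets["Subnets"]}
    for ngw in nat_gateways["NatGateways"]:
        # Only an 'available' gateway provides egress; pending, failed, deleting
        # and deleted gateways do not count toward redundancy.
        if ngw.get("State") != "available":
            continue
        az = az_by_subnet.get(ngw["SubnetId"])
        if az is None:
            continue  # subnet not in the inventory; cannot attribute a zone
        result.setdefault(ngw["VpcId"], set()).add(az)
    return result


def evaluate(nat_gateways, subnets, minimum_azs=2):
    """Return {vpc_id: {"availability_zones": [...], "compliant": bool}} for every VPC."""
    findings = {}
    for vpc_id, azs in nat_gateway_azs_by_vpc(nat_gateways, subnets).items():
        findings[vpc_id] = {
            "availability_zones": sorted(azs),
            "compliant": len(azs) >= minimum_azs,
        }
    return findings


def evaluate_json(nat_json, subnets_json, minimum_azs=2):
    """Convenience wrapper that accepts the raw JSON text of the two CLI calls."""
    return evaluate(json.loads(nat_json), json.loads(subnets_json), minimum_azs)


if __name__ == "__main__":
    for vpc_id, finding in sorted(evaluate_json(NAT_GATEWAYS_JSON, SUBNETS_JSON).items()):
        status = "PASS" if finding["compliant"] else "FAIL"
        print(f"{status} {vpc_id}: NAT gateways in {finding['availability_zones']}")
```

Against a real account, feed it the output of `aws ec2 describe-nat-gateways --output json` and `aws ec2 describe-subnets --output json` for the region under review. Note that zone coverage alone does not prove that each private subnet's route table points at the NAT gateway in its own zone; route tables still have to be reviewed separately.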

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(22)

Plugin: amazon_aws

Control ID: 5805393c03959767ac07b6beb0754868197246bf5acbcccea13d113e4a899466