All Products
Search
Document Center

Cloud Config:internet-natgateway-idle-check

Last Updated:Jun 23, 2026

Evaluates whether each NAT gateway has an associated elastic IP address (EIP) with source network address translation (SNAT) or destination network address translation (DNAT) entries configured. If so, the evaluation result is Compliant.

Scenarios

Identifying and managing idle NAT gateways helps reduce unnecessary costs.

Risk level

Default risk level: medium.

You can change the risk level based on your business requirements when you apply this rule.

Compliance evaluation logic

  • If an EIP is associated with each NAT gateway and SNAT or DNAT entries are configured for the EIP, the evaluation result is Compliant.

  • If no EIP is associated with a NAT gateway or no SNAT or DNAT entries are configured for an EIP that is associated with a NAT gateway, the evaluation result is Non-compliant.

  • If a NAT gateway was created within the specified number of days, the evaluation result is Not Applicable. The default value is 7 days.

Rule details

Item

Description

Rule name

internet-natgateway-idle-check

Rule ID

internet-natgateway-idle-check

Tag

NAT and NAT gateway

Automatic remediation

Not supported

Trigger type

Configuration change

Supported resource type

NAT gateway

Input parameter

allocateDays. Default value: 7, in days

Non-compliance remediation

Create a NAT gateway, associate an EIP with it, and configure SNAT or DNAT entries for the EIP. For more information, see Create and manage Internet NAT gateways.