Evaluates whether each NAT gateway has an associated elastic IP address (EIP) with source network address translation (SNAT) or destination network address translation (DNAT) entries configured. If so, the evaluation result is Compliant.
Scenarios
Identifying and managing idle NAT gateways helps reduce unnecessary costs.
Risk level
Default risk level: medium.
You can change the risk level based on your business requirements when you apply this rule.
Compliance evaluation logic
-
If an EIP is associated with each NAT gateway and SNAT or DNAT entries are configured for the EIP, the evaluation result is Compliant.
-
If no EIP is associated with a NAT gateway or no SNAT or DNAT entries are configured for an EIP that is associated with a NAT gateway, the evaluation result is Non-compliant.
-
If a NAT gateway was created within the specified number of days, the evaluation result is Not Applicable. The default value is 7 days.
Rule details
|
Item |
Description |
|
Rule name |
internet-natgateway-idle-check |
|
Rule ID |
|
|
Tag |
NAT and NAT gateway |
|
Automatic remediation |
Not supported |
|
Trigger type |
Configuration change |
|
Supported resource type |
NAT gateway |
|
Input parameter |
allocateDays. Default value: 7, in days |
Non-compliance remediation
Create a NAT gateway, associate an EIP with it, and configure SNAT or DNAT entries for the EIP. For more information, see Create and manage Internet NAT gateways.