Checks whether an elastic IP address (EIP) is associated with each NAT gateway and whether source network address translation (SNAT) or destination network address translation (DNAT) entries are configured for the EIP. If so, the evaluation result is Compliant.
Scenarios
Paying attention to and managing NAT gateways that are not in use during idle periods helps enterprises better manage costs.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
If an EIP is associated with each NAT gateway and SNAT or DNAT entries are configured for the EIP, the evaluation result is Compliant.
If no EIP is associated with a NAT gateway or no SNAT or DNAT entries are configured for an EIP that is associated with a NAT gateway, the evaluation result is Non-compliant.
If the creation time of a NAT gateway is within the specified number of days, the evaluation result is Not Applicable. The default number of days is 7.
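The three evaluation outcomes above, applied to a few constructed NAT gateway records, as an added illustration rather than Alibaba Cloud's own implementation; the `NatGateway` dataclass, its field names and the sample records are assumptions, not the real resource schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "Compliant", "Non-compliant", "Not Applicable"


@dataclass
class NatGateway:
    """Hypothetical, minimal view of a NAT gateway resource (not the real API schema)."""
    gateway_id: str
    creation_time: datetime
    eips: list = field(default_factory=list)          # EIPs associated with the gateway
    snat_entries: dict = field(default_factory=dict)  # eip -> number of SNAT entries
    dnat_entries: dict = field(default_factory=dict)  # eip -> number of DNAT entries


def evaluate(gw: NatGateway, now: datetime, allocate_days: int = 7) -> str:
    """Mirror the rule's logic: Not Applicable for new gateways, else check EIP + entries."""
    # Gateways newer than allocateDays are still being set up (boundary treated as
    # inclusive here, which is an assumption): Not Applicable.
    if now - gw.creation_time <= timedelta(days=allocate_days):
        return NOT_APPLICABLE
    if not gw.eips:                                   # no EIP associated at all
        return NON_COMPLIANT
    # Every associated EIP must carry at least one SNAT or DNAT entry.
    for eip in gw.eips:
        if gw.snat_entries.get(eip, 0) == 0 and gw.dnat_entries.get(eip, 0) == 0:
            return NON_COMPLIANT
    return COMPLIANT


# Constructed sample inventory evaluated at a fixed point in time.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_GATEWAYS = [
    NatGateway("ngw-new", NOW - timedelta(days=2), eips=[]),
    NatGateway("ngw-no-eip", NOW - timedelta(days=30), eips=[]),
    NatGateway("ngw-idle-eip", NOW - timedelta(days=30), eips=["eip-a"]),
    NatGateway("ngw-ok", NOW - timedelta(days=30), eips=["eip-b"],
               snat_entries={"eip-b": 2}),
]


def evaluate_all(gateways=SAMPLE_GATEWAYS, now=NOW, allocate_days=7) -> dict:
    """Return {gateway_id: evaluation result} for an inventory."""
    return {gw.gateway_id: evaluate(gw, now, allocate_days) for gw in gateways}


if __name__ == "__main__":
    for gateway_id, result in evaluate_all().items():
        print(f"{gateway_id}: {result}")
```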
Rule details
| Item | Description |
| --- | --- |
| Rule name | internet-natgateway-idle-check |
| Rule ID | |
| Tag | NAT and NAT gateway |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | NAT gateway |
| Input parameter | allocateDays. Default value: 7 (days) |
Non-compliance remediation
Create a NAT gateway, associate an EIP with the NAT gateway, and configure SNAT or DNAT entries for the EIP. For more information, see Create and manage Internet NAT gateways.