All Products
Search
Document Center

Cloud Config:intranet-natgateway-idle-check

Last Updated:Jun 23, 2026

Evaluates whether SNAT or DNAT entries are configured for the elastic IP address (EIP) associated with each VPC NAT gateway. A NAT gateway is compliant if at least one SNAT or DNAT entry exists.

Scenarios

Monitoring and managing idle VPC NAT gateways helps reduce unnecessary costs.

Risk level

Default risk level: medium.

You can change the risk level based on your business requirements when you apply this rule.

Compliance evaluation logic

  • If SNAT or DNAT entries are configured for the EIP associated with a VPC NAT gateway, the evaluation result is Compliant.

  • If no SNAT or DNAT entries are configured for the EIP associated with a VPC NAT gateway, the evaluation result is Non-compliant.

  • If a VPC NAT gateway was created within the specified number of days, the evaluation result is Not Applicable. The default value is 7 days.

Rule details

Item

Description

Rule name

intranet-natgateway-idle-check

Rule ID

intranet-natgateway-idle-check

Tag

NAT and NAT gateway

Automatic remediation

Not supported

Trigger type

Configuration change

Supported resource type

NAT gateway

Input parameter

allocateDays. Default value: 7, in days

Non-compliance remediation

To resolve non-compliance, associate an EIP with the VPC NAT gateway and configure SNAT or DNAT entries for the EIP. For more information, see Create and manage Internet NAT gateways.