Evaluates whether SNAT or DNAT entries are configured for the elastic IP address (EIP) associated with each VPC NAT gateway. A NAT gateway is compliant if at least one SNAT or DNAT entry exists.
Scenarios
Monitoring and managing idle VPC NAT gateways helps reduce unnecessary costs.
Risk level
Default risk level: medium.
You can change the risk level based on your business requirements when you apply this rule.
Compliance evaluation logic
-
If SNAT or DNAT entries are configured for the EIP associated with a VPC NAT gateway, the evaluation result is Compliant.
-
If no SNAT or DNAT entries are configured for the EIP associated with a VPC NAT gateway, the evaluation result is Non-compliant.
-
If a VPC NAT gateway was created within the specified number of days, the evaluation result is Not Applicable. The default value is 7 days.
Rule details
|
Item |
Description |
|
Rule name |
intranet-natgateway-idle-check |
|
Rule ID |
|
|
Tag |
NAT and NAT gateway |
|
Automatic remediation |
Not supported |
|
Trigger type |
Configuration change |
|
Supported resource type |
NAT gateway |
|
Input parameter |
allocateDays. Default value: 7, in days |
Non-compliance remediation
To resolve non-compliance, associate an EIP with the VPC NAT gateway and configure SNAT or DNAT entries for the EIP. For more information, see Create and manage Internet NAT gateways.