Checks whether source network address translation (SNAT) or destination network address translation (DNAT) entries are configured for an EIP that is associated with each NAT gateway in a virtual private cloud (VPC). If so, the evaluation result is Compliant.
Scenarios
Identifying and managing NAT gateways in a VPC that are idle and not in use helps enterprises better manage costs.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
If SNAT or DNAT entries are configured for an EIP that is associated with each NAT gateway in a VPC, the evaluation result is Compliant.
If no SNAT or DNAT entries are configured for an EIP that is associated with a NAT gateway in a VPC, the evaluation result is Non-compliant.
If a NAT gateway in a VPC was created within the specified number of days, the evaluation result is Not Applicable. The default number of days is 7.
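The three outcomes above, applied to a constructed NAT gateway inventory, as an added example that is not part of the original page or of the Cloud Config service; the gateway and EIP records, IDs and addresses are hypothetical, and the treatment of a gateway with no EIP as Non-compliant is an assumption drawn from the remediation text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Evaluation outcomes used by the rule.
COMPLIANT = "Compliant"
NON_COMPLIANT = "Non-compliant"
NOT_APPLICABLE = "Not Applicable"

@dataclass
class Eip:
    address: str
    snat_entries: int = 0  # SNAT entries configured for this EIP
    dnat_entries: int = 0  # DNAT entries configured for this EIP

@dataclass
class NatGateway:
    gateway_id: str
    created_at: datetime
    eips: list = field(default_factory=list)

def evaluate(gateway, now, allocate_days=7):
    """Apply the rule's evaluation logic to one NAT gateway (allocate_days mirrors allocateDays)."""
    # Grace period first: a gateway newer than allocateDays is not evaluated at all.
    if now - gateway.created_at < timedelta(days=allocate_days):
        return NOT_APPLICABLE
    # Compliant as soon as any associated EIP carries an SNAT or DNAT entry.
    for eip in gateway.eips:
        if eip.snat_entries > 0 or eip.dnat_entries > 0:
            return COMPLIANT
    # Assumption: a gateway with no EIP at all is also Non-compliant, since the
    # remediation is to associate an EIP and then configure entries for it.
    return NON_COMPLIANT

def idle_gateways(gateways, now, allocate_days=7):
    """Return the IDs of gateways the rule would report as Non-compliant."""
    return [g.gateway_id for g in gateways
            if evaluate(g, now, allocate_days) == NON_COMPLIANT]

# Constructed sample inventory (hypothetical IDs and addresses, not real resources).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    NatGateway("ngw-active", NOW - timedelta(days=30), [Eip("203.0.113.10", snat_entries=2)]),
    NatGateway("ngw-idle", NOW - timedelta(days=30), [Eip("203.0.113.11")]),  # EIP, no entries
    NatGateway("ngw-no-eip", NOW - timedelta(days=30)),                       # no EIP bound
    NatGateway("ngw-new", NOW - timedelta(days=2), [Eip("203.0.113.12")]),    # in grace period
]

if __name__ == "__main__":
    for g in SAMPLE:
        print(f"{g.gateway_id}: {evaluate(g, NOW)}")
```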
Rule details
| Item | Description |
|---|---|
| Rule name | intranet-natgateway-idle-check |
| Rule ID | |
| Tag | NAT and NAT gateway |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | NAT gateway |
| Input parameter | allocateDays. Default value: 7, in days |
Non-compliance remediation
Associate an EIP with each NAT gateway in a VPC and configure SNAT or DNAT entries for the EIP. For more information, see Create and manage Internet NAT gateways.