Description:
An Internet Gateway allows communication between a VPC and the internet. It provides a target in your VPC route tables for internet-routable traffic and performs network address translation (NAT) for instances that have been assigned public IPv4 addresses. It supports both IPv4 and IPv6 traffic. To give instances in a subnet of a VPC access to the internet, an internet gateway must be attached to that VPC.
Rationale:
To let instances reach the internet without assigning them public IP addresses, a NAT device can be used; in AWS an Internet Gateway can be used instead of a NAT device. Because an attached Internet Gateway exposes the VPC to the internet, it should be attached only to authorized VPCs.
This policy checks that Internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs). The rule is NON_COMPLIANT if an IGW is not attached to an authorized VPC.
Impact:
After following this policy you will be able to determine whether an Internet Gateway is attached to an authorized VPC. If you do not want a gateway attached to the default VPC, you can detach it, ensuring that only the right gateways are attached to your Amazon Virtual Private Clouds and improving your overall network security posture.
Default Value:
By default, AWS does not contain any VPC or Gateway.
Pre-Requisite:
Before attaching the Internet Gateway, make sure that the VPC is authorized.
Remediation:
Test Plan:
Before auditing, you need to know which VPCs are authorized by your organization and which gateway is associated with which VPC.
Login to AWS Management Console
Go to the VPC dashboard at https://console.aws.amazon.com/vpc/
Click on Internet Gateways in the left navigation pane and choose the Internet Gateway you want to examine
Click on Actions and select View details
- In the details you can see the Internet gateway ID (igw-xxxxxxx) and its state; if it is attached to a VPC, the VPC ID is shown for that Internet Gateway
Using AWS CLI:
To describe your internet gateways (omit --internet-gateway-ids to list every gateway in the region):
aws ec2 describe-internet-gateways --internet-gateway-ids igw-xxxxxxx
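The audit above still leaves you to compare each gateway's VPC ID against your authorized list by hand. The following script is an added example (not part of this policy document or any AWS tool): it takes the JSON that aws ec2 describe-internet-gateways prints, compares every attachment against a list of authorized VPC IDs, and reports each gateway as COMPLIANT or NON_COMPLIANT in the sense of the rule. The sample output and all IDs are constructed placeholders, and treating a detached gateway as COMPLIANT is this example's assumption.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-internet-gateways` output.
# All IDs are placeholders, not real resources.
SAMPLE_OUTPUT = json.dumps({"InternetGateways": [
    {"InternetGatewayId": "igw-0a1b2c3d4e5f60001",            # attached to authorized VPC
     "Attachments": [{"State": "available", "VpcId": "vpc-0a1b2c3d4e5f6a7b8"}]},
    {"InternetGatewayId": "igw-0a1b2c3d4e5f60002",            # attached to e.g. the default VPC
     "Attachments": [{"State": "available", "VpcId": "vpc-0ffffffffffffffff"}]},
    {"InternetGatewayId": "igw-0a1b2c3d4e5f60003",            # not attached to any VPC
     "Attachments": []},
]})


def evaluate(describe_output, authorized_vpcs):
    """Mirror the rule: an IGW is NON_COMPLIANT when any of its attachments points
    at a VPC outside the authorized set. A detached IGW exposes no VPC, so it is
    reported COMPLIANT here (an assumption of this example, not a statement of
    the AWS rule). Returns {igw_id: (status, [attached vpc ids])}."""
    authorized = set(authorized_vpcs)
    findings = {}
    for igw in json.loads(describe_output)["InternetGateways"]:
        attached = sorted(a["VpcId"] for a in igw.get("Attachments", []))
        status = "NON_COMPLIANT" if set(attached) - authorized else "COMPLIANT"
        findings[igw["InternetGatewayId"]] = (status, attached)
    return findings


def report(findings):
    """Return one tab-separated line per IGW, NON_COMPLIANT gateways first."""
    order = sorted(findings, key=lambda k: (findings[k][0] == "COMPLIANT", k))
    return [f"{k}\t{findings[k][0]}\t{','.join(findings[k][1]) or '(detached)'}"
            for k in order]


if __name__ == "__main__":
    # Usage: aws ec2 describe-internet-gateways | python3 check_igw.py vpc-aaa,vpc-bbb
    # With no piped input the constructed sample is evaluated instead.
    authorized = sys.argv[1].split(",") if len(sys.argv) > 1 else []
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print("\n".join(report(evaluate(data, authorized))))
```

Any gateway reported NON_COMPLIANT is a candidate for the detach and re-attach steps in the Implementation Steps below.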
Implementation Steps:
Login to AWS Management Console
Go to the VPC dashboard at https://console.aws.amazon.com/vpc/
Click on Internet Gateways in the left navigation pane and choose the Internet Gateway you want to attach to the authorized VPC
- If the internet gateway is attached to another VPC that you do not want to use, click the Actions button and select Detach from VPC (an internet gateway can be attached to only one VPC at a time)
- Click the Actions button and select Attach to VPC
- Select the authorized VPC and then click the Attach internet gateway button
Using AWS CLI:
To attach an Internet gateway to your VPC:
aws ec2 attach-internet-gateway --internet-gateway-id igw-xxxxxxx --vpc-id vpc-xxxxxxxx
Backout Plan:
If you want to detach the Internet Gateway from the VPC, follow these steps:
For the selected Internet Gateway, click Actions and then Detach from VPC
Click Detach internet gateway to confirm that you want to detach it from the VPC.
Using AWS CLI:
To detach an Internet gateway from your VPC:
aws ec2 detach-internet-gateway --internet-gateway-id igw-xxxxxxx --vpc-id vpc-xxxxxxxx