Amazon EC2

Unused VPC Egress Only Internet Gateways

This plugin ensures that unused Egress Only Internet Gateways are removed

Risk Level: Low

Description

This plugin ensures that unused Egress Only Internet Gateways are removed. Unused AWS Egress Only Internet Gateways can create unnecessary complexity for your infrastructure. They should be removed to follow best security practices.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With EC2 you can launch as many virtual servers as you need, configure security and networking, and manage storage without having to provision the underlying hardware. Security Groups act as a firewall for an EC2 instance, controlling its incoming and outgoing traffic. You can read more about security groups here.

Impact

Unused Egress Only Internet Gateways add complexity to the cloud infrastructure. Moreover, they count toward the egress-only internet gateway limit and can prevent new resources from launching once that limit is reached. Therefore, it is recommended to remove unused Egress Only Internet Gateways.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in.
  3. Move to Egress Only Internet Gateways in the VIRTUAL PRIVATE CLOUD (VPC) section of the left navigation pane.
  4. A list of Egress Only Internet Gateways in the region will appear. Scroll right to the Attached VPC ID column. If the value is empty, the gateway is unused and the vulnerability exists.
  5. Repeat these steps for all the Egress Only Internet Gateways you want to investigate.

Steps for Remediation

Remove the unused/detached Egress-Only Internet Gateways:

  1. Log In to your AWS Console.
  2. Open the VPC Management Console. You can use this link (https://console.aws.amazon.com/vpc) to navigate directly if already logged in.
  3. Move to Egress Only Internet Gateways in the VIRTUAL PRIVATE CLOUD (VPC) section of the left navigation pane.
  4. A list of Egress Only Internet Gateways in the region will appear. Select the vulnerable gateway by clicking on the checkbox next to it.
  5. From the Actions menu, select Delete egress only Internet Gateway.
  6. Repeat these steps for all the vulnerable Egress Only Internet Gateways.
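The same check and remediation can be scripted instead of clicked through. The following is an added example, not code from the plugin or from AWS: it classifies gateways from the shape boto3 returns for describe_egress_only_internet_gateways (an empty Attachments list is the console's empty "Attached VPC ID" column), and the live scan_region helper is an assumption that requires boto3 and valid credentials; all gateway and VPC IDs in the sample are constructed.

```python
"""Find (and optionally delete) egress-only internet gateways with no attached VPC."""
from typing import Dict, List

# Constructed sample shaped like boto3's ec2.describe_egress_only_internet_gateways()
# response. The IDs are made up; only the structure matters.
SAMPLE_RESPONSE: Dict = {
    "EgressOnlyInternetGateways": [
        {"EgressOnlyInternetGatewayId": "eigw-0aaa111122223333a",
         "Attachments": [{"State": "attached", "VpcId": "vpc-0123456789abcdef0"}]},
        {"EgressOnlyInternetGatewayId": "eigw-0bbb111122223333b",
         "Attachments": []},
        {"EgressOnlyInternetGatewayId": "eigw-0ccc111122223333c"},  # no Attachments key
    ]
}


def unused_egress_only_igws(response: Dict) -> List[str]:
    """Return the IDs of gateways that have no live VPC attachment.

    A gateway counts as attached only if an attachment carries a VpcId and is not
    in the 'detached' state; anything else is the empty 'Attached VPC ID' case.
    """
    unused = []
    for gw in response.get("EgressOnlyInternetGateways", []):
        live = [a for a in gw.get("Attachments", [])
                if a.get("VpcId") and a.get("State") != "detached"]
        if not live:
            unused.append(gw["EgressOnlyInternetGatewayId"])
    return unused


def scan_region(region: str, delete: bool = False) -> List[str]:
    """Assumed live helper: run the check against one region, deleting on request.

    Needs boto3 and AWS credentials; the import is deferred so the offline
    classification above works without it. delete=True performs the page's
    remediation step for every unused gateway found.
    """
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    found: List[str] = []
    for page in ec2.get_paginator("describe_egress_only_internet_gateways").paginate():
        found.extend(unused_egress_only_igws(page))
    if delete:
        for gw_id in found:
            ec2.delete_egress_only_internet_gateway(EgressOnlyInternetGatewayId=gw_id)
    return found


if __name__ == "__main__":
    print("Unused in sample:", unused_egress_only_igws(SAMPLE_RESPONSE))
```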