AWS EC2 NAT gateway deleted

ID: aws_ec2_delete_nat_gateway
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0040:T1489

Description

AlphaSOC detected the use of the DeleteNatGateway action to delete an AWS EC2 Network Address Translation (NAT) gateway. NAT gateways allow instances in private subnets to securely access services outside the subnet. Deleting them may indicate an adversarial attempt to disrupt network connectivity or isolate systems from external resources.

Impact

Deleting an AWS EC2 NAT gateway can impact network connectivity for instances in private subnets, potentially causing service disruptions.

Severity

| Severity | Condition |
| --- | --- |
| Informational | AWS EC2 NAT gateway deleted |

Investigation and Remediation

Review AWS CloudTrail logs to identify the user or role that performed the DeleteNatGateway action and verify whether it was authorized. If unauthorized, rotate any potentially compromised credentials, perform a security audit for further signs of compromise, and restore network connectivity by creating a new NAT gateway.
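
The CloudTrail review described above can be scripted as a triage pass over exported log files. This is an added example, not AlphaSOC's code: the records are constructed, and because the nesting of `requestParameters` is an assumption, the gateway ID is located by key name at any depth.

```python
import json

# Constructed CloudTrail records for illustration (not real log data).
SAMPLE = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNatGateway", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY",
                      "arn": "arn:aws:sts::111122223333:assumed-role/NetOps/alice",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/NetOps"}}},
     "requestParameters": {"DeleteNatGatewayRequest": {"NatGatewayId": "nat-0example1"}}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNatGateway", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"natGatewayId": "nat-0example2"}},
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeNatGateways", "userIdentity": {"type": "IAMUser"}},
]})

def find_nat_gateway_id(node):
    """Find a NatGatewayId key at any depth; the nesting is not assumed."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "natgatewayid" and isinstance(value, str):
                return value
            found = find_nat_gateway_id(value)
            if found:
                return found
    return None

def nat_gateway_deletions(raw):
    """Return one triage row per DeleteNatGateway call, oldest first."""
    rows = []
    for rec in json.loads(raw).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != ("ec2.amazonaws.com", "DeleteNatGateway"):
            continue
        ident = rec.get("userIdentity") or {}
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        rows.append({
            "time": rec.get("eventTime"), "region": rec.get("awsRegion"),
            "principal": ident.get("arn"), "role": issuer.get("arn"),
            "access_key": ident.get("accessKeyId"), "source_ip": rec.get("sourceIPAddress"),
            "nat_gateway": find_nat_gateway_id(rec.get("requestParameters")),
            "succeeded": "errorCode" not in rec, "error": rec.get("errorCode"),
        })
    return sorted(rows, key=lambda r: r["time"] or "")
```

Rows with `succeeded` set to False are denied attempts, which still identify the credential to review; the `access_key` column tells you which key to rotate if the call was unauthorized.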