
VPC Cloud NAT Changed

This alert occurs when Lacework detects changes made to the configuration of a Cloud NAT (Network Address Translation) gateway in a Virtual Private Cloud (VPC) network.

Cloud NAT allows instances that have no external IP address to reach the internet by translating their private source addresses to one or more external addresses owned by the NAT gateway. Because the gateway only translates outbound connections and does not accept unsolicited inbound traffic, those instances are not directly reachable from the internet; this reduces exposure, but it does not replace VPC firewall rules.

The alert is triggered when the Cloud NAT gateway configuration is changed, for example when the external IP addresses used for translation change (or switch between automatic and manual allocation), when the subnets or IP ranges covered by the gateway change, when the port allocation per VM changes, or when NAT logging is enabled, disabled, or re-filtered.

Why this alert is important

A changed Cloud NAT configuration can affect both security and availability. Moving egress to different external addresses breaks IP allowlists that partners or downstream services maintain and can route traffic through addresses you did not plan for; removing subnets from NAT coverage or reducing the ports allocated per VM causes outbound connection failures; disabling NAT logging removes your visibility into what the instances behind the gateway talk to. If the change was not made by an authorized operator or pipeline, it may also be one step in a larger intrusion.

Investigation

Follow these steps to investigate the alert:

  1. Review the Admin Activity audit logs to determine when the change was made, by which principal, and from which caller IP. In Google Cloud, Cloud NAT settings live on a Cloud Router, so the change appears as a compute routers patch, update, insert, or delete operation, and the request body of that log entry records the new NAT settings. Compare the principal with the operators and deployment pipelines that are allowed to change this gateway, and look for patterns or anomalies (unusual hour, unfamiliar address, a principal that normally never touches networking) that suggest the change was unauthorized.
  2. If the change was not authorized, determine its extent: which NAT gateways, subnets, and workloads were affected, and whether the same principal or credential made other changes in the project. This determines how to prioritize your response.
  3. Collect VPC Flow Logs and, where it was still enabled, Cloud NAT logging for the affected period to determine whether there were unauthorized outbound connections or data exfiltration. Correlate the egress destinations with the time of the change to establish whether any data left the network.
  4. Identify and isolate any compromised systems from the network to prevent further damage.
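The first step above, worked as an added example that is not part of the original page or of Lacework's own detection logic. It reads Admin Activity audit-log entries as JSON lines, keeps only the Cloud Router operations that carry Cloud NAT changes, and reports who made each change, from where, and which settings in the request body deserve attention. The log lines are constructed for the example: the top-level fields follow the documented Cloud Audit Logs shape for Compute Engine, but the project, principals, addresses, and request bodies are invented, and the exact request payload of a real routers.patch call depends on what the caller sent.

```python
import json

# Constructed sample audit-log entries (not real exports). Entry 1 is noise,
# entry 2 is a routine change by the IaC service account, entry 3 is an
# off-hours change from an external address that disables logging, switches
# to a single manual NAT IP, narrows coverage and cuts the port budget.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2024-05-01T09:14:02Z",
        "resource": {"type": "gce_instance"},
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "deploy@example-proj.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "10.0.0.5"},
            "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-1",
        },
    }),
    json.dumps({
        "timestamp": "2024-05-01T10:02:11Z",
        "resource": {"type": "gce_router"},
        "protoPayload": {
            "methodName": "v1.compute.routers.patch",
            "authenticationInfo": {"principalEmail": "terraform@example-proj.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "10.0.0.9"},
            "resourceName": "projects/example-proj/regions/us-central1/routers/prod-router",
            "request": {"nats": [{
                "name": "prod-nat",
                "natIpAllocateOption": "AUTO_ONLY",
                "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
                "logConfig": {"enable": True, "filter": "ERRORS_ONLY"},
            }]},
        },
    }),
    json.dumps({
        "timestamp": "2024-05-01T23:47:39Z",
        "resource": {"type": "gce_router"},
        "protoPayload": {
            "methodName": "v1.compute.routers.patch",
            "authenticationInfo": {"principalEmail": "contractor@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.77"},
            "resourceName": "projects/example-proj/regions/us-central1/routers/prod-router",
            "request": {"nats": [{
                "name": "prod-nat",
                "natIpAllocateOption": "MANUAL_ONLY",
                "natIps": ["projects/example-proj/regions/us-central1/addresses/egress-ip-new"],
                "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
                "subnetworks": [{"name": "projects/example-proj/regions/us-central1/subnetworks/app-subnet"}],
                "logConfig": {"enable": False},
                "minPortsPerVm": 16,
            }]},
        },
    }),
]

# Cloud NAT is configured on a Cloud Router, so these are the methods to watch.
# Method names carry an API version prefix (v1, beta), hence the suffix match.
ROUTER_METHODS = ("compute.routers.patch", "compute.routers.update",
                  "compute.routers.insert", "compute.routers.delete")


def nat_flags(nat):
    """Human-readable reasons a NAT config in a request body deserves a look."""
    flags = []
    if (nat.get("logConfig") or {}).get("enable") is False:
        flags.append("NAT logging disabled")
    if nat.get("natIpAllocateOption") == "MANUAL_ONLY":
        ips = ", ".join(a.rsplit("/", 1)[-1] for a in nat.get("natIps", []))
        flags.append(f"manual NAT IPs set: {ips or '(none)'}")
    if nat.get("sourceSubnetworkIpRangesToNat") == "LIST_OF_SUBNETWORKS":
        subs = ", ".join(s["name"].rsplit("/", 1)[-1] for s in nat.get("subnetworks", []))
        flags.append(f"NAT coverage narrowed to subnets: {subs or '(none)'}")
    if "minPortsPerVm" in nat:
        flags.append(f"minPortsPerVm set to {nat['minPortsPerVm']}")
    return flags


def triage_nat_changes(log_lines, authorized_principals):
    """Pick Cloud Router (Cloud NAT) changes out of audit-log JSON lines.

    Returns one record per (change, NAT), oldest first, with who/when/where and
    why it stands out. A change counts as authorized only if the principal is
    on the allow-list the caller passes (for example the IaC service account).
    """
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if not method.endswith(ROUTER_METHODS):
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "?")
        base = {
            "time": entry.get("timestamp"),
            "principal": principal,
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "router": payload.get("resourceName", "").rsplit("/", 1)[-1],
            "method": method,
            "authorized": principal in authorized_principals,
        }
        # A delete or a request without a NAT body still yields one record.
        for nat in payload.get("request", {}).get("nats") or [{}]:
            findings.append({**base, "nat": nat.get("name"), "flags": nat_flags(nat)})
    findings.sort(key=lambda f: f["time"] or "")
    return findings


if __name__ == "__main__":
    allowed = {"terraform@example-proj.iam.gserviceaccount.com"}
    for f in triage_nat_changes(SAMPLE_LOG_LINES, allowed):
        mark = "ok" if f["authorized"] else "!!"
        print(mark, f["time"], f["principal"], f["caller_ip"], f["router"],
              f["nat"], "; ".join(f["flags"]) or "-")
```

On real data, feed the function the JSON lines from a Cloud Logging export or a `gcloud logging read` query filtered to `resource.type="gce_router"`, and pass the set of principals that are allowed to change the gateway; anything flagged with `!!` is what the remaining investigation steps should focus on.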

Resolution

If you detect an unauthorized change in your Cloud NAT configuration, use these steps to resolve the incident:

  1. Revoke the access permissions or credentials that were used to make the unauthorized change (remove the IAM binding, disable or rotate the service account key, or suspend the user account).
  2. Restore the Cloud NAT gateway configuration to its known-good state. Compare the current settings with the last known-good copy (your infrastructure-as-code state, or a previous describe output) and with the request body recorded in the audit-log entry for the change, then reapply the expected NAT IP addresses, subnet coverage, port allocation, and logging settings.
  3. Close the gap that allowed the unauthorized change, for example by tightening the IAM roles that grant compute network administration, enforcing multi-factor authentication for the principals that hold them, or making changes only through a reviewed deployment pipeline.
  4. Conduct a thorough security audit of the VPC network and the systems behind the gateway to ensure there are no other unauthorized changes or signs of compromise.
  5. Keep Cloud NAT logging enabled and continue to monitor the VPC network and Cloud NAT gateway configuration for further unauthorized changes.
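Step 2 above, worked as an added example that is not part of the original page or of Lacework's tooling. It compares the NAT settings currently observed on the gateway with a known-good baseline, reports every watched field that differs, and builds the `gcloud compute routers nats update` command that puts the baseline back. Both configurations are constructed for the example in the field layout that `gcloud compute routers nats describe --format=json` returns; the project, router, address, and subnet names are invented. The gcloud flags used are the documented ones for that command, but check them against `gcloud compute routers nats update --help` for your gcloud version before running the output.

```python
import shlex

# Constructed known-good baseline (for example from IaC state or the last good
# `gcloud compute routers nats describe` output). Address and subnet references
# may be full URLs or short names; the comparison normalises both.
BASELINE = {
    "name": "prod-nat",
    "natIpAllocateOption": "MANUAL_ONLY",
    "natIps": [
        "https://www.googleapis.com/compute/v1/projects/example-proj/regions/us-central1/addresses/egress-ip-a",
        "https://www.googleapis.com/compute/v1/projects/example-proj/regions/us-central1/addresses/egress-ip-b",
    ],
    "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
    "minPortsPerVm": 64,
    "logConfig": {"enable": True, "filter": "ALL"},
}

# Constructed current state after an unauthorized change: one new egress
# address, coverage narrowed to a single subnet, fewer ports, logging off.
OBSERVED = {
    "name": "prod-nat",
    "natIpAllocateOption": "MANUAL_ONLY",
    "natIps": ["projects/example-proj/regions/us-central1/addresses/egress-ip-new"],
    "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
    "subnetworks": [{"name": "projects/example-proj/regions/us-central1/subnetworks/app-subnet"}],
    "minPortsPerVm": 16,
    "logConfig": {"enable": False},
}

# Fields whose change matters for egress identity, coverage, capacity and visibility.
WATCHED = ("natIpAllocateOption", "natIps", "sourceSubnetworkIpRangesToNat",
           "subnetworks", "minPortsPerVm", "logConfig")


def _norm(field, nat):
    """Normalise a watched field so URL form and list order do not create noise."""
    if field == "natIps":
        return {ip.rsplit("/", 1)[-1] for ip in nat.get("natIps", [])}
    if field == "subnetworks":
        return {s["name"].rsplit("/", 1)[-1] for s in nat.get("subnetworks", [])}
    return nat.get(field)


def diff_nat(baseline, current):
    """Return {field: (expected, actual)} for every watched field that drifted."""
    return {f: (_norm(f, baseline), _norm(f, current))
            for f in WATCHED if _norm(f, baseline) != _norm(f, current)}


def restore_command(baseline, router, region):
    """Build the gcloud argv that reapplies the baseline NAT settings."""
    cmd = ["gcloud", "compute", "routers", "nats", "update", baseline["name"],
           f"--router={router}", f"--region={region}"]
    if baseline.get("natIpAllocateOption") == "MANUAL_ONLY":
        cmd.append("--nat-external-ip-pool=" + ",".join(sorted(_norm("natIps", baseline))))
    else:
        cmd.append("--auto-allocate-nat-external-ips")
    if baseline.get("sourceSubnetworkIpRangesToNat") == "ALL_SUBNETWORKS_ALL_IP_RANGES":
        cmd.append("--nat-all-subnet-ip-ranges")
    else:
        cmd.append("--nat-custom-subnet-ip-ranges=" + ",".join(sorted(_norm("subnetworks", baseline))))
    if "minPortsPerVm" in baseline:
        cmd.append(f"--min-ports-per-vm={baseline['minPortsPerVm']}")
    log_cfg = baseline.get("logConfig") or {}
    if log_cfg.get("enable"):
        cmd.append("--enable-logging")
        if "filter" in log_cfg:
            cmd.append(f"--log-filter={log_cfg['filter']}")
    else:
        cmd.append("--no-enable-logging")
    return cmd


if __name__ == "__main__":
    drift = diff_nat(BASELINE, OBSERVED)
    for field, (expected, actual) in drift.items():
        print(f"{field}: expected {expected!r}, found {actual!r}")
    if drift:
        print("restore with:", shlex.join(restore_command(BASELINE, "prod-router", "us-central1")))
```

The command is returned as an argv list so it can be reviewed (or passed to `subprocess.run`) without shell quoting surprises; the same `diff_nat` check, run on a schedule against fresh describe output, is a simple way to carry out the continuous monitoring that step 5 asks for.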