How can the security engineer meet these requirements?
Remove the existing NAT gateway. Create a new NAT gateway that only the application server subnets can use.
Configure the DB instance’s inbound network ACL to deny traffic from the security group ID of the NAT gateway.
Modify the route tables of the DB instance subnets to remove the default route to the NAT gateway.
Configure the route table of the NAT gateway to deny connections to the DB instance subnets.
Explanations:
Removing the existing NAT gateway would disrupt the application servers’ internet access, violating the requirement of not affecting their traffic. A new NAT gateway would also require additional configuration and would not isolate the DB instance from internet access as required.
Network ACLs operate at the subnet level and are stateless. Denying traffic from the NAT gateway’s security group ID does not prevent the DB instance from initiating connections to the internet because it can still route through the NAT gateway unless the route table is modified.
Modifying the route tables of the DB instance subnets to remove the default route to the NAT gateway effectively prevents the DB instance from accessing the internet while not affecting the application servers’ ability to connect to the NAT gateway for internet access. This meets the security requirement without disrupting existing traffic.
Route tables are not associated with NAT gateways but with subnets. You cannot configure a route table for a NAT gateway; instead, you configure the route table associated with the subnets. Denying connections in this manner is not feasible and does not isolate the DB instance from internet access.
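The correct option comes down to editing the route tables associated with the DB subnets while leaving the application subnets' tables alone. The following is an added worked example, not part of the original question or answer: it plans and verifies that change against a constructed route-table listing in the shape `ec2.describe_route_tables()` returns (all ids are placeholders), with the deletion itself modelled as a stand-in for `ec2.delete_route`. It also refuses to proceed when a DB subnet shares its route table with an application subnet, since deleting the route there would cut the application servers' internet access too.

```python
"""Plan and verify removing the NAT default route from DB subnets (constructed example)."""

# Constructed sample shaped like ec2.describe_route_tables()["RouteTables"]; ids are placeholders.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-app",
     "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
    {"RouteTableId": "rtb-db",
     "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]

def table_for_subnet(tables, subnet_id):
    """Return the route table explicitly associated with subnet_id, or None."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return None  # implicit main-table association is not handled here

def nat_default_routes(table):
    """Routes sending 0.0.0.0/0 to a NAT gateway in this table."""
    return [r for r in table["Routes"]
            if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]

def has_nat_default(tables, subnet_id):
    t = table_for_subnet(tables, subnet_id)
    return t is not None and bool(nat_default_routes(t))

def plan_removal(tables, db_subnets, app_subnets):
    """Return (route_table_id, cidr) pairs to delete for the DB subnets."""
    plan = []
    for s in db_subnets:
        t = table_for_subnet(tables, s)
        if t is None:
            raise ValueError(f"{s}: no explicit route table association")
        shared = [a["SubnetId"] for a in t["Associations"] if a["SubnetId"] in app_subnets]
        if shared:  # deleting here would also break the application servers
            raise ValueError(f"{t['RouteTableId']} is shared with app subnets {shared}")
        plan += [(t["RouteTableId"], r["DestinationCidrBlock"]) for r in nat_default_routes(t)]
    return sorted(set(plan))

def apply_plan(tables, plan):
    """Stand-in for ec2.delete_route(RouteTableId=..., DestinationCidrBlock=...); returns new tables."""
    return [{**t, "Routes": [r for r in t["Routes"]
                             if (t["RouteTableId"], r.get("DestinationCidrBlock")) not in plan]}
            for t in tables]

def verify(tables, db_subnets, app_subnets):
    """True when no DB subnet reaches a NAT gateway and every app subnet still does."""
    return (all(not has_nat_default(tables, s) for s in db_subnets)
            and all(has_nat_default(tables, s) for s in app_subnets))
```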