# Delete unused NAT Gateway

## What It Does

Deletes unused NAT gateways that no longer serve active traffic. Unused NAT gateways can accumulate avoidable costs. Removing them helps lower VPC-related expenses without affecting ongoing workloads.

## Risk and Scope

| Detail                   | Value |
| ------------------------ | ----- |
| **Risk Level**           | Low   |
| **AWS Service Targeted** | VPC   |

{% hint style="warning" %}

## Permissions Required

**Delete Permissions**

* `ec2:DeleteNatGateway`

**Read Permissions**

* `ec2:DescribeNatGateways`

> These permissions are granted **only to the runbook**, not to the OneLens platform itself.
> {% endhint %}

## Optimization Policies Addressed

This runbook remediates violation tickets of the following policy:

| Policy ID | Policy Name                                            |
| --------- | ------------------------------------------------------ |
| vpc\_103  | NAT Gateway with no outgoing traffic should be deleted |

## Risk Mitigation

{% hint style="success" %}

## Risk Mitigation Strategy

* The change is assessed as **low risk** with limited scope and impact.
* **No downtime** is expected during or after implementation.
* **No additional safety measures** are required due to the non-disruptive nature of the change.
* A **rollback plan is not defined**, as standard procedures are sufficient to manage the change.
  {% endhint %}

## How to Install

Refer to the [Runbook Setup Guide ](/automate/remediations/runbooks/install-runbooks.md#installing-a-runbook)for steps to install and enable this runbook in your environment.

## Runbook Workflow

### Step 1: Start

**Trigger:** Begins the runbook to identify and delete unused NAT gateways.

### Step 2: CheckAndDelete

**Action:** Executes a script that checks for unused NAT gateways and flags them for deletion.

### Step 3: If/Else

**Condition:** Checks if any NAT gateway is unused and eligible for deletion.

1. **If eligible, proceeds to delete the unused NAT gateway:**
   1. **DeleteNatGateway**\
      Executes `DeleteNatGateway` on the identified EC2 NAT gateway resource.
2. **Else:**

   Workflow terminates if no deletable NAT gateway is found.

## See How It Works

<figure><img src="/files/mGyu1VviSzzhFDt9mSSo" alt=""><figcaption></figcaption></figure>

## Triggering the Runbook

To run this workflow:

### **1. Locate the Ticket**

Identify the ticket associated with the above mentioned policy violation.

### **2. Execute the Runbook**

Follow the steps described in the [executing a runbook](/automate/remediations/runbooks.md#executing-a-runbook) section to apply this runbook to the ticket.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.onelens.cloud/automate/remediations/runbooks/runbook-catalog/delete-unused-nat-gateway.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.