AWS Auto Scaling

Auto Scaling Groups ELB Health Check Inactive

This plugin ensures all Auto Scaling groups have ELB health checks active.

Risk Level: Medium

Description

This plugin ensures all Auto Scaling groups have ELB health checks active. ELB health checks ensure that running instances are considered Healthy only if they are reported so by the Elastic Load Balancers. Auto Scaling groups should have ELB health checks active to make sure unhealthy instances are replaced.

About the Service

AWS Auto Scaling: As the name suggests, AWS Auto Scaling monitors running resources and, when required, scales capacity at the lowest possible cost. Auto Scaling is easy to set up and automatically maintains the performance of your cloud infrastructure.

Impact

Auto Scaling groups should have ELB health checks active to make sure unhealthy instances are replaced. By default, the health of an Auto Scaling group is determined only by the EC2 instances, but for a more secure environment, health checks by the Elastic Load Balancer must be enabled as well. In that case, the group is reported healthy only when it is verified by both the EC2 instances and the attached ELBs.

Steps to Reproduce

Using AWS Console:

  1. Log in to your AWS Console.
  2. Open the Amazon EC2 Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. Scroll down and select Auto Scaling Groups under the Auto Scaling section from the left pane.
  4. A list of Auto Scaling Groups will be displayed. Select the one you want to investigate by clicking on its Name.
  5. Move to the Load Balancers section. Verify if it has at least one active Classic Elastic Load Balancer.
  6. In the Health Check section, verify if the Health Check Type is set to EC2 & ELB. If not, the Auto Scaling Group has the ELB health check inactive.
  7. Repeat steps 3 to 6 for all the Auto Scaling groups you want to investigate.
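The console check above, scripted as an added example (not the plugin's own code): it classifies each group from the fields the DescribeAutoScalingGroups API returns. The status labels and sample group names are constructed for illustration, and counting an attached target group as a load balancer goes beyond the Classic ELB check described on this page.

```python
"""Audit Auto Scaling groups for an inactive ELB health check (added example)."""

# Constructed sample shaped like a DescribeAutoScalingGroups response.
SAMPLE_GROUPS = [
    {"AutoScalingGroupName": "web-asg", "HealthCheckType": "ELB",
     "LoadBalancerNames": ["web-clb"], "TargetGroupARNs": []},
    {"AutoScalingGroupName": "api-asg", "HealthCheckType": "EC2",
     "LoadBalancerNames": ["api-clb"], "TargetGroupARNs": []},
    {"AutoScalingGroupName": "batch-asg", "HealthCheckType": "ELB",
     "LoadBalancerNames": [], "TargetGroupARNs": []},
    {"AutoScalingGroupName": "edge-asg", "HealthCheckType": "EC2,ELB",
     "LoadBalancerNames": [], "TargetGroupARNs": ["arn:placeholder-target-group"]},
]


def classify(group):
    """Return PASS, FAIL_ELB_CHECK_INACTIVE or FAIL_NO_LOAD_BALANCER."""
    # The API may report a single type or a comma-separated list of types.
    raw = group.get("HealthCheckType") or "EC2"
    types = {t.strip().upper() for t in raw.split(",")}
    attached = group.get("LoadBalancerNames") or group.get("TargetGroupARNs")
    if "ELB" not in types:
        return "FAIL_ELB_CHECK_INACTIVE"   # only EC2 status checks decide health
    if not attached:
        return "FAIL_NO_LOAD_BALANCER"     # ELB check enabled, nothing to report it
    return "PASS"


def audit(groups):
    """Map each group name to its classification."""
    return {g["AutoScalingGroupName"]: classify(g) for g in groups}


def fetch_groups(region):
    """Pull every group in a region; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the offline sample runs without it
    client = boto3.client("autoscaling", region_name=region)
    pages = client.get_paginator("describe_auto_scaling_groups").paginate()
    return [g for page in pages for g in page["AutoScalingGroups"]]


if __name__ == "__main__":
    for name, status in audit(SAMPLE_GROUPS).items():
        print(f"{status:26} {name}")
```

To run it against a live account, pass the result of `fetch_groups("<region>")` to `audit` instead of the constructed sample.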

Steps for Remediation

Enable ELB health check for the Auto Scaling groups.

  1. Log in to your AWS Console.
  2. Open the Amazon EC2 Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. Scroll down and select Auto Scaling Groups under the Auto Scaling section from the left pane.
  4. A list of Auto Scaling Groups will be displayed. Select the one you want to investigate by clicking on its Name.
  5. Move to the Load Balancers section. Verify if it has at least one active Classic Elastic Load Balancer.
  6. In the Health Check section, click on the Edit button.
  7. Click on the checkbox next to ELB to enable ELB health check. Modify the grace period if required. When done, click on Update to save changes.
  8. Repeat steps 3 to 7 for all the vulnerable Auto Scaling groups.