Logo of Trend Micro

Auto Scaling Group Health Check

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ASG-001

Ensure your AWS Auto Scaling Group (ASG) health check feature is properly configured to detect whether its registered EC2 instances are healthy or not. If an AWS Elastic Load Balancer (ELB) is being used for distributing traffic across instances within the ASG make sure that the ELB health check is enabled (works at hypervisor and application level). If an Elastic Load Balancer is not being used within your ASG make sure that the EC2 health check is enabled (works at hypervisor level only).

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Performance
efficiency

By using the right health check configuration for your Auto Scaling Groups, you can increase the reliability and availability of the applications deployed within these groups.

Audit

To determine if your ASGs are configured properly for using health checks and to verify the health check type used (ELB or EC2-based), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS ASG that you want to examine.

05 Select Details tab from the dashboard bottom panel and verify the ASG health check configuration details:

  1. If the ASG is associated with a load balancer, i.e. the Load Balancers property value is not empty, for example: the Load Balancers property value is not empty check the Health Check Type configuration status. If the status is set to EC2: If the status is set to EC2 the health check configuration for the selected Auto Scaling Group is not optimal.
  2. If the ASG is not using a load balancer, i.e. the Load Balancers property value is empty, for example: the Load Balancers property value is empty check the Health Check Type configuration status. If the current status is set to ELB: If the current status is set to ELB the selected Auto Scaling Group health check feature is not properly configured and needs to be updated (see Remediation/ Resolution section of the rule).

06 Repeat step no. 4 and 5 to verify other Auto Scaling Groups configuration, available in the current region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using custom query filters to list the names of the Auto Scaling Groups available within the selected AWS region: 

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--output table
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names: 

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  MyWebAppASG            |
|  ...                    |
|  MyBackendASG           |
|  ProdCacheASG           |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to describe the selected AWS Auto Scaling Group health check configuration. The following command example provides information about an ASG named MyWebAppASG available in the US-East-1 region: 

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--auto-scaling-group-names MyWebAppASG

04 The command output should return the selected Auto Scaling Group configuration metadata:

  1. If the ASG is associated with a load balancer, i.e. the LoadBalancerNames parameter value is not empty, e.g. "LoadBalancerNames": [ "MyASGLoadBalancer" ], check the HealthCheckType property value. If this value is set to EC2, as shown in the output example below, the health check configuration for the selected Auto Scaling Group is suboptimal. 
    {
    "AutoScalingGroups": [
        {
            "AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:
             123456789012:autoScalingGroup:42364fd5-5840-4e03-963
             a-1ec90d291302:autoScalingGroupName/MyWebAppASG",
            "HealthCheckGracePeriod": 300,
            "SuspendedProcesses": [],
            "DesiredCapacity": 1,
            "Tags": [],
            "EnabledMetrics": [],
            "LoadBalancerNames": [
                "MyASGLoadBalancer"
            ],
            "AutoScalingGroupName": "MyWebAppASG",
            "DefaultCooldown": 300,
            "MinSize": 1,
            "Instances": [
                {
                    "ProtectedFromScaleIn": true,
                    "AvailabilityZone": "us-east-1a",
                    "InstanceId": "i-02a9b72e63d135f4d",
                    "HealthStatus": "Healthy",
                    "LifecycleState": "InService",
                    "LaunchConfigurationName": "MyASGWebLaunchConfig"
                }
            ],
            "MaxSize": 1,
            "VPCZoneIdentifier": "subnet-19e7cc6f,subnet-4c377014",
            "TerminationPolicies": [
                "Default"
            ],
            "LaunchConfigurationName": "MyASGWebLaunchConfig",
            "CreatedTime": "2016-09-02T08:14:21.638Z",
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b"
            ],
            "HealthCheckType": "EC2",
            "NewInstancesProtectedFromScaleIn": true
        }
    ]
}
  2. If the ASG is not using a load balancer, i.e. the LoadBalancerNames parameter returns an empty array for its value, e.g. "LoadBalancerNames": [ ], check the HealthCheckType property value. If this value is set to ELB, as shown in the example below, the selected Auto Scaling Group is not properly configured and needs to be updated (see Remediation/ Resolution section of the rule). 
    {
    "AutoScalingGroups": [
        {
            "AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:
             123456789012:autoScalingGroup:42364fd5-5840-4e03-963
             a-1ec90d291302:autoScalingGroupName/MyWebAppASG",
            "HealthCheckGracePeriod": 300,
            "SuspendedProcesses": [],
            "DesiredCapacity": 1,
            "Tags": [],
            "EnabledMetrics": [],
            "LoadBalancerNames": [],
            "AutoScalingGroupName": "MyWebAppASG",
            "DefaultCooldown": 300,
            "MinSize": 1,
            "Instances": [
                {
                    "ProtectedFromScaleIn": true,
                    "AvailabilityZone": "us-east-1a",
                    "InstanceId": "i-02a9b72e63d135f4d",
                    "HealthStatus": "Healthy",
                    "LifecycleState": "InService",
                    "LaunchConfigurationName": "MyASGWebLaunchConfig"
                }
            ],
            "MaxSize": 1,
            "VPCZoneIdentifier": "subnet-19e7cc6f,subnet-4c377014",
            "TerminationPolicies": [
                "Default"
            ],
            "LaunchConfigurationName": "MyASGWebLaunchConfig",
            "CreatedTime": "2016-09-02T08:14:21.638Z",
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b"
            ],
            "HealthCheckType": "ELB",
            "NewInstancesProtectedFromScaleIn": true
        }
    ]
}

05 Repeat step no. 3 and 4 to verify the health check configuration for other ASGs available in the current region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for other AWS regions.

Remediation / Resolution

To update your ASGs health check configuration based on whether these are associated with a load balancer, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the Auto Scaling Group that you want to update.

05 If the selected ASG is associated with an AWS Elastic Load Balancer, perform the following actions:

  1. Select the Details tab from the dashboard bottom panel and click the Edit button: Select the Details tab from the dashboard bottom panel and click the Edit button to edit the scaling group configuration.
  2. Select ELB from the Health Check Type dropdown list and click the Save button to apply the changes. Your Auto Scaling Group will now delegate the health checks to the Elastic Load Balancer attached.

06 If the selected ASG is not using an AWS Elastic Load Balancer, perform the following actions:

  1. Select the Details tab from the dashboard bottom panel and click the Edit button: Select the Details tab from the dashboard bottom panel and click the Edit button to edit the scaling group configuration.
  2. Select EC2 from the Health Check Type dropdown list and click the Save button to save the changes. Your ASG health check feature will now use the results returned from the registered EC2 instances status checks.

07 Repeat steps no. 4 – 6 to update the health check configuration for other ASGs available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 If the ASG that you want to update is associated with an AWS Elastic Load Balancer, run update-auto-scaling-group command (OSX/Linux/UNIX) with the --health-check-type parameter set to ELB. The following command example updates the health check configuration of an AWS Auto Scaling Group named MyWebAppASG available in the US-East-1 region (if successful, the command does not return an output): 

aws autoscaling update-auto-scaling-group
--region us-east-1
--auto-scaling-group-name MyWebAppASG
--health-check-type ELB

02 If the ASG that you want to update is not using a load balancer, run update-auto-scaling-group command (OSX/Linux/UNIX) with the --health-check-type parameter set to EC2 and provide the amount of time (in seconds) required by the ASG to wait before checking the health status of the new EC2 instances provisioned in the group. The following command example updates the health check configuration of an AWS Auto Scaling Group named MyWebAppASG available in the US-East-1 region (if successful, the command does not return an output): 

aws autoscaling update-auto-scaling-group
--region us-east-1
--auto-scaling-group-name MyWebAppASG
--health-check-type EC2
--health-check-grace-period 300

03 Repeat step no. 1 and 2 to update the health check configuration for other ASGs available in the current region.

04 Change the AWS region and repeat the entire process for other regions.

References

Publication date Sep 2, 2016

Related AutoScaling rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Auto Scaling Group Health Check

Risk level: Medium