
Auto Scaling Group Health Check

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ASG-001

Ensure that the health check feature of your Amazon Auto Scaling Group (ASG) is configured to match the way traffic reaches the group, so that the ASG can tell whether its registered EC2 instances are healthy. If a load balancer distributes traffic across the ASG instances, make sure that the ELB health check type is enabled: the ASG then replaces an instance when either the EC2 status checks or the load balancer's health check (which probes the application itself) fails. If the Auto Scaling Group is not using a load balancer, make sure that the EC2 health check type is used; it relies on the EC2 status checks alone (hypervisor level only).

This rule can help you with the following compliance standards:

  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected pillars: Sustainability, Performance efficiency

By using the right health check configuration for your Amazon Auto Scaling Groups (ASGs), you can increase the reliability and availability of the applications deployed within your ASGs.


Audit

To determine if your Auto Scaling Groups are configured with the correct health check configuration (ELB or EC2-based), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Auto Scaling, choose Auto Scaling Groups.

04 Click on the name (link) of the Auto Scaling Group (ASG) that you want to examine.

05 Select the Details tab and verify the Auto Scaling Group health checks configuration:

  1. If the selected ASG is associated with a load balancer or a target group, i.e. a Classic Load Balancer or a target group is listed in the Load balancing section, check the Health check type attribute in the Health checks section. If it is set to EC2, the group relies on EC2 status checks alone and will keep an instance whose application has stopped responding, so the health check configuration of the selected Amazon Auto Scaling Group (ASG) is not optimal.
  2. If the selected ASG is not associated with a load balancer or a target group, i.e. no Classic Load Balancer or target group is listed in the Load balancing section, check the Health check type attribute in the Health checks section. If it is set to ELB, there is no load balancer to report application health and the setting is misleading, so the health check configuration of the selected Amazon Auto Scaling Group (ASG) is not optimal.

06 Repeat steps no. 4 and 5 for each Auto Scaling Group available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) deployed in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --output table \
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG name(s):

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  cc-production-web-asg  |
|  cc-internal-data-asg   |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group (ASG) that you want to examine as the identifier parameter and custom query filters to describe the identifiers of the Elastic Load Balancers and/or Target Groups associated with the ASG, and the health check type configured for the selected ASG:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names cc-production-web-asg \
  --query 'AutoScalingGroups[*].{"LoadBalancers":LoadBalancerNames, "TargetGroups":TargetGroupARNs, "HealthCheckType":HealthCheckType}'

04 The command output should return the requested configuration information:

  1. If the selected ASG is associated with a load balancer or a target group, i.e. the "LoadBalancers" or "TargetGroups" property is not empty, as shown in the output example below, check the "HealthCheckType" property value. If the "HealthCheckType" value is set to "EC2", the health check configuration available for the selected Amazon Auto Scaling Group (ASG) is suboptimal.
    [
        {
            "LoadBalancers": [
                "asg-classic-load-balancer"
            ],
            "TargetGroups": [],
            "HealthCheckType": "EC2"
        }
    ]
    
  2. If the selected ASG is not associated with a load balancer or a target group, i.e. both the "LoadBalancers" and the "TargetGroups" properties are empty, as shown in the output example below, check the "HealthCheckType" property value. If the "HealthCheckType" value is set to "ELB", the health check configuration available for the selected Auto Scaling Group (ASG) is suboptimal.
    [
        {
            "LoadBalancers": [],
            "TargetGroups": [],
            "HealthCheckType": "ELB"
        }
    ]
    

05 Repeat steps no. 3 and 4 for each Auto Scaling Group available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
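The audit steps above can be run over every group at once. The following script is an added example and not code from the Conformity page: it consumes the JSON that describe-auto-scaling-groups prints (piped on stdin) and applies the same two rules, flagging a group whose HealthCheckType does not match its load balancing setup. The sample response embedded in it is constructed; the ASG names, the load balancer name and the target group ARN are placeholders.

```python
"""Audit the health check type of every Auto Scaling Group in a
describe-auto-scaling-groups response.

Added example; this is not code from the Conformity page. Reads the JSON that
`aws autoscaling describe-auto-scaling-groups --region <r> --output json`
prints (piped on stdin) and flags groups whose HealthCheckType does not match
their load balancing setup. The sample below is constructed: ASG names, the
load balancer name and the target group ARN are placeholders.
"""
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of the AWS CLI response (unrelated fields omitted).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "AutoScalingGroups": [
        {   # registered with a Classic Load Balancer, but only EC2 status checks are used
            "AutoScalingGroupName": "cc-production-web-asg",
            "LoadBalancerNames": ["asg-classic-load-balancer"],
            "TargetGroupARNs": [],
            "HealthCheckType": "EC2",
            "HealthCheckGracePeriod": 300,
        },
        {   # no load balancer or target group, yet ELB health checks are selected
            "AutoScalingGroupName": "cc-internal-data-asg",
            "LoadBalancerNames": [],
            "TargetGroupARNs": [],
            "HealthCheckType": "ELB",
            "HealthCheckGracePeriod": 300,
        },
        {   # ALB target group with ELB health checks: the compliant case
            "AutoScalingGroupName": "cc-api-asg",
            "LoadBalancerNames": [],
            "TargetGroupARNs": [
                "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/cc-api/0123456789abcdef"
            ],
            "HealthCheckType": "ELB",
            "HealthCheckGracePeriod": 300,
        },
    ]
})


def expected_health_check_type(asg: Dict) -> str:
    """ELB when the group registers with any Classic Load Balancer or target group, else EC2."""
    attached = asg.get("LoadBalancerNames") or asg.get("TargetGroupARNs")
    return "ELB" if attached else "EC2"


def audit_asg(asg: Dict) -> Dict:
    """Finding for one group: actual vs. expected type, plus a reason when they differ."""
    expected = expected_health_check_type(asg)
    actual = asg.get("HealthCheckType", "EC2")  # the API defaults to EC2 when unset
    reason = ""
    if actual != expected:
        reason = ("attached to a load balancer or target group but only EC2 status checks are used"
                  if expected == "ELB" else
                  "ELB health checks selected but no load balancer or target group is attached")
    return {
        "name": asg["AutoScalingGroupName"],
        "actual": actual,
        "expected": expected,
        "compliant": actual == expected,
        "reason": reason,
    }


def audit_describe_output(raw_json: str) -> List[Dict]:
    """Audit every group in a describe-auto-scaling-groups JSON document."""
    data = json.loads(raw_json)
    return [audit_asg(asg) for asg in data.get("AutoScalingGroups", [])]


def non_compliant_names(raw_json: str) -> List[str]:
    """Names of the groups that fail the rule, in the order the API listed them."""
    return [f["name"] for f in audit_describe_output(raw_json) if not f["compliant"]]


if __name__ == "__main__":
    # Use piped CLI output when present, otherwise fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not raw.strip():
        raw = SAMPLE_DESCRIBE_OUTPUT
    for finding in audit_describe_output(raw):
        status = "OK  " if finding["compliant"] else "FAIL"
        print(f"{status} {finding['name']}: HealthCheckType={finding['actual']} "
              f"(expected {finding['expected']}) {finding['reason']}")
```

Run it once per region, e.g. `aws autoscaling describe-auto-scaling-groups --region us-east-1 --output json | python3 audit_asg_health_checks.py`; with no input it audits the embedded sample, which reports the first two groups as FAIL and the third as OK.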

Remediation / Resolution

To reconfigure your Auto Scaling Group health check type based on whether your ASG is associated with a load balancer or a target group, perform the following actions:
If your Auto Scaling Group is associated with a load balancer or a target group, set the health check type to ELB. The ASG then marks an instance unhealthy when either the EC2 status checks or the health check of the associated Classic Load Balancer or ALB/NLB target group fails, and the health check grace period must give a new instance enough time to boot and pass that check before it can be replaced:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "Set Health Check Type to ELB",
   "Parameters": {
      "WebTargetGroupARN": {
         "Type": "String",
         "Description": "ARN of the existing ALB/NLB target group that the ASG registers its instances with"
      }
   },
   "Resources": {
      "ASGLaunchTemplate": {
         "Type": "AWS::EC2::LaunchTemplate",
         "Properties": {
            "LaunchTemplateData": {
               "ImageId": "ami-0abcd1234abcd1234",
               "InstanceType": "t2.micro"
            }
         }
      },
      "EC2AutoScalingGroup": {
         "Type": "AWS::AutoScaling::AutoScalingGroup",
         "Properties": {
            "LaunchTemplate": {
               "LaunchTemplateId": { "Ref": "ASGLaunchTemplate" },
               "Version": { "Fn::GetAtt": ["ASGLaunchTemplate", "LatestVersionNumber"] }
            },
            "AvailabilityZones": ["us-east-1a", "us-east-1b"],
            "MinSize": "1",
            "MaxSize": "1",
            "DesiredCapacity": "1",
            "TargetGroupARNs": [ { "Ref": "WebTargetGroupARN" } ],
            "HealthCheckType": "ELB",
            "HealthCheckGracePeriod": 300
         }
      }
   }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Set Health Check Type to ELB
Parameters:
  WebTargetGroupARN:
    Type: String
    Description: ARN of the existing ALB/NLB target group that the ASG registers its instances with
Resources:
  ASGLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-0abcd1234abcd1234
        InstanceType: t2.micro
  EC2AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      LaunchTemplate:
        LaunchTemplateId:
          Ref: ASGLaunchTemplate
        Version:
          Fn::GetAtt: [ASGLaunchTemplate, LatestVersionNumber]
      AvailabilityZones:
      - us-east-1a
      - us-east-1b
      MinSize: '1'
      MaxSize: '1'
      DesiredCapacity: '1'
      TargetGroupARNs:
      - Ref: WebTargetGroupARN
      HealthCheckType: ELB
      HealthCheckGracePeriod: 300

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# ARN of the existing ALB/NLB target group that the ASG registers its instances with
variable "web_target_group_arn" {
  type = string
}

resource "aws_launch_template" "cc-production-launch-template" {
  name_prefix   = "cc-production-launch-template"
  image_id      = "ami-0abcd1234abcd1234"
  instance_type = "t2.micro"
}

resource "aws_autoscaling_group" "cc-production-web-asg" {
  availability_zones = ["us-east-1a","us-east-1b"]
  desired_capacity   = 1
  max_size           = 1
  min_size           = 1
  target_group_arns  = [var.web_target_group_arn]
  # ELB: the group uses the target group's health check in addition to the EC2 status checks
  health_check_type  = "ELB"
  # time a new instance gets to boot and pass the target group health check before it can be replaced
  health_check_grace_period = 300

  launch_template {
    id      = aws_launch_template.cc-production-launch-template.id
    version = aws_launch_template.cc-production-launch-template.latest_version
  }
}

If your Auto Scaling Group is not associated with a load balancer or a target group, set the health check type to EC2. The group then relies on the EC2 status checks (system and instance status) of its registered instances, which detect hypervisor and OS-level failures but not a hung or crashed application:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "Set Health Check Type to EC2",
   "Resources": {
      "ASGLaunchTemplate": {
         "Type": "AWS::EC2::LaunchTemplate",
         "Properties": {
            "LaunchTemplateData": {
               "ImageId": "ami-0abcd1234abcd1234",
               "InstanceType": "t2.micro"
            }
         }
      },
      "EC2AutoScalingGroup": {
         "Type": "AWS::AutoScaling::AutoScalingGroup",
         "Properties": {
            "LaunchTemplate": {
               "LaunchTemplateId": { "Ref": "ASGLaunchTemplate" },
               "Version": { "Fn::GetAtt": ["ASGLaunchTemplate", "LatestVersionNumber"] }
            },
            "AvailabilityZones": ["us-east-1a", "us-east-1b"],
            "MinSize": "1",
            "MaxSize": "1",
            "DesiredCapacity": "1",
            "HealthCheckType": "EC2",
            "HealthCheckGracePeriod": 300
         }
      }
   }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Set Health Check Type to EC2
Resources:
  ASGLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: ami-0abcd1234abcd1234
        InstanceType: t2.micro
  EC2AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      LaunchTemplate:
        LaunchTemplateId:
          Ref: ASGLaunchTemplate
        Version:
          Fn::GetAtt: [ASGLaunchTemplate, LatestVersionNumber]
      AvailabilityZones:
      - us-east-1a
      - us-east-1b
      MinSize: '1'
      MaxSize: '1'
      DesiredCapacity: '1'
      HealthCheckType: EC2
      HealthCheckGracePeriod: 300

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_launch_template" "cc-production-launch-template" {
  name_prefix   = "cc-production-launch-template"
  image_id      = "ami-0abcd1234abcd1234"
  instance_type = "t2.micro"
}

resource "aws_autoscaling_group" "cc-production-web-asg" {
  availability_zones = ["us-east-1a","us-east-1b"]
  desired_capacity   = 1
  max_size           = 1
  min_size           = 1
  # EC2: no load balancer is attached, so only the EC2 status checks decide instance health
  health_check_type  = "EC2"
  health_check_grace_period = 300

  launch_template {
    id      = aws_launch_template.cc-production-launch-template.id
    version = aws_launch_template.cc-production-launch-template.latest_version
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Auto Scaling, choose Auto Scaling Groups.

04 Click on the name of the Auto Scaling Group (ASG) that you want to reconfigure.

05 Select the Details tab to access the ASG resource configuration information.

06 In the Health checks section choose Edit to access the health check configuration settings available for the selected ASG.

07 In the Health checks – optional section, perform the following operations:

  1. If the selected Auto Scaling Group is associated with a load balancer or a target group, select the ELB checkbox available under Health check type. The ASG will then use the health check of the associated Classic Load Balancer or ALB/NLB target group in addition to the EC2 status checks, and the Health check grace period must cover the time a new instance needs to boot and pass that check.
  2. If the selected Auto Scaling Group is not associated with a load balancer or a target group, make sure that only the EC2 health check type is in use, i.e. the ELB checkbox is cleared. EC2 status checks are always performed for the instances registered with the ASG, so nothing further needs to be enabled.

08 Repeat steps no. 4 – 7 for each Auto Scaling Group (ASG) that you want to reconfigure, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 If your Auto Scaling Group (ASG) is associated with a load balancer or a target group, run update-auto-scaling-group command (OSX/Linux/UNIX) with the --health-check-type parameter set to ELB (the command does not produce an output). Set --health-check-grace-period to at least the time a new instance needs to boot and start serving before the load balancer health check can mark it unhealthy; if the period is too short, the group keeps terminating instances that are still starting and launching replacements:

aws autoscaling update-auto-scaling-group \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-web-asg \
  --health-check-type ELB \
  --health-check-grace-period 300

02 If your Auto Scaling Group (ASG) is not associated with a load balancer or a target group, run update-auto-scaling-group command (OSX/Linux/UNIX) with the --health-check-type parameter set to EC2 and provide the amount of time (in seconds) that the ASG waits after launching a new EC2 instance before it starts evaluating its health status (the command does not return an output):

aws autoscaling update-auto-scaling-group \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-web-asg \
  --health-check-type EC2 \
  --health-check-grace-period 300

03 Repeat step no. 1 or 2 for each Auto Scaling Group (ASG) that you want to reconfigure, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
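The remediation steps above choose the health check type per group and, for the ELB case, need a grace period that covers application start-up. The following planner is an added example and not code from the Conformity page: given one group record in the shape that describe-auto-scaling-groups returns, it decides the correct HealthCheckType, raises a too-short grace period when the group is delegated to a load balancer, and returns exactly the parameters to pass to update-auto-scaling-group (or to boto3's update_auto_scaling_group), or nothing when the group is already compliant. The 300-second floor is an assumed value chosen for illustration; the sample groups are constructed.

```python
"""Compute the update-auto-scaling-group parameters that bring one Auto
Scaling Group into line with the rule above.

Added example; this is not code from the Conformity page. Input is one group
record in the shape returned by describe-auto-scaling-groups. Output is the
parameter set for `aws autoscaling update-auto-scaling-group` or boto3's
update_auto_scaling_group, or None when nothing needs to change. The grace
period floor is an assumed value; the sample groups are constructed.
"""
from typing import Dict, Optional

# Assumed floor for HealthCheckGracePeriod when health is delegated to a load
# balancer: an instance must boot and pass the target group or CLB health check
# within this window, otherwise the group terminates it as unhealthy while it is
# still starting and launches a replacement that suffers the same fate.
MIN_ELB_GRACE_PERIOD_SECONDS = 300


def expected_health_check_type(asg: Dict) -> str:
    """ELB when the group registers with any Classic Load Balancer or target group, else EC2."""
    attached = asg.get("LoadBalancerNames") or asg.get("TargetGroupARNs")
    return "ELB" if attached else "EC2"


def plan_remediation(asg: Dict, min_grace: int = MIN_ELB_GRACE_PERIOD_SECONDS) -> Optional[Dict]:
    """Return update parameters for a non-compliant group, or None if it is already compliant."""
    expected = expected_health_check_type(asg)
    params = {"AutoScalingGroupName": asg["AutoScalingGroupName"]}
    if asg.get("HealthCheckType", "EC2") != expected:  # the API defaults to EC2 when unset
        params["HealthCheckType"] = expected
    # Only the ELB case depends on application start-up time; raise the grace period if too short.
    if expected == "ELB" and asg.get("HealthCheckGracePeriod", 0) < min_grace:
        params["HealthCheckGracePeriod"] = min_grace
    return params if len(params) > 1 else None


def to_cli(params: Dict, region: str) -> str:
    """Render a plan as the equivalent AWS CLI command."""
    parts = ["aws", "autoscaling", "update-auto-scaling-group",
             "--region", region,
             "--auto-scaling-group-name", params["AutoScalingGroupName"]]
    if "HealthCheckType" in params:
        parts += ["--health-check-type", params["HealthCheckType"]]
    if "HealthCheckGracePeriod" in params:
        parts += ["--health-check-grace-period", str(params["HealthCheckGracePeriod"])]
    return " ".join(parts)


def apply_with_boto3(params: Dict, region: str) -> None:
    """Apply a plan through boto3 (needs AWS credentials; the API call returns no payload)."""
    import boto3  # imported here so the planner itself runs offline
    boto3.client("autoscaling", region_name=region).update_auto_scaling_group(**params)


# Constructed sample groups (placeholder names and identifiers).
SAMPLE_ASGS = [
    {"AutoScalingGroupName": "cc-production-web-asg",
     "LoadBalancerNames": ["asg-classic-load-balancer"], "TargetGroupARNs": [],
     "HealthCheckType": "EC2", "HealthCheckGracePeriod": 60},
    {"AutoScalingGroupName": "cc-internal-data-asg",
     "LoadBalancerNames": [], "TargetGroupARNs": [],
     "HealthCheckType": "ELB", "HealthCheckGracePeriod": 300},
    {"AutoScalingGroupName": "cc-batch-asg",
     "LoadBalancerNames": [], "TargetGroupARNs": [],
     "HealthCheckType": "EC2", "HealthCheckGracePeriod": 0},
]

if __name__ == "__main__":
    # Dry run: print the commands instead of calling apply_with_boto3().
    for asg in SAMPLE_ASGS:
        plan = plan_remediation(asg)
        print(to_cli(plan, "us-east-1") if plan else f"{asg['AutoScalingGroupName']}: already compliant")
```

Feeding the first sample group through the planner yields a single command that switches the group to ELB and lifts its 60-second grace period to 300; the second only flips the type back to EC2; the third produces no change. Keeping the type change and the grace period in one update matters, because a group that is switched to ELB first and given a longer grace period later can start replacing instances in between.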

Publication date Sep 2, 2016
