Logo of Trend Micro

Auto Scaling Group Notifications

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ASG-005

Ensure that your Auto Scaling Groups are configured to send email notifications whenever a scaling event, such as launching or terminating an EC2 instance, occurs. Once the ASG Notifications feature is enabled, the AWS SNS topic associated with the group will process and send ASG scaling events notifications to the email address that you specified during setup.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability
Sustainability

Auto Scaling Group notifications can increase the reliability and availability of the applications deployed within your auto scaling environments by allowing you to act fast and mitigate scaling issues such as failed instance launches.

Audit

To determine if your AWS IAM users have any unused (> 30 days) access keys currently active, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

03 Select the AWS ASG that you want to examine.

04 Select the AWS ASG that you want to examine.

05 Select Notifications tab from the dashboard bottom panel.

06 Under Create notification, check the panel for any notification entries available

Under Create notification, check the panel for any notification entries available

If there are no such entries available:

If there are no such entries available

the selected Auto Scaling Group is not configured to send scaling events notifications via email.

07 Repeat steps no. 4 – 6 to verify other Auto Scaling Groups available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of the Auto Scaling Groups available within the selected AWS region: 

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--output table
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names: 

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  MyWebAppASG            |
|  ...                    |
|  MyBackendASG           |
|  ProdCacheASG           |
+-------------------------+

03 Run describe-notification-configurations command (OSX/Linux/UNIX) using the name of the ASG returned at the previous step as identifier, to describe the scaling event notification configurations associated with the selected group: 

aws autoscaling describe-notification-configurations
	--region us-east-1
	--auto-scaling-group-name MyWebAppASG

The command output should return the configuration details for each ASG notification entry currently available: 

{
	"NotificationConfigurations": []
}

04 If the NotificationConfigurations object property returns an empty array, i.e. [ ], the selected Auto Scaling Group is not associated with an AWS SNS topic required to send scaling event notifications.

05 Repeat step no. 3 and 4 to verify the notification configurations for other ASGs available in the current region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for other AWS regions.

Remediation / Resolution

To configure your AWS Auto Scaling Groups with the AWS SNS service in order to send scaling events notifications via email, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the Auto Scaling Group that you want to update (see Audit section part I to identify the groups that are not associated with an SNS topic for sending email notifications).

05 Select Notifications tab from the dashboard bottom panel.

06 Click Create notification button and provide the following information:

  1. In the Send a notification to box, enter a name for the new AWS SNS topic that will handle the notifications delivery to subscriber(s). If you want to use an existing SNS topic click use existing topic link: If you want to use an existing SNS topic click use existing topic link and select the preferred topic from the dropdown list.
  2. In the With these recipients box, enter the email address where the event notifications will be sent. You can also provide multiple email addresses, separated by commas, to add more than one subscriber.
  3. For Whenever instances category, select the scaling events to send the notifications for. Cloud Conformity recommends enabling notifications for all the event types available in this configuration category.
  4. Click the Save button to save the configuration changes.

07 Repeat steps no. 4 – 6 to enable event notifications for other ASGs available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending ASG scaling events email notifications: 

aws sns create-topic --region us-east-1 --name MyASGNotificationsTopic

02 The command output should return the new SNS topic Amazon Resource Name (ARN): 

{
	"TopicArn": "arn:aws:sns:us-east-1:123456789012:MyASGNotificationsTopic" 
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the SNS topic created earlier by sending the subscription confirmation message to the notification endpoint specified (i.e. your email address): 

aws sns subscribe
	--topic-arn arn:aws:sns:us-east-1:123456789012:MyASGNotificationsTopic
	--protocol email
	--notification-endpoint admin@domain.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription by validating the token sent to the notification endpoint selected (the command does not return an output): 

aws sns confirm-subscription
	--topic-arn arn:aws:sns:us-east-1:123456789012:MyASGNotificationsTopic
	--token 4501092f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da713387

05 Run put-notification-configuration command (OSX/Linux/UNIX) to configure the selected Auto Scaling Group to send email notifications when specified events take place. The following command example enable scaling events notifications by associating an SNS topic identified by the ARN arn:aws:sns:us-east-1:123456789012:MyASGNotificationsTopic with an AWS Auto Scaling Group named MyWebAppASG available in the US-East-1 region (the command does not return an output): 

aws autoscaling put-notification-configuration
	--region us-east-1
	--auto-scaling-group-name MyWebAppASG
	--topic-arn arn:aws:sns:us-east-1:123456789012:MyASGNotificationsTopic
	--notification-types
		"autoscaling:EC2_INSTANCE_LAUNCH"
		"autoscaling:EC2_INSTANCE_TERMINATE"
		"autoscaling:EC2_INSTANCE_LAUNCH_ERROR"
		"autoscaling:EC2_INSTANCE_TERMINATE_ERROR"

06 Repeat steps no. 1 – 5 to enable event notifications for other ASGs available in the current region.

07 Change the AWS region and repeat the entire process for other regions.

References

Publication date Sep 12, 2016

Related AutoScaling rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Auto Scaling Group Notifications

Risk level: Medium