Auto Scaling Group Cooldown Period

Risk level: High (not acceptable risk)

Rule ID: ASG-009

Ensure that your AWS Auto Scaling Groups (ASGs) are configured to use a cooldown period to temporarily suspend any scaling activities in order to allow the newly launched EC2 instance(s) some time to start handling the application traffic.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

If the cooldown period is set to 0, the AWS ASG service can initiate another scaling event before the effects of a previous event become evident. Since a newly launched EC2 instance need time for booting and initial software configuration before it can take some of the application workload, implementing a proper cooldown period to temporarily suspend any scaling actions is strongly recommended.

Note 1: Cooldown periods are not supported by step scaling or scheduled scaling policies.
Note 2: The "Default Cooldown" value is set to 300 seconds, however, you can change the default threshold for this rule on Cloud Conformity console and set your own value for the cooldown period based on your requirements.

Audit

To identify any AWS ASGs that are not using appropriate cooldown periods, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS ASG that you want to examine.

05 Select Details tab from the dashboard bottom panel and verify the Default Cooldown setting value. If the current value set for this attribute is zero:

or less than the one defined on your Cloud Conformity console, the cooldown period feature is not properly configured for the selected Amazon ASG, therefore during auto-scaling process any additional instances can be launched or terminated before the previous scaling activity takes effect.

06 Repeat step no. 4 and 5 to verify the cooldown period for other AWS ASGs available in the selected region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups created within the selected AWS region:

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--output table
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  CloudConformityWebASG  |
|  MobileAppDynamicASG    |
+-------------------------+

03 Run again describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the ASG returned at the previous step as identifier and custom query filters to expose the default cooldown period (in seconds) set for selected Auto Scaling Group:

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--auto-scaling-group-names CloudConformityWebASG
	--query 'AutoScalingGroups[*].DefaultCooldown'

04 The command output should return an array with the requested value (seconds):

[
   0
]

If the array value returned is 0 (zero) or less than the one defined on your Cloud Conformity console, the cooldown period setting is not properly configured for the selected Amazon ASG, therefore the feature reconfiguration is highly recommended (see Remediation/Resolution section for more details).

05 Repeat steps no. 3 and 4 to verify the default cooldown period for other AWS ASGs provisioned in the selected region.

06 Repeat steps no. 1 – 5 to repeat the entire audit process for other AWS regions.

Remediation / Resolution

To implement an appropriate cooldown period for your Amazon Auto Scaling Groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS ASG that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Details tab from the dashboard bottom panel and click the Edit button:

to edit the selected group configuration.

06 Enter the desired value for your ASG cooldown period in the Default Cooldown box then click the Save button to apply the configuration changes.

07 Repeat steps no. 4 – 6 to reconfigure other AWS Auto Scaling Groups available in the current region and implement your custom cooldown period.

08 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-auto-scaling-group command (OSX/Linux/UNIX) using the name of the AWS ASG that you want to reconfigure as identifier to set the required value (in seconds) for the default cooldown period (the command does not produce an output):

aws autoscaling update-auto-scaling-group
	--region us-east-1
	--auto-scaling-group-name CloudConformityWebASG
	--default-cooldown 300

02 Repeat step no. 1 to update the cooldown period value for other AWS Auto Scaling Groups provisioned in the current region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 perform the entire process for other regions.

References

AWS Documentation
Auto Scaling Groups
Scaling the Size of Your Auto Scaling Group
Dynamic Scaling
Manual Scaling
Auto Scaling Cooldowns

AWS Command Line Interface (CLI) Documentation
autoscaling
describe-auto-scaling-groups
update-auto-scaling-group

Publication date Feb 24, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Auto Scaling Group Cooldown Period

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related AutoScaling rules