Idle Elastic Load Balancer

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ELB-012

Identify any Amazon ELBs that appear to be idle and terminate them to help lower the cost of your monthly AWS bill. By default, an Elastic Load Balancer is considered 'idle' when it meets the following criteria:

  • The sum of the requests made to the load balancer in the past 7 days is less than 100.

The AWS CloudWatch metric used to detect idle Elastic Load Balancers is RequestCount (Sum). This metric records the number of requests completed (HTTP/HTTPS listener) or connections made (TCP/SSL listener) during the specified time frame (1 or 5 minutes).

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability, Cost optimisation

Idle load balancers represent a good candidate to reduce your monthly AWS costs and avoid accumulating unnecessary usage charges.

Note 1: Knowing the role and the owner of an AWS Elastic Load Balancer before you decide to delete it is very important. For this rule Cloud Conformity assumes that your ELBs are tagged with Role and Owner tags, which provide visibility into their usage profile and help you decide whether it is safe to terminate these resources.
Note 2: You can change the default threshold (100) for this rule on the Cloud Conformity console and set your own value for the RequestCount metric in order to define load balancer idleness.


Audit

To identify any idle ELBs available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the load balancer that you want to examine.

05 Select the Monitoring tab from the dashboard bottom panel.

06 Within the CloudWatch metrics section, click on the Sum Requests (Count) usage graph thumbnail to open the usage details box for the requests made to the ELB. Inside the CloudWatch Monitoring Details dialog box, set the following parameters:

  1. From the Statistic dropdown list, select Sum.
  2. From the Time Range list, select Last 1 Week.
  3. From the Period dropdown list, select 1 Minute.

Once the monitoring data is loaded, verify the RequestCount usage for the last 7 days. If the sum of the requests made to the Elastic Load Balancer in the past 7 days is less than 100, the selected AWS ELB qualifies as a candidate for an idle load balancer. Click Close to return to the dashboard.

07 Now determine the selected ELB's role within the stack and its owner by checking the Role and Owner tag values assigned to the load balancer, in order to decide whether it is safe to terminate the resource. To check for the necessary tags, perform the following:

  1. Select the Tags tab from the ELB dashboard bottom panel.
  2. Verify the requested tags and their values:
    • Check the Role tag value, available in the Value column, or any Role-like tag value that can provide information about the usage profile of the load balancer (e.g. webapp-stress-test-elb) in order to decide if the ELB can be terminated or not.
    • Check the Owner tag value, available in the Value column, or any Owner-like tag value that can provide the contact information (name, email, phone number) of the resource owner in order to get the confirmation to terminate or not the selected ELB.
    If all conditions outlined at steps no. 6 and 7 are met (including the owner confirmation), the selected Elastic Load Balancer is considered "idle" and can be safely deleted in order to stop incurring charges for it.

08 Repeat steps no. 4 – 7 to verify the RequestCount usage and the necessary tags (Role and Owner) for the rest of the load balancers provisioned in the current region.

09 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-load-balancers command (OSX/Linux/UNIX) using appropriate filtering to list the names of all existing AWS ELBs available in the selected region:

aws elb describe-load-balancers \
    --region us-east-1 \
    --output table \
    --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return a table with the requested ELB identifiers:

-------------------------
| DescribeLoadBalancers |
+-----------------------+
|  MyWebStackELB        |
|  MyStressTestELB      |
|  MyLegacyAppELB       |
+-----------------------+

03 Run get-metric-statistics command (OSX/Linux/UNIX) to get the statistics recorded by AWS CloudWatch for the RequestCount metric, representing the number of requests completed or connections made by the selected load balancer during the specified interval. Change the --start-time (start recording date) and --end-time (stop recording date) parameter values to choose your own time frame for recording the RequestCount usage. Also, set the --period parameter value to define the granularity - in seconds - of the returned datapoints, based on your requirements. A period can be as short as one minute (60 seconds) or as long as one day (86400 seconds). The following command example returns the RequestCount (Sum) data for an AWS ELB named MyWebStackELB, with usage data captured during a 7-day period (set by the --start-time and --end-time command parameters), using a 1 hour period as the granularity of the returned datapoints (set by the --period parameter). Note that Classic Load Balancer metrics live in the AWS/ELB CloudWatch namespace:

aws cloudwatch get-metric-statistics \
    --region us-east-1 \
    --metric-name RequestCount \
    --start-time 2016-10-04T13:16:00 \
    --end-time 2016-10-11T13:16:00 \
    --period 3600 \
    --namespace AWS/ELB \
    --statistics Sum \
    --dimensions Name=LoadBalancerName,Value=MyWebStackELB

04 The command output should return the usage information requested:

{
    "Datapoints": [
        {
            "Timestamp": "2016-10-04T13:16:00Z",
            "Sum": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2016-10-04T14:16:00Z",
            "Sum": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2016-10-04T15:16:00Z",
            "Sum": 0.0,
            "Unit": "Count"
        },

        ...

        {
            "Timestamp": "2016-10-11T10:16:00Z",
            "Sum": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2016-10-11T11:16:00Z",
            "Sum": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2016-10-11T12:16:00Z",
            "Sum": 0.0,
            "Unit": "Count"
        }
    ],
    "Label": "RequestCount"
}

If the sum of the requests made to the Elastic Load Balancer is less than 100, the selected AWS ELB qualifies as candidate for the idle load balancer.

05 Run describe-tags command (OSX/Linux/UNIX) to describe the tags for the selected ELB:

aws elb describe-tags \
    --region us-east-1 \
    --load-balancer-name MyWebStackELB

06 The command output should return the tags (key-value pairs) applied to the load balancer. The Role and Owner tags returned and their values can be used to determine the resource role within the application stack and to contact its owner for more information, in order to decide whether the load balancer can be deleted or not:

{
    "TagDescriptions": [
        {
            "Tags": [
                {
                    "Value": "webapp-stress-test-elb",
                    "Key": "Role"
                },
                {
                    "Value": "ops@cloudconformity.com",
                    "Key": "Owner"
                },
                {
                    "Value": "MyWebAppStackELB",
                    "Key": "Name"
                }
            ],
            "LoadBalancerName": "MyWebStackELB"
        }
    ]
}

If the output data returned for the steps no. 3 - 6 satisfy the condition set by this conformity rule, the selected Elastic Load Balancer is considered "idle" and can be safely terminated in order to reduce AWS ELB usage costs.

07 Repeat steps no. 3 – 6 to verify the RequestCount usage and the necessary tags (Role and Owner) for the rest of the load balancers provisioned in the current region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.
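The console and CLI audit procedures above can be automated per region. The script below is an added example, not Conformity's own tooling; it assumes AWS CLI v2 with credentials configured and GNU date, and the function names, THRESHOLD variable and SAMPLE_JSON input are hypothetical/constructed. The aws calls run only when a region is passed as the first argument; the parsing helpers run offline against the constructed sample.

```shell
#!/bin/sh
# Added example (not Conformity's tooling): automate the idle-ELB audit.
# Assumes AWS CLI v2 with credentials and GNU date (audit_region only).
# sum_requests, is_idle, tag_of, audit_region and SAMPLE_JSON are constructed.
set -u
THRESHOLD="${THRESHOLD:-100}"   # idleness threshold; 100 is the rule default

# Sum every "Sum" datapoint in a get-metric-statistics JSON document read
# from stdin (one datapoint value per line, as the CLI prints it). Plain awk
# avoids a jq dependency.
sum_requests() {
  awk '{ if (match($0, /"Sum": *[0-9.eE+-]+/)) {
           s = substr($0, RSTART, RLENGTH); sub(/"Sum": */, "", s); total += s } }
       END { printf "%d\n", total + 0 }'
}

# is_idle TOTAL: succeeds when TOTAL falls below THRESHOLD.
is_idle() {
  [ "$1" -lt "$THRESHOLD" ]
}

# tag_of REGION LB KEY: print the value of tag KEY on load balancer LB ("" if absent).
tag_of() {
  aws elb describe-tags --region "$1" --load-balancer-name "$2" --output text \
    --query "TagDescriptions[0].Tags[?Key=='$3'].Value"
}

# audit_region REGION: print idle candidates together with their Role/Owner tags.
# A 7-day window at 3600 s yields 168 datapoints, under the 1440 that one
# get-metric-statistics call returns; a 60 s period would be truncated.
audit_region() {
  region="$1"
  start=$(date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ)   # macOS: date -u -v-7d
  end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  for lb in $(aws elb describe-load-balancers --region "$region" --output text \
                --query 'LoadBalancerDescriptions[*].LoadBalancerName'); do
    total=$(aws cloudwatch get-metric-statistics --region "$region" \
      --namespace AWS/ELB --metric-name RequestCount --statistics Sum \
      --period 3600 --start-time "$start" --end-time "$end" \
      --dimensions Name=LoadBalancerName,Value="$lb" --output json | sum_requests)
    if is_idle "$total"; then
      printf 'IDLE %s requests=%s role=%s owner=%s\n' "$lb" "$total" \
        "$(tag_of "$region" "$lb" Role)" "$(tag_of "$region" "$lb" Owner)"
    fi
  done
}

# Constructed sample shaped like the get-metric-statistics output above (sums to 42).
SAMPLE_JSON='{"Datapoints": [
  {"Timestamp": "2016-10-04T13:16:00Z", "Sum": 12.0, "Unit": "Count"},
  {"Timestamp": "2016-10-04T14:16:00Z", "Sum": 30.0, "Unit": "Count"},
  {"Timestamp": "2016-10-04T15:16:00Z", "Sum": 0.0, "Unit": "Count"}],
 "Label": "RequestCount"}'

if [ "$#" -gt 0 ]; then audit_region "$1"; fi
```

An ELB reported as IDLE still needs the owner confirmation from step 6 before deletion; the script only shortlists candidates.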

Remediation / Resolution

Option 1: terminate the idle load balancers. To delete any AWS Elastic Load Balancers that are currently running in idle mode, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING section, choose Load Balancers.

04 Select the load balancer that you want to terminate (see Audit section part I to identify the right resource).

05 Click the Actions dropdown button from the dashboard top menu and select Delete.

06 On the Delete Load Balancer confirmation page, review the selected ELB details then click Yes, Delete to confirm the action.

07 Repeat steps no. 4 - 6 to delete any other idle Elastic Load Balancers provisioned within the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run delete-load-balancer command (OSX/Linux/UNIX) using the resource name as identifier (see Audit section part II to identify the right load balancer and its name) to delete the selected idle AWS ELB (the command does not produce an output):

aws elb delete-load-balancer \
    --region us-east-1 \
    --load-balancer-name MyWebStackELB

02 Repeat step no. 1 to terminate any other idle ELBs provisioned within the current region.

03 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Option 2: disable the rule check. If the selected idle load balancer is needed (its role within your application stack is important and the owner confirms it), you should turn off the conformity rule check for the ELB from the Cloud Conformity console.

Publication date Oct 13, 2016
