
Unused Elastic Load Balancers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: ELB-001

Identify unused Amazon Classic Load Balancers available within your AWS cloud account and delete these load balancers in order to lower the cost of your AWS bill.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost optimisation

Any Classic Load Balancer provisioned in your AWS cloud account adds charges to your monthly AWS bill, regardless of whether it is being used or not. If your load balancer has no registered instances, consider registering EC2 instances or deleting the load balancer. If your load balancer has no healthy EC2 instances registered, consider troubleshooting the instance configuration or deleting the load balancer. Removing unused Amazon Classic Load Balancers from your AWS account will help you avoid unexpected charges on your AWS bill.


Audit

Case A: To determine if your Classic Load Balancer has registered EC2 instances, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to examine.

06 Select the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.

07 In the Basic Configuration section, check the Status value to determine the number of EC2 instances registered to the load balancer. If the Status value is 0 of 0 instances in service, there are no registered backend EC2 instances, therefore the selected Amazon Classic Load Balancer can be removed from your AWS account.

08 Repeat steps no. 5 – 7 for each Classic Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return an array with the requested load balancer name(s):

[
    "cc-frontend-load-balancer",
    "cc-project5-load-balancer"
]

03 Run the describe-load-balancers command (OSX/Linux/UNIX), using the name of the load balancer that you want to examine as the identifier parameter and custom query filters, to list the ID of each EC2 instance registered to the selected load balancer:

aws elb describe-load-balancers \
  --load-balancer-names cc-frontend-load-balancer \
  --query 'LoadBalancerDescriptions[*].Instances[*].InstanceId | []'

04 The command output should return the requested instance ID(s):

[]

If the describe-load-balancers command output returns an empty array (i.e. []), as shown in the output example above, there are no registered backend EC2 instances, therefore the selected Amazon Classic Load Balancer can be terminated.

05 Repeat steps no. 3 and 4 for each Classic Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Audit

Case B: To determine if your Classic Load Balancer has healthy backend EC2 instances, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Amazon Classic Load Balancer that you want to examine.

06 Select the Instances tab from the console bottom panel to view the EC2 instances registered to the selected load balancer.

07 Check the status of each EC2 instance available in the registered instances list. If the status for all registered instances is OutOfService and the status description tooltip displays the following message: Instance has failed at least the UnhealthyThreshold number of health checks consecutively, there are no healthy EC2 instances registered to the load balancer, therefore the selected Amazon Classic Load Balancer can be deleted.

08 Repeat steps no. 5 – 7 for each Classic Load Balancer provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].LoadBalancerName'

02 The command output should return an array with the requested load balancer name(s):

[
    "cc-frontend-load-balancer",
    "cc-project5-load-balancer"
]

03 Run the describe-instance-health command (OSX/Linux/UNIX), using the name of the load balancer that you want to examine as the identifier parameter and custom query filters, to determine the health status of the EC2 instances registered to the selected load balancer:

aws elb describe-instance-health \
  --load-balancer-name cc-frontend-load-balancer \
  --query 'InstanceStates[].{"InstanceId":InstanceId, "State":State, "Description": Description}'

04 The command output should return the requested status information:

[
    {
        "InstanceId": "i-0abcd1234abcd1234",
        "State": "OutOfService",
        "Description": "Instance has failed at least the UnhealthyThreshold number of health checks consecutively."
    },
    {
        "InstanceId": "i-01234abcd1234abcd",
        "State": "OutOfService",
        "Description": "Instance has failed at least the UnhealthyThreshold number of health checks consecutively."
    }
]

Check the status and the description of each registered instance returned by the describe-instance-health command output. If the "State" is set to "OutOfService" and the "Description" is set to "Instance has failed at least the UnhealthyThreshold number of health checks consecutively." for all registered instances, there are no healthy EC2 instances registered to the load balancer, therefore the selected Amazon Classic Load Balancer can be terminated.

05 Repeat steps no. 3 and 4 for each Classic Load Balancer provisioned in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
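
Both audit cases can be checked in one pass per region. The script below is an added example, not part of the original Conformity page: the function names classify_elb and audit_region and the result labels are assumptions chosen for illustration, and it relies on the AWS CLI --output text format printing one tab-separated row per instance.

```bash
#!/usr/bin/env bash
# Added example, not Conformity's code. Read-only: it only calls describe-* APIs.
# classify_elb takes the tab-separated text (one instance per line) printed by:
#   aws elb describe-instance-health --load-balancer-name NAME \
#     --query 'InstanceStates[].[InstanceId,State,Description]' --output text
FAILED_DESC="Instance has failed at least the UnhealthyThreshold number of health checks consecutively."
TAB=$(printf '\t')

classify_elb() {
  total=0
  failed=0
  while IFS="$TAB" read -r id state desc; do
    [ -n "$id" ] || continue                 # skip the blank line of an empty result
    total=$((total + 1))
    if [ "$state" = "InService" ]; then
      echo "IN_USE"                          # one healthy backend is enough
      return 0
    fi
    if [ "$state" = "OutOfService" ] && [ "$desc" = "$FAILED_DESC" ]; then
      failed=$((failed + 1))
    fi
  done <<EOF
$1
EOF
  if [ "$total" -eq 0 ]; then
    echo "UNUSED_NO_REGISTERED_INSTANCES"    # Case A
  elif [ "$failed" -eq "$total" ]; then
    echo "UNUSED_NO_HEALTHY_INSTANCES"       # Case B
  else
    echo "REVIEW"                            # e.g. an instance still registering
  fi
}

# Classify every Classic Load Balancer in one region (needs AWS CLI credentials).
audit_region() {
  for name in $(aws elb describe-load-balancers --region "$1" \
      --query 'LoadBalancerDescriptions[*].LoadBalancerName' --output text); do
    health=$(aws elb describe-instance-health --region "$1" \
      --load-balancer-name "$name" \
      --query 'InstanceStates[].[InstanceId,State,Description]' --output text)
    printf '%s\t%s\t%s\n' "$1" "$name" "$(classify_elb "$health")"
  done
}

# Constructed sample mirroring the Case B output above; used when no region is given.
SAMPLE_FAILED=$(printf 'i-0abcd1234abcd1234\tOutOfService\t%s\ni-01234abcd1234abcd\tOutOfService\t%s' \
  "$FAILED_DESC" "$FAILED_DESC")
if [ -n "${1:-}" ]; then audit_region "$1"; else classify_elb "$SAMPLE_FAILED"; fi
```

Run it with a region name as the first argument (for example us-east-1) to audit that region. A REVIEW result means the load balancer matches neither Case A nor Case B and should be checked by hand before any deletion.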

Remediation / Resolution

To remove any unused or inactive Amazon Classic Load Balancers from your AWS cloud account, perform the following actions:

Using Terraform (AWS Provider)

01 To remove an unused Amazon Classic Load Balancer, run the following Terraform command, using the Terraform name of the load balancer that you want to delete (e.g. classic-load-balancer) as the --target parameter:

terraform destroy \
  --target aws_elb.classic-load-balancer

02 Type yes and press Enter to confirm the unused load balancer deletion:

│ Warning: Resource targeting is in effect
│ You are creating a plan with the -target option, which means that the result of this plan may not represent all of the changes requested by the current configuration.
│ The -target option is not for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.
│

Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.

05 Select the Classic Load Balancer that you want to terminate, choose Actions, and select Delete.

06 In the Delete Load Balancer confirmation box, choose Yes, Delete to remove the selected load balancer from your AWS cloud account.

07 Repeat steps no. 5 and 6 for each Classic Load Balancer that you want to delete, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the delete-load-balancer command (OSX/Linux/UNIX), using the name of the Classic Load Balancer that you want to terminate as the identifier parameter, to remove the selected load balancer from your AWS cloud account (the command does not produce any output):

aws elb delete-load-balancer \
  --load-balancer-name cc-frontend-load-balancer

02 Repeat step no. 1 for each Classic Load Balancer that you want to delete, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.


Publication date Apr 29, 2016
