Rule: Auto Scaling groups with a load balancer should use health checks
This rule ensures that Auto Scaling groups use health checks for load balancer integration.
| Rule | Auto Scaling groups with a load balancer should use health checks |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ Critical |
Rule Description:
Auto Scaling groups with a load balancer must use health checks in order to comply with the FedRAMP Low Revision 4 security requirements. This ensures that instances within the Auto Scaling group are in a healthy state and capable of serving traffic, providing a high level of availability and reliability.
Troubleshooting Steps:
- 1.Verify Load Balancer Configuration: Check if the load balancer associated with the Auto Scaling group is correctly configured to perform health checks on instances.
- 2.Check Health Check Settings: Ensure that the health check settings are appropriately configured to reflect the desired behavior and sensitivity.
- 3.Verify Target Group Settings: If using Application Load Balancer, confirm that the Auto Scaling group instances are correctly registered with the target group associated with the load balancer.
- 4.Verify Health Check Paths: Check if the health check path(s) specified are correct and correspond to the expected functionality of the instances.
- 5.Review Security Group Rules: Ensure that the security group associated with the load balancer allows inbound traffic on the health check port from the load balancer's security group.
Necessary Codes:
There are no specific code snippets required for this rule. However, the following AWS CLI commands can be useful for troubleshooting and verification:
- 1.
Describe Auto Scaling Groups:
aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <auto-scaling-group-name> - 2.
Describe Load Balancers:
aws elbv2 describe-load-balancers --load-balancer-arns <load-balancer-arn> - 3.
Describe Target Groups (for Application Load Balancer):
aws elbv2 describe-target-groups --target-group-arns <target-group-arn> - 4.
Describe Load Balancer Attributes:
aws elbv2 describe-load-balancer-attributes --load-balancer-arn <load-balancer-arn> - 5.
Describe Target Health (for Application Load Balancer):
aws elbv2 describe-target-health --target-group-arn <target-group-arn>
Step-by-Step Guide for Remediation:
- 1.Login to the AWS Management Console.
- 2.Navigate to the EC2 service.
- 3.In the navigation pane, click on "Auto Scaling Groups".
- 4.Select the Auto Scaling group that needs to comply with the FedRAMP Low Revision 4 requirement.
- 5.Click on the "Edit" button.
- 6.Under the "Health Check Type" section, ensure that the "ELB" option is selected.
- 7.Specify the health check settings based on the requirements provided in the FedRAMP Low Revision 4 security requirements.
- 8.Click "Save" to apply the changes.
It is also essential to review the load balancer configuration. Follow the below steps for an Application Load Balancer:
- 1.In the navigation pane, click on "Load Balancers".
- 2.Select the load balancer associated with the Auto Scaling group.
- 3.Verify that the Auto Scaling group instances are correctly registered with the target group.
- 4.Confirm that the health check path(s) specified in the target group settings align with the expected functionality of the instances.
- 5.Ensure that the load balancer's security group allows inbound traffic on the health check port from the load balancer's security group.
By following these steps and confirming the necessary configurations, you can comply with the FedRAMP Low Revision 4 requirement for Auto Scaling groups with a load balancer using health checks.