Rule: Auto Scaling Groups with a Load Balancer Should Use Health Checks
This rule ensures that auto scaling groups with a load balancer utilize health checks for optimal performance.
| Rule | Auto Scaling groups with a load balancer should use health checks |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ Critical |
Rule Description:
Auto Scaling groups with a load balancer should utilize health checks to ensure the health and availability of instances. This rule is applicable for FedRAMP Low Revision 4 compliance.
Troubleshooting steps:
- 1.Ensure that your Auto Scaling group is associated with a load balancer.
- 2.Verify that health checks are properly configured for the load balancer.
- 3.Check if instances in the Auto Scaling group are registered with the load balancer.
- 4.Confirm that the health check settings are aligned with the required parameters for FedRAMP Low Revision 4 compliance.
Necessary codes:
The following code snippets can be used to configure health checks for an Auto Scaling group and load balancer.
CLI Command for configuring health checks for Auto Scaling group:
aws autoscaling put-lifecycle-hook --auto-scaling-group-name <auto_scaling_group_name> --lifecycle-hook-name <lifecycle_hook_name> --heartbeat-timeout <timeout_seconds> --default-result <default_result> --heartbeat-timeout-action <timeout_action>
Replace the following placeholders:
: Name of the Auto Scaling group.<auto_scaling_group_name>
: Name of the lifecycle hook.<lifecycle_hook_name>
: Timeout period for the heartbeat.<timeout_seconds>
: Default result for the lifecycle hook.<default_result>
: Action to take when heartbeat timeout occurs.<timeout_action>
CLI Command for configuring health checks for the load balancer:
aws elbv2 modify-target-group --target-group-arn <target_group_arn> --health-check-protocol <protocol> --health-check-path <path> --health-check-interval-seconds <interval_seconds> --healthy-threshold-count <healthy_threshold> --unhealthy-threshold-count <unhealthy_threshold>
Replace the following placeholders:
: ARN of the target group associated with the load balancer.<target_group_arn>
: Health check protocol (HTTP, HTTPS, TCP, etc.).<protocol>
: Path to be used for health checks.<path>
: Interval between health checks in seconds.<interval_seconds>
: Number of consecutive successful health checks required for an instance to be considered healthy.<healthy_threshold>
: Number of consecutive unsuccessful health checks required for an instance to be considered unhealthy.<unhealthy_threshold>
Step-by-Step Guide for Remediation:
- 1.Identify the Auto Scaling group associated with the load balancer that needs health checks.
- 2.Configure a lifecycle hook for the Auto Scaling group:
- Use the
command to set the heartbeat timeout, default result, and timeout action.put-lifecycle-hook
- 3.Configure health checks for the load balancer:
- Use the
command to specify the health check protocol, path, interval, healthy threshold, and unhealthy threshold.modify-target-group
- 4.Validate the health checks:
- Monitor the load balancer and Auto Scaling group to ensure that instances pass the health checks and are properly registered.
- 5.Test the failover:
- Simulate unhealthy instances and verify if the Auto Scaling group replaces them with healthy instances based on the health check results.
Following these steps will ensure that your Auto Scaling group with a load balancer is utilizing health checks to meet the requirements of FedRAMP Low Revision 4 compliance.