Rule: Auto Scaling groups with a load balancer should use health checks

Ensure Auto Scaling groups with a load balancer utilize health checks for optimal performance.

Rule: Auto Scaling groups with a load balancer should use health checks
Framework: FedRAMP Moderate Revision 4
Severity: Critical

Rule Description

Auto Scaling groups paired with a load balancer should employ health checks to comply with the FedRAMP Moderate Revision 4 security controls. These health checks ensure that instances running within the Auto Scaling group are functioning correctly and able to handle traffic appropriately. By implementing health checks, the load balancer can identify and automatically exclude any instances that are not responding or are experiencing issues, ensuring the availability and reliability of the application or service.

Troubleshooting Steps

Health Check Configuration

  1. Verify that the Auto Scaling group is associated with a load balancer.
  2. Confirm that the load balancer is specifically configured to perform health checks on the instances within the Auto Scaling group.
  3. Check the health check settings to ensure they align with the defined requirements of FedRAMP Moderate Revision 4.

Instance Health

  1. Inspect the health status of the instances within the Auto Scaling group.
  2. Identify any instances that are marked as unhealthy or experiencing issues.
  3. Investigate the root cause of the instance health issues (e.g., insufficient resources, networking problems, or application-level errors).
  4. Address the underlying problems and resolve the instance health issues.

Load Balancer Configuration

  1. Review the load balancer configuration to ensure it is correctly set up to distribute traffic to the instances within the Auto Scaling group.
  2. Verify that the load balancer's health check settings align with the specified requirements.
  3. Adjust any load balancing parameters if necessary, taking into account the performance and health of the instances.

Necessary Codes

AWS CLI Example

To enable health checks for an Auto Scaling group associated with a load balancer, use the put-lifecycle-hook command with the appropriate parameters:

    aws autoscaling put-lifecycle-hook \
        --lifecycle-hook-name <hook-name> \
        --auto-scaling-group-name <group-name> \
        --lifecycle-transition autoscaling:EC2_INSTANCE_TERMINATING \
        --heartbeat-timeout <timeout-seconds> \
        --default-result <CONTINUE|ABANDON> \
        --notification-target-arn <target-ARN> \
        --role-arn <role-ARN>

Be sure to replace the placeholders (<hook-name>, <group-name>, <timeout-seconds>, <CONTINUE|ABANDON>, <target-ARN>, <role-ARN>) with the actual values corresponding to your setup.

Step-by-Step Guide for Remediation

  1. Log in to the AWS Management Console.

  2. Navigate to the EC2 Auto Scaling service.

  3. Select the Auto Scaling group that is associated with the load balancer.

  4. Verify that the load balancer is correctly configured and associated with the Auto Scaling group.

  5. If not already configured, create a health check for the load balancer by following these steps:

     a. Navigate to the EC2 Load Balancing service.
     b. Select the load balancer associated with the Auto Scaling group.
     c. Click on the "Health checks" tab.
     d. Click on the "Add/Edit Health Check" button.
     e. Set the health check parameters according to the requirements specified in FedRAMP Moderate Revision 4.
     f. Save the health check settings.

  6. Validate the health of the instances within the Auto Scaling group by following these steps:

     a. Go back to the EC2 Auto Scaling service.
     b. Select the Auto Scaling group associated with the load balancer.
     c. Click on the "Instances" tab.
     d. Inspect the health status of each instance. Identify and investigate any instances marked as unhealthy or experiencing issues.
     e. Troubleshoot and resolve the underlying problems affecting the instance health.

  7. If necessary, adjust load balancing parameters for the load balancer associated with the Auto Scaling group by following these steps:

     a. Return to the EC2 Load Balancing service.
     b. Select the load balancer associated with the Auto Scaling group.
     c. Modify the load balancing settings as needed, considering the performance and health of the instances.

  8. Test the health check functionality by intentionally causing an instance to become unhealthy and verifying that the load balancer recognizes the issue and excludes the problematic instance.

  9. Monitor the health status of the instances and load balancer going forward, ensuring that any future issues are promptly addressed.

Following these steps ensures that your Auto Scaling group, combined with a load balancer, adheres to the health check requirements set forth in FedRAMP Moderate Revision 4, providing a resilient and responsive environment for your application or service.
