Auto Scaling Groups Not Referencing Active Load Balancers

This plugin ensures all Auto Scaling groups are referencing active Elastic Load Balancers.

Risk Level: Medium

Description

This plugin ensures all Auto Scaling groups are referencing active Elastic Load Balancers. Each Auto Scaling group with a load balancer configured should reference an active Elastic Load Balancer. This plugin also reports groups with health check set to ‘ELB’ but no load balancers referenced.

About the Service

AWS Auto Scaling: As the name suggests, AWS AutoScaling monitors the running resources and if required, increases the scaling capability at the lowest possible costs. AutoScaling is easy to set up and automatically maintains performance of your cloud infrastructure.

Impact

Auto Scaling groups that have ELB health check active report the group to be healthy only if it is verified by both EC2 and ELB. If the Auto Scaling Group references inactive or deleted ELBs, the health check will generate inaccurate results, leading to inferior function of the Auto Scaling group.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon EC2 Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. Scroll down and select Auto Scaling Groups under the Auto Scaling section from the left pane.
  4. A list of Auto Scaling Groups will be displayed, select the one you want to investigate by clicking on its Name.
  5. Move to the Activity tab. In the Health Check section, verify if the Health Check Type is set to EC2 & ELB. If not, the Auto Scaling Group does not need any Load Balancers.
  6. Move to the Load Balancing section. The following vulnerable situations can occur-
    1. No Load Balancers are present- The Classic Load Balancers list is empty. 
    2. The Load Balancer is inactive - Click on the load balancer name present in the Classic Load Balancers list. If it is redirected to the “No Results Found” page, the ELB attached is inactive.

  7. Repeat steps 3 to 6 for all the Auto Scaling groups you want to investigate.

Steps for Remediation

Ensure that the Auto Scaling group load balancer has not been deleted. If so, remove it from the Auto Scaling Group and add an active Elastic Load Balancer.

  1. Log In to your AWS Console.
  2. Open the Amazon EC2 Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. Scroll down and select Auto Scaling Groups under the Auto Scaling section from the left pane.
  4. A list of Auto Scaling Groups will be displayed, select the one you want to investigate by clicking on its Name.
  5. Move to the Activity tab. In the Health Check section, verify if the Health Check Type is set to EC2 & ELB. If not, the Auto Scaling Group does not need any Load Balancers.
  6. Move to the Load Balancing section. Click on the Edit button on the extreme right.
  7. Remove the invalid ELBs by clicking on the cross beside the ELB name under Classic Load Balancers list. 
  8. Choose an active Classic Load Balancer from the list and finally click on Update to save the changes.
  9. Repeat steps from 3 to 8 for all the vulnerable Auto Scaling Groups.