
Auto Scaling Group Referencing Missing ELB

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (act today)
Rule ID: ASG-007

Ensure that your Amazon Auto Scaling Groups (ASGs) reference active load balancers, so that the auto-scaling process stays healthy and the application load is distributed evenly across instances.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Operational excellence

When your Auto Scaling Group (ASG) fails to launch new backend instances because it references an inactive (deleted) load balancer, the scaling mechanism cannot add compute capacity (i.e. instances) to handle increased load, which degrades the availability and performance of your application.


Audit

To identify any ASGs that are missing load balancing capabilities due to inactive load balancers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Load balancing section, copy the name of the associated Classic Load Balancer from Classic Load Balancers and/or the name of the associated Target Group from Load balancer target groups.

07 In the main navigation panel, under Load Balancing, choose Load Balancers.

08 Paste the name of the Classic Load Balancer/Target Group copied at step no. 6 in the Filter by tags and attributes or search by keyword search box and press Enter. If no results are returned, the associated load balancer is no longer available, therefore the selected Auto Scaling Group (ASG) will fail to distribute the traffic load and properly launch new instances during the auto-scaling process.

09 Repeat steps no. 4 – 8 for each ASG deployed within the selected AWS region.

10 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --output table \
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|   cc-production-asg     |
|   cc-internal-app-asg   |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to examine as the identifier parameter and custom query filters to describe the identifiers of the Classic Load Balancers and/or Target Groups associated with the selected ASG:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names cc-production-asg \
  --query 'AutoScalingGroups[*].{"LoadBalancers":LoadBalancerNames, "TargetGroups":TargetGroupARNs}'

04 The command output should return the requested cloud resource identifiers:

[
	{
		"LoadBalancers": [
			"cc-classic-elb"
		],
		"TargetGroups": [
			"arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234"
		]
	}
]

05 Run describe-load-balancers command (OSX/Linux/UNIX) using the Classic Load Balancer identifier returned at the previous step to describe the configuration information available for the selected load balancer:

aws elb describe-load-balancers \
  --region us-east-1 \
  --load-balancer-name cc-classic-elb

06 The command output should return the requested resource information or an error message:

An error occurred (LoadBalancerNotFound) when calling the DescribeLoadBalancers operation: There is no ACTIVE Load Balancer named 'cc-classic-elb'

If the describe-load-balancers command returns a LoadBalancerNotFound error message, as shown in the example above, the associated load balancer was deleted at some point after the ASG was created, therefore the selected Auto Scaling Group (ASG) will fail to launch new EC2 instances when needed.

07 Run describe-target-groups command (OSX/Linux/UNIX) using the ARN of the Target Group returned at step no. 4 to describe the configuration information available for the selected resource:

aws elbv2 describe-target-groups \
  --region us-east-1 \
  --target-group-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234

08 The command output should return the requested resource information or an error message:

An error occurred (TargetGroupNotFound) when calling the DescribeTargetGroups operation: One or more target groups not found

If the describe-target-groups command returns a TargetGroupNotFound error message, as shown in the example above, the associated Target Group is no longer available, therefore the selected Auto Scaling Group (ASG) will fail to launch new EC2 instances when needed.

09 Repeat steps no. 3 – 8 for each ASG available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
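The Audit procedure above, automated as an added example (not Conformity's own code): it pages through the ASGs of one region, checks every referenced Classic Load Balancer and Target Group, and flags the LoadBalancerNotFound / TargetGroupNotFound cases from steps 5 to 8. The clients are passed in so the logic runs offline against the constructed fake clients at the bottom; with boto3 (assumed, not mentioned on the page) you would pass boto3.client("autoscaling", region_name=...) plus the matching "elb" and "elbv2" clients, and loop over regions for step 10.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asg_name: str
    kind: str       # "classic-elb" or "target-group"
    resource: str   # Classic Load Balancer name or Target Group ARN
    missing: bool   # True when the referenced resource no longer exists


def _exists(describe_call, not_found_code):
    """Run a describe call; False on the expected NotFound code, re-raise anything else."""
    try:
        describe_call()
        return True
    except Exception as exc:
        # botocore.exceptions.ClientError carries the AWS error code in .response
        if getattr(exc, "response", {}).get("Error", {}).get("Code") == not_found_code:
            return False
        raise


def list_asgs(autoscaling):
    """Page through describe-auto-scaling-groups with NextToken (audit step 1)."""
    groups, kwargs = [], {}
    while True:
        resp = autoscaling.describe_auto_scaling_groups(**kwargs)
        groups.extend(resp.get("AutoScalingGroups", []))
        if not resp.get("NextToken"):
            return groups
        kwargs = {"NextToken": resp["NextToken"]}


def audit_asgs(autoscaling, elb, elbv2):
    """One Finding per (ASG, referenced Classic Load Balancer or Target Group), audit steps 3-8."""
    findings = []
    for asg in list_asgs(autoscaling):
        name = asg["AutoScalingGroupName"]
        for lb in asg.get("LoadBalancerNames", []):
            ok = _exists(lambda: elb.describe_load_balancers(LoadBalancerNames=[lb]),
                         "LoadBalancerNotFound")
            findings.append(Finding(name, "classic-elb", lb, not ok))
        for tg in asg.get("TargetGroupARNs", []):
            ok = _exists(lambda: elbv2.describe_target_groups(TargetGroupArns=[tg]),
                         "TargetGroupNotFound")
            findings.append(Finding(name, "target-group", tg, not ok))
    return findings


def non_compliant(findings):
    """ASGs that reference at least one deleted resource, i.e. the ones rule ASG-007 flags."""
    return sorted({f.asg_name for f in findings if f.missing})


# --- Constructed fake clients (same call shapes as boto3) so the audit runs offline ---
class _AwsError(Exception):
    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeAutoScaling:
    """Constructed sample: two ASGs delivered over two pages to exercise NextToken handling."""
    def describe_auto_scaling_groups(self, **kwargs):
        if "NextToken" not in kwargs:
            return {"AutoScalingGroups": [{"AutoScalingGroupName": "cc-production-asg",
                                           "LoadBalancerNames": ["cc-classic-elb"],
                                           "TargetGroupARNs": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/abcd1234abcd1234"]}],
                    "NextToken": "page-2"}
        return {"AutoScalingGroups": [{"AutoScalingGroupName": "cc-internal-app-asg",
                                       "LoadBalancerNames": ["cc-internal-elb"],
                                       "TargetGroupARNs": []}]}


class FakeElb:
    """Constructed sample: only cc-internal-elb still exists; other names get the page's error."""
    def describe_load_balancers(self, LoadBalancerNames):
        name = LoadBalancerNames[0]
        if name != "cc-internal-elb":
            raise _AwsError("LoadBalancerNotFound", f"There is no ACTIVE Load Balancer named '{name}'")
        return {"LoadBalancerDescriptions": [{"LoadBalancerName": name}]}


class FakeElbv2:
    """Constructed sample: every target group has been deleted."""
    def describe_target_groups(self, TargetGroupArns):
        raise _AwsError("TargetGroupNotFound", "One or more target groups not found")


if __name__ == "__main__":
    results = audit_asgs(FakeAutoScaling(), FakeElb(), FakeElbv2())
    for f in results:
        print(f"{f.asg_name}: {f.kind} {f.resource} -> {'MISSING' if f.missing else 'active'}")
    print("Non-compliant ASGs:", non_compliant(results))
```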

Remediation / Resolution

To reconfigure any Auto Scaling Groups (ASGs) that reference inactive (deleted) load balancers, follow the case below that matches the type of load balancer involved:

Case A: To reconfigure any Auto Scaling Groups (ASGs) that are missing load balancing capabilities due to inactive (deleted) Classic Load Balancers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Choose Create Load Balancer button from the console top menu to initiate the setup process.

05 On the Select load balancer type page, choose Classic Load Balancer - previous generation to set up a new Classic Load Balancer, then select Create to start the setup.

06 On the load balancer setup page, perform the following operations:

  1. For Step 1: Define Load Balancer, provide a unique name for your new load balancer, select the target VPC, choose whether or not to create an internal load balancer, and set up the required listener configuration. Choose Next: Assign Security Groups to continue the setup.
  2. For Step 2: Assign Security Groups, choose one or more existing security groups for the new load balancer or create new ones. These security groups should act as a set of firewall rules that control the traffic to your load balancer. Choose Next: Configure Security Settings to continue.
  3. For Step 3: Configure Security Settings, create and configure the necessary HTTPS listeners for your new Classic Load Balancer. Choose Next: Configure Health Check to continue.
  4. For Step 4: Configure Health Check, configure the health check settings to meet your specific needs. Choose Next: Add EC2 instances to continue the setup.
  5. For Step 5: Add EC2 Instances, add the necessary Amazon EC2 instances to your load balancer and configure the Availability Zone (AZ) distribution. Choose Next: Add Tags to continue the setup.
  6. For Step 6: Add Tags, apply tags to your load balancer to help organize and identify the resource. Choose Review and Create to continue.
  7. For Step 7: Review, review your load balancer configuration, then choose Create to deploy your new Amazon Classic Load Balancer.
  8. Choose Close to return to the Amazon EC2 console.

07 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

08 Select the Auto Scaling Group (ASG) that you want to reconfigure.

09 Choose the Details tab to access the ASG resource configuration details.

10 In the Load balancing section choose Edit to modify the existing configuration.

11 Select Classic Load Balancers under Load balancers, and choose your new Classic Load Balancer from the setting dropdown list. Choose Update to apply the changes and integrate the new Classic Load Balancer with the selected Auto Scaling Group (ASG).

12 Repeat steps no. 3 – 11 for each ASG that you want to reconfigure, available within the current AWS region.

13 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to reconfigure as the identifier parameter to describe the resource configuration details, required later when the new load balancer will be created and attached to the ASG:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names cc-production-asg

02 The command output should return the requested configuration information:

{
	"AutoScalingGroups": [
		{
			"AutoScalingGroupName": "cc-production-asg",
			"AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:abcdabcd-1234-1234-1234-abcdabcdabcd:autoScalingGroupName/cc-production-asg",
			"LaunchTemplate": {
				"LaunchTemplateId": "lt-01234abcd1234abcd",
				"LaunchTemplateName": "cc-asg-launch-template",
				"Version": "$Default"
			},
			"MinSize": 1,
			"MaxSize": 1,
			"DesiredCapacity": 1,
			"DefaultCooldown": 300,
			"AvailabilityZones": [
				"us-east-1a"
			],
			"LoadBalancerNames": [],
			"TargetGroupARNs": [],
			"HealthCheckType": "EC2",
			"HealthCheckGracePeriod": 300,
			"Instances": [
				{
					"InstanceId": "i-01234abcd1234abcd",
					"InstanceType": "t2.micro",
					"AvailabilityZone": "us-east-1a",
					"LifecycleState": "InService",
					"HealthStatus": "Healthy",
					"LaunchTemplate": {
						"LaunchTemplateId": "lt-01234abcd1234abcd",
						"LaunchTemplateName": "cc-asg-launch-template",
						"Version": "1"
					},
					"ProtectedFromScaleIn": false
				}
			],
			"CreatedTime": "2022-09-09T15:18:08.259000+00:00",
			"SuspendedProcesses": [],
			"VPCZoneIdentifier": "subnet-01234abcd1234abcd",
			"EnabledMetrics": [],
			"Tags": [],
			"TerminationPolicies": [
				"Default"
			],
			"NewInstancesProtectedFromScaleIn": false,
			"ServiceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to create the security group that will be used by the new Classic Load Balancer. The following command example creates a security group named "cc-elb-security-group" inside a VPC identified with the ID vpc-abcd1234, available within the US East (N. Virginia) region:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-elb-security-group \
  --description "ASG Classic Load Balancer Security Group" \
  --vpc-id vpc-abcd1234

04 The command output should return the ID of the new security group:

{
	"GroupId": "sg-01234abcd1234abcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as the identifier parameter, to set up the inbound rules based on your web application requirements (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the outbound rules based on your application needs (the command does not return an output):

aws ec2 authorize-security-group-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run create-load-balancer command (OSX/Linux/UNIX) using the configuration information returned at steps no. 2 and 4 as input parameters, to create a new Classic Load Balancer:

aws elb create-load-balancer \
  --region us-east-1 \
  --load-balancer-name cc-classic-load-balancer \
  --listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" \
  --subnets "subnet-01234abcd1234abcd" "subnet-0abcd1234abcd1234" \
  --security-groups sg-01234abcd1234abcd

08 The command output should return the DNS name for the new load balancer:

{
	"DNSName": "cc-classic-load-balancer-123456789012.us-east-1.elb.amazonaws.com"
}

09 Run attach-load-balancers command (OSX/Linux/UNIX) to attach the Classic Load Balancer created at the previous steps to the selected Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancers \
  --region us-east-1 \
  --load-balancer-names cc-classic-load-balancer \
  --auto-scaling-group-name cc-production-asg

10 Repeat steps no. 1 – 9 for each ASG that you want to reconfigure, available in the selected AWS region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Case B: To reconfigure any Auto Scaling Groups (ASGs) that are missing load balancing capabilities due to inactive Application/Network Load Balancers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Choose Create Load Balancer from the console top menu to initiate the setup process.

05 On the Select load balancer type page, choose one of the following options based on your application requirements:

  1. For Application Load Balancers (ALBs):
    • Choose Application Load Balancer to set up a new load balancer, then select Create to start the setup process.
    • On the Create Application Load Balancer page, perform the following operations:
      • Provide a unique name for your new ALB in the Load balancer name box.
      • For Scheme, choose whether to create an internet-facing load balancer or an internal one.
      • Choose the appropriate IP address type from the IP address type setting.
      • Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
      • For Mappings, select at least one Availability Zone (AZ) and one subnet for each supported zone. AWS recommends selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones.
      • Click inside the Security groups box and choose one or more security groups for the new load balancer. The security group(s) should act as a set of firewall rules that control the traffic to your load balancer.
      • For Listeners and routing, create and configure the necessary HTTP(S) listener(s) for your new Application Load Balancer. Choose Create target group and follow the setup wizard to create a new Target Group resource for your Application Load Balancer. Ensure that the target type is set to Instances.
      • (Optional) For AWS Global Accelerator, choose whether or not to integrate an AWS Global Accelerator with the load balancer at launch.
      • (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section.
      • In the Summary section, review your load balancer configuration.
      • Choose Create load balancer to launch your new Amazon Application Load Balancer (ALB).
      • Choose View load balancer to return to the Amazon EC2 console.
  2. For Network Load Balancers (NLBs):
    • Choose Network Load Balancer to set up a new load balancer, then select Create to start the setup.
    • On the Create Network Load Balancer page, perform the following operations:
      • Provide a unique name for your new NLB in the Load balancer name box.
      • For Scheme, choose whether to create an internet-facing load balancer or an internal one.
      • Choose the appropriate IP address type from the IP address type setting.
      • Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
      • For Mappings, select at least one Availability Zone (AZ) and one subnet for each supported zone. AWS recommends selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones.
      • For Listeners and routing, create and configure the necessary TCP/TLS/UDP listener(s) for your new Network Load Balancer. Choose Create target group and follow the setup wizard to create a new Target Group resource for your Network Load Balancer. Make sure that the target type is set to Instances.
      • (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section.
      • In the Summary section, review your load balancer configuration.
      • Choose Create load balancer to launch your new Amazon Network Load Balancer.
      • Choose View load balancer to return to the Amazon EC2 console.

06 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

07 Select the Auto Scaling Group (ASG) that you want to reconfigure.

08 Choose the Details tab to access the ASG resource configuration details.

09 In the Load balancing section choose Edit to modify the existing configuration.

10 Select Application, Network or Gateway Load Balancer target groups under Load balancers, and choose the Target Group associated with your Application/Network Load Balancer from the setting dropdown list. Choose Update to apply the changes and integrate the new Application/Network Load Balancer with the selected Auto Scaling Group (ASG).

11 Repeat steps no. 3 – 10 for each ASG that you want to reconfigure, available in the selected AWS region.

12 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to reconfigure as the identifier parameter to describe the resource configuration details, required later when the new load balancer will be created and attached to the ASG:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names cc-production-asg

02 The command output should return the requested configuration information:

{
	"AutoScalingGroups": [
		{
			"AutoScalingGroupName": "cc-production-asg",
			"AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:abcdabcd-1234-1234-1234-abcdabcdabcd:autoScalingGroupName/cc-production-asg",
			"LaunchTemplate": {
				"LaunchTemplateId": "lt-01234abcd1234abcd",
				"LaunchTemplateName": "cc-asg-launch-template",
				"Version": "$Default"
			},
			"MinSize": 1,
			"MaxSize": 1,
			"DesiredCapacity": 1,
			"DefaultCooldown": 300,
			"AvailabilityZones": [
				"us-east-1a"
			],
			"LoadBalancerNames": [],
			"TargetGroupARNs": [],
			"HealthCheckType": "EC2",
			"HealthCheckGracePeriod": 300,
			"Instances": [
				{
					"InstanceId": "i-01234abcd1234abcd",
					"InstanceType": "t2.micro",
					"AvailabilityZone": "us-east-1a",
					"LifecycleState": "InService",
					"HealthStatus": "Healthy",
					"LaunchTemplate": {
						"LaunchTemplateId": "lt-01234abcd1234abcd",
						"LaunchTemplateName": "cc-asg-launch-template",
						"Version": "1"
					},
					"ProtectedFromScaleIn": false
				}
			],
			"CreatedTime": "2022-09-09T15:18:08.259000+00:00",
			"SuspendedProcesses": [],
			"VPCZoneIdentifier": "subnet-01234abcd1234abcd",
			"EnabledMetrics": [],
			"Tags": [],
			"TerminationPolicies": [
				"Default"
			],
			"NewInstancesProtectedFromScaleIn": false,
			"ServiceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to create the security group that will be used by the new Application/Network Load Balancer. The following command example creates a security group named "cc-elbv2-security-group" inside a VPC identified with the ID vpc-abcd1234, available within the US East (N. Virginia) region:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-elbv2-security-group \
  --description "ASG Load Balancer Security Group" \
  --vpc-id vpc-abcd1234

04 The command output should return the ID of the new security group:

{
	"GroupId": "sg-01234abcd1234abcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as the identifier parameter, to set up the inbound rules based on your needs (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the outbound rules based on your application needs (the command does not return an output):

aws ec2 authorize-security-group-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Based on the type of ELBv2 load balancer that you want to create, run one of the following sets of commands:

  1. For Application Load Balancers (ALBs):
    • Run create-load-balancer command (OSX/Linux/UNIX) to create a new Amazon Application Load Balancer (ALB):
      aws elbv2 create-load-balancer \
        --region us-east-1 \
        --name cc-application-load-balancer \
        --type application \
        --ip-address-type ipv4 \
        --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd \
        --security-groups sg-01234abcd1234abcd \
        --tags Key=Environment,Value=production
      
    • The command output should return the configuration information available for the new load balancer:
      {
      	"LoadBalancers": [
      		{
      			"VpcId": "vpc-0abcd1234abcd1234",
      			"State": {
      				"Code": "provisioning"
      			},
      			"LoadBalancerName": "cc-application-load-balancer",
      
      	...
      
      			"Type": "application",
      			"AvailabilityZones": [
      				{
      					"SubnetId": "subnet-0abcd1234abcd1234",
      					"ZoneName": "us-east-1a"
      				},
      				{
      					"SubnetId": "subnet-01234abcd1234abcd",
      					"ZoneName": "us-east-1b"
      				}
      			]
      		}
      	]
      }
      
    • Run create-target-group command (OSX/Linux/UNIX) to set up the target group for the newly created Application Load Balancer:
      aws elbv2 create-target-group \
        --region us-east-1 \
        --name cc-alb-target-group \
        --protocol HTTP \
        --port 80 \
        --vpc-id vpc-0abcd1234abcd1234 \
        --health-check-protocol HTTP \
        --health-check-port traffic-port \
        --health-check-path /index.html \
        --health-check-interval-seconds 30 \
        --health-check-timeout-seconds 5 \
        --healthy-threshold-count 10 \
        --unhealthy-threshold-count 2 \
        --target-type instance
      
    • The command output should return the new ALB Target Group metadata:
      {
      	"TargetGroups": [
      		{
      			"HealthCheckPath": "/index.html",
      			"HealthCheckIntervalSeconds": 30,
      			"VpcId": "vpc-0abcd1234abcd1234",
      			"Protocol": "HTTP",
      			"HealthCheckTimeoutSeconds": 5,
      
      			... 
      
      			"Matcher": {
      				"HttpCode": "200"
      			},
      			"HealthCheckPort": "traffic-port",
      			"Port": 80,
      			"TargetGroupName": "cc-alb-target-group"
      		}
      	]
      }
      
    • Run create-listener command (OSX/Linux/UNIX) to create, configure, and attach the necessary HTTP(S) listener to the new Application Load Balancer (ALB):
      aws elbv2 create-listener \
        --region us-east-1 \
        --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-application-load-balancer/aaaabbbbccccdddd \
        --protocol HTTP \
        --port 80 \
        --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd
      
    • The command output should return the configuration information for the new listener:
      {
      	"Listeners": [
      		{
      		"Protocol": "HTTP",
      		"DefaultActions": [
      			{
      				"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd",
      				"Type": "forward"
      			}
      		],
      		"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-application-load-balancer/aaaabbbbccccdddd",
      		"Port": 80,
      		"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-application-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
      		}
      	]
      }
      
  2. For Network Load Balancers (NLBs):
    • Run create-load-balancer command (OSX/Linux/UNIX) to create a new Amazon Network Load Balancer (NLB):
      aws elbv2 create-load-balancer \
        --region us-east-1 \
        --name cc-network-load-balancer \
        --type network \
        --ip-address-type ipv4 \
        --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd \
        --tags Key=Environment,Value=production
      
    • The command output should return the new NLB metadata:
      {
      	"LoadBalancers": [
      		{
      			"VpcId": "vpc-0abcd1234abcd1234",
      			"State": {
      				"Code": "active"
      			},
      			"LoadBalancerName": "cc-network-load-balancer",
      
      			...
      
      			"Type": "network",
      			"AvailabilityZones": [
      				{
      					"SubnetId": "subnet-0abcd1234abcd1234",
      					"ZoneName": "us-east-1a"
      				},
      				{
      					"SubnetId": "subnet-01234abcd1234abcd",
      					"ZoneName": "us-east-1b"
      				}
      			]
      		}
      	]
      }
      
    • Run create-target-group command (OSX/Linux/UNIX) to build the Target Group for the newly created Network Load Balancer (NLB):
      aws elbv2 create-target-group \
        --region us-east-1 \
        --name cc-nlb-target-group \
        --protocol TCP \
        --port 80 \
        --vpc-id vpc-12345678 \
        --health-check-protocol TCP \
        --health-check-port traffic-port \
        --health-check-interval-seconds 30 \
        --health-check-timeout-seconds 10 \
        --healthy-threshold-count 3 \
        --unhealthy-threshold-count 3 \
        --target-type instance
      
    • The command output should return the new Target Group metadata:
      {
      	"TargetGroups": [
      		{
      			"TargetType": "instance",
      			"HealthCheckIntervalSeconds": 30,
      			"VpcId": "vpc-12345678",
      			"Protocol": "TCP",
      			"HealthCheckTimeoutSeconds": 10,
      			"HealthCheckProtocol": "TCP",
      
      			...
      
      
      			"UnhealthyThresholdCount": 3,
      			"HealthyThresholdCount": 3,
      			"Matcher": {},
      			"HealthCheckPort": "traffic-port",
      			"Port": 80,
      			"TargetGroupName": "cc-nlb-target-group"
      		}
      	]
      }
      
    • Run create-listener command (OSX/Linux/UNIX) to create, configure, and attach the necessary TCP/TLS/UDP listener to the newly created Network Load Balancer:
      aws elbv2 create-listener \
        --region us-east-1 \
        --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/aaaabbbbccccdddd \
        --protocol TCP \
        --port 80 \
        --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd
      
    • The command output should return the configuration information for the new listener:
      {
      	"Listeners": [
      		{
      		"Protocol": "TCP",
      		"DefaultActions": [
      			{
      				"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd",
      				"Type": "forward"
      			}
      		],
      		"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/aaaabbbbccccdddd",
      		"Port": 80,
      		"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-network-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
      		}
      	]
      }
      

08 Run attach-load-balancer-target-groups command (OSX/Linux/UNIX) to attach the Target Group associated with your Application/Network Load Balancer to the selected Amazon Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancer-target-groups \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-asg \
  --target-group-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd

09 Repeat steps no. 1 – 8 for each ASG that you want to reconfigure, available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Feb 6, 2017
