Auto Scaling Group associated ELB

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ASG-012

Ensure that your Amazon Auto Scaling Groups (ASGs) have associated load balancers in order to maintain the availability of the compute resources in the event of a failure, and provide an evenly distributed application load. There are three types of load balancers that can be used with your Auto Scaling Groups: Classic Load Balancers, Application Load Balancers, and Network Load Balancers. With Classic Load Balancers, the EC2 instances are registered with the load balancer. With Application and Network Load Balancers, the instances are registered as targets with a target group.

This rule can help you with the following compliance standards:

  • APRA

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Integrating Amazon Auto Scaling Groups with Classic, Application, or Network Load Balancers helps provide high availability and improve application performance through compute instance scaling.


Audit

To determine if your Auto Scaling Groups (ASGs) are using load balancers for efficient application scaling and high availability, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Auto Scaling, choose Auto Scaling Groups.

04 Click on the name (link) of the Auto Scaling Group (ASG) that you want to examine.

05 Select the Details tab to access the ASG resource configuration information.

06 In the Load balancing section, check the Classic Load Balancers attribute value to identify the name of the Classic Load Balancer attached to the selected ASG, and the Load balancer target groups value to identify the name of the Target Group attached to the selected ASG. If both Classic Load Balancers and Target Groups attributes are missing their values, there are no Classic, Application, or Network Load Balancers associated with the selected Amazon Auto Scaling Group (ASG).

07 Repeat steps no. 4 – 6 for each Auto Scaling Group available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) deployed in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --output table \
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG name(s):

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  cc-production-web-asg  |
|  cc-internal-data-asg   |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to examine as the identifier parameter and custom query filters to get the identifiers (names or ARNs) of the Elastic Load Balancers and/or Target Groups associated with the selected ASG:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names cc-production-web-asg \
  --query 'AutoScalingGroups[*].{"LoadBalancers":LoadBalancerNames, "TargetGroups":TargetGroupARNs}'

04 The command output should return the requested cloud resource identifiers:

[
    {
        "LoadBalancers": [],
        "TargetGroups": []
    }
]

If the describe-auto-scaling-groups command output returns an empty array (i.e. []) for both "LoadBalancers" and "TargetGroups" configuration attributes, as shown in the output example above, there are no Classic, Application, or Network Load Balancers associated with the selected Amazon Auto Scaling Group (ASG).

05 Repeat steps no. 3 and 4 for each Auto Scaling Group available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
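An added offline checker, not Conformity's own code, that applies the same test as CLI steps 03 and 04 above to the JSON returned by describe-auto-scaling-groups and flags every ASG whose LoadBalancerNames and TargetGroupARNs are both empty; it also goes beyond the rule by warning when a load balancer is attached but the group's health check type is still EC2. The sample output and ASG names are constructed, and the describe_asgs helper that shells out to the AWS CLI is an assumed wrapper, not part of the page.

```python
"""Offline evaluation of Conformity rule ASG-012 (Auto Scaling Group associated ELB).

Input is the JSON produced by `aws autoscaling describe-auto-scaling-groups`
(as a string or an already-parsed dict). An ASG fails the rule when both
LoadBalancerNames and TargetGroupARNs are empty, i.e. no Classic, Application
or Network Load Balancer is associated with it.
"""
import json
import subprocess
import sys
from typing import Any, Dict, List, Union

# Constructed sample in the shape of the describe-auto-scaling-groups output
# shown above, trimmed to the fields the check reads. Not real resources.
SAMPLE_OUTPUT = json.dumps({
    "AutoScalingGroups": [
        {   # no load balancer at all -> FAIL (the case shown in the Audit output)
            "AutoScalingGroupName": "cc-production-web-asg",
            "LoadBalancerNames": [],
            "TargetGroupARNs": [],
            "HealthCheckType": "EC2",
        },
        {   # ALB/NLB target group attached, but health checks still EC2-only -> WARN
            "AutoScalingGroupName": "cc-internal-data-asg",
            "LoadBalancerNames": [],
            "TargetGroupARNs": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                                "targetgroup/cc-alb-target-group/aaaabbbbccccdddd"],
            "HealthCheckType": "EC2",
        },
        {   # Classic Load Balancer attached and ELB health checks enabled -> compliant
            "AutoScalingGroupName": "cc-classic-web-asg",
            "LoadBalancerNames": ["cc-classic-load-balancer"],
            "TargetGroupARNs": [],
            "HealthCheckType": "ELB",
        },
    ]
})


def evaluate_asgs(describe_output: Union[str, Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per ASG that is non-compliant (FAIL) or worth a look (WARN).

    Compliant ASGs produce no finding, so an empty list means every group passed.
    """
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    findings: List[Dict[str, str]] = []
    for asg in data.get("AutoScalingGroups", []):
        name = asg.get("AutoScalingGroupName", "<unnamed>")
        # Both attributes are lists; treat a missing key the same as an empty list.
        classic_elbs = asg.get("LoadBalancerNames") or []
        target_groups = asg.get("TargetGroupARNs") or []
        if not classic_elbs and not target_groups:
            findings.append({"asg": name, "rule": "ASG-012", "status": "FAIL",
                             "detail": "no Classic Load Balancer or Target Group attached"})
        elif asg.get("HealthCheckType") != "ELB":
            # Beyond the rule itself: with HealthCheckType EC2 the group only replaces
            # instances that fail EC2 status checks, not ones the load balancer marks unhealthy.
            findings.append({"asg": name, "rule": "ASG-012", "status": "WARN",
                             "detail": "load balancer attached but HealthCheckType is EC2, not ELB"})
    return findings


def describe_asgs(region: str) -> str:
    """Assumed helper: run the Audit section's CLI command for one region and return its JSON."""
    cmd = ["aws", "autoscaling", "describe-auto-scaling-groups",
           "--region", region, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # With a region argument the live CLI output is evaluated; without one, the sample is.
    output = describe_asgs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for finding in evaluate_asgs(output):
        print(f"{finding['status']:4} {finding['rule']} {finding['asg']}: {finding['detail']}")
```

Run it once per region (`python3 asg012_check.py us-east-1`) to cover steps 05 and 06 of the CLI audit.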

Remediation / Resolution

To associate Classic, Application, or Network Load Balancers with your Amazon Auto Scaling Groups (ASGs), perform the following actions:

Case A: To create and attach Classic Load Balancers to existing Amazon Auto Scaling Groups (ASGs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Choose Create Load Balancer button from the console top menu to initiate the setup process.

05 On the Select load balancer type page, choose Classic Load Balancer - previous generation to set up a new Classic Load Balancer, then select Create to start the setup.

06 On the load balancer setup page, perform the following operations:

  1. For Step 1: Define Load Balancer, provide a unique name for your new load balancer, select the target VPC, choose whether or not to create an internal load balancer, and set up the required listener configuration. Choose Next: Assign Security Groups to continue the setup.
  2. For Step 2: Assign Security Groups, choose one or more existing security groups for the new load balancer or create new ones. These security groups should act as a set of firewall rules that control the traffic to your load balancer. Choose Next: Configure Security Settings to continue.
  3. For Step 3: Configure Security Settings, create and configure the necessary HTTPS listeners for your new Classic Load Balancer. Choose Next: Configure Health Check to continue.
  4. For Step 4: Configure Health Check, configure the health check settings to meet your specific needs. Choose Next: Add EC2 instances to continue the setup.
  5. For Step 5: Add EC2 Instances, add the necessary Amazon EC2 instances to your load balancer. Configure Availability Zone (AZ) distribution. Choose Next: Add EC2 instances to continue the setup.
  6. For Step 6: Add Tags, apply tags to your load balancer to help organize and identify the resource. Choose Review and Create to continue.
  7. For Step 7: Review, review your load balancer configuration, then choose Create to deploy your new Amazon Classic Load Balancer.
  8. Choose Close to return to the Amazon EC2 console.

07 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

08 Select the Auto Scaling Group (ASG) that you want to reconfigure.

09 Choose the Details tab to access the ASG resource configuration details.

10 In the Load balancing section choose Edit to modify the existing configuration.

11 Select Classic Load Balancers under Load balancers, and choose your new Classic Load Balancer from the setting dropdown list. Choose Update to apply the changes and integrate the new Classic Load Balancer with the selected Auto Scaling Group (ASG).

12 Repeat steps no. 3 – 11 for each ASG that you want to reconfigure, available within the current AWS region.

13 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to reconfigure as the identifier parameter to describe the resource configuration details, required later when the new load balancer will be created and attached to the ASG:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names cc-production-asg

02 The command output should return the requested configuration information:

{
	"AutoScalingGroups": [
		{
			"AutoScalingGroupName": "cc-production-asg",
			"AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:abcdabcd-1234-1234-1234-abcdabcdabcd:autoScalingGroupName/cc-production-asg",
			"LaunchTemplate": {
				"LaunchTemplateId": "lt-01234abcd1234abcd",
				"LaunchTemplateName": "cc-asg-launch-template",
				"Version": "$Default"
			},
			"MinSize": 1,
			"MaxSize": 1,
			"DesiredCapacity": 1,
			"DefaultCooldown": 300,
			"AvailabilityZones": [
				"us-east-1a"
			],
			"LoadBalancerNames": [],
			"TargetGroupARNs": [],
			"HealthCheckType": "EC2",
			"HealthCheckGracePeriod": 300,
			"Instances": [
				{
					"InstanceId": "i-01234abcd1234abcd",
					"InstanceType": "t2.micro",
					"AvailabilityZone": "us-east-1a",
					"LifecycleState": "InService",
					"HealthStatus": "Healthy",
					"LaunchTemplate": {
						"LaunchTemplateId": "lt-01234abcd1234abcd",
						"LaunchTemplateName": "cc-asg-launch-template",
						"Version": "1"
					},
					"ProtectedFromScaleIn": false
				}
			],
			"CreatedTime": "2022-09-09T15:18:08.259000+00:00",
			"SuspendedProcesses": [],
			"VPCZoneIdentifier": "subnet-01234abcd1234abcd",
			"EnabledMetrics": [],
			"Tags": [],
			"TerminationPolicies": [
				"Default"
			],
			"NewInstancesProtectedFromScaleIn": false,
			"ServiceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to create the security group that will be used by the new Classic Load Balancer. The following command example creates a security group named "cc-elb-security-group" inside a VPC identified with the ID vpc-abcd1234, available within the US East (N. Virginia) region:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-elb-security-group \
  --description "ASG Classic Load Balancer Security Group" \
  --vpc-id vpc-abcd1234

04 The command output should return the ID of the new security group:

{
	"GroupId": "sg-01234abcd1234abcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as the identifier parameter, to set up the inbound rules based on your web application requirements (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the outbound rules based on your application needs (the command does not return an output):

aws ec2 authorize-security-group-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run create-load-balancer command (OSX/Linux/UNIX) using the configuration information returned at steps no. 2 and 4 as input parameters, to create a new Classic Load Balancer:

aws elb create-load-balancer \
  --region us-east-1 \
  --load-balancer-name cc-classic-load-balancer \
  --listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80" \
  --subnets "subnet-01234abcd1234abcd" "subnet-0abcd1234abcd1234" \
  --security-groups sg-01234abcd1234abcd

08 The command output should return the DNS name for the new load balancer:

{
	"DNSName": "cc-classic-load-balancer-123456789012.us-east-1.elb.amazonaws.com"
}

09 Run attach-load-balancers command (OSX/Linux/UNIX) to attach the Classic Load Balancer created at the previous steps to the selected Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancers \
  --region us-east-1 \
  --load-balancer-names cc-classic-load-balancer \
  --auto-scaling-group-name cc-production-asg

10 Repeat steps no. 1 – 9 for each ASG that you want to reconfigure, available in the selected AWS region.

11 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Case B: To create Application/Network Load Balancers and associate their Target Groups with your Amazon Auto Scaling Groups (ASGs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Load Balancing, choose Load Balancers.

04 Choose Create Load Balancer from the console top menu to initiate the setup process.

05 On the Select load balancer type page, choose one of the following options based on your application requirements:

  1. For Application Load Balancers (ALBs):
    • Choose Application Load Balancer to set up a new load balancer, then select Create to start the setup process.
    • On the Create Application Load Balancer page, perform the following operations:
      • Provide a unique name for your new ALB in the Load balancer name box.
      • For Scheme, choose whether to create an internet-facing load balancer or an internal one.
      • Choose the right IP address type from the IP address type.
      • Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
      • For Mappings, select at least one Availability Zone (AZ) and one subnet for each supported zone. AWS recommends selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones.
      • Click inside the Security groups box and choose one or more security groups for the new load balancer. The security group(s) should act as a set of firewall rules that control the traffic to your load balancer.
      • For Listeners and routing, create and configure the necessary HTTP(S) listener(s) for your new Application Load Balancer. Choose Create target group and follow the setup wizard to create a new Target Group resource for your Application Load Balancer. Ensure that the target type is set to Instances.
      • (Optional) For AWS Global Accelerator, choose whether or not to integrate an AWS Global Accelerator with the load balancer at launch.
      • (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section.
      • In the Summary section, review your load balancer configuration.
      • Choose Create load balancer to launch your new Amazon Application Load Balancer (ALB).
      • Choose View load balancer to return to the Amazon EC2 console.
  2. For Network Load Balancers (NLBs):
    • Choose Network Load Balancer to set up a new load balancer, then select Create to start the setup.
    • On the Create Network Load Balancer page, perform the following operations:
      • Provide a unique name for your new NLB in the Load balancer name box.
      • For Scheme, choose whether to create an internet-facing load balancer or an internal one.
      • Choose the right IP address type from the IP address type.
      • Select the Virtual Private Cloud (VPC) for the load balancer targets from the VPC dropdown list.
      • For Mappings, select at least one Availability Zone (AZ) and one subnet for each supported zone. AWS recommends selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones.
      • For Listeners and routing, create and configure the necessary TCP/TLS/UDP listener(s) for your new Network Load Balancer. Choose Create target group and follow the setup wizard to create a new Target Group resource for your Network Load Balancer. Make sure that the target type is set to Instances.
      • (Optional) To attach tags to your new load balancer, use the Add tag button available in the Tags – optional section.
      • In the Summary section, review your load balancer configuration.
      • Choose Create load balancer to launch your new Amazon Network Load Balancer.
      • Choose View load balancer to return to the Amazon EC2 console.

06 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

07 Select the Auto Scaling Group (ASG) that you want to reconfigure.

08 Choose the Details tab to access the ASG resource configuration details.

09 In the Load balancing section choose Edit to modify the existing configuration.

10 Select Application, Network or Gateway Load Balancer target groups under Load balancers, and choose the Target Group associated with your Application/Network Load Balancer from the setting dropdown list. Choose Update to apply the changes and integrate the new Application/Network Load Balancer with the selected Auto Scaling Group (ASG).

11 Repeat steps no. 3 – 10 for each ASG that you want to reconfigure, available in the selected AWS region.

12 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group that you want to reconfigure as the identifier parameter to describe the resource configuration details, required later when the new load balancer will be created and attached to the ASG:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names cc-production-asg

02 The command output should return the requested configuration information:

{
	"AutoScalingGroups": [
		{
			"AutoScalingGroupName": "cc-production-asg",
			"AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:abcdabcd-1234-1234-1234-abcdabcdabcd:autoScalingGroupName/cc-production-asg",
			"LaunchTemplate": {
				"LaunchTemplateId": "lt-01234abcd1234abcd",
				"LaunchTemplateName": "cc-asg-launch-template",
				"Version": "$Default"
			},
			"MinSize": 1,
			"MaxSize": 1,
			"DesiredCapacity": 1,
			"DefaultCooldown": 300,
			"AvailabilityZones": [
				"us-east-1a"
			],
			"LoadBalancerNames": [],
			"TargetGroupARNs": [],
			"HealthCheckType": "EC2",
			"HealthCheckGracePeriod": 300,
			"Instances": [
				{
					"InstanceId": "i-01234abcd1234abcd",
					"InstanceType": "t2.micro",
					"AvailabilityZone": "us-east-1a",
					"LifecycleState": "InService",
					"HealthStatus": "Healthy",
					"LaunchTemplate": {
						"LaunchTemplateId": "lt-01234abcd1234abcd",
						"LaunchTemplateName": "cc-asg-launch-template",
						"Version": "1"
					},
					"ProtectedFromScaleIn": false
				}
			],
			"CreatedTime": "2022-09-09T15:18:08.259000+00:00",
			"SuspendedProcesses": [],
			"VPCZoneIdentifier": "subnet-01234abcd1234abcd",
			"EnabledMetrics": [],
			"Tags": [],
			"TerminationPolicies": [
				"Default"
			],
			"NewInstancesProtectedFromScaleIn": false,
			"ServiceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to create the security group that will be used by the new Application/Network Load Balancer. The following command example creates a security group named "cc-elbv2-security-group" inside a VPC identified with the ID vpc-abcd1234, available within the US East (N. Virginia) region:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-elbv2-security-group \
  --description "ASG Load Balancer Security Group" \
  --vpc-id vpc-abcd1234

04 The command output should return the ID of the new security group:

{
	"GroupId": "sg-01234abcd1234abcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as the identifier parameter, to set up the inbound rules based on your needs (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the outbound rules based on your application needs (the command does not return an output):

aws ec2 authorize-security-group-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Based on the type of the ELBv2 load balancer that you want to create, perform one of the following sets of commands:
  1. For Application Load Balancers (ALBs):
    • Run create-load-balancer command (OSX/Linux/UNIX) to create a new Amazon Application Load Balancer (ALB), using the security group created at step no. 3:
      aws elbv2 create-load-balancer \
        --region us-east-1 \
        --name cc-application-load-balancer \
        --type application \
        --ip-address-type ipv4 \
        --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd \
        --security-groups sg-01234abcd1234abcd \
        --tags Key=Environment,Value=production
      
    • The command output should return the configuration information available for the new load balancer:
      {
      	"LoadBalancers": [
      		{
      			"VpcId": "vpc-0abcd1234abcd1234",
      			"State": {
      				"Code": "provisioning"
      			},
      			"LoadBalancerName": "cc-application-load-balancer",
      
      	...
      
      			"Type": "application",
      			"AvailabilityZones": [
      				{
      					"SubnetId": "subnet-0abcd1234abcd1234",
      					"ZoneName": "us-east-1a"
      				},
      				{
      					"SubnetId": "subnet-01234abcd1234abcd",
      					"ZoneName": "us-east-1b"
      				}
      			]
      		}
      	]
      }
      
    • Run create-target-group command (OSX/Linux/UNIX) to set up the target group for the newly created Application Load Balancer:
      aws elbv2 create-target-group \
        --region us-east-1 \
        --name cc-alb-target-group \
        --protocol HTTP \
        --port 80 \
        --vpc-id vpc-0abcd1234abcd1234 \
        --health-check-protocol HTTP \
        --health-check-port traffic-port \
        --health-check-path /index.html \
        --health-check-interval-seconds 30 \
        --health-check-timeout-seconds 5 \
        --healthy-threshold-count 10 \
        --unhealthy-threshold-count 2 \
        --target-type instance
      
    • The command output should return the new ALB Target Group metadata:
      {
      	"TargetGroups": [
      		{
      			"HealthCheckPath": "/index.html",
      			"HealthCheckIntervalSeconds": 30,
      			"VpcId": "vpc-0abcd1234abcd1234",
      			"Protocol": "HTTP",
      			"HealthCheckTimeoutSeconds": 5,
      
      			... 
      
      			"Matcher": {
      				"HttpCode": "200"
      			},
      			"HealthCheckPort": "traffic-port",
      			"Port": 80,
      			"TargetGroupName": "cc-alb-target-group"
      		}
      	]
      }
      
    • Run create-listener command (OSX/Linux/UNIX) to create, configure, and attach the necessary HTTP(S) listener to the new Application Load Balancer (ALB):
      aws elbv2 create-listener \
        --region us-east-1 \
        --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-application-load-balancer/aaaabbbbccccdddd \
        --protocol HTTP \
        --port 80 \
        --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd
      
    • The command output should return the configuration information for the new listener:
      {
      	"Listeners": [
      		{
      			"Protocol": "HTTP",
      			"DefaultActions": [
      				{
      				"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd",
      				"Type": "forward"
      				}
      			],
      			"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-application-load-balancer/aaaabbbbccccdddd",
      			"Port": 80,
      			"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/cc-application-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
      		}
      	]
      }
      
  2. For Network Load Balancers (NLBs):
    • Run create-load-balancer command (OSX/Linux/UNIX) to create a new Amazon Network Load Balancer (NLB):
      aws elbv2 create-load-balancer \
        --region us-east-1 \
        --name cc-network-load-balancer \
        --type network \
        --ip-address-type ipv4 \
        --subnets subnet-0abcd1234abcd1234 subnet-01234abcd1234abcd \
        --tags Key=Environment,Value=production
      
    • The command output should return the new NLB metadata:
      {
      	"LoadBalancers": [
      		{
      			"VpcId": "vpc-0abcd1234abcd1234",
      			"State": {
      				"Code": "active"
      			},
      			"LoadBalancerName": "cc-network-load-balancer",
      
      			...
      
      			"Type": "network",
      			"AvailabilityZones": [
      				{
      					"SubnetId": "subnet-0abcd1234abcd1234",
      					"ZoneName": "us-east-1a"
      				},
      				{
      					"SubnetId": "subnet-01234abcd1234abcd",
      					"ZoneName": "us-east-1b"
      				}
      			]
      		}
      	]
      }
      
    • Run create-target-group command (OSX/Linux/UNIX) to build the Target Group for the newly created Network Load Balancer (NLB):
      aws elbv2 create-target-group \
        --region us-east-1 \
        --name cc-nlb-target-group \
        --protocol TCP \
        --port 80 \
        --vpc-id vpc-12345678 \
        --health-check-protocol TCP \
        --health-check-port traffic-port \
        --health-check-interval-seconds 30 \
        --health-check-timeout-seconds 10 \
        --healthy-threshold-count 3 \
        --unhealthy-threshold-count 3 \
        --target-type instance
      
    • The command output should return the new Target Group metadata:
      {
      	"TargetGroups": [
      		{
      			"TargetType": "instance",
      			"HealthCheckIntervalSeconds": 30,
      			"VpcId": "vpc-12345678",
      			"Protocol": "TCP",
      			"HealthCheckTimeoutSeconds": 10,
      			"HealthCheckProtocol": "TCP",
      
      			...
      
      
      			"UnhealthyThresholdCount": 3,
      			"HealthyThresholdCount": 3,
      			"Matcher": {},
      			"HealthCheckPort": "traffic-port",
      			"Port": 80,
      			"TargetGroupName": "cc-nlb-target-group"
      		}
      	]
      }
      
    • Run create-listener command (OSX/Linux/UNIX) to create, configure, and attach the necessary TCP/TLS/UDP listener to the newly created Network Load Balancer:
      aws elbv2 create-listener \
        --region us-east-1 \
        --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/aaaabbbbccccdddd \
        --protocol TCP \
        --port 80 \
        --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd
      
    • The command output should return the configuration information for the new listener:
      {
      	"Listeners": [
      		{
      			"Protocol": "TCP",
      			"DefaultActions": [
      				{
      					"TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-nlb-target-group/aaaabbbbccccdddd",
      					"Type": "forward"
      				}
      			],
      			"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/cc-network-load-balancer/aaaabbbbccccdddd",
      			"Port": 80,
      			"ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/cc-network-load-balancer/aaaabbbbccccdddd/bbbbccccddddeeee"
      		}
      	]
      }
      
08 Run attach-load-balancer-target-groups command (OSX/Linux/UNIX) to attach the Target Group associated with your Application/Network Load Balancer to the selected Amazon Auto Scaling Group (the command does not produce an output):

aws autoscaling attach-load-balancer-target-groups \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-asg \
  --target-group-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cc-alb-target-group/aaaabbbbccccdddd

09 Repeat steps no. 1 – 8 for each ASG that you want to reconfigure, available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
