Auto Scaling Group Cooldown Period

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ASG-009

Ensure that your Amazon Auto Scaling Groups (ASGs) are configured to use a cooldown period to temporarily suspend any scaling activities in order to allow the newly launched Amazon EC2 instances some time to start handling the application traffic.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

The cooldown period helps to prevent Auto Scaling Groups (ASGs) from launching or terminating additional instances before the effects of previous activities are visible. If the cooldown period is set to zero, the ASG service can initiate another scaling event before the effects of a previous event become evident. Since a newly launched Amazon EC2 instance needs time for booting and initial software configuration before it can take some of the application workload, implementing a proper cooldown period to temporarily suspend any scaling actions is strongly recommended.

Note: The "Default Cooldown" value is set to 300 seconds; however, you can change the default threshold for this rule in the Trend Micro Cloud One™ – Conformity account console and set your own value for the cooldown period based on your application requirements.


Audit

To identify Auto Scaling Groups (ASGs) that are not using appropriate cooldown periods, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Advanced configurations section, check the Default cooldown attribute value. If the value is zero, or differs from the one defined in your Trend Micro Cloud One™ – Conformity account, the Cooldown Period feature is not enabled or not properly configured for the selected Auto Scaling Group (ASG). As a result, during auto-scaling, additional instances can be launched or terminated before the previous scaling activity takes effect.

07 Repeat steps no. 4 – 6 for each ASG available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --output table \
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG name(s):

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|   cc-production-asg     |
|   cc-internal-app-asg   |
+-------------------------+

03 Run the describe-auto-scaling-groups command (OSX/Linux/UNIX) with the name of the Auto Scaling Group (ASG) that you want to examine as the identifier parameter, and a custom query filter, to return the default cooldown period (in seconds) configured for the selected ASG:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names cc-production-asg \
  --query 'AutoScalingGroups[*].DefaultCooldown'

04 The command output should return the cooldown period configured for the selected ASG:

[
	0
]

If the cooldown period value returned by the describe-auto-scaling-groups command is zero, as shown in the example above, or differs from the one defined in your Trend Micro Cloud One™ – Conformity account, the Cooldown Period feature is not enabled or not properly configured for the selected Auto Scaling Group (ASG). As a result, during auto-scaling, additional Amazon EC2 instances can be launched or terminated before the previous scaling activity takes effect.

05 Repeat steps no. 3 and 4 for each ASG available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
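
The CLI audit steps above, generalized to check every ASG in every region in one pass. This is an added example, not part of the original Conformity procedure; the function names, the EXPECTED_COOLDOWN variable and the cc-batch-asg sample row are assumptions made for illustration, and the sample rows are constructed rather than real output.

```shell
#!/usr/bin/env bash
# Added example: flag ASGs whose DefaultCooldown is zero or differs from
# the expected value. EXPECTED_COOLDOWN is an assumed variable name; set it
# to the threshold configured for this rule in your Conformity account.
EXPECTED_COOLDOWN="${EXPECTED_COOLDOWN:-300}"

# Reads "name<TAB>cooldown" rows on stdin and prints one tab-separated
# finding per non-compliant ASG: region, name, status, observed value.
flag_cooldowns() {
  local region="$1" expected="$2"
  awk -F'\t' -v region="$region" -v want="$expected" '
    NF < 2           { next }   # skip blank or short rows
    $2 !~ /^[0-9]+$/ { printf "%s\t%s\tUNPARSEABLE\t%s\n", region, $1, $2; next }
    $2 == 0          { printf "%s\t%s\tDISABLED\t0\n", region, $1; next }
    $2 != want       { printf "%s\t%s\tMISMATCH\t%s\n", region, $1, $2 }
  '
}

# Live audit across every enabled region (needs the AWS CLI and credentials).
audit_all_regions() {
  local region
  for region in $(aws ec2 describe-regions \
      --query 'Regions[].RegionName' --output text); do
    aws autoscaling describe-auto-scaling-groups \
      --region "$region" --output text \
      --query 'AutoScalingGroups[*].[AutoScalingGroupName,DefaultCooldown]' |
      flag_cooldowns "$region" "$EXPECTED_COOLDOWN"
  done
}

# Constructed sample rows in the shape the query above returns.
sample_rows() {
  printf 'cc-production-asg\t0\ncc-internal-app-asg\t300\ncc-batch-asg\t60\n'
}

# Offline demo by default; pass --live to audit a real account.
if [ "${1:-}" = "--live" ]; then
  audit_all_regions
else
  sample_rows | flag_cooldowns us-east-1 "$EXPECTED_COOLDOWN"
fi
```

An empty result means every ASG in scope matches the expected cooldown.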

Remediation / Resolution

To configure an optimal cooldown period for your Amazon Auto Scaling Groups (ASG), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Advanced configurations section, choose Edit to modify the advanced configuration settings available for the selected ASG.

07 Enter an optimal value in seconds (must match the value defined on your Trend Micro Cloud One™ – Conformity account console) for the default cooldown period in the Default cooldown configuration box, then choose Update to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each ASG that you want to reconfigure, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the update-auto-scaling-group command (OSX/Linux/UNIX) with the name of the Auto Scaling Group (ASG) that you want to reconfigure as the identifier parameter, to set the default cooldown period (in seconds) for the selected ASG (the command does not produce an output):

aws autoscaling update-auto-scaling-group \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-asg \
  --default-cooldown 350

02 Repeat step no. 1 for each ASG that you want to reconfigure, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.

Publication date Feb 24, 2017
