Suspended Auto Scaling Groups

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ASG-011

Ensure that no Auto Scaling Groups (ASGs) provisioned in your AWS account have suspended processes, in order to avoid disrupting the auto scaling workflow. The AWS ASG service enables you to suspend one or more of the processes (Launch, Terminate, HealthCheck, etc.) in your Auto Scaling Group. This feature can be extremely useful when you need to investigate a configuration problem or other issues with your web application and then resolve the issue found without triggering the auto scaling process. For example, if your Auto Scaling Group fails repeatedly to launch new EC2 instances, you can suspend the "Launch" process to stop launching new instances until you fix the issue. Any suspended ASG processes detected will be highlighted on the Cloud Conformity dashboard. Cloud Conformity strongly recommends that you resume the suspended processes within your AWS ASGs as soon as the remediation process is completed.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Operational excellence, Performance efficiency, Sustainability

Monitoring your Amazon Auto Scaling Groups for suspended processes and resuming them promptly will help you maintain the reliability of your ASGs.


Audit

To identify any AWS Auto Scaling Groups with suspended processes, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS ASG that you want to examine.

05 Select Details tab from the dashboard bottom panel.

06 Check the Suspended Processes configuration attribute value. If the attribute value is set to one or more auto scaling processes such as Launch, Terminate, HealthCheck, ReplaceUnhealthy, AddToLoadBalancer, etc., the selected AWS Auto Scaling Group has one or more suspended processes that need to be resumed.

07 Repeat steps no. 4 – 6 to verify other Auto Scaling Groups, available within the current region, for suspended auto scaling processes.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups available within the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--output table \
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names:

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|    cc-web-prod-asg      |
|    cc-backend-asg       |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the ASG that you want to examine as identifier and custom query filters to list any auto scaling processes suspended for the selected AWS ASG:

aws autoscaling describe-auto-scaling-groups \
	--region us-east-1 \
	--auto-scaling-group-names cc-web-prod-asg \
	--query 'AutoScalingGroups[*].{SUSPENDED_PROCESSES:SuspendedProcesses}'

04 The command output should return the SUSPENDED_PROCESSES array containing suspended auto scaling processes metadata (process name, suspension reason, etc) or no metadata if there are no processes currently suspended:

{
    "SUSPENDED_PROCESSES": [
        {
            "ProcessName": "Launch",
            "SuspensionReason": "User suspended at 2017-11-08T19:47:55Z"
        }
    ]
}

If the SUSPENDED_PROCESSES array returned by the describe-auto-scaling-groups command output contains metadata, as shown in the example above, the selected AWS Auto Scaling Group has one or more suspended processes that need to be resumed.

05 Repeat steps no. 3 and 4 to verify other Auto Scaling Groups, available in the current region, for suspended processes such as "Launch", "Terminate", etc.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
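The per-group check in steps 3 to 5 can be run over a whole region at once by parsing the unfiltered JSON from describe-auto-scaling-groups. The script below is an added example, not part of the original Conformity page; it also derives how long each process has been suspended from the timestamp in SuspensionReason. The embedded input is constructed, and example-batch-asg is a made-up group name.

```python
import json
import re
import sys
from datetime import datetime, timezone

# Constructed sample of `aws autoscaling describe-auto-scaling-groups --output json`,
# trimmed to the fields read below. example-batch-asg is a made-up group.
SAMPLE = """
{"AutoScalingGroups": [
  {"AutoScalingGroupName": "cc-web-prod-asg", "SuspendedProcesses": [
    {"ProcessName": "Launch",
     "SuspensionReason": "User suspended at 2017-11-08T19:47:55Z"}]},
  {"AutoScalingGroupName": "cc-backend-asg", "SuspendedProcesses": []},
  {"AutoScalingGroupName": "example-batch-asg", "SuspendedProcesses": [
    {"ProcessName": "Terminate",
     "SuspensionReason": "constructed reason without a timestamp"}]}
]}
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")


def suspended_processes(describe_json, now=None):
    """Return one finding per suspended process: unknown age first, then oldest."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for group in json.loads(describe_json).get("AutoScalingGroups", []):
        for proc in group.get("SuspendedProcesses") or []:
            match = TIMESTAMP.search(proc.get("SuspensionReason") or "")
            age_hours = None
            if match:  # SuspensionReason carries the time as text, as in the sample
                since = datetime.strptime(match.group(0), "%Y-%m-%dT%H:%M:%SZ")
                delta = now - since.replace(tzinfo=timezone.utc)
                age_hours = round(delta.total_seconds() / 3600, 1)
            findings.append({"group": group["AutoScalingGroupName"],
                             "process": proc["ProcessName"],
                             "age_hours": age_hours})
    findings.sort(key=lambda f: (f["age_hours"] is not None, -(f["age_hours"] or 0)))
    return findings


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no input to see the constructed sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    results = suspended_processes(raw)
    for f in results:
        age = "unknown" if f["age_hours"] is None else f"{f['age_hours']}h"
        print(f"{f['group']}\t{f['process']}\tsuspended for {age}")
    sys.exit(1 if results else 0)
```

The non-zero exit status when anything is suspended lets the script act as a gate in a scheduled job; run it once per region, as in step 6.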

Remediation / Resolution

To resume any auto scaling processes suspended within your Amazon ASGs after the application and/or environment remediation process is complete, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the Auto Scaling Group that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Details tab from the dashboard bottom panel and click the Edit button to edit the selected ASG configuration.

06 Remove the suspended auto scaling process available within Suspended Processes box by clicking the X button inside the process widget. Repeat this step to remove (resume) as many suspended processes as required.

07 Click the Save button from the top-right corner to save the changes. The selected auto scaling processes removed at the previous step should be successfully resumed.

08 Repeat steps no. 4 – 7 to reconfigure other ASGs, available in the current region, to resume suspended auto scaling processes.

09 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run resume-processes command (OSX/Linux/UNIX) using the name of the Amazon ASG that you want to reconfigure as identifier (see Audit section part II to identify the right resource) to resume suspended auto scaling processes. To resume a certain process, you need to specify the name of the process as the value for the --scaling-processes parameter. The valid auto scaling processes are: Launch, Terminate, HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions and AddToLoadBalancer. To resume all the suspended auto scaling processes, just omit the --scaling-processes parameter (the command does not produce an output):

aws autoscaling resume-processes \
	--region us-east-1 \
	--auto-scaling-group-name cc-web-prod-asg \
	--scaling-processes Launch

02 Repeat step no. 1 to reconfigure other AWS ASGs, available in the current region, to resume suspended auto scaling processes.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the process for other regions.

Publication date Nov 21, 2017
