|   Trend Micro Cloud One™
Open menu

Web-Tier Auto Scaling Group associated ELB

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Knowledge Base Amazon Web Services AWS Auto Scaling Web-Tier Auto Scaling Group associated ELB
Risk level: Medium (not acceptable risk)
Rule ID: ASG-013

Ensure that your web-tier Auto Scaling Groups (ASGs) have associated Elastic Load Balancers (ELBs) to equally distribute incoming traffic across all EC2 instances available within the ASG and help provide high availability for your web applications. This conformity rule assumes that all AWS resources (including AWS ASGs) created for your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> is the tag name and <web_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be well known and configured in the rule settings, on your Cloud Conformity account dashboard.

This rule can help you with the following compliance standards:

  • APRA

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Attaching AWS Elastic Load Balancers (ELBs) to your web-tier Auto Scaling Groups (ASGs) can help you maintain the availability of the EC2 compute resources in the event of a failure and improve scaling for the instances behind the load balancers (also known as backend instances).

Audit

To determine if your web-tier ASGs have associated ELBs, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Web-Tier Auto Scaling Group associated ELB rule settings and identify the tag set defined for all AWS resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

05 Select the Auto Scaling Group that you want to examine.

06 Select the Tags tab from the dashboard bottom panel.

07 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <web_tier_tag> : <web_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged at all, the selected ASG is not a component of your web tier and the audit process ends here. If the tag sets match, the selected resource is a web-tier Auto Scaling Group and the audit process continues with the next step.

08 Select Details tab from the dashboard bottom panel to access the ASG resource configuration details.

09 Check the current value set for the Load Balancers configuration attribute, listed on the Details panel. If the Load Balancers attribute has no value assigned, there are no AWS Elastic Load Balancers associated with the selected web-tier Auto Scaling Group.

10 Repeat steps no. 5 – 9 to check other web-tier ASGs, available in the selected region, for associated ELBs.

11 Change the AWS region from the navigation bar and repeat steps no. 5 – 10 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Web-Tier Auto Scaling Group associated ELB rule settings and identify the tag set defined for all AWS resources available within your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups provisioned within the selected AWS region: 

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--output table
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

03 The command output should return a table with the requested resource name(s): 

-----------------------------
| DescribeAutoScalingGroups |
+---------------------------+
| cc-frontend-app-asg       |
| cc-test-autoscaling-group |
| cc-web-autoscaling-group  |
+---------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the ASG that you want to examine as identifier and custom query filters to describe the tags defined for the selected Auto Scaling Group: 

aws autoscaling describe-tags
	--region us-east-1
	--filters "Name=auto-scaling-group,Values=cc-frontend-app-asg"
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. [], as shown in the example below, the verified ASG is not tagged, therefore the audit process for the selected resource ends here: 
    []
  2. If the command output returns a set of tags that is different than the one identified at step no. 1, as shown in the example below, the verified AWS Auto Scaling Group does not belong to your web tier, therefore the audit process for the selected resource ends here: 
    [
    {
        "Value": "Name",
        "Key": "WebProjectASG"
    }
]
  3. If the describe-tags command output returns a set of tags that match the one identified at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified Amazon ASG is tagged as a web-tier resource, therefore the audit process continues with the next step: 
    [
    {
        "Key": "<web_tier_tag>",
        "Value": "<web_tier_tag_value>"
    }
]

06 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the ASG resource that you want to examine as identifier and custom query filters to get the name(s) of the load balancer(s) associated with the selected web-tier ASG: 

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--auto-scaling-group-names cc-frontend-app-asg
	--query 'AutoScalingGroups[*].LoadBalancerNames[]'

07 The command output should return an array with the requested identifier(s) or an empty array if there are no load balancers attached to the specified ASG: 

[
    "cc-app-launch-config"
]

If the command output returns an empty array (i.e. []), as shown in the example above, there are no Elastic Load Balancers associated with the selected web-tier Auto Scaling Group.

08 Repeat step no. 6 and 7 to verify other web-tier ASGs, created in the selected region, for associated ELBs.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.

Remediation / Resolution

To create an AWS Elastic Load Balancer (ELB) and associate it with your web-tier Auto Scaling Group (ASG), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under LOAD BALANCING, choose Load Balancers.

04 Click Create Load Balancer button from the dashboard top menu to start the setup process for your new load balancer.

05 On Select load balancer type page, inside the Classic Load Balancer section, click Create.

06 On Step 1: Define Load Balancer page, perform the following:

  1. Type a name for the new ELB inside the Load Balancer name box.
  2. Select the VPC that will host the load balancer from the Create LB inside dropdown list. Both your ELB and web-tier ASG must share the same VPC.
  3. Select Enable advanced VPC configuration checkbox and choose the Availability Zones where you wish that the application traffic to be routed by the load balancer.
  4. In the Load Balancer Protocol section, use the Add button to add more protocols (if required by your web application).
  5. Click Next: Assign Security Groups to continue the setup process.

07 On Step 2: Assign Security Groups page, select Create a new security group, provide a name and a description for the new security group then add the necessary inbound and outbound rules based on your web application requirements using the Add Rule button. Once configured, click Next: Configure Security Settings.

08 On Step 3: Configure Security Settings page, configure the HTTPS/SSL listeners if you want your traffic to be routed using HTTPS/SSL. Once you have configured the security settings available on this page, click Next: Configure Health Check to continue.

09 On Step 4: Configure Health Check page, customize the load balancer health check or use the defaults settings then click Next: Add EC2 Instances.

10 On Step 5: Add EC2 Instances page, select Enable Cross-Zone Load Balancing and Enable Connection Draining then click the Next: Add Tags button. Avoid selecting any EC2 instances at this point as the load balancer will add them automatically once the resource is attached to your web-tier ASG.

11 Define the necessary web-tier tags (e.g. <web_tier_tag>:<web_tier_tag_value>) for the new load balancer on Step 6: Add Tags page, then click Review and Create button to continue the process.

12 On Step 7: Review page, review your ELB configuration details then click Create to build the new load balancer. Once your AWS Elastic Load Balancer is successfully created, click Close to return to the EC2 dashboard.

13 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

14 Select the web-tier Auto Scaling Group that you want to reconfigure (see Audit section part I to identify the right ASG resource).

15 Select the Details tab from the dashboard bottom panel and click Edit to update the group configuration.

16 Click inside the Load Balancers box and select the name of the load balancer created at the previous steps.

17 Click Save to apply the configuration changes and associate the new ELB with the selected web-tier ASG.

18 Repeat steps no. 3 – 17 to create new AWS Elastic Load Balancers (if required) and integrate them with other web-tier Auto Scaling Groups, provisioned in the current region.

19 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Execute describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the web-tier ASG that you want to reconfigure as identifier to describe its configuration information, required later when the new ELB will be created and attached to the selected ASG: 

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--auto-scaling-group-name cc-frontend-app-asg

02 The command output should return the requested configuration details: 

{
    "AutoScalingGroups": [
        {
            "AutoScalingGroupName": "cc-frontend-app-asg",
            "LoadBalancerNames": [],
            "DefaultCooldown": 300,
            "HealthCheckGracePeriod": 300,
            "TerminationPolicies": [
                "Default"
            ],

            ...

            "LaunchConfigurationName": "cc-web-app-launch-config",
            "CreatedTime": "2018-01-11T14:34:27.541Z",
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b",
                "us-east-1c",
                "us-east-1d",
            ],
            "HealthCheckType": "EC2",
            "NewInstancesProtectedFromScaleIn": false
        }
    ]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up the security group required by the new AWS ELB. The following command example creates a security group named "cc-load-balancer-sg" inside a VPC identified by the ID vpc-abcdabcd, available in the US East region: 

aws ec2 create-security-group
	--region us-east-1
	--group-name cc-load-balancer-sg
	--description "AWS ELB Security Group"
	--vpc-id vpc-abcdabcd

04 The command output should return the ID of the new security group: 

{
    "GroupId": "sg-1234abcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the security group ID returned at the previous step as identifier, to configure the inbound rules based on your web application requirements (the command does not produce an output): 

aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-1234abcd
	--protocol tcp
	--port 80
	--cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the new security group as identifier to configure the outbound rules based on your application requirements (the command does not return an output): 

aws ec2 authorize-security-group-egress
	--region us-east-1
	--group-id sg-1234abcd
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run create-load-balancer command (OSX/Linux/UNIX) using the configuration information returned at step no. 2 and 4 as input for command parameters, to create a new Elastic Load Balancer that will be associated later with your web-tier Auto Scaling Group (replace <web_tier_tag>:<web_tier_tag_value> with your own tag set): 

aws elb create-load-balancer
	--region us-east-1
	--load-balancer-name cc-web-asg-load-balancer
	--listeners "Protocol=HTTP,LoadBalancerPort=80,InstanceProtocol=HTTP,InstancePort=80"
	--subnets "subnet-aabb1234" "subnet-bbaa1234" "subnet-bbcc1234" "subnet-ccbb1234"
	--security-groups sg-1234abcd
	--tags Key=<web_tier_tag>,Value=<web_tier_tag_value>

08 The command output should return the DNS name of the new AWS ELB: 

{
   "DNSName": "cc-web-asg-load-balancer-123456789012.us-east-1.elb.amazonaws.com"
}

09 Run attach-load-balancers command (OSX/Linux/UNIX) to attach the new AWS Elastic Load Balancer created at the previous steps to the specified web-tier Auto Scaling Group (the command does not produce an output): 

aws autoscaling attach-load-balancers
	--region us-east-1
	--load-balancer-names cc-web-asg-load-balancer
	--auto-scaling-group-name cc-frontend-app-asg

10 Repeat steps no. 1 – 9 to provision new AWS Elastic Load Balancers (if required) and integrate them with other web-tier Auto Scaling Groups, created within the current region.

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 10 to perform the entire process for other regions.

References

Publication date Apr 1, 2018

Related AutoScaling rules

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base

Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Web-Tier Auto Scaling Group associated ELB

Risk level: Medium