App-Tier ELBs Health Check

Risk level: High (not acceptable risk)

Rule ID: ELB-022

Ensure that your app-tier Elastic Load Balancers (ELBs) are using the right health check configuration in order to monitor the availability of the EC2 instances registered to the ELBs through application layer. An application layer health check is an HTTP-based test performed periodically by an AWS ELB to determine the availability of the EC2 instances associated with the load balancer. The status of the backend instances that are healthy at the time of the health check is set to "InService" and the status of any instances that are unhealthy at the time of the health check is set to "OutOfService". When an AWS ELB determines that an EC2 backend instance is unhealthy, it stops routing requests to that instance. The ELB resource resumes routing requests to the backend instance when it has been restored to a healthy state. This conformity rule assumes that all AWS resources created in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Improve the reliability of the applications behind your app-tier ELBs by using the appropriate health check configuration. Cloud Conformity recommends that you always use application layer health checks instead of TCP health checks for your app-tier load balancers.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if your app-tier ELBs are using the suitable health check configuration, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access App-Tier ELBs Health Check conformity rule settings and copy the tags defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <app_tier_tag> : <app_tier_tag_value>) and press Enter. This filtering procedure will return only the ELBs tagged for the app tier. If no results are returned, there are no ELBs tagged within your app tier and the audit process stops here. If the EC2 dashboard lists one or more load balancers, continue the audit with the next step.

06 Select the app-tier load balancer that you want to examine.

07 Select the Health Check tab from the bottom panel and verify the ELB health check configuration details. If the ping protocol used by the ELB is TCP or SSL, i.e. the Ping Target configuration attribute is set to TCP:<port_number> or SSL:<port_number>, the health check configuration set for the selected AWS ELB is not using HTTP-based checks (application level) to determine the health of the registered EC2 instances, therefore the current configuration is not suitable for your app-tier load balancer.

08 Repeat step no. 6 and 7 to verify the health check configuration for other load balancers created for your app tier in the selected AWS region.

09 Change the AWS region from the navigation bar and repeat steps no. 5 – 8 for other regions.

Using AWS CLI

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs provisioned in the selected AWS region:

aws elb describe-load-balancers
	--region us-east-1
	--output table
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names:

-------------------------
| DescribeLoadBalancers |
+-----------------------+
|  cc-application-elb   |
|  cc-legacy-app-elb    |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource:

aws elb describe-tags
	--region us-east-1
	--load-balancer-name cc-application-elb
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ELB is not tagged, therefore the audit process for the selected resource ends here:
```
[]
```
If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your app tier, therefore the audit process for the selected resource ends here:
```
[
    {
        "Value": "Environment",
        "Key": "Main Production"
    }
]
```
If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified AWS ELB is tagged as a app-tier resource, therefore the audit process continues with the next step:
```
[
    {
        "Value": "<app_tier_tag_value>",
        "Key": "<app_tier_tag>"
    }
]
```

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the app-tier ELB identified at the previous step to describe the configuration of the health checks conducted on the selected AWS ELB:

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name cc-application-elb
	--query 'LoadBalancerDescriptions[*].{HealthCheck:HealthCheck}'

07 The command output should return the requested configuration metadata:

[
    {
        "HealthCheck": {
            "HealthyThreshold": 3,
            "Interval": 25,
            "Target": "TCP:80",
            "Timeout": 3,
            "UnhealthyThreshold": 2
        }
    }
]

Check the ELB health check configuration details returned by the describe-load-balancer-policies command output. If the ping protocol used by the ELB is TCP or SSL, i.e. the "Target" configuration attribute is set to "TCP:<port_number>" or "SSL:<port_number>", as shown in the example above, the health checks are not HTTP-based, therefore the health check configuration for the selected ELB resource is not suitable for your app-tier load balancer.

08 Repeat step no. 6 and 7 to verify the health check configuration for other ELBs provisioned for your app tier within the selected AWS region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the audit process for other regions.

Remediation / Resolution

To update your app-tier ELBs configuration in order to use application layer health checks instead of TCP health checks (where a specified TCP port is checked to make sure is accepting connections), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the app-tier ELB that you want to reconfigure (see Audit section part I to identify the right load balancer).

05 Select the Health Check tab from the bottom panel and click Edit Health Check to start the configuration update process.

06 In the Configure Health Check dialog box, select HTTP or HTTPS from the Ping Protocol dropdown list and configure the Ping Port and Ping Path attributes based on your requirements. In the Advanced Details section, leave the default settings unchanged or customize the health check settings to meet your specific needs. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 to enable application layer health checks for other app-tier ELBs available in the selected region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

Using AWS CLI

01 Run configure-health-check command (OSX/Linux/UNIX) to configure the health check settings to use when evaluating the health state of the EC2 instances behind your app-tier ELB (see Audit section part II to identify the right ELB). The following command example updates the health check settings for a load balancer named "cc-application-elb" using an HTTP-based configuration (i.e. HTTP ping target with the port set to 80 and the path set to "/index.html"):

aws elb configure-health-check
	--region us-east-1
	--load-balancer-name cc-application-elb
	--health-check Target=HTTP:80/index.html,Interval=30,UnhealthyThreshold=2,HealthyThreshold=10,Timeout=5

02 The command output should return the metadata for the new ELB health check configuration:

{
    "HealthCheck": {
        "HealthyThreshold": 3,
        "Interval": 25,
        "Target": "HTTP:80/index.html",
        "Timeout": 3,
        "UnhealthyThreshold": 2
    }
}

03 Repeat step no. 1 and 2 to enable application layer health checks for other app-tier ELBs available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

References

AWS Command Line Interface (CLI) Documentation
elb
describe-load-balancers
describe-tags
configure-health-check

Publication date Mar 13, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

App-Tier ELBs Health Check

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ELB rules