Web-Tier ELBs Health Check

Risk level: High (not acceptable risk)

Rule ID: ELB-021

Ensure that your web-tier Elastic Load Balancers (ELBs) are using the appropriate health check configuration in order to monitor the availability of the EC2 instances associated with the ELBs through application layer. An application layer health check is an HTTP-based test performed periodically by an AWS ELB to determine the availability of the EC2 instances registered to the load balancer. The status of the backend instances that are healthy at the time of the health check is "InService" and the status of any instances that are unhealthy at the time of the health check is "OutOfService". When an AWS ELB determines that an EC2 backend instance is unhealthy, it stops routing requests to that instance. The load balancer resumes routing requests to the backend instance when it has been restored to a healthy state. This conformity rule assumes that all AWS resources (including ELBs) created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> is the tag name and <web_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Improve the reliability of the web applications behind your web-tier ELBs by using the right health check configuration. Cloud Conformity recommends that you always use application layer (HTTP(S)) health checks instead of TCP health checks (where a specified TCP port is probed to make sure is accepting connections) for your web-tier load balancers.

Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.

Audit

To determine if your web-tier ELBs are using the right health check configuration, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Web-Tier ELBs Health Check conformity rule settings and copy the tag set defined for AWS resources available in your web tier (e.g. <web_tier_tag>:<web_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under LOAD BALANCING, click Load Balancers.

05 Paste the tag set copied at step no. 1 in the Filter by tags and attributes or search by keyword box, then add a space before and after the separation colon (i.e. <web_tier_tag> : <web_tier_tag_value>) and press Enter. This filtering method will return only the ELBs tagged for the web tier. If no results are returned, there are no ELBs tagged within your web tier and the audit process ends here. If the EC2 dashboard lists one or more load balancers, continue the audit with the next step.

06 Select the web-tier load balancer that you want to examine.

07 Select the Health Check tab from the bottom panel and verify the ELB health check configuration details. If the ping protocol used by the ELB is TCP or SSL, i.e. the Ping Target configuration attribute is set to TCP:<port_number> or SSL:<port_number>, the health check configuration set for the selected AWS ELB is not using HTTP-based checks (performed at application level) to determine the health of the registered EC2 instances, therefore the current configuration is not suitable for your web-tier load balancer.

08 Repeat step no. 6 and 7 to verify the health check configuration for other load balancers created for your web tier in the selected AWS region.

09 Change the AWS region from the navigation bar and repeat steps no. 5 – 8 for other regions.

Using AWS CLI

02 Run describe-load-balancers command (OSX/Linux/UNIX) to list the names of all AWS ELBs provisioned in the selected AWS region:

aws elb describe-load-balancers
	--region us-east-1
	--output table
	--query 'LoadBalancerDescriptions[*].LoadBalancerName'

03 The command output should return a table with the requested ELB names:

-------------------------
| DescribeLoadBalancers |
+-----------------------+
|  cc-web-project-elb   |
|  cc-frontend-elb      |
+-----------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as identifier and custom query filters to describe the tags defined for the selected ELB resource:

aws elb describe-tags
	--region us-east-1
	--load-balancer-name cc-web-project-elb
	--query 'TagDescriptions[*].Tags[]'

05 The command request should return one of the following outputs:

If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ELB is not tagged, therefore the audit process for the selected resource ends here:
```
[]
```
If the command output returns a set of tags that is different than the one copied at step no. 1, as shown in the example below, the verified ELB does not belong to your web tier, therefore the audit process for the selected resource ends here:
```
[
    {
        "Value": "Role",
        "Key": "Frontend Load Balancer"
    }
]
```
If the describe-tags command output returns a set of tags that match the one copied at step no. 1 (e.g. <web_tier_tag>:<web_tier_tag_value>), as shown in the example below, the verified AWS ELB is tagged as a web-tier resource, therefore the audit process continues with the next step:
```
[
    {
        "Value": "<web_tier_tag_value>",
        "Key": "<web_tier_tag>"
    }
]
```

06 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the web-tier ELB identified at the previous step to describe the configuration of the health checks conducted on the selected load balancer:

aws elb describe-load-balancers
	--region us-east-1
	--load-balancer-name cc-web-project-elb
	--query 'LoadBalancerDescriptions[*].{HealthCheck:HealthCheck}'

07 The command output should return the requested configuration metadata:

[
    {
        "HealthCheck": {
            "HealthyThreshold": 10,
            "Interval": 30,
            "Target": "TCP:80",
            "Timeout": 5,
            "UnhealthyThreshold": 2
        }
    }
]

Check the ELB health check configuration details returned by the describe-load-balancer-policies command output. If the ping protocol used by the ELB is either TCP or SSL, i.e. the "Target" configuration attribute is set to "TCP:<port_number>" or "SSL:<port_number>", as shown in the example above, the health checks are not HTTP-based, therefore the health check configuration for the selected ELB resource is not suitable for your web-tier load balancer.

08 Repeat step no. 6 and 7 to verify the health check configuration for other ELBs provisioned for your web tier in the selected AWS region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To update your web-tier ELBs configuration in order to use application layer health checks instead of TCP health checks, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the web-tier ELB that you want to reconfigure (see Audit section part I to identify the right ELB resource).

05 Select the Health Check tab from the bottom panel and click Edit Health Check to initiate the configuration update process.

06 Within Configure Health Check dialog box, select HTTP or HTTPS from the Ping Protocol dropdown list and configure the Ping Port and Ping Path attributes based on your requirements. In the Advanced Details section, leave the default settings unchanged or customize the health check settings to meet your specific needs. Click Save to apply the changes and return to the EC2 dashboard.

07 Repeat steps no. 4 – 6 to enable application layer health checks for other web-tier ELBs available in the selected region.

08 Change the AWS region from the navigation bar and repeat steps no. 4 – 7 for other regions.

Using AWS CLI

01 Run configure-health-check command (OSX/Linux/UNIX) to configure the health check settings to use when evaluating the health state of the EC2 instances behind your web-tier ELB (see Audit section part II to identify the right resource). The following command example updates the health check configuration for a load balancer named "cc-web-project-elb" using an HTTP-based ping target with the port set to 80 and the path set to "/index.html":

aws elb configure-health-check
	--region us-east-1
	--load-balancer-name cc-web-project-elb
	--health-check Target=HTTP:80/index.html,Interval=30,UnhealthyThreshold=2,HealthyThreshold=10,Timeout=5

02 The command output should return the metadata for the updated ELB health check configuration:

{
    "HealthCheck": {
        "HealthyThreshold": 10,
        "Interval": 30,
        "Target": "HTTP:80/index.html",
        "Timeout": 5,
        "UnhealthyThreshold": 2
    }
}

03 Repeat step no. 1 and 2 to enable application layer health checks for other web-tier ELBs provisioned in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 for other regions.

References

AWS Command Line Interface (CLI) Documentation
elb
describe-load-balancers
describe-tags
configure-health-check

Publication date Mar 8, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Web-Tier ELBs Health Check

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related ELB rules