Ensure that your web-tier Elastic Load Balancers (ELBs) are using the appropriate health check configuration in order to monitor the availability of the EC2 instances associated with the ELBs through application layer. An application layer health check is an HTTP-based test performed periodically by an AWS ELB to determine the availability of the EC2 instances registered to the load balancer. The status of the backend instances that are healthy at the time of the health check is "InService" and the status of any instances that are unhealthy at the time of the health check is "OutOfService". When an AWS ELB determines that an EC2 backend instance is unhealthy, it stops routing requests to that instance. The load balancer resumes routing requests to the backend instance when it has been restored to a healthy state. This conformity rule assumes that all AWS resources (including ELBs) created within your web tier are tagged with <web_tier_tag>:<web_tier_tag_value>, where <web_tier_tag> is the tag name and <web_tier_tag_value> is the tag value. Prior to running this rule by the Cloud Conformity engine, the web-tier tags must be configured in the rule settings, on your Cloud Conformity account dashboard.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Improve the reliability of the web applications behind your web-tier ELBs by using the right health check configuration. Cloud Conformity recommends that you always use application layer (HTTP(S)) health checks instead of TCP health checks (where a specified TCP port is probed to make sure is accepting connections) for your web-tier load balancers.
Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
Audit
To determine if your web-tier ELBs are using the right health check configuration, perform the following:
Remediation / Resolution
To update your web-tier ELBs configuration in order to use application layer health checks instead of TCP health checks, perform the following:
References
- AWS Documentation
- What Is Elastic Load Balancing?
- Configure Health Checks for Your Classic Load Balancer
- Troubleshoot a Classic Load Balancer: Health Checks
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- elb
- describe-load-balancers
- describe-tags
- configure-health-check
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
for and
Get started for FREE
You are auditing:
Web-Tier ELBs Health Check
Risk level: High