Rule: Auto Scaling groups with a load balancer should use health checks

Ensure compliance by configuring health checks for Auto Scaling groups with load balancers.

Rule: Auto Scaling groups with a load balancer should use health checks
Framework: FedRAMP Moderate Revision 4
Severity: Critical

Auto Scaling Groups with Load Balancer Health Checks for FedRAMP Moderate Revision 4

Overview of the Rule

FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 includes requirements for ensuring the robustness and resilience of cloud-hosted services. AWS Auto Scaling groups that are integrated with Elastic Load Balancers (ELBs) should be configured to use the load balancer's health checks. This enhances the reliability of the service by ensuring that only healthy instances receive traffic. Combining ELB health checks with Auto Scaling means that instances which fail health checks are replaced automatically, maintaining the desired capacity and performance.

Troubleshooting Steps

Step 1: Verify Health Check Configuration

  • Start by inspecting the health check settings of the Auto Scaling group and of the Elastic Load Balancer attached to it. Make sure the group's health check type is set to ELB, so that it evaluates the load balancer's health checks in addition to the EC2 status checks.

Step 2: Verify Status of Instances

  • Check the status of the instances in the Auto Scaling group. Ensure that they are passing the health checks. If any instances are unhealthy, they should be terminated and replaced automatically by Auto Scaling.

Step 3: Review Auto Scaling Group Events

  • Audit the activity history in the Auto Scaling group for any failures or errors during scaling events. Look for patterns that could indicate configuration issues or problems with the application's health check endpoint.

If issues persist:

  • Consult AWS documentation for specific error codes and messages.
  • Verify security group and network ACL settings to ensure health check traffic is allowed.
  • Confirm that the application endpoints used in the health checks are responding correctly.

Necessary Codes and CLI Commands

Configuring Health Checks with CLI

The AWS Command Line Interface (CLI) can be used to configure health checks for an Auto Scaling group.

Step 1: Configure the Health Check Type

aws autoscaling update-auto-scaling-group \
  --auto-scaling-group-name my-auto-scaling-group \
  --health-check-type ELB \
  --health-check-grace-period 300

The code above sets the health check type to ELB and specifies a grace period of 300 seconds (5 minutes).

Step 2: Configure Health Checks for the Load Balancer

aws elbv2 modify-target-group \
  --target-group-arn YOUR_TARGET_GROUP_ARN \
  --healthy-threshold-count 3 \
  --unhealthy-threshold-count 3

The command updates the target group's health check settings to specify the threshold counts for healthy and unhealthy states.

Step by Step Guide for Remediation

Step 1: Review and Enhance Health Check Settings

  • Check the current health check settings on your ELB and Auto Scaling group.
  • Adjust the thresholds and intervals for health checks to ensure timely detection of unhealthy instances.

Step 2: Apply the Health Check Configuration to Auto Scaling

  • Apply the health check settings using the AWS CLI or AWS Management Console.
  • Confirm that the Auto Scaling group acknowledges the ELB health check settings.

Step 3: Test and Monitor

  • After changes are applied, monitor the Auto Scaling group and the load balancer to ensure instances are correctly registered and traffic is being distributed to healthy instances.
  • Implement CloudWatch alarms for notification of any health check failures and scaling activities.

Following these steps and implementing the outlined commands should ensure compliance with FedRAMP Moderate Revision 4 requirements for Auto Scaling groups with load balancers. Remember to perform these tasks in a manner that is consistent with your organization's change management policies and security guidelines.
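
As an added example (not part of the original page or of any vendor tooling), the following Python script evaluates the JSON returned by aws autoscaling describe-auto-scaling-groups and lists every group that has a load balancer attached but no ELB health check. The sample data, including group names and ARNs, is constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `aws autoscaling describe-auto-scaling-groups`
# output. Group names, load balancer names and ARNs are made up.
TG = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/example/0123456789abcdef"
SAMPLE = {
    "AutoScalingGroups": [
        {"AutoScalingGroupName": "web-asg", "HealthCheckType": "EC2",
         "LoadBalancerNames": [], "TargetGroupARNs": [TG]},
        {"AutoScalingGroupName": "api-asg", "HealthCheckType": "ELB",
         "LoadBalancerNames": [], "TargetGroupARNs": [TG]},
        {"AutoScalingGroupName": "batch-asg", "HealthCheckType": "EC2",
         "LoadBalancerNames": [], "TargetGroupARNs": []},
        {"AutoScalingGroupName": "legacy-asg", "HealthCheckType": "EC2",
         "LoadBalancerNames": ["legacy-classic-elb"], "TargetGroupARNs": []},
        {"AutoScalingGroupName": "multi-asg", "HealthCheckType": "EC2,ELB",
         "LoadBalancerNames": [], "TargetGroupARNs": [TG]},
    ]
}

def uses_load_balancer(group):
    """True if a Classic Load Balancer or a target group is attached."""
    return bool(group.get("LoadBalancerNames") or group.get("TargetGroupARNs"))

def has_elb_health_check(group):
    """HealthCheckType may be a comma-separated list, e.g. 'EC2,ELB'."""
    raw = group.get("HealthCheckType") or ""
    return "ELB" in {t.strip().upper() for t in raw.split(",")}

def noncompliant_groups(describe_output):
    """Names of groups behind a load balancer that lack the ELB health check."""
    return [
        g["AutoScalingGroupName"]
        for g in describe_output.get("AutoScalingGroups", [])
        if uses_load_balancer(g) and not has_elb_health_check(g)
    ]

if __name__ == "__main__":
    # Read CLI output from stdin when piped; otherwise use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    failing = noncompliant_groups(data)
    for name in failing:
        print(f"NON_COMPLIANT {name}")
    sys.exit(1 if failing else 0)
```

To run it against a real account, pipe the CLI output into the script; it exits non-zero when any group fails the rule, so it can gate a pipeline step.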
