3.8 Ensure Web Tier Elastic Load Balancer has application layer Health Check Configured

Information

By default, an Auto-Scaling Group periodically uses the results of the EC2 instance status checks to determine the health status of each instance. If an instance fails the EC2 instance status checks, Auto-Scaling marks the instance as unhealthy and replaces the instance.

However, if you have attached one or more Elastic Load Balancing (ELB) load balancers to your Auto-Scaling Group and the instance fails the ELB health checks, Auto-Scaling does not replace the instance.

Amazon ELB will periodically sends pings, attempts connections, or sends requests to test the EC2 instances, these tests are called health checks.

The status of the instances that are healthy at the time of the health check is InService.

The status of any instances that are unhealthy at the time of the health check is OutOfService.

The load balancer performs health checks on all registered instances, whether the instance is in a healthy state or an unhealthy state.

The load balancer routes requests only to the healthy instances. When the load balancer determines that an instance is unhealthy, it stops routing requests to that instance. The load balancer resumes routing requests to the instance when it has been restored to a healthy state
Ensures availability of back-end EC2 instances associated with an Amazon ELB through application layer health check (ex: http) instead of TCP health checks.

Solution

Using the Amazon unified CLI:

* Create a JSON file containing the attributes you want to modify and save it locally as /tmp/ELBhealthcheck.json:

{
"Target": "_<string>_",
"Interval": _<integer>_,
"Timeout": _<integer>_,
"UnhealthyThreshold": _<integer>,_
"HealthyThreshold": _<integer>_
}

* Modify Web tier ELB to include appropriate health check:

aws elb configure-health-check --load-balancer-name _<web_tier_elb>_ --health-check file:///tmp/ELBhealthcheck.json

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6

Plugin: amazon_aws

Control ID: d08e6b4fa2185499a5ae27487f77340747ced55bc2fddae56abf05da756c87b5