Ensure Auto Scaling group being used with multiple Availability zones
You should define your ASG to use multiple Availability Zones in order to balance your instances across these zones.
Risk Level: Low
Cloud Entity: EC2 Auto Scaling Group
CloudGuard Rule ID: D9.AWS.NET.61
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
AutoScalingGroup should have vpcZoneIdentifier regexMatch /,/
REMEDIATION
From Portal:
- Open the Amazon EC2 console.
- From the sidebar, navigate to Auto Scaling and go to Auto Scaling Groups.
- Select the check box next to an existing group.
- On the Details tab, choose Network, Edit.
- In Subnets, choose the subnet corresponding to the Availability Zone.
- Choose Update.
From TF:
resource "aws_autoscaling_group" "example" {
- availability_zones = ["us-east-1a"]
+ vpc_zone_identifier = [aws_subnet.example1.id, aws_subnet.example2.id]
}
From Command Line:
To update the subnets of your ASG, use the following CLI command:
aws autoscaling update-auto-scaling-group --auto-scaling-group-name autoscaling_group_name --vpc-zone-identifier Subnets_IDs (comma-separated)
Note: Make sure that your ASG and ELB share the same AZ. This increases performance and decreases latency.
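The GSL logic above only tests for a comma in vpcZoneIdentifier, so two subnets that sit in the same Availability Zone would also satisfy it. The following is an added example, not CloudGuard's own code: it audits data shaped like the output of `aws autoscaling describe-auto-scaling-groups` and separates groups that fail the rule from groups that pass it while still running in one zone. The group names, subnet IDs and zones are constructed, and the check assumes the AvailabilityZones field lists the zones of the configured subnets.

```python
# Constructed sample, shaped like `aws autoscaling describe-auto-scaling-groups` output.
SAMPLE = {
    "AutoScalingGroups": [
        {"AutoScalingGroupName": "web-multi",
         "VPCZoneIdentifier": "subnet-aaa111,subnet-bbb222",
         "AvailabilityZones": ["us-east-1a", "us-east-1b"]},
        {"AutoScalingGroupName": "batch-single",
         "VPCZoneIdentifier": "subnet-aaa111",
         "AvailabilityZones": ["us-east-1a"]},
        # Two subnets, both in us-east-1a: the comma check passes anyway.
        {"AutoScalingGroupName": "api-same-az",
         "VPCZoneIdentifier": "subnet-aaa111,subnet-ccc333",
         "AvailabilityZones": ["us-east-1a"]},
    ]
}


def gsl_rule_passes(asg):
    """Same test as the GSL logic: vpcZoneIdentifier contains a comma."""
    return "," in (asg.get("VPCZoneIdentifier") or "")


def audit(described):
    """Return {group name: (status, sorted distinct zones)}.

    FAIL_RULE           - one subnet (or none), so the rule itself fails
    PASS_RULE_SINGLE_AZ - several subnets, but all in one zone
    OK                  - instances can be balanced across two or more zones
    """
    findings = {}
    for asg in described.get("AutoScalingGroups", []):
        zones = sorted(set(asg.get("AvailabilityZones") or []))
        if not gsl_rule_passes(asg):
            status = "FAIL_RULE"
        elif len(zones) < 2:
            status = "PASS_RULE_SINGLE_AZ"
        else:
            status = "OK"
        findings[asg["AutoScalingGroupName"]] = (status, zones)
    return findings


if __name__ == "__main__":
    for name, (status, zones) in audit(SAMPLE).items():
        print(f"{name:14} {status:20} {','.join(zones)}")
```

To audit a real account, load the JSON printed by the describe command and pass it to `audit()` in place of `SAMPLE`.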
References:
- https://docs.aws.amazon.com/autoscaling/ec2/userguide/auto-scaling-groups.html
- https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group
- https://docs.aws.amazon.com/cli/latest/reference/autoscaling/update-auto-scaling-group.html
EC2 Auto Scaling Group
An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management. An Auto Scaling group also enables you to use Amazon EC2 Auto Scaling features such as health check replacements and scaling policies. Both maintaining the number of instances in an Auto Scaling group and automatic scaling are the core functionality of the Amazon EC2 Auto Scaling service.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago