turbot/steampipe-mod-aws-compliance

Control: 1 Auto Scaling groups associated with a load balancer should use load balancer health checks

Description

This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.

PCI DSS does not require load balancing or highly available configurations. However, this check aligns with AWS best practices.

Remediation

To enable Elastic Load Balancing health checks

  1. Open the Amazon EC2 console
  2. On the navigation pane, under Auto Scaling, choose Auto Scaling Groups
  3. To select the group from the list, choose the right box
  4. Choose Edit
  5. For Health Check Type, choose ELB
  6. For Health Check Grace Period, enter 300
  7. Choose Save

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_autoscaling_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_autoscaling_1 --share

SQL

This control uses a named query:

select
  autoscaling_group_arn as resource,
  case
    when load_balancer_names is null and target_group_arns is null then 'alarm'
    when health_check_type != 'ELB' then 'alarm'
    else 'ok'
  end as status,
  case
    when load_balancer_names is null and target_group_arns is null then title || ' not associated with a load balancer.'
    when health_check_type != 'ELB' then title || ' does not use ELB health check.'
    else title || ' uses ELB health check.'
  end as reason,
  region,
  account_id
from
  aws_ec2_autoscaling_group;
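The query's decision order applied to AWS CLI output, together with the command-line form of remediation steps 5 to 7, as an added example that is not part of the mod's own code. It runs over constructed `aws autoscaling describe-auto-scaling-groups` output; the group name standing in for the query's `title` column and the treatment of an empty list as "no load balancer" are assumptions.

```python
import json
import shlex

# Constructed sample shaped like `aws autoscaling describe-auto-scaling-groups`
# output; group names, load balancer names and ARNs are made up.
SAMPLE = json.loads("""
{"AutoScalingGroups": [
  {"AutoScalingGroupName": "web-asg", "LoadBalancerNames": [],
   "TargetGroupARNs": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web/0123456789abcdef"],
   "HealthCheckType": "EC2", "HealthCheckGracePeriod": 0},
  {"AutoScalingGroupName": "api-asg", "LoadBalancerNames": ["api-clb"],
   "TargetGroupARNs": [], "HealthCheckType": "ELB", "HealthCheckGracePeriod": 300},
  {"AutoScalingGroupName": "batch-asg", "LoadBalancerNames": [],
   "TargetGroupARNs": [], "HealthCheckType": "EC2", "HealthCheckGracePeriod": 300}
]}
""")

def has_load_balancer(group):
    # Assumption: an empty or missing list means nothing is attached.
    return bool(group.get("LoadBalancerNames")) or bool(group.get("TargetGroupARNs"))

def evaluate(group):
    """Return (status, reason) in the same CASE order as the control query."""
    name = group["AutoScalingGroupName"]  # stands in for the query's title column
    if not has_load_balancer(group):
        return "alarm", f"{name} not associated with a load balancer."
    if group.get("HealthCheckType") != "ELB":
        return "alarm", f"{name} does not use ELB health check."
    return "ok", f"{name} uses ELB health check."

def remediation_command(group, grace_period=300):
    """CLI form of console steps 5-7; None when that change would not clear the finding."""
    if not has_load_balancer(group) or group.get("HealthCheckType") == "ELB":
        return None
    return shlex.join([
        "aws", "autoscaling", "update-auto-scaling-group",
        "--auto-scaling-group-name", group["AutoScalingGroupName"],
        "--health-check-type", "ELB",
        "--health-check-grace-period", str(grace_period),
    ])

def report(doc):
    return [(g["AutoScalingGroupName"], *evaluate(g), remediation_command(g))
            for g in doc["AutoScalingGroups"]]

if __name__ == "__main__":
    for name, status, reason, cmd in report(SAMPLE):
        print(f"{status:5} {reason}" + (f"  fix: {cmd}" if cmd else ""))
```

A group with no load balancer attached stays in alarm under this query whatever its health check type, so no command is generated for it.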
