turbot/steampipe-mod-aws-compliance

Control: 7 Classic Load Balancers should have connection draining enabled

Description

This control checks whether Classic Load Balancers have connection draining enabled.

Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren’t severed abruptly.

Remediation

To enable connection draining on Classic Load Balancers, follow the steps in Configure connection draining for your Classic Load Balancer in the User Guide for Classic Load Balancers.
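
An added example, not part of the mod or the AWS guide: this Python script applies the control's ok/alarm logic to constructed `aws elb describe-load-balancer-attributes` output and builds the `aws elb modify-load-balancer-attributes` command for each failing load balancer. The load balancer names, the region and the 300-second timeout are assumptions.

```python
import json
import shlex

# Constructed sample: response shape of
#   aws elb describe-load-balancer-attributes --load-balancer-name <name>
# keyed by hypothetical load balancer names.
SAMPLE_ATTRIBUTES = {
    "web-classic": '{"LoadBalancerAttributes": {"ConnectionDraining": {"Enabled": false, "Timeout": 300}}}',
    "api-classic": '{"LoadBalancerAttributes": {"ConnectionDraining": {"Enabled": true, "Timeout": 120}}}',
    "legacy-classic": '{"LoadBalancerAttributes": {"CrossZoneLoadBalancing": {"Enabled": true}}}',
}

DEFAULT_TIMEOUT = 300  # assumption: seconds allowed for in-flight requests to finish


def evaluate(name, attributes_json):
    """Return (status, reason) with the same ok/alarm split as the control."""
    attrs = json.loads(attributes_json).get("LoadBalancerAttributes", {})
    # A missing ConnectionDraining block is treated as disabled (fail closed).
    enabled = attrs.get("ConnectionDraining", {}).get("Enabled") is True
    if enabled:
        return "ok", f"{name} connection draining enabled."
    return "alarm", f"{name} connection draining disabled."


def remediation_command(name, region, timeout=DEFAULT_TIMEOUT):
    """Build the AWS CLI call that enables draining on one load balancer."""
    if not 1 <= timeout <= 3600:  # range accepted by Classic Load Balancers
        raise ValueError("timeout must be between 1 and 3600 seconds")
    attrs = json.dumps({"ConnectionDraining": {"Enabled": True, "Timeout": timeout}})
    argv = ["aws", "elb", "modify-load-balancer-attributes",
            "--region", region,
            "--load-balancer-name", name,
            "--load-balancer-attributes", attrs]
    return shlex.join(argv)  # shell-quoted so the JSON survives copy and paste


def plan(sample, region):
    """Map each load balancer in alarm to its remediation command."""
    return {name: remediation_command(name, region)
            for name, doc in sample.items()
            if evaluate(name, doc)[0] == "alarm"}


if __name__ == "__main__":
    for command in plan(SAMPLE_ATTRIBUTES, "us-east-1").values():
        print(command)
```

Re-run the control after applying the commands to confirm the affected load balancers report `ok`.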

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_elb_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_elb_7 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when connection_draining_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when connection_draining_enabled then title || ' connection draining enabled.'
    else title || ' connection draining disabled.'
  end as reason,
  region,
  account_id
from
  aws_ec2_classic_load_balancer;

Tags