Auto Scaling Group with no associated ELB

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Auto Scaling Group with no associated ELB

Metadata

Id: 050f085f-a8db-4072-9010-2cca235cc02f

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Availability

Learn More

Provider Reference

Description

Auto Scaling Groups must be associated with a load balancer so new instances receive traffic and health checks can detect and replace unhealthy instances. Without a load balancer, instances may not serve requests, and application availability and scaling behavior can be impacted.

For Ansible autoscaling_group tasks (modules amazon.aws.autoscaling_group and autoscaling_group), the load_balancers property must be defined and set to a non-empty list of Classic ELB names. Tasks missing the load_balancers property or with load_balancers: [] are flagged. If you use Application Load Balancers with target groups instead of Classic ELBs, configure target_group_arns accordingly—this rule only validates the load_balancers attribute.

Secure example:

- name: Create Auto Scaling Group with ELB
  amazon.aws.autoscaling_group:
    name: my-asg
    launch_template: my-launch-template
    min_size: 2
    max_size: 5
    load_balancers:
      - my-classic-elb

Compliant Code Examples

- name: elb12
  amazon.aws.autoscaling_group:
    name: special
    load_balancers: [ 'lb1', 'lb2' ]
    availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
    launch_config_name: 'lc-1'
    min_size: 1
    max_size: 10
    desired_capacity: 5
    vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
    tags:
      - environment: production
        propagate_at_launch: no

- name: elb22
  amazon.aws.autoscaling_group:
    name: special
    load_balancers: [ 'lb1', 'lb2' ]
    availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
    launch_config_name: 'lc-1'
    min_size: 1
    max_size: 10
    desired_capacity: 5
    vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
    tags:
      - environment: production
        propagate_at_launch: no

Non-Compliant Code Examples

- name: elb2
  amazon.aws.autoscaling_group:
    name: special
    availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
    launch_config_name: 'lc-1'
    min_size: 1
    max_size: 10
    desired_capacity: 5
    vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
    tags:
      - environment: production
        propagate_at_launch: no

- name: elb1
  amazon.aws.autoscaling_group:
    name: special
    load_balancers: []
    availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
    launch_config_name: 'lc-1'
    min_size: 1
    max_size: 10
    desired_capacity: 5
    vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
    tags:
      - environment: production
        propagate_at_launch: no