--- title: Auto Scaling group with no associated ELB description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Auto Scaling group with no associated ELB --- # Auto Scaling group with no associated ELB {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-auto-scaling-group-with-no-associated-elb` **Provider:** AWS **Platform:** CloudFormation **Severity:** Medium **Category:** Availability #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html) ### Description{% #description %} Auto Scaling groups must be associated with a load balancer to distribute traffic and maintain availability during scaling and instance replacement. Without a load balancer, instances can become single points of failure and traffic may be routed unevenly. In CloudFormation, the `AWS::AutoScaling::AutoScalingGroup` resource must define the `LoadBalancerNames` property, and it must be a non-empty list of Classic ELB names. Resources missing `LoadBalancerNames` or where `LoadBalancerNames` is an empty array will be flagged. If your environment uses Application Load Balancers (ALBs) or Network Load Balancers (NLBs), attach the Auto Scaling group to target groups via the `TargetGroupARNs` property instead, since this rule only checks `LoadBalancerNames`. Secure configuration example: ```yaml MyAutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup Properties: LaunchConfigurationName: myLaunchConfig MinSize: '1' MaxSize: '3' LoadBalancerNames: - my-classic-elb ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml #this code is a correct code for which the query should not find any result AWSTemplateFormatVersion: '2010-09-09' Resources: myLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: !Sub ${AWS::StackName}-launch-template LaunchTemplateData: BlockDeviceMappings: - Ebs: VolumeSize: 22 VolumeType: gp2 DeleteOnTermination: true Encrypted: true DeviceName: /dev/xvdcz CreditSpecification: CpuCredits: Unlimited ImageId: ami-02354e95b39ca8dec InstanceType: t2.micro KeyName: my-key-pair-useast1 Monitoring: Enabled: true SecurityGroupIds: - sg-7c227019 - sg-903004f8 myASG: Type: AWS::AutoScaling::AutoScalingGroup Properties: AutoScalingGroupName: myASG MinSize: "1" MaxSize: "6" DesiredCapacity: "2" HealthCheckGracePeriod: 300 LoadBalancerNames: - elb_1 - elb_2 LaunchTemplate: LaunchTemplateId: !Ref myLaunchTemplate Version: !GetAtt myLaunchTemplate.LatestVersionNumber VPCZoneIdentifier: - !Ref myPublicSubnet1 - !Ref myPublicSubnet2 MetricsCollection: - Granularity: "1Minute" Metrics: - "GroupMinSize" - "GroupMaxSize" Tags: - Key: Environment Value: Production PropagateAtLaunch: "true" - Key: Purpose Value: WebServerGroup PropagateAtLaunch: "false" ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml #this is a problematic code where the query should report a result(s) AWSTemplateFormatVersion: '2010-09-09' Resources: myLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: !Sub ${AWS::StackName}-launch-template LaunchTemplateData: BlockDeviceMappings: - Ebs: VolumeSize: 22 VolumeType: gp2 DeleteOnTermination: true Encrypted: true DeviceName: /dev/xvdcz CreditSpecification: CpuCredits: Unlimited ImageId: ami-02354e95b39ca8dec InstanceType: t2.micro KeyName: my-key-pair-useast1 Monitoring: Enabled: true SecurityGroupIds: - sg-7c227019 - sg-903004f8 myASG: Type: AWS::AutoScaling::AutoScalingGroup Properties: AutoScalingGroupName: myASG MinSize: "1" MaxSize: "6" DesiredCapacity: "2" HealthCheckGracePeriod: 300 LaunchTemplate: LaunchTemplateId: !Ref myLaunchTemplate Version: !GetAtt myLaunchTemplate.LatestVersionNumber VPCZoneIdentifier: - !Ref myPublicSubnet1 - !Ref myPublicSubnet2 MetricsCollection: - Granularity: "1Minute" Metrics: - "GroupMinSize" - "GroupMaxSize" Tags: - Key: Environment Value: Production PropagateAtLaunch: "true" - Key: Purpose Value: WebServerGroup PropagateAtLaunch: "false" myASG2: Type: AWS::AutoScaling::AutoScalingGroup Properties: AutoScalingGroupName: myASG2 MinSize: "1" MaxSize: "6" DesiredCapacity: "2" HealthCheckGracePeriod: 300 LoadBalancerNames: [] LaunchTemplate: LaunchTemplateId: !Ref myLaunchTemplate Version: !GetAtt myLaunchTemplate.LatestVersionNumber VPCZoneIdentifier: - !Ref myPublicSubnet1 - !Ref myPublicSubnet2 MetricsCollection: - Granularity: "1Minute" Metrics: - "GroupMinSize" - "GroupMaxSize" Tags: - Key: Environment Value: Production PropagateAtLaunch: "true" - Key: Purpose Value: WebServerGroup PropagateAtLaunch: "false" myASG3: Type: AWS::AutoScaling::AutoScalingGroup Properties: AutoScalingGroupName: myASG MinSize: "1" MaxSize: "6" DesiredCapacity: "2" HealthCheckGracePeriod: 300 LoadBalancerNames: [] LaunchTemplate: LaunchTemplateId: !Ref myLaunchTemplate Version: !GetAtt myLaunchTemplate.LatestVersionNumber VPCZoneIdentifier: - !Ref myPublicSubnet1 - !Ref myPublicSubnet2 MetricsCollection: - Granularity: "1Minute" Metrics: - "GroupMinSize" - "GroupMaxSize" Tags: - Key: Environment Value: Production PropagateAtLaunch: "true" - Key: Purpose Value: WebServerGroup PropagateAtLaunch: "false" ```