Auto Scaling Group With No Associated ELB

  • Query id: ad21e616-5026-4b9d-990d-5b007bfe679c
  • Query name: Auto Scaling Group With No Associated ELB
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Availability
  • CWE: Ongoing
  • URL: Github

Description

AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
      LaunchTemplateData:
        BlockDeviceMappings:
          - Ebs:
              VolumeSize: 22
              VolumeType: gp2
              DeleteOnTermination: true
              Encrypted: true
            DeviceName: /dev/xvdcz
        CreditSpecification:
          CpuCredits: Unlimited
        ImageId: ami-02354e95b39ca8dec
        InstanceType: t2.micro
        KeyName: my-key-pair-useast1
        Monitoring:
          Enabled: true
        SecurityGroupIds:
          - sg-7c227019
          - sg-903004f8
  myASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: myASG
      MinSize: "1"
      MaxSize: "6"
      DesiredCapacity: "2"
      HealthCheckGracePeriod: 300
      LaunchTemplate:
        LaunchTemplateId: !Ref myLaunchTemplate
        Version: !GetAtt myLaunchTemplate.LatestVersionNumber
      VPCZoneIdentifier:
        - !Ref myPublicSubnet1
        - !Ref myPublicSubnet2
      MetricsCollection:
        - Granularity: "1Minute"
          Metrics:
            - "GroupMinSize"
            - "GroupMaxSize"
      Tags:
        - Key: Environment
          Value: Production
          PropagateAtLaunch: "true"
        - Key: Purpose
          Value: WebServerGroup
          PropagateAtLaunch: "false"
  myASG2:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: myASG2
      MinSize: "1"
      MaxSize: "6"
      DesiredCapacity: "2"
      HealthCheckGracePeriod: 300
      LoadBalancerNames: []
      LaunchTemplate:
        LaunchTemplateId: !Ref myLaunchTemplate
        Version: !GetAtt myLaunchTemplate.LatestVersionNumber
      VPCZoneIdentifier:
        - !Ref myPublicSubnet1
        - !Ref myPublicSubnet2
      MetricsCollection:
        - Granularity: "1Minute"
          Metrics:
            - "GroupMinSize"
            - "GroupMaxSize"
      Tags:
        - Key: Environment
          Value: Production
          PropagateAtLaunch: "true"
        - Key: Purpose
          Value: WebServerGroup
          PropagateAtLaunch: "false"
  myASG3:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: myASG
      MinSize: "1"
      MaxSize: "6"
      DesiredCapacity: "2"
      HealthCheckGracePeriod: 300
      LoadBalancerNames: []
      LaunchTemplate:
        LaunchTemplateId: !Ref myLaunchTemplate
        Version: !GetAtt myLaunchTemplate.LatestVersionNumber
      VPCZoneIdentifier:
        - !Ref myPublicSubnet1
        - !Ref myPublicSubnet2
      MetricsCollection:
        - Granularity: "1Minute"
          Metrics:
            - "GroupMinSize"
            - "GroupMaxSize"
      Tags:
        - Key: Environment
          Value: Production
          PropagateAtLaunch: "true"
        - Key: Purpose
          Value: WebServerGroup
          PropagateAtLaunch: "false"
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myLaunchTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateName": "${AWS::StackName}-launch-template",
        "LaunchTemplateData": {
          "InstanceType": "t2.micro",
          "KeyName": "my-key-pair-useast1",
          "Monitoring": {
            "Enabled": true
          },
          "SecurityGroupIds": [
            "sg-7c227019",
            "sg-903004f8"
          ],
          "BlockDeviceMappings": [
            {
              "Ebs": {
                "VolumeSize": 22,
                "VolumeType": "gp2",
                "DeleteOnTermination": true,
                "Encrypted": true
              },
              "DeviceName": "/dev/xvdcz"
            }
          ],
          "CreditSpecification": {
            "CpuCredits": "Unlimited"
          },
          "ImageId": "ami-02354e95b39ca8dec"
        }
      }
    },
    "myASG": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {
        "HealthCheckGracePeriod": 300,
        "LaunchTemplate": {
          "LaunchTemplateId": "myLaunchTemplate",
          "Version": "myLaunchTemplate.LatestVersionNumber"
        },
        "VPCZoneIdentifier": [
          "myPublicSubnet1",
          "myPublicSubnet2"
        ],
        "MetricsCollection": [
          {
            "Granularity": "1Minute",
            "Metrics": [
              "GroupMinSize",
              "GroupMaxSize"
            ]
          }
        ],
        "AutoScalingGroupName": "myASG",
        "MaxSize": "6",
        "DesiredCapacity": "2",
        "MinSize": "1",
        "Tags": [
          {
            "Key": "Environment",
            "Value": "Production",
            "PropagateAtLaunch": "true"
          },
          {
            "Key": "Purpose",
            "Value": "WebServerGroup",
            "PropagateAtLaunch": "false"
          }
        ]
      }
    },
    "myASG2": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {
        "LoadBalancerNames": [],
        "LaunchTemplate": {
          "Version": "myLaunchTemplate.LatestVersionNumber",
          "LaunchTemplateId": "myLaunchTemplate"
        },
        "VPCZoneIdentifier": [
          "myPublicSubnet1",
          "myPublicSubnet2"
        ],
        "MinSize": "1",
        "MaxSize": "6",
        "HealthCheckGracePeriod": 300,
        "Tags": [
          {
            "Value": "Production",
            "PropagateAtLaunch": "true",
            "Key": "Environment"
          },
          {
            "Key": "Purpose",
            "Value": "WebServerGroup",
            "PropagateAtLaunch": "false"
          }
        ],
        "AutoScalingGroupName": "myASG2",
        "DesiredCapacity": "2",
        "MetricsCollection": [
          {
            "Granularity": "1Minute",
            "Metrics": [
              "GroupMinSize",
              "GroupMaxSize"
            ]
          }
        ]
      }
    },
    "myASG3": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {
        "VPCZoneIdentifier": [
          "myPublicSubnet1",
          "myPublicSubnet2"
        ],
        "MaxSize": "6",
        "MinSize": "1",
        "DesiredCapacity": "2",
        "HealthCheckGracePeriod": 300,
        "LoadBalancerNames": [],
        "LaunchTemplate": {
          "LaunchTemplateId": "myLaunchTemplate",
          "Version": "myLaunchTemplate.LatestVersionNumber"
        },
        "MetricsCollection": [
          {
            "Granularity": "1Minute",
            "Metrics": [
              "GroupMinSize",
              "GroupMaxSize"
            ]
          }
        ],
        "Tags": [
          {
            "Key": "Environment",
            "Value": "Production",
            "PropagateAtLaunch": "true"
          },
          {
            "Key": "Purpose",
            "Value": "WebServerGroup",
            "PropagateAtLaunch": "false"
          }
        ],
        "AutoScalingGroupName": "myASG"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: !Sub ${AWS::StackName}-launch-template
      LaunchTemplateData:
        BlockDeviceMappings:
          - Ebs:
              VolumeSize: 22
              VolumeType: gp2
              DeleteOnTermination: true
              Encrypted: true
            DeviceName: /dev/xvdcz
        CreditSpecification:
          CpuCredits: Unlimited
        ImageId: ami-02354e95b39ca8dec
        InstanceType: t2.micro
        KeyName: my-key-pair-useast1
        Monitoring:
          Enabled: true
        SecurityGroupIds:
          - sg-7c227019
          - sg-903004f8
  myASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: myASG
      MinSize: "1"
      MaxSize: "6"
      DesiredCapacity: "2"
      HealthCheckGracePeriod: 300
      LoadBalancerNames:
        - elb_1
        - elb_2
      LaunchTemplate:
        LaunchTemplateId: !Ref myLaunchTemplate
        Version: !GetAtt myLaunchTemplate.LatestVersionNumber
      VPCZoneIdentifier:
        - !Ref myPublicSubnet1
        - !Ref myPublicSubnet2
      MetricsCollection:
        - Granularity: "1Minute"
          Metrics:
            - "GroupMinSize"
            - "GroupMaxSize"
      Tags:
        - Key: Environment
          Value: Production
          PropagateAtLaunch: "true"
        - Key: Purpose
          Value: WebServerGroup
          PropagateAtLaunch: "false"
Negative test num. 2 - json file
{
  "Resources": {
    "myLaunchTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateName": "${AWS::StackName}-launch-template",
        "LaunchTemplateData": {
          "ImageId": "ami-02354e95b39ca8dec",
          "InstanceType": "t2.micro",
          "KeyName": "my-key-pair-useast1",
          "Monitoring": {
            "Enabled": true
          },
          "SecurityGroupIds": [
            "sg-7c227019",
            "sg-903004f8"
          ],
          "BlockDeviceMappings": [
            {
              "Ebs": {
                "Encrypted": true,
                "VolumeSize": 22,
                "VolumeType": "gp2",
                "DeleteOnTermination": true
              },
              "DeviceName": "/dev/xvdcz"
            }
          ],
          "CreditSpecification": {
            "CpuCredits": "Unlimited"
          }
        }
      }
    },
    "myASG": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {
        "Tags": [
          {
            "Key": "Environment",
            "Value": "Production",
            "PropagateAtLaunch": "true"
          },
          {
            "Key": "Purpose",
            "Value": "WebServerGroup",
            "PropagateAtLaunch": "false"
          }
        ],
        "AutoScalingGroupName": "myASG",
        "MaxSize": "6",
        "HealthCheckGracePeriod": 300,
        "LoadBalancerNames": [
          "elb_1",
          "elb_2"
        ],
        "LaunchTemplate": {
          "LaunchTemplateId": "myLaunchTemplate",
          "Version": "myLaunchTemplate.LatestVersionNumber"
        },
        "VPCZoneIdentifier": [
          "myPublicSubnet1",
          "myPublicSubnet2"
        ],
        "MetricsCollection": [
          {
            "Granularity": "1Minute",
            "Metrics": [
              "GroupMinSize",
              "GroupMaxSize"
            ]
          }
        ],
        "MinSize": "1",
        "DesiredCapacity": "2"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}