Autoscaling Not Enabled on EC2 Instance

Risk level: Medium (should be achieved)

Rule ID: EC2-01

No Auto Scaling group is attached to the EC2 instance. You can enable Auto Scaling to improve the availability and scalability of your web applications during instance failures or denial-of-service attacks (DoS, DDoS).

When the number of requests to your web application increases, the demand can increase the load on the servers which can cause degraded performance of your application and eventually a failure. Amazon Elastic Compute Cloud (EC2) provides an Auto Scaling service that overcomes this challenge.

This rule, which aligns with the AWS Well-Architected Framework, can help you with the following compliance standards:

  • MAS
  • NIST 800-53 (Rev. 4)

Audit

To identify instances that are not attached to an Auto Scaling group, perform the following:

Using AWS Console

  1. Sign in to the AWS Management Console.
  2. Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
  3. In the left navigation panel, under the INSTANCES section, choose Instances.
  4. Select the EC2 instance that you want to examine.
  5. Click on the Actions dropdown button from the dashboard top menu, select Instance Settings and verify the Attach to Auto Scaling Group command link state. If the command link is active, the selected EC2 instance is not currently running within an AWS Auto Scaling Group (ASG), therefore the running instance is not configured to follow AWS best practices.
  6. Repeat steps no. 4 and 5 to verify if the rest of the EC2 instances provisioned in the current region are running inside an Auto Scaling Group.
  7. Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

1. Run describe-instances command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all the existing EC2 instances currently available in the selected region:

aws ec2 describe-instances \
	--region us-east-1 \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

 

2. The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0d202950f52efba08  |
|  i-0db1164af0be98ddf  |
|  i-0455346e06d9425e5  |
|  i-043801b9c55f55f5c  |
|  i-0b9cdfa00d01f7d0b  |
+-----------------------+

3. Run describe-auto-scaling-instances command (OSX/Linux/UNIX) using custom filtering to list the IDs of all EC2 instances that are currently running within an AWS ASG, provisioned in the selected region.

4. The command output should return a table with the ID(s) of the EC2 instance(s) launched within an auto-scaling configuration:

Now compare the metadata from the table returned at step no. 2 with the one returned at step no. 4 in order to identify any EC2 instances that are not currently running within AWS Auto Scaling Groups by using their ID as an identifier. Any EC2 instances, provisioned in the current region, that are not listed in the second table are not using an ASG for auto-scaling, therefore are not configured to follow AWS best practices.

 

5. Steps No. 1 – 4 can be repeated to perform the audit process for the other AWS regions.
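
The comparison in steps 1 to 4 can be scripted rather than done by eye. The following is an added example, not part of the original page: the function names, the running-state filter and the sample instance IDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): EC2 instances outside any ASG.

# Step 1: every running instance ID in region $1.
# The instance-state filter is a choice made here so that recently
# terminated instances are not reported as missing an ASG.
list_ec2_instances() {
  aws ec2 describe-instances --region "$1" --output text \
    --filters Name=instance-state-name,Values=running \
    --query 'Reservations[*].Instances[*].InstanceId'
}

# Step 3: every instance ID that is a member of an Auto Scaling group.
list_asg_instances() {
  aws autoscaling describe-auto-scaling-instances --region "$1" \
    --output text --query 'AutoScalingInstances[*].InstanceId'
}

# Normalise a whitespace-separated ID list to sorted, unique lines.
normalise() {
  printf '%s\n' "$1" | tr -s ' \t' '\n\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# Step 4 comparison: print IDs present in list $1 but absent from list $2.
instances_without_asg() {
  all_f=$(mktemp) || return 1
  asg_f=$(mktemp) || { rm -f "$all_f"; return 1; }
  normalise "$1" > "$all_f"
  normalise "$2" > "$asg_f"
  LC_ALL=C comm -23 "$all_f" "$asg_f"
  rm -f "$all_f" "$asg_f"
}

# Full audit of one region; stops if either API call fails, so an empty
# ASG list caused by an error is never read as "nothing is in an ASG".
audit_region() {
  all=$(list_ec2_instances "$1") || return 1
  asg=$(list_asg_instances "$1") || return 1
  instances_without_asg "$all" "$asg"
}

if [ "$#" -gt 0 ]; then
  audit_region "$1"
else
  # Constructed sample IDs, used when no region is given.
  instances_without_asg "i-0aaa0000000000001 i-0bbb0000000000002
i-0ccc0000000000003" "i-0bbb0000000000002"
fi
```

Pass a region name as the first argument to run it against live data; with no argument it runs on the constructed sample IDs.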

Remediation / Resolution

To deploy a running EC2 instance into an AWS auto-scaling configuration using Auto Scaling Groups (ASGs) for high reliability and security, perform the following:

Using AWS Console

You can attach an existing instance to an existing Auto Scaling group, or to a new Auto Scaling group as you create it.

To attach an instance to a new Auto Scaling group

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. On the navigation pane, under INSTANCES, choose Instances, and then select an instance.
  3. Choose Actions, Instance Settings, Attach to Auto Scaling Group.
  4. On the Attach to Auto Scaling group page, for Auto Scaling Group, enter a name for the group, and then choose Attach. The new Auto Scaling group is created using a new launch configuration with the same name that you specified for the Auto Scaling group. The launch configuration gets its settings (for example, security group and IAM role) from the instance that you attached. The Auto Scaling group gets settings (for example, Availability Zone and subnet) from the instance that you attached, and has the desired capacity and maximum size of 1.
  5. (Optional) To edit the settings for the Auto Scaling group, on the navigation pane, under AUTO SCALING, choose Auto Scaling Groups. Select the check box next to the new Auto Scaling group, choose the Edit button that is above the list of groups, change the settings as needed, and then choose Update.

To attach an instance to an existing Auto Scaling group

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. (Optional) On the navigation pane, under AUTO SCALING, choose Auto Scaling Groups. Select the Auto Scaling group and verify that the maximum size of the Auto Scaling group is large enough that you can add another instance. Otherwise, on the Details tab, increase the maximum capacity.
  3. On the navigation pane, under INSTANCES, choose Instances, and then select an instance.
  4. Choose Actions, Instance Settings, Attach to Auto Scaling Group.
  5. On the Attach to Auto Scaling group page, for Auto Scaling Group, select the Auto Scaling group, and then choose Attach.

 

If the instance doesn't meet the criteria, you get an error message with the details. For example, the instance might not be in the same Availability Zone as the Auto Scaling group. Choose Close and try again with an instance that meets the criteria.

Using AWS CLI

To attach an instance to an Auto Scaling group

1. Describe a specific Auto Scaling group using the following describe-auto-scaling-groups command.

aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names my-asg

The following example response shows that the desired capacity is 2 and that the group has two running instances.

{
    "AutoScalingGroups": [
        {
            "AutoScalingGroupARN": "arn",
            "ServiceLinkedRoleARN": "arn",
            "TargetGroupARNs": [],
            "SuspendedProcesses": [],
            "LaunchTemplate": {
                "LaunchTemplateName": "my-launch-template",
                "Version": "1",
                "LaunchTemplateId": "lt-050555ad16a3f9c7f"
            },
            "Tags": [],
            "EnabledMetrics": [],
            "LoadBalancerNames": [],
            "AutoScalingGroupName": "my-asg",
            "DefaultCooldown": 300,
            "MinSize": 1,
            "Instances": [
                {
                    "ProtectedFromScaleIn": false,
                    "AvailabilityZone": "us-west-2a",
                    "LaunchTemplate": {
                        "LaunchTemplateName": "my-launch-template",
                        "Version": "1",
                        "LaunchTemplateId": "lt-050555ad16a3f9c7f"
                    },
                    "InstanceId": "i-05b4f7d5be44822a6",
                    "HealthStatus": "Healthy",
                    "LifecycleState": "Pending"
                },
                {
                    "ProtectedFromScaleIn": false,
                    "AvailabilityZone": "us-west-2a",
                    "LaunchTemplate": {
                        "LaunchTemplateName": "my-launch-template",
                        "Version": "1",
                        "LaunchTemplateId": "lt-050555ad16a3f9c7f"
                    },
                    "InstanceId": "i-0c20ac468fa3049e8",
                    "HealthStatus": "Healthy",
                    "LifecycleState": "InService"
                }
            ],
            "MaxSize": 5,
            "VPCZoneIdentifier": "subnet-c87f2be0",
            "HealthCheckGracePeriod": 300,
            "TerminationPolicies": [
                "Default"
            ],
            "CreatedTime": "2019-03-18T23:30:42.611Z",
            "AvailabilityZones": [
                "us-west-2a"
            ],
            "HealthCheckType": "EC2",
            "NewInstancesProtectedFromScaleIn": false,
            "DesiredCapacity": 2
        }
    ]
}

 

2. Attach an instance to the Auto Scaling group using the following attach-instances command.

aws autoscaling attach-instances --instance-ids i-0787762faf1c28619 --auto-scaling-group-name my-asg

 

3. To verify that the instance is attached, use the following describe-auto-scaling-groups command.

aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names my-asg

The following example response shows that the desired capacity has increased by 1 instance (to a new capacity of 3), and that there is a new instance, i-0787762faf1c28619.

{
    "AutoScalingGroups": [
        {
            "AutoScalingGroupARN": "arn",
            "ServiceLinkedRoleARN": "arn",
            "TargetGroupARNs": [],
            "SuspendedProcesses": [],
            "LaunchTemplate": {
                "LaunchTemplateName": "my-launch-template",
                "Version": "1",
                "LaunchTemplateId": "lt-050555ad16a3f9c7f"
            },
            "Tags": [],
            "EnabledMetrics": [],
            "LoadBalancerNames": [],
            "AutoScalingGroupName": "my-asg",
            "DefaultCooldown": 300,
            "MinSize": 1,
            "Instances": [
                {
                    "ProtectedFromScaleIn": false,
                    "AvailabilityZone": "us-west-2a",
                    "LaunchTemplate": {
                        "LaunchTemplateName": "my-launch-template",
                        "Version": "1",
                        "LaunchTemplateId": "lt-050555ad16a3f9c7f"
                    },
                    "InstanceId": "i-05b4f7d5be44822a6",
                    "HealthStatus": "Healthy",
                    "LifecycleState": "Pending"
                },
                {
                    "ProtectedFromScaleIn": false,
                    "AvailabilityZone": "us-west-2a",
                    "LaunchTemplate": {
                        "LaunchTemplateName": "my-launch-template",
                        "Version": "1",
                        "LaunchTemplateId": "lt-050555ad16a3f9c7f"
                    },
                    "InstanceId": "i-0c20ac468fa3049e8",
                    "HealthStatus": "Healthy",
                    "LifecycleState": "InService"
                },
                {
                    "ProtectedFromScaleIn": false,
                    "AvailabilityZone": "us-west-2a",
                    "LaunchTemplate": {
                        "LaunchTemplateName": "my-launch-template",
                        "Version": "1",
                        "LaunchTemplateId": "lt-050555ad16a3f9c7f"
                    },
                    "InstanceId": "i-0787762faf1c28619",
                    "HealthStatus": "Healthy",
                    "LifecycleState": "InService"
                }
            ],
            "MaxSize": 5,
            "VPCZoneIdentifier": "subnet-c87f2be0",
            "HealthCheckGracePeriod": 300,
            "TerminationPolicies": [
                "Default"
            ],
            "CreatedTime": "2019-03-18T23:30:42.611Z",
            "AvailabilityZones": [
                "us-west-2a"
            ],
            "HealthCheckType": "EC2",
            "NewInstancesProtectedFromScaleIn": false,
            "DesiredCapacity": 3
        }
    ]
}

 

nOps Pro Tips

  • Auto-scaling is not a silver bullet. Poorly configured Auto Scaling groups often incur dramatic costs, which may be offset, and many services have their share of struggles with sessions and state.
  • The costs incurred from load balancing traffic can exceed that of properly sizing an individual instance if the above recommendations are not a concern. Additionally, there are spool up and termination costs which can factor in to a lesser extent.
