Compliance · Low severity

AWS Security Hub · AutoScaling

AutoScaling.1: ASGs with an LB should use ELB health checks

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub AutoScaling.1 check?

AutoScaling.1 fails when an Auto Scaling group is associated with a load balancer but still uses EC2 health checks instead of ELB health checks. The control checks the group's HealthCheckType against its attached load balancers or target groups.
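The evaluation above, modelled offline as an added example (this is not Emnode's code nor the Security Hub implementation). The input is the "AutoScalingGroups" list in the shape `aws autoscaling describe-auto-scaling-groups` returns, trimmed to the fields the control needs; the four group records, their names and the account id in the ARNs are constructed. Statuses follow the underlying Config rule (NOT_APPLICABLE for groups with no load balancer, FAILED for load-balanced groups on EC2 checks, PASSED otherwise); the grace-period warning and its 60-second threshold are an extra advisory I added for step 3 of the fix, not part of the control.

```python
"""Offline evaluation of AWS Security Hub AutoScaling.1 over describe-auto-scaling-groups output."""
from typing import Any, Dict, List

# Constructed sample data: fake group names and a documentation-style account id.
SAMPLE_GROUPS: List[Dict[str, Any]] = [
    {  # Classic Load Balancer attached, still on EC2 checks -> FAILED
        "AutoScalingGroupName": "web-clb",
        "HealthCheckType": "EC2",
        "HealthCheckGracePeriod": 300,
        "LoadBalancerNames": ["web-clb-prod"],
        "TargetGroupARNs": [],
    },
    {  # ALB target group attached, ELB checks, sane grace period -> PASSED
        "AutoScalingGroupName": "api-alb",
        "HealthCheckType": "ELB",
        "HealthCheckGracePeriod": 300,
        "LoadBalancerNames": [],
        "TargetGroupARNs": [
            "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
            "targetgroup/api/0123456789abcdef"
        ],
    },
    {  # Queue workers with no load balancer at all -> NOT_APPLICABLE
        "AutoScalingGroupName": "batch-workers",
        "HealthCheckType": "EC2",
        "HealthCheckGracePeriod": 0,
        "LoadBalancerNames": [],
        "TargetGroupARNs": [],
    },
    {  # ELB checks but a zero grace period -> PASSED, with an advisory warning
        "AutoScalingGroupName": "api-alb-zero-grace",
        "HealthCheckType": "ELB",
        "HealthCheckGracePeriod": 0,
        "LoadBalancerNames": [],
        "TargetGroupARNs": [
            "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
            "targetgroup/api2/fedcba9876543210"
        ],
    },
]


def is_load_balanced(group: Dict[str, Any]) -> bool:
    """A group is in scope when it has a CLB name or an ALB/NLB target group attached."""
    return bool(group.get("LoadBalancerNames")) or bool(group.get("TargetGroupARNs"))


def evaluate_group(group: Dict[str, Any], min_grace: int = 60) -> Dict[str, Any]:
    """Return one finding for a group: status, reason and an optional advisory warning."""
    finding: Dict[str, Any] = {"group": group["AutoScalingGroupName"], "warning": None}
    if not is_load_balanced(group):
        finding.update(status="NOT_APPLICABLE", reason="no load balancer or target group attached")
        return finding
    hc_type = group.get("HealthCheckType", "EC2")
    if hc_type != "ELB":
        finding.update(status="FAILED",
                       reason=f"HealthCheckType is {hc_type}; load-balanced groups should use ELB")
        return finding
    finding.update(status="PASSED", reason="ELB health checks in place")
    grace = int(group.get("HealthCheckGracePeriod", 0))
    if grace < min_grace:
        # Advisory beyond the control (hypothetical threshold): with ELB checks and too
        # short a grace period the group can replace instances that are still booting.
        finding["warning"] = f"grace period {grace}s is below {min_grace}s; instances may be replaced mid-boot"
    return finding


def evaluate(groups: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [evaluate_group(g) for g in groups]


def failing_group_names(groups: List[Dict[str, Any]]) -> List[str]:
    return [f["group"] for f in evaluate(groups) if f["status"] == "FAILED"]


def remediation_commands(groups: List[Dict[str, Any]], grace_period: int = 300) -> List[str]:
    """The CLI call behind fix steps 2 and 3, emitted once per failing group."""
    return [
        "aws autoscaling update-auto-scaling-group "
        f"--auto-scaling-group-name {name} --health-check-type ELB "
        f"--health-check-grace-period {grace_period}"
        for name in failing_group_names(groups)
    ]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_GROUPS):
        print(f"{f['group']:<22} {f['status']:<15} {f['reason']}")
        if f["warning"]:
            print(f"{'':<22} WARNING         {f['warning']}")
    for cmd in remediation_commands(SAMPLE_GROUPS):
        print(cmd)
```

Feeding the real CLI output is a matter of `json.load`-ing it and passing `data["AutoScalingGroups"]` to `evaluate`; the filter in `is_load_balanced` is the same scope test the remediation script's JMESPath query applies.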

Why does AutoScaling.1 matter?

An EC2 health check only confirms the instance is running, not that the application is serving. If the app crashes on boot, the load balancer pulls the broken instance from rotation, but the ASG still sees it as healthy and never replaces it — so effective capacity quietly bleeds away while the group reports full strength. ELB health checks tie the ASG's replacement decisions to the same signal the load balancer uses.

How do I fix AutoScaling.1?

  1. Find groups attached to a load balancer that are still using the EC2 health check type.
  2. Switch the group's HealthCheckType to ELB.
  3. Set a health check grace period long enough for instances to boot and pass the application check.
  4. Default new load-balanced groups to ELB health checks.

Remediation script · bash

#!/usr/bin/env bash
# Assumes the AWS CLI v2 is configured for the target account and region.
set -euo pipefail

# Harden every Application Load Balancer in the region: strip header fields with
# invalid names and require defensive (or strictest) desync mitigation. Both take
# effect immediately; dropping invalid header fields only touches requests that
# carry header names outside the alphanumeric/hyphen set.
for arn in $(aws elbv2 describe-load-balancers \
    --query 'LoadBalancers[?Type==`application`].LoadBalancerArn' --output text); do
  aws elbv2 modify-load-balancer-attributes --load-balancer-arn "$arn" \
    --attributes \
      Key=routing.http.drop_invalid_header_fields.enabled,Value=true \
      Key=routing.http.desync_mitigation_mode,Value=defensive
  echo "$arn: hardened"
done

# Switch load-balanced Auto Scaling groups (Classic LB names or ALB/NLB target groups)
# that still use EC2 health checks over to ELB health checks, with a grace period long
# enough for instances to boot and pass the target-group probe. Confirm that probe
# reflects real application health first, or the group will start replacing instances
# the probe wrongly marks unhealthy.
for g in $(aws autoscaling describe-auto-scaling-groups \
    --query 'AutoScalingGroups[?(LoadBalancerNames!=`[]` || TargetGroupARNs!=`[]`) && HealthCheckType==`EC2`].AutoScalingGroupName' \
    --output text); do
  aws autoscaling update-auto-scaling-group --auto-scaling-group-name "$g" \
    --health-check-type ELB --health-check-grace-period 300
  echo "$g: now using ELB health checks"
done

Full walkthrough (console steps, edge cases and verification) in the lesson Harden load balancers (ALB/NLB/CLB).

Part of the learning path Build in resilience