Compliance · Medium severity

AWS Security Hub · ELB

ELB.10: CLBs should span multiple AZs

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ELB.10 check?

ELB.10 fails when a Classic Load Balancer is enabled in fewer Availability Zones than the threshold: two by default, or the value of the minAvailabilityZones parameter on the underlying AWS Config rule, clb-multiple-az. The zone count matters because each CLB node lives in one AZ and, unless cross-zone load balancing is turned on (it is off by default for CLBs created through the API or CLI), routes only to instances registered in that same AZ.

Why does ELB.10 matter?

A single-AZ CLB is a data-plane single point of failure: the load balancer has one node, in one zone, so a network or power event there takes the front door down no matter how many healthy instances sit in other AZs. Enabling at least two zones gives the CLB a node in each, so one node keeps accepting connections while the other zone is out. Pair this with ELB.9 (cross-zone load balancing) so the extra zones actually share traffic rather than each node serving only the instances in its own AZ.

How do I fix ELB.10?

  1. Audit which AZs each CLB is enabled in with aws elb describe-load-balancers (the AvailabilityZones and Subnets fields of each LoadBalancerDescription).
  2. Enable another zone on the live load balancer. For a CLB in a VPC, attach one subnet from the new AZ with attach-load-balancer-to-subnets (a CLB takes at most one subnet per AZ); enable-availability-zones-for-load-balancer only applies to EC2-Classic and default-VPC load balancers. Either change is non-disruptive to existing connections.
  3. Register instances that run in the new AZ so its node has healthy backends; an enabled zone with no healthy instances adds no capacity. Turn on cross-zone balancing (ELB.9) if it is still off.
  4. Longer term, migrate Classic Load Balancers to an ALB or NLB; ELB.13 applies the same multi-AZ requirement there.

Remediation script · bash

# Placeholder names and IDs (web-clb, subnet-0bbb2, us-east-1b, i-0bbb2, $ALB_ARN) stand in for your own.
# Audit: list each Classic Load Balancer with the AZs it is enabled in.
aws elb describe-load-balancers \
  --query 'LoadBalancerDescriptions[].[LoadBalancerName, AvailabilityZones]' --output text

# Add a second AZ to a CLB in a VPC by attaching one subnet from that zone
# (a CLB accepts at most one subnet per AZ); existing connections are not disrupted.
aws elb attach-load-balancer-to-subnets --load-balancer-name web-clb \
  --subnets subnet-0bbb2

# EC2-Classic and default-VPC load balancers are enabled per zone instead of per subnet.
aws elb enable-availability-zones-for-load-balancer --load-balancer-name web-clb \
  --availability-zones us-east-1b

# Give the new zone something to serve: register instances running there, then
# enable cross-zone balancing (ELB.9) so both nodes share the load.
aws elb register-instances-with-load-balancer --load-balancer-name web-clb \
  --instances i-0bbb2
aws elb modify-load-balancer-attributes --load-balancer-name web-clb \
  --load-balancer-attributes '{"CrossZoneLoadBalancing":{"Enabled":true}}'

# If the fleet has already moved to an ALB, the same requirement is ELB.13:
# give the load balancer a subnet in every AZ it should serve.
aws elbv2 set-subnets --load-balancer-arn "$ALB_ARN" \
  --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3
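The steps above, as an added audit helper that is not Emnode's or AWS's own script. It reproduces the ELB.10 decision offline (one line per CLB, "name<TAB>comma-separated AZs", compared against a minimum) and wraps the live describe calls that feed it. MIN_AZS is a hypothetical variable standing in for the Config rule's minAvailabilityZones parameter; the live functions assume a configured AWS CLI v2 with permission to describe load balancers, while the evaluator and counter run without any AWS access.

```shell
#!/usr/bin/env bash
# Added example for ELB.10 (not Emnode's or AWS's code). Assumptions: AWS CLI v2
# configured for the --live path; MIN_AZS is a hypothetical stand-in for the
# clb-multiple-az rule parameter minAvailabilityZones (default 2).
set -eu

MIN_AZS="${MIN_AZS:-2}"

# Live audit: prints "LoadBalancerName<TAB>az1,az2" per CLB. A CLB with no
# enabled zones prints an empty second field.
list_clb_azs() {
  aws elb describe-load-balancers \
    --query "LoadBalancerDescriptions[].[LoadBalancerName, join(',', AvailabilityZones)]" \
    --output text
}

# Count comma-separated zones in $1; an empty list counts as 0.
count_azs() {
  old_ifs=$IFS
  IFS=,
  set -- $1
  IFS=$old_ifs
  echo $#
}

# Offline evaluator shaped like the Config rule: reads audit lines on stdin and
# prints the names of load balancers enabled in fewer than $1 zones.
noncompliant_clbs() {
  min=$1
  tab=$(printf '\t')
  while IFS=$tab read -r name azs; do
    [ -n "$name" ] || continue
    n=$(count_azs "$azs")
    [ "$n" -ge "$min" ] || printf '%s\n' "$name"
  done
}

# Post-remediation check for one CLB: succeeds only if it now meets MIN_AZS.
verify_clb() {
  azs=$(aws elb describe-load-balancers --load-balancer-names "$1" \
    --query "LoadBalancerDescriptions[0].join(',', AvailabilityZones)" --output text)
  [ "$(count_azs "$azs")" -ge "$MIN_AZS" ]
}

# Usage: ./elb10_audit.sh --live   (lists the CLBs that would fail ELB.10)
if [ "${1:-}" = "--live" ]; then
  list_clb_azs | noncompliant_clbs "$MIN_AZS"
fi
```

Run it with --live after attaching a subnet to confirm the load balancer dropped off the list, or call verify_clb with the load balancer name from a deployment pipeline; raising MIN_AZS to 3 mirrors an account that sets the rule parameter higher than the default.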

Full walkthrough (console steps, edge cases and verification) in the lesson Deploy across multiple Availability Zones.

Part of the learning path Tighten your databases
  • ELB.1 ALB serves HTTP without redirecting to HTTPS
  • ELB.2 CLB SSL/HTTPS listeners should use ACM certs
  • ELB.3 CLB listeners should use HTTPS/TLS termination
  • ELB.4 ALB accepts malformed HTTP headers
  • ELB.5 Load balancers are not writing access logs
  • ELB.6 Load balancers can be deleted by accident
  • ELB.7 CLBs should have connection draining
  • ELB.8 CLB SSL listeners should use strong policy
  • ELB.9 CLBs should have cross-zone balancing
  • ELB.12 ALB desync mitigation mode
  • ELB.13 ALBs, NLBs and Gateway Load Balancers should span multiple AZs
  • ELB.14 CLB desync mitigation mode