A collection of AWS security controls for AWS load balancers and Auto Scaling groups. Controls include configuration to create Application Load Balancers (ALB), Network Load Balancers (NLB), and Auto Scaling configurations. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

Load Balancer
Application Load Balancer

Configuration to create an Application Load Balancer (ALB), target groups and listeners in an AWS VPC to load balance incoming traffic to targets such as EC2 instances or Lambda functions. Health checks on the target groups verify the state of each target before traffic is forwarded to it.

Available as: CloudFormation, Terraform, AWS CLI
Network Load Balancer

Configuration to create a Network Load Balancer (NLB), target groups and listeners in an AWS VPC to load balance incoming traffic to targets such as EC2 instances or ALBs. Health checks on the target groups verify the state of each target before traffic is forwarded to it.

Available as: CloudFormation, Terraform, AWS CLI
ELBv2 Target Group with Lambda Target

This template creates a target group where the target is a Lambda function. It creates an AWS::Lambda::Permission resource that grants the elasticloadbalancing.amazonaws.com service principal lambda:InvokeFunction on the function; scope that permission with SourceArn (the target group ARN) or SourceAccount so that load balancers outside your account cannot invoke the function. It also creates an AWS::ElasticLoadBalancingV2::TargetGroup resource with the specified properties, including disabling health checks, setting the name to 'MyTargets', and specifying the target type as 'lambda'. With health checks disabled, a failing function is only noticed when requests start returning errors. The target group is associated with the Lambda function specified in the Targets property.

Available as: CloudFormation, Terraform
Classic Load Balancer with Secure Listener

This template creates a Classic Load Balancer with a secure listener. The load balancer is configured to use one availability zone, enable cross-zone load balancing, and has a listener that forwards traffic from port 443 to port 80 on the instances. The listener uses the HTTPS protocol and requires an SSL certificate. Note that TLS terminates at the load balancer: traffic from the load balancer to the instances travels as plaintext HTTP inside the VPC, so set the instance protocol to HTTPS (with a backend server authentication policy if you pin the instance certificate) where end-to-end encryption is required. The load balancer also has a health check configured to check the health of the instances.

Available as: CloudFormation, Terraform
Application Load Balancer with Listener with Redirect to HTTPS

This template creates an Elastic Load Balancing V2 listener with a default action that redirects HTTP requests on port 80 to HTTPS requests on port 443, retaining the original host name, path, and query string.

Available as: CloudFormation, Terraform
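The two listener patterns above, the Classic Load Balancer HTTPS listener that forwards plaintext to instances and the ALB HTTP listener whose default action must be a redirect to HTTPS, can be checked in a template before it is deployed. The following is an added example, not code from this control library or from AWS: it lints listener resources in a CloudFormation template loaded as a Python dict. The sample template, its resource names and the list of policies treated as legacy are constructed for the example.

```python
"""Lint load balancer listener definitions in a CloudFormation template."""

# ELB predefined policies that still negotiate TLS 1.0/1.1. Treating them as
# legacy is this example's own baseline (assumption), not an AWS Config rule.
LEGACY_SSL_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
}

TEMPLATE = {  # constructed sample template (Resources only)
    "Resources": {
        "HttpListener": {   # compliant: redirects to HTTPS keeping host/path/query
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "LoadBalancerArn": {"Ref": "MyALB"}, "Port": 80, "Protocol": "HTTP",
                "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
                    "Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
                    "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"}}],
            },
        },
        "HttpsListener": {  # compliant: certificate plus a TLS 1.2+ policy
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "LoadBalancerArn": {"Ref": "MyALB"}, "Port": 443, "Protocol": "HTTPS",
                "Certificates": [{"CertificateArn": {"Ref": "CertificateArn"}}],
                "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
                "DefaultActions": [{"Type": "forward", "TargetGroupArn": {"Ref": "MyTargetGroup"}}],
            },
        },
        "WeakHttpListener": {  # non-compliant: serves the application over plaintext
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "LoadBalancerArn": {"Ref": "MyALB"}, "Port": 80, "Protocol": "HTTP",
                "DefaultActions": [{"Type": "forward", "TargetGroupArn": {"Ref": "MyTargetGroup"}}],
            },
        },
        "ClassicLB": {  # terminates TLS, then forwards HTTP to the instances
            "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties": {
                "Listeners": [{"LoadBalancerPort": "443", "Protocol": "HTTPS",
                               "InstancePort": "80", "InstanceProtocol": "HTTP",
                               "SSLCertificateId": {"Ref": "CertificateArn"}}],
            },
        },
    },
}


def is_https_redirect(action):
    """True for the default action described above: 301 redirect to HTTPS on 443."""
    cfg = action.get("RedirectConfig", {})
    return (action.get("Type") == "redirect" and cfg.get("Protocol") == "HTTPS"
            and str(cfg.get("Port")) == "443" and cfg.get("StatusCode") == "HTTP_301")


def lint_listeners(template):
    """Return (resource name, message) findings for insecure listener settings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::ElasticLoadBalancingV2::Listener":
            proto = props.get("Protocol")
            actions = props.get("DefaultActions", [])
            if proto == "HTTP" and not all(is_https_redirect(a) for a in actions):
                findings.append((name, "HTTP listener must redirect to HTTPS 443 with HTTP_301"))
            if proto == "HTTPS":
                if not props.get("Certificates"):
                    findings.append((name, "HTTPS listener has no certificate"))
                policy = props.get("SslPolicy")
                if policy is None:
                    findings.append((name, "SslPolicy not set; the service default applies"))
                elif policy in LEGACY_SSL_POLICIES:
                    findings.append((name, f"SslPolicy {policy} allows TLS 1.0/1.1"))
        elif res.get("Type") == "AWS::ElasticLoadBalancing::LoadBalancer":
            for lst in props.get("Listeners", []):
                front, back = lst.get("Protocol", ""), lst.get("InstanceProtocol", "")
                if front in ("HTTPS", "SSL") and not lst.get("SSLCertificateId"):
                    findings.append((name, f"{front} listener has no SSLCertificateId"))
                if front in ("HTTPS", "SSL") and back in ("HTTP", "TCP"):
                    findings.append((name, "TLS terminates at the load balancer; instance port "
                                           f"{lst.get('InstancePort')} is plaintext {back}"))
    return findings


if __name__ == "__main__":
    for resource, message in lint_listeners(TEMPLATE):
        print(f"{resource}: {message}")
```

Running the block reports `WeakHttpListener` (no redirect) and `ClassicLB` (plaintext backend) and stays silent on the two compliant listeners. The Classic finding is informational: it is exactly what the template above deploys, and whether it is acceptable depends on whether the VPC segment between load balancer and instances is trusted.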
AutoScaling
Auto Scaling Group with Warm Pool

This template creates an Auto Scaling group with a warm pool. The `AWS::AutoScaling::WarmPool` resource is used to define the warm pool for the Auto Scaling group. The `MinSize` property specifies the minimum number of instances to keep in the warm pool, and the `PoolState` property specifies the state instances are placed in while they wait in the pool (`Stopped`, `Running`, or `Hibernated`). The `AutoScalingGroupName` property is used to reference the Auto Scaling group to which the warm pool belongs.

Available as: CloudFormation, Terraform
CloudFormation WaitCondition For Desired Number of Instances

This template creates an Auto Scaling Group for a web server group. It also creates a Wait Condition Handle and a Wait Condition. The Wait Condition waits until the desired number of instances in the Auto Scaling Group have signalled the handle (typically by running `cfn-signal` from user data once the instance is ready). The Wait Condition has a timeout of 300 seconds and the required signal count is determined by the value of the WebServerCapacity parameter.

Available as: CloudFormation, Terraform
Launch Configuration with provisioned IOPS EBS-optimized volume, key-pair name, and user data

This template creates a launch configuration that sets the `EbsOptimized` property so that instances launch with an EBS-optimized interface to a provisioned IOPS volume. The block device mapping specifies a volume type of `io1` and the desired number of IOPS. The launch configuration also includes a key-pair name and user data.

Available as: CloudFormation, Terraform
Simple Scaling Policy

This template creates a scaling policy with the SimpleScaling policy type and the ChangeInCapacity adjustment type. The policy increases the capacity of the Auto Scaling group by one when a CloudWatch alarm is triggered. The policy is associated with a CloudWatch alarm that monitors a CloudWatch metric for the Auto Scaling group.

Available as: CloudFormation, Terraform
Scheduled Scaling Action that Occurs Only Once

This template creates a one-time scheduled action for an Auto Scaling group. At the specified 'StartTime' (4:00 PM UTC on March 31, 2021), if the group currently has more than 1 instance, it scales in to 1 instance. If the group currently has no instances, it scales out to 1 instance. Update 'StartTime' to a future date before deploying; a one-time action scheduled in the past will never run.

Available as: CloudFormation, Terraform
Scheduled Actions that Run on a Recurring Schedule

This template creates two scheduled actions for an Auto Scaling group. The 'ScheduledActionOut' action starts at 7 AM every day and sets the Auto Scaling group to a minimum of five Amazon EC2 instances with a maximum of 10. The 'ScheduledActionIn' action starts at 7 PM every day and sets the Auto Scaling group to a minimum and maximum of one Amazon EC2 instance. The time zone is not provided, so these scheduled actions will recur in UTC time.

Available as: CloudFormation, Terraform
Step Scaling Policy

This template creates a scaling policy with the StepScaling policy type and the ChangeInCapacity adjustment type. The policy increases the capacity of the Auto Scaling group based on step adjustments when a CloudWatch alarm is triggered. The step adjustments are defined based on the value of a CloudWatch metric for the Auto Scaling group.

Available as: CloudFormation, Terraform
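The step scaling and simple scaling entries above describe the policy properties but not how a metric value turns into a capacity change. The following is an added example, not code from this control library or from AWS: it resolves which step adjustment a metric value selects and applies the adjustment type with the same rounding and clamping rules Amazon EC2 Auto Scaling documents. Bounds are offsets from the CloudWatch alarm threshold, the lower bound inclusive and the upper bound exclusive, with a missing bound meaning open-ended; the simple scaling policy is the same computation with a single unbounded step. The step tables and group sizes are constructed for the example.

```python
"""Resolve the capacity change a step (or simple) scaling policy would make."""


def select_step(metric_value, alarm_threshold, step_adjustments):
    """Return the ScalingAdjustment of the step covering metric_value, else None."""
    delta = metric_value - alarm_threshold
    for step in step_adjustments:
        lower = step.get("MetricIntervalLowerBound")
        upper = step.get("MetricIntervalUpperBound")
        if (lower is None or delta >= lower) and (upper is None or delta < upper):
            return step["ScalingAdjustment"]
    return None  # metric outside every step: the service takes no action


def round_like_autoscaling(change):
    """Rounding for PercentChangeInCapacity results: (0, 1) becomes 1,
    (-1, 0) becomes -1, anything else is truncated toward zero."""
    if 0 < change < 1:
        return 1
    if -1 < change < 0:
        return -1
    return int(change)


def new_capacity(current, adjustment, adjustment_type, min_size, max_size,
                 min_adjustment_magnitude=None):
    """Apply one adjustment and clamp the result to the group's size limits."""
    if adjustment_type == "ExactCapacity":
        target = adjustment
    elif adjustment_type == "ChangeInCapacity":
        target = current + adjustment
    elif adjustment_type == "PercentChangeInCapacity":
        change = round_like_autoscaling(current * adjustment / 100)
        # MinAdjustmentMagnitude only applies to percentage adjustments
        if min_adjustment_magnitude and abs(change) < min_adjustment_magnitude:
            change = min_adjustment_magnitude * (1 if adjustment > 0 else -1)
        target = current + change
    else:
        raise ValueError(f"unknown AdjustmentType {adjustment_type!r}")
    return max(min_size, min(max_size, target))


# Constructed scale-out policy: alarm fires at CPU >= 50%, three steps above it
SCALE_OUT_STEPS = [
    {"MetricIntervalLowerBound": 0, "MetricIntervalUpperBound": 10, "ScalingAdjustment": 1},
    {"MetricIntervalLowerBound": 10, "MetricIntervalUpperBound": 20, "ScalingAdjustment": 2},
    {"MetricIntervalLowerBound": 20, "ScalingAdjustment": 3},
]
# The simple scaling policy from the earlier entry: one step, no bounds, +1
SIMPLE_STEP = [{"ScalingAdjustment": 1}]


def simulate(metric_value, current, steps=SCALE_OUT_STEPS, threshold=50,
             min_size=1, max_size=6):
    """Capacity the group would have after the alarm fires at metric_value."""
    adjustment = select_step(metric_value, threshold, steps)
    if adjustment is None:
        return current
    return new_capacity(current, adjustment, "ChangeInCapacity", min_size, max_size)


if __name__ == "__main__":
    for cpu in (49, 50, 65, 90):
        print(f"cpu={cpu}%: capacity 2 -> {simulate(cpu, 2)}")
```

Two details worth noticing: a value exactly at the threshold lands in the first step because the lower bound is inclusive, and the clamp to `MaxSize` is what stops a large step from overshooting the group limits.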
Target Tracking Scaling Policy with Load Balancer and Scaling Group

This template creates an Auto Scaling group with two target tracking scaling policies. The first policy is based on the ASGAverageCPUUtilization metric and the second policy is based on the ALBRequestCountPerTarget metric. The properties of each policy include a TargetValue property that references a parameter value from the template. The launch template used by the Auto Scaling group has monitoring enabled for detailed metric data at 1-minute intervals.

Available as: CloudFormation, Terraform
Predictive Scaling Policy

This template creates an Auto Scaling group with a predictive scaling policy. The policy uses CPU utilization metrics with a target utilization of 70. The policy is set to 'ForecastOnly' mode, which means that Amazon EC2 Auto Scaling generates forecasts with traffic predictions for the two days ahead, but does not actively scale the group.

Available as: CloudFormation, Terraform
Lifecycle Hook for Instance Termination

This template creates a lifecycle hook that supports a custom action at instance termination. The lifecycle hook is associated with an Auto Scaling group specified by the `myASG` parameter. The `NotificationMetadata` property is used to provide additional information to be sent with the notification, such as the name of the cluster to which the instance belongs.

Available as: CloudFormation, Terraform
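The lifecycle hook above holds a terminating instance in `Terminating:Wait` until `complete-lifecycle-action` is called or the heartbeat timeout expires. What runs in that window is up to you; the following is an added example, not code from this control library or from AWS, and the custom action it performs (snapshotting the instance's EBS volumes so evidence survives termination) is the example's own choice. It handles the EventBridge event `EC2 Instance-terminate Lifecycle Action`, reads the `NotificationMetadata` the hook passes along, and completes the hook with `CONTINUE` on success or `ABANDON` on failure. The boto3 clients are passed in as parameters so the logic runs without AWS access; the sample event and the fake clients are constructed for the example.

```python
"""Custom action for an autoscaling:EC2_INSTANCE_TERMINATING lifecycle hook."""
import json

SAMPLE_EVENT = {  # constructed, in the shape EventBridge delivers
    "source": "aws.autoscaling",
    "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "detail": {
        "LifecycleActionToken": "87654321-4321-4321-4321-210987654321",
        "AutoScalingGroupName": "web-asg",
        "LifecycleHookName": "capture-before-terminate",
        "EC2InstanceId": "i-0123456789abcdef0",
        "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
        "NotificationMetadata": "{\"cluster\": \"web\"}",
    },
}


def snapshot_and_complete(event, asg, ec2):
    """Snapshot every EBS volume of the terminating instance, then complete the hook.

    asg/ec2 are boto3 clients ('autoscaling', 'ec2') or stand-ins with the same
    method names. Returns the hook result and the snapshot ids created.
    """
    detail = event["detail"]
    instance_id = detail["EC2InstanceId"]
    metadata = json.loads(detail.get("NotificationMetadata") or "{}")
    cluster = metadata.get("cluster", "unknown")
    snapshots, error = [], None
    try:
        resp = ec2.describe_instances(InstanceIds=[instance_id])
        volume_ids = [bdm["Ebs"]["VolumeId"]
                      for r in resp["Reservations"] for inst in r["Instances"]
                      for bdm in inst.get("BlockDeviceMappings", []) if "Ebs" in bdm]
        for volume_id in volume_ids:
            snap = ec2.create_snapshot(
                VolumeId=volume_id,
                Description=f"pre-termination capture of {instance_id} ({cluster})",
                TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                    {"Key": "SourceInstance", "Value": instance_id},
                    {"Key": "Cluster", "Value": cluster},
                    {"Key": "Reason", "Value": "lifecycle-hook-capture"}]}])
            snapshots.append(snap["SnapshotId"])
        result = "CONTINUE"
    except Exception as exc:  # any failure: record it and release the instance
        error, result = str(exc), "ABANDON"
    # For a terminating instance either result lets termination proceed;
    # ABANDON records that the capture did not complete.
    asg.complete_lifecycle_action(
        LifecycleHookName=detail["LifecycleHookName"],
        AutoScalingGroupName=detail["AutoScalingGroupName"],
        LifecycleActionToken=detail["LifecycleActionToken"],
        InstanceId=instance_id,
        LifecycleActionResult=result)
    return {"result": result, "snapshots": snapshots, "error": error}


class FakeEC2:
    """Stand-in for boto3's EC2 client (constructed for the example)."""
    def __init__(self, volume_ids, fail=False):
        self.volume_ids, self.fail, self.created = volume_ids, fail, []

    def describe_instances(self, InstanceIds):
        mappings = [{"DeviceName": f"/dev/xvd{chr(97 + i)}", "Ebs": {"VolumeId": v}}
                    for i, v in enumerate(self.volume_ids)]
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0], "BlockDeviceMappings": mappings}]}]}

    def create_snapshot(self, VolumeId, **kwargs):
        if self.fail:
            raise RuntimeError("SnapshotLimitExceeded")
        snapshot_id = f"snap-{len(self.created):017x}"
        self.created.append((VolumeId, snapshot_id, kwargs))
        return {"SnapshotId": snapshot_id, "State": "pending"}


class FakeASG:
    """Stand-in for boto3's Auto Scaling client; records the completion call."""
    def __init__(self):
        self.completions = []

    def complete_lifecycle_action(self, **kwargs):
        self.completions.append(kwargs)
        return {}


def lambda_handler(event, context):
    """Real entry point: wires in boto3 (imported here so the example runs without it)."""
    import boto3
    return snapshot_and_complete(event, boto3.client("autoscaling"), boto3.client("ec2"))


if __name__ == "__main__":
    ec2, asg = FakeEC2(["vol-0a1b2c3d4e5f60001", "vol-0a1b2c3d4e5f60002"]), FakeASG()
    print(snapshot_and_complete(SAMPLE_EVENT, asg, ec2))
```

The function's execution role needs `ec2:DescribeInstances`, `ec2:CreateSnapshot`, `ec2:CreateTags` and `autoscaling:CompleteLifecycleAction`; scope the last to the group's ARN. `create_snapshot` returns while the snapshot is still `pending`, which is fine: the point-in-time is fixed at the call, so the hook can be completed without waiting for the copy to finish.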
Launch Configuration with instance store-backed AMI and Spot price

This template creates a launch configuration that can be used by an Auto Scaling group to configure Amazon EC2 instances. It specifies an instance store-backed AMI and includes a Spot price and an IAM instance profile. Instances are launched only while the current Spot price is below the specified maximum (0.045), and they can be interrupted when it rises above it, so the group should tolerate instances disappearing. Because the AMI is instance store-backed, nothing on the root volume survives a stop or termination.

Available as: CloudFormation, Terraform
Launch Configuration with EBS-backed AMI and defined block device mappings

This template creates a launch configuration that can be used by an Auto Scaling group to configure Amazon EC2 instances. It specifies an EBS-backed AMI and defines two block device mappings: a 30 gigabyte EBS root volume mapped to /dev/sda1 and a 100 gigabyte EBS volume mapped to /dev/sdm. The /dev/sdm volume uses the default EBS volume type for the region and is not deleted when the instance it is attached to is terminated. Because that volume outlives its instance, any data it holds must be tracked, encrypted, and cleaned up separately from the scaling group.

Available as: CloudFormation, Terraform
Auto Scaling Group with CloudWatch Monitoring and Custom Tags

This template creates an Auto Scaling group with CloudWatch monitoring enabled and custom tags. The Auto Scaling group references a launch template and has properties for maximum size, minimum size, desired capacity, VPC zone identifier, metrics collection, and tags. The launch template specifies the instance configuration information for the group.

Available as: CloudFormation, Terraform
Auto Scaling Group with Launch Template

This template creates an Auto Scaling group with a launch template. The launch template specifies the instance configuration information for the group, including the image ID and instance type. The Auto Scaling group has properties for maximum size, minimum size, desired capacity, and VPC zone identifier.

Available as: CloudFormation, Terraform
Config Rule
Classic Load Balancer ACM Certificate Required

Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this rule, use an SSL or HTTPS listener with your Classic Load Balancer. This rule is only applicable to Classic Load Balancers. This rule does not check Application Load Balancers and Network Load Balancers.

Available as: CloudFormation, Terraform, AWS CLI
Classic Load Balancer Custom SSL Security Policy Check

Checks whether your Classic Load Balancer SSL listeners are using a custom policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer.

Available as: CloudFormation, Terraform, AWS CLI
Classic Load Balancer Predefined SSL Security Policy Check

Checks whether your Classic Load Balancer SSL listeners are using a predefined policy. The rule is only applicable if there are SSL listeners for the Classic Load Balancer.

Available as: CloudFormation, Terraform, AWS CLI
ELB Logging Enabled

A Config rule that checks whether the Application Load Balancers and the Classic Load Balancers have access logging enabled. The rule is NON_COMPLIANT if access_logs.s3.enabled is false or, when you provide the optional s3BucketName parameter, if access_logs.s3.bucket is not equal to the bucket name you provided.

Available as: CloudFormation, Terraform, AWS CLI
ELB HTTPS Listeners Only Check

A Config rule that checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners. The rule is applicable if a Classic Load Balancer has listeners.

Available as: CloudFormation, Terraform, AWS CLI
ELB Cross AZ Load Balancing Enabled

A Config rule that checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). This rule is NON_COMPLIANT if cross-zone load balancing is not enabled for a CLB.

Available as: CloudFormation, Terraform, AWS CLI
ELB Health Checks are Configured for Auto Scaling Groups

A Config rule that checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.

Available as: CloudFormation, Terraform, AWS CLI
ELB Deletion Protection Enabled Check

A Config rule that checks whether an Elastic Load Balancing V2 load balancer (Application, Network, or Gateway) has deletion protection enabled. The rule is NON_COMPLIANT if deletion_protection.enabled is false.

Available as: CloudFormation, Terraform, AWS CLI
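The Config rules above state their logic in terms of API attributes. The following is an added example, not code from this control library or from AWS: it reproduces the Classic Load Balancer listener rules (ACM certificate required, HTTPS/SSL listeners only, predefined SSL policy) and the ELBv2 attribute rules (access logging enabled, deletion protection enabled) over the shapes returned by describe-load-balancers and describe-load-balancer-policies (Classic) and describe-load-balancer-attributes (ELBv2). That is the input a custom Config rule or an audit script works from. The sample descriptions are constructed; the expected policy name and bucket are parameters, not values the page prescribes.

```python
"""Evaluate the Classic and ELBv2 Config checks above against API output."""

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
SECURE = ("HTTPS", "SSL")


def _listeners(lb, secure_only=False):
    """ListenerDescriptions entries of a describe-load-balancers result."""
    return [ld for ld in lb["ListenerDescriptions"]
            if not secure_only or ld["Listener"]["Protocol"] in SECURE]


def elb_tls_https_listeners_only(lb):
    """NON_COMPLIANT if any Classic LB listener is not HTTPS or SSL."""
    listeners = _listeners(lb)
    if not listeners:
        return NOT_APPLICABLE
    ok = all(ld["Listener"]["Protocol"] in SECURE for ld in listeners)
    return COMPLIANT if ok else NON_COMPLIANT


def elb_acm_certificate_required(lb):
    """NON_COMPLIANT if a secure listener's certificate is not from ACM
    (an IAM upload looks like arn:aws:iam::<acct>:server-certificate/<name>)."""
    secure = _listeners(lb, secure_only=True)
    if not secure:
        return NOT_APPLICABLE
    ok = all(":acm:" in ld["Listener"].get("SSLCertificateId", "") for ld in secure)
    return COMPLIANT if ok else NON_COMPLIANT


def elb_predefined_security_policy_ssl_check(lb, policies, predefined_policy_name):
    """NON_COMPLIANT unless every SSL listener uses the named predefined policy.
    A predefined policy carries a Reference-Security-Policy attribute; a custom
    policy built from individual ciphers does not."""
    by_name = {p["PolicyName"]: p for p in policies}
    secure = _listeners(lb, secure_only=True)
    if not secure:
        return NOT_APPLICABLE
    for ld in secure:
        refs = {a["AttributeValue"] for n in ld["PolicyNames"]
                for a in by_name.get(n, {}).get("PolicyAttributeDescriptions", [])
                if a["AttributeName"] == "Reference-Security-Policy"}
        if predefined_policy_name not in refs:
            return NON_COMPLIANT
    return COMPLIANT


def _attr(attributes, key, default="false"):
    """Value of one describe-load-balancer-attributes entry (values are strings)."""
    return next((a["Value"] for a in attributes if a["Key"] == key), default)


def elb_logging_enabled(attributes, s3_bucket_name=None):
    """NON_COMPLIANT if access_logs.s3.enabled is false or, when a bucket name
    is given, access_logs.s3.bucket differs from it."""
    if _attr(attributes, "access_logs.s3.enabled") != "true":
        return NON_COMPLIANT
    if s3_bucket_name and _attr(attributes, "access_logs.s3.bucket", "") != s3_bucket_name:
        return NON_COMPLIANT
    return COMPLIANT


def elb_deletion_protection_enabled(attributes):
    """NON_COMPLIANT if deletion_protection.enabled is false."""
    return COMPLIANT if _attr(attributes, "deletion_protection.enabled") == "true" else NON_COMPLIANT


# Constructed samples: one well-configured Classic LB, one legacy Classic LB,
# the policies both reference, and the attribute list of an ALB.
GOOD_CLB = {"LoadBalancerName": "web-clb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTPS",
                  "InstancePort": 443,
                  "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/abc"},
     "PolicyNames": ["tls12-ref-policy"]}]}
BAD_CLB = {"LoadBalancerName": "legacy-clb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP",
                  "InstancePort": 80}, "PolicyNames": []},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstanceProtocol": "HTTP",
                  "InstancePort": 80,
                  "SSLCertificateId": "arn:aws:iam::111122223333:server-certificate/old"},
     "PolicyNames": ["custom-ciphers"]}]}
POLICIES = [
    {"PolicyName": "tls12-ref-policy", "PolicyAttributeDescriptions": [
        {"AttributeName": "Reference-Security-Policy",
         "AttributeValue": "ELBSecurityPolicy-TLS-1-2-2017-01"}]},
    {"PolicyName": "custom-ciphers", "PolicyAttributeDescriptions": [
        {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]},
]
ALB_ATTRS = [{"Key": "access_logs.s3.enabled", "Value": "true"},
             {"Key": "access_logs.s3.bucket", "Value": "org-elb-logs"},
             {"Key": "deletion_protection.enabled", "Value": "false"}]

if __name__ == "__main__":
    for lb in (GOOD_CLB, BAD_CLB):
        print(lb["LoadBalancerName"], elb_tls_https_listeners_only(lb),
              elb_acm_certificate_required(lb),
              elb_predefined_security_policy_ssl_check(lb, POLICIES, "ELBSecurityPolicy-TLS-1-2-2017-01"))
    print("alb", elb_logging_enabled(ALB_ATTRS, "org-elb-logs"), elb_deletion_protection_enabled(ALB_ATTRS))
```

The custom-policy variant of the SSL check works the same way but inspects the individual `Protocol-*` and cipher attributes of a policy that has no `Reference-Security-Policy` entry. Note that the attribute values from the ELBv2 API are the strings `"true"`/`"false"`, which is why the checks compare against `"true"` rather than testing truthiness.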
Load Balancer ACM Certificate Required

A Config rule that checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM). This rule is NON_COMPLIANT if at least 1 load balancer has at least 1 listener that is configured without a certificate from ACM or is configured with a certificate different from an ACM certificate.

Available as: CloudFormation, Terraform, AWS CLI
Load Balancer Multiple AZ Check

A Config rule that checks if an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones (AZs). The rule is NON_COMPLIANT if an Elastic Load Balancer V2 has instances registered in less than 2 AZs.

Available as: CloudFormation, Terraform, AWS CLI