# ################################### ## Rule Specification ## ##################################### # # Rule Identifier: # autoscaling_group_elb_healthcheck_required_check # # Description: # This control checks whether your Amazon EC2 Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. # # Reports on: # AWS::AutoScaling::AutoScalingGroup # # Evaluates: # AWS CloudFormation, AWS CloudFormation hook # # Rule Parameters: # None # # Scenarios: # Scenario: 1 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document does not contain any Auto Scaling groups # Then: SKIP # Scenario: 2 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an Auto Scaling Group resource # And: 'LoadBalancerNames' or 'TargetGroupARNs' are not present on the Auto Scaling Group resource or empty lists # Then: SKIP # Scenario: 3 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an Auto Scaling Group resource # And: 'LoadBalancerNames' or 'TargetGroupARNs' are present on the Auto Scaling group with at least # one configuration # And: 'HealthCheckType' is not present # Then: FAIL # Scenario: 4 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an Auto Scaling Group resource # And: 'LoadBalancerNames' or 'TargetGroupARNs' are present on the Auto Scaling group with at least # one configuration # And: 'HealthCheckType' is present and set to a value other than 'ELB' (e.g. 'EC2') # Then: FAIL # Scenario: 5 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an Auto Scaling Group resource # And: 'LoadBalancerNames' or 'TargetGroupARNs' are present on the Auto Scaling Group resource with at least # one configuration # And: 'HealthCheckType' is present and set to 'ELB' # Then: PASS # # Constants # let AUTOSCALING_GROUP_TYPE = "AWS::AutoScaling::AutoScalingGroup" let INPUT_DOCUMENT = this # # Assignments # let autoscaling_groups = Resources.*[ Type == %AUTOSCALING_GROUP_TYPE ] # # Primary Rules # rule autoscaling_group_elb_healthcheck_required_check when is_cfn_template(%INPUT_DOCUMENT) %autoscaling_groups not empty { check(%autoscaling_groups.Properties) << [CT.AUTOSCALING.PR.4]: Require an Amazon EC2 Auto Scaling group associated with an AWS Elastic Load Balancer (ELB) to have ELB health checks activated [FIX]: Configure Amazon EC2 Auto Scaling groups associated with an Elastic Load Balancing load balancer to use Elastic Load Balancing health checks. >> } rule autoscaling_group_elb_healthcheck_required_check when is_cfn_hook(%INPUT_DOCUMENT, %AUTOSCALING_GROUP_TYPE) { check(this.%AUTOSCALING_GROUP_TYPE.resourceProperties) << [CT.AUTOSCALING.PR.4]: Require an Amazon EC2 Auto Scaling group associated with an AWS Elastic Load Balancer (ELB) to have ELB health checks activated [FIX]: Configure Amazon EC2 Auto Scaling groups associated with an Elastic Load Balancing load balancer to use Elastic Load Balancing health checks. >> } # # Parameterized Rules # rule check(autoscaling_group) { %autoscaling_group [ filter_list_exists_and_not_empty(LoadBalancerNames) or filter_list_exists_and_not_empty(TargetGroupARNs) ] { check_healthcheck_type_on_asg(this) } } rule filter_list_exists_and_not_empty(property) { %property { # Scenario 2 this exists this is_list this not empty } } rule check_healthcheck_type_on_asg(asg) { %asg { # Scenario 3 HealthCheckType exists # Scenario 4 and 5 HealthCheckType == "ELB" } } # # Utility Rules # rule is_cfn_template(doc) { %doc { AWSTemplateFormatVersion exists or Resources exists } } rule is_cfn_hook(doc, RESOURCE_TYPE) { %doc.%RESOURCE_TYPE.resourceProperties exists }