Skip to main content

More Info:

Elastic Load Balancer should not send any new requests to the unhealthy instance if an EC2 backend instance fails health checks.

Risk Level

Informational

Address

Reliability

Compliance Standards

NIST, NISTCSF

Triage and Remediation

Remediation

Using Console

Sure, here are the step by step instructions to remediate the misconfiguration of ELBs not having Connection Draining enabled in AWS console:
  1. Open the AWS Management Console and navigate to the EC2 Dashboard.
  2. From the left-hand menu, click on the “Load Balancers” option.
  3. Select the ELB that you want to remediate from the list of available load balancers.
  4. Click on the “Attributes” tab from the bottom panel.
  5. Under the “Connection Settings” section, click on the “Edit” button.
  6. In the “Edit Connection Settings” window, check the box next to “Enable Connection Draining”.
  7. Set the “Connection Draining Timeout” value to the desired number of seconds (e.g., 300 seconds).
  8. Click on the “Save” button to save the changes.
  9. Verify that the “Connection Draining” attribute is now enabled for the selected ELB.
That’s it! You have successfully remediated the misconfiguration of ELBs not having Connection Draining enabled in AWS.

To remediate the misconfiguration “ELBs Should Have Connection Draining Enabled” in AWS using AWS CLI, please follow the below steps:Step 1: Open the AWS CLI on your local machine.Step 2: Run the following command to enable connection draining for an existing ELB:
aws elb modify-load-balancer-attributes --load-balancer-name <ELB_Name> --load-balancer-attributes "{\"ConnectionDraining\":{\"Enabled\":true,\"Timeout\":300}}"
Note: Replace <ELB_Name> with the name of your ELB.Step 3: Verify the connection draining is enabled by running the following command:
aws elb describe-load-balancer-attributes --load-balancer-name <ELB_Name> --query 'LoadBalancerAttributes.ConnectionDraining'
Note: Replace <ELB_Name> with the name of your ELB.If the output of the above command shows “Enabled”: true, then the connection draining is enabled for your ELB.That’s it! You have successfully remediated the misconfiguration “ELBs Should Have Connection Draining Enabled” in AWS using AWS CLI.
To remediate the “ELBs Should Have Connection Draining Enabled” misconfiguration in AWS using Python, follow these steps:
  1. First, import the necessary AWS SDK libraries in your Python script. You will need boto3 and botocore libraries.
import boto3
from botocore.exceptions import ClientError
  1. Next, create a boto3 client for the Elastic Load Balancing (ELB) service.
elb_client = boto3.client('elb')
  1. Retrieve a list of all the ELBs in your AWS account using the describe_load_balancers() method.
response = elb_client.describe_load_balancers()
load_balancers = response['LoadBalancerDescriptions']
  1. For each ELB in the list, check if Connection Draining is enabled by calling the describe_load_balancer_attributes() method.
for lb in load_balancers:
    lb_name = lb['LoadBalancerName']
    response = elb_client.describe_load_balancer_attributes(LoadBalancerName=lb_name)
    attrs = response['LoadBalancerAttributes']
    if 'ConnectionDraining' not in attrs or not attrs['ConnectionDraining']['Enabled']:
        # Connection Draining is not enabled. Remediate the misconfiguration.
  1. If Connection Draining is not enabled, use the modify_load_balancer_attributes() method to enable it.
elb_client.modify_load_balancer_attributes(
    LoadBalancerName=lb_name,
    LoadBalancerAttributes={
        'ConnectionDraining': {
            'Enabled': True,
            'Timeout': 300 # Set the timeout value in seconds
        }
    }
)
  1. Finally, add appropriate logging and error handling to your script.
try:
    # Put the above code here
except ClientError as e:
    print(f"Error: {e}")
With these steps, you can remediate the “ELBs Should Have Connection Draining Enabled” misconfiguration in AWS using Python.

Additional Reading: