Profile Applicability

  • Level 2

Description

Configuring your EC2 Auto Scaling Group to span multiple Availability Zones ensures high availability and fault tolerance. By distributing resources across multiple AZs, you minimize the risk of disruption caused by zone-specific outages. This configuration is critical for maintaining application resilience and improving overall system reliability.

Rationale

  • Improved Fault Tolerance: Spreads resources across multiple AZs, reducing the risk of downtime due to Regional disruptions.

  • Enhanced Availability: Ensures instances are launched in healthy and available AZs during scaling operations.

  • Compliance: Aligns with best practices for highly available cloud architectures.

Impact

Pros:

  • Provides a robust and highly available environment for your workloads.

  • Balances load efficiently across AZs, improving performance.

  • Reduces the single point of failure associated with using only one AZ.

Cons:

  • May increase network latency if AZs are not geographically close.

  • Slightly more complex to configure and manage compared to single AZ setups.

Default Value

By default, an Auto Scaling Group may be created with only one Availability Zone unless additional subnets spanning multiple AZs are explicitly configured.

Pre-Requisite

IAM Permissions Required:

  • autoscaling:CreateAutoScalingGroup

  • autoscaling:UpdateAutoScalingGroup

  • autoscaling:DescribeAutoScalingGroups

Tools Required:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 > Auto Scaling Groups.

  3. Select your Auto Scaling Group and view its Details.

  4. Verify that the Availability Zones or Subnets span multiple zones within the Region.

Using AWS CLI:

  1. Describe the Auto Scaling Group:

    aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <asg-name>

  2. Check the AvailabilityZones field in the output for multiple AZs.
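As an added example (not part of this benchmark), the following Python script applies the CLI test plan above to the JSON that describe-auto-scaling-groups returns and reports each group that lists fewer than two Availability Zones. The embedded sample output, group names, subnet ids and instance ids are constructed placeholders, and the capacity check it adds (desired capacity at least equal to the zone count) is a stricter assumption than the page's test, not something the benchmark requires.

```python
"""Flag Auto Scaling groups that do not span multiple Availability Zones.

Usage: aws autoscaling describe-auto-scaling-groups > asgs.json
       python3 check_asg_azs.py asgs.json   (no argument: uses the sample)
"""
import json
import sys

# Constructed sample shaped like the CLI output; ids are placeholders.
SAMPLE = {
    "AutoScalingGroups": [
        {"AutoScalingGroupName": "web-asg", "MinSize": 2, "DesiredCapacity": 2,
         "AvailabilityZones": ["us-east-1a", "us-east-1b"],
         "VPCZoneIdentifier": "subnet-aaa111,subnet-bbb222",
         "Instances": [{"InstanceId": "i-0001", "AvailabilityZone": "us-east-1a"},
                       {"InstanceId": "i-0002", "AvailabilityZone": "us-east-1b"}]},
        {"AutoScalingGroupName": "batch-asg", "MinSize": 1, "DesiredCapacity": 1,
         "AvailabilityZones": ["us-east-1a"],
         "VPCZoneIdentifier": "subnet-aaa111",
         "Instances": [{"InstanceId": "i-0003", "AvailabilityZone": "us-east-1a"}]},
    ]
}


def audit_groups(payload, min_zones=2):
    """Return one finding per group: zones configured, zones actually in use."""
    findings = []
    for asg in payload.get("AutoScalingGroups", []):
        zones = sorted(set(asg.get("AvailabilityZones", [])))
        subnets = [s for s in asg.get("VPCZoneIdentifier", "").split(",") if s]
        instance_zones = sorted({i["AvailabilityZone"] for i in asg.get("Instances", [])})
        findings.append({
            "name": asg["AutoScalingGroupName"],
            "zones": zones,
            "subnets": subnets,
            "instance_zones": instance_zones,
            "compliant": len(zones) >= min_zones,
            # Assumption beyond the page: fewer instances than zones cannot fill every AZ.
            "capacity_covers_zones": asg.get("DesiredCapacity", 0) >= len(zones),
        })
    return findings


def main():
    payload = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_groups(payload):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['name']}: zones={f['zones']} instances_in={f['instance_zones']}")


if __name__ == "__main__":
    main()
```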

Implementation Steps:

Using AWS Console:

  1. Navigate to EC2 > Auto Scaling Groups.

  2. Select the Auto Scaling Group to edit.

  3. Click Edit and update the Network section:

    • Add subnets from multiple Availability Zones within the same Region.

    • Ensure load balancers (if used) are configured across these AZs.

  4. Save the updated configuration.

Using AWS CLI:

  1. Update the Auto Scaling Group to span multiple AZs:

    aws autoscaling update-auto-scaling-group \
    --auto-scaling-group-name <asg-name> \
    --vpc-zone-identifier "<subnet-id-1>,<subnet-id-2>,<subnet-id-3>"

  2. Verify the updated configuration:

    aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <asg-name>

Backout Plan

Using AWS Console:

  1. If using multiple Availability Zones causes issues, sign in to the AWS Management Console.

  2. Navigate to EC2, then to Auto Scaling Groups.

  3. Select the Auto Scaling Group and go to the Network section.

  4. Change the Availability Zones to a single Availability Zone if necessary.

  5. Save the changes and verify that the Auto Scaling Group is now using a single AZ.

Using AWS CLI:

  1. To revert to a single Availability Zone, run:

    aws autoscaling update-auto-scaling-group --auto-scaling-group-name <asg-name> --availability-zones <single-az>

    If the group launches into VPC subnets (VPCZoneIdentifier is set), pass a single subnet in the chosen zone with --vpc-zone-identifier instead, because the group's Availability Zones and subnets must agree or the update is rejected.

  2. Verify that the Auto Scaling Group is now using only a single Availability Zone:

    aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <asg-name>

References

CIS Controls

Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
v8      | 5.3        | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.        |     |     |
v8      | 13.2       | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. |     |     |