Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Auto Scaling Group Notifications

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ASG-005

Ensure that your Amazon Auto Scaling Groups (ASGs) are configured to send email notifications whenever a scaling event, such as launching or terminating an EC2 instance, occurs. Once that activity notifications are enabled, the Amazon SNS topic associated with the ASG will send scaling events notifications to the email address that you specified during setup.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Auto Scaling Group activity notifications can increase the reliability and availability of the applications deployed within your auto-scaling environments by allowing you to act fast and mitigate scaling issues such as failed instance launches.

Audit

To determine if activity notifications are enabled for your Auto Scaling Groups (ASGs), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Activity tab to view the activity notifications available for the selected ASG resource.

06 Check for any activity notification entries listed in the Activity notifications section. If there are no such entries, the selected Auto Scaling Group (ASG) is not configured to send scaling event notifications via email.

07 Repeat steps no. 4 and 5 for each ASG available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) available in the selected AWS region: 

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --output table
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG name(s): 

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|   cc-production-asg     |
|   cc-internal-app-asg   |
|   cc-frontend-app-asg   |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) using the name of the Auto Scaling Group (ASG) that you want to examine as the identifier parameter and custom query filters to describe the ARN of the Amazon SNS topic, configured to send scaling event notifications, associated with the selected ASG resource: 

aws autoscaling describe-notification-configurations
  --region us-east-1
  --auto-scaling-group-name cc-production-asg
  --query 'NotificationConfigurations[*].TopicARN'

04 The command output should return the ARN of the associated SNS topic: 

[]

If the describe-auto-scaling-groups command output returns an empty array (i.e. []), as shown in the example above, there are no SNS topics associated with your ASG, therefore the selected Auto Scaling Group (ASG) is not configured to send scaling event notifications via email.

05 Repeat steps no. 3 and 4 for each ASG available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To configure your Auto Scaling Groups (ASGs) in order to send scaling event notifications via email, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Activity tab to access the activity notifications panel available for the selected ASG.

06 In the Activity notifications section, choose Create notification to set up scaling event notifications for the selected ASG resource.

07 In the Create notification box, perform the following actions:

  1. Choose Create a topic under SNS Topic to create the necessary SNS topic.
  2. Provide a unique name for the new SNS topic in the Send a notification to box.
  3. Enter the email address where you want to receive scaling event notifications in the With these recipients box. Use an email client to open the subscription confirmation message from AWS Notification, and click on the appropriate link to confirm your SNS subscription.
  4. For Event types, select the scaling events to send notifications for. Trend Cloud One™ – Conformity recommends enabling notifications for all the event types listed in this section.
  5. Choose Create to create the scaling event notification for the selected Auto Scaling Group (ASG).

08 Repeat steps no. 4 – 7 to enable scaling event notifications for each ASG available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new Amazon SNS topic required to send notifications whenever scaling events occur within your Auto Scaling Group (ASG): 

aws sns create-topic
  --name cc-scaling-events-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created SNS topic: 

{
	"TopicArn": "arn:aws:sns:us-east-1:12345678901:cc-scaling-events-topic" 
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (i.e. the email address provided): 

aws sns subscribe
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-scaling-events-topic
  --protocol email
  --notification-endpoint alerts@trendmicro.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not produce an output): 

aws sns confirm-subscription
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-scaling-events-topic
  --token abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd

05 Once the required SNS topic is created and configured, run put-notification-configuration command (OSX/Linux/UNIX) to reconfigure your Auto Scaling Group (ASG) in order to associate it with the newly created SNS topic and send email notifications when specified scaling events take place (the command does not produce an output): 

aws autoscaling put-notification-configuration
  --region us-east-1
  --auto-scaling-group-name cc-production-asg
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-scaling-events-topic
  --notification-types "autoscaling:EC2_INSTANCE_LAUNCH" "autoscaling:EC2_INSTANCE_TERMINATE" "autoscaling:EC2_INSTANCE_LAUNCH_ERROR" "autoscaling:EC2_INSTANCE_TERMINATE_ERROR"

06 Repeat step no. 5 to enable scaling event notifications for each ASG available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Sep 12, 2016

Related AutoScaling rules