AWS HTTP and HTTPS target groups do not define health check
Description
Health checks let the load balancer confirm that a target is responding before it routes requests to that target, instead of blindly sending traffic to endpoints that may be unhealthy. When a Terraform target group declares no `health_check` block, AWS falls back to its defaults (for HTTP and HTTPS target groups: probe `/` on the traffic port and expect a 200), which rarely match how an application actually signals readiness. Defining the health check explicitly keeps the probe path, expected response and thresholds under version control with the rest of the target group.
Code Example

The following target group fails the rule because it defines no `health_check` block:

```hcl
resource "aws_alb_target_group" "example" {
  name     = "target-group-1"
  port     = 80
  protocol = "HTTP"
  # no health_check block: the default probe expects HTTP 200 from "/" or the target fails
}
```

Remediation
The way you enable health checks varies by the endpoint. If you are using an Auto Scaling group:

1. Go to the EC2 console and select Auto Scaling Groups.
2. Select the check box next to an existing group.
3. On the Details tab, choose Health checks and then Edit.
4. Select your health check type.
5. Add a Health check grace period.
6. Select Update.

Or, for the load balancer:

1. Open the Amazon EC2 console.
2. Under Load Balancing, select Load Balancers.
3. Select your load balancer.
4. On the Health Check tab, choose Edit Health Check.
5. On the Configure Health Check page, configure your health check.
6. Select Save.

Note that the Health Check tab on the load balancer itself applies to Classic Load Balancers. For an Application or Network Load Balancer, health checks belong to the target group: under Load Balancing, select Target Groups, select the group, open the Health checks tab and choose Edit.

=== Fix - Buildtime
- Resource: aws_lb_target_group, aws_alb_target_group
- Arguments: health_check
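The compliant form of the target group, as an added example that is not part of the original policy page: the same HTTP target group with an explicit `health_check` block. The resource name, the `/healthz` path, the thresholds and the `vpc_id` variable are assumptions; adjust them to the application. `aws_alb_target_group` is an alias of `aws_lb_target_group`, so the same block applies to both.

```hcl
# Added example, not the policy's own code. The health_check block is what
# CKV_AWS_261 looks for on HTTP/HTTPS target groups.

variable "vpc_id" {
  type        = string
  description = "VPC that contains the targets (assumed input)"
}

resource "aws_lb_target_group" "example" {
  name     = "target-group-1"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  health_check {
    enabled             = true
    protocol            = "HTTP"
    path                = "/healthz"     # lightweight, unauthenticated readiness endpoint (assumed)
    port                = "traffic-port" # probe the same port that receives traffic
    interval            = 30             # seconds between probes
    timeout             = 5              # seconds to wait for a response
    healthy_threshold   = 3              # consecutive successes before a target is healthy
    unhealthy_threshold = 2              # consecutive failures before a target is drained
    matcher             = "200"          # only HTTP 200 counts as healthy; "200-299" is also accepted
  }
}
```

Keep the probe endpoint cheap and free of authentication so that the load balancer's requests do not add load or appear as failed logins, and keep `timeout` below `interval`, which AWS requires. To confirm the fix locally, run `checkov -f main.tf --check CKV_AWS_261` against the file; the resource should now be reported as passed.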
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0309 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_261 |