ELBs Should Have Connection Draining Enabled

More Info:

Elastic Load Balancer should not send any new requests to the unhealthy instance if an EC2 backend instance fails health checks.

Risk Level

Informational

Address

Reliability

Compliance Standards

NIST, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “ELBs Should Have Connection Draining Enabled” in AWS using AWS CLI, please follow the below steps:Step 1: Open the AWS CLI on your local machine.Step 2: Run the following command to enable connection draining for an existing ELB:

aws elb modify-load-balancer-attributes --load-balancer-name <ELB_Name> --load-balancer-attributes "{\"ConnectionDraining\":{\"Enabled\":true,\"Timeout\":300}}"

Note: Replace <ELB_Name> with the name of your ELB.Step 3: Verify the connection draining is enabled by running the following command:

aws elb describe-load-balancer-attributes --load-balancer-name <ELB_Name> --query 'LoadBalancerAttributes.ConnectionDraining'

Note: Replace <ELB_Name> with the name of your ELB.If the output of the above command shows “Enabled”: true, then the connection draining is enabled for your ELB.That’s it! You have successfully remediated the misconfiguration “ELBs Should Have Connection Draining Enabled” in AWS using AWS CLI.

Using Python

To remediate the “ELBs Should Have Connection Draining Enabled” misconfiguration in AWS using Python, follow these steps:

First, import the necessary AWS SDK libraries in your Python script. You will need boto3 and botocore libraries.

import boto3
from botocore.exceptions import ClientError

Next, create a boto3 client for the Elastic Load Balancing (ELB) service.

elb_client = boto3.client('elb')

Retrieve a list of all the ELBs in your AWS account using the describe_load_balancers() method.

response = elb_client.describe_load_balancers()
load_balancers = response['LoadBalancerDescriptions']

For each ELB in the list, check if Connection Draining is enabled by calling the describe_load_balancer_attributes() method.

for lb in load_balancers:
    lb_name = lb['LoadBalancerName']
    response = elb_client.describe_load_balancer_attributes(LoadBalancerName=lb_name)
    attrs = response['LoadBalancerAttributes']
    if 'ConnectionDraining' not in attrs or not attrs['ConnectionDraining']['Enabled']:
        # Connection Draining is not enabled. Remediate the misconfiguration.

If Connection Draining is not enabled, use the modify_load_balancer_attributes() method to enable it.

elb_client.modify_load_balancer_attributes(
    LoadBalancerName=lb_name,
    LoadBalancerAttributes={
        'ConnectionDraining': {
            'Enabled': True,
            'Timeout': 300 # Set the timeout value in seconds
        }
    }
)

Finally, add appropriate logging and error handling to your script.

try:
    # Put the above code here
except ClientError as e:
    print(f"Error: {e}")

With these steps, you can remediate the “ELBs Should Have Connection Draining Enabled” misconfiguration in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

ELBs Should Have Connection Draining Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: