🛡️ AWS EC2 Auto Scaling Group does not span multiple Availability Zones🟢

Contextual name: 🛡️ Auto Scaling Group does not span multiple Availability Zones🟢
ID: /ce/ca/aws/autoscaling/group-multiple-az
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: RELIABILITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS EC2 Auto Scaling Group
- 🔌 AWS EC2 Auto Scaling Group - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies AWS EC2 Auto Scaling Groups (ASGs) that are not configured to launch instances across multiple Availability Zones (AZs).

Rationale

Configuring an Auto Scaling Group to operate across multiple Availability Zones is a key best practice for ensuring high availability and fault tolerance. By distributing instances across multiple AZs, you minimize the risk of downtime caused by failures in a single zone, helping maintain application continuity during infrastructure disruptions.

Impact

If an Auto Scaling Group is restricted to a single Availability Zone, any outage within that zone, such as power failures, network disruptions, or natural disasters, can render all instances in the group unavailable, leading to potential service interruptions.

When modifying the number of Availability Zones for an Auto Scaling Group, ensure that the associated load balancer is also updated to reflect the new zone configuration.

Audit

This policy flags an AWS EC2 Auto Scaling Group as INCOMPLIANT if it is configured with fewer than two Availability Zones.

Remediation

Open File

Remediation

Change Availability Zones

From Command Line

To configure your Auto Scaling Group to span multiple Availability Zones, update it with subnets that belong to different AZs using the update-auto-scaling-group command:
aws autoscaling update-auto-scaling-group \
    --auto-scaling-group-name {{asg-name}} \
    --vpc-zone-identifier "subnet-xxxxxxxx,subnet-yyyyyyyy,subnet-zzzzzzzz"
After updating the Auto Scaling Group, ensure the associated load balancer is also configured to use subnets from multiple Availability Zones:
aws elbv2 set-subnets \
    --load-balancer-arn {{lb-arn}} \
    --subnets "subnet-xxxxxxxx" "subnet-yyyyyyyy" "subnet-zzzzzzzz"

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones		1	no data
💼 AWS Well-Architected → 💼 REL06-BP04 Automate responses (Real-time processing and alarming)		3	no data
💼 AWS Well-Architected → 💼 REL07-BP02 Obtain resources upon detection of impairment to a workload		3	no data
💼 AWS Well-Architected → 💼 REL11-BP03 Automate healing on all layers		3	no data
💼 AWS Well-Architected → 💼 SUS02-BP01 Scale workload infrastructure dynamically		2	no data
💼 Cloudaware Framework → 💼 System Configuration		45	no data
💼 FedRAMP High Security Controls → 💼 CP-2(2) Capacity Planning (H)		3	no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)		12	no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	2	12	no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)		12	no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)	1	12	no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations		15	no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process		12	no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed		12	no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed		12	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-2(2) Contingency Plan _ Capacity Planning		3	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives		12	no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution	6	12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy		11	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage	2	6	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability		11	no data

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

Change Availability Zones​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

Change Availability Zones

From Command Line

policy.yaml

Linked Framework Sections