🛡️ AWS ELB Classic Load Balancer Connection Draining is disabled🟢

Contextual name: 🛡️ Classic Load Balancer Connection Draining is disabled🟢
ID: /ce/ca/aws/elb/load-balancer-connection-draining
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: RELIABILITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS ELB Load Balancer
- 🔌 AWS ELB Load Balancer - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [ELB.7] Classic Load Balancers should have connection draining enabled
Cloud Conformity: ELB Connection Draining Enabled

Description

Description

This policy identifies AWS Classic Load Balancers that have Connection Draining disabled. Connection Draining allows a load balancer to stop routing new requests to instances that are being deregistered or marked unhealthy, while allowing existing in-flight requests to complete within a configured timeout period.

Rationale

Enabling Connection Draining is critical during instance termination events caused by scale-in activities, maintenance operations, or when the load balancer detects an unhealthy instance and reroutes traffic.

Without Connection Draining, active connections may be terminated abruptly, which can lead to 5xx errors and negatively impact the end-user experience.

Audit

This policy flags an AWS Classic Load Balancer as INCOMPLIANT when the Connection Draining Enabled is set to false.

Other Load Balancer types are marked as INAPPLICABLE.

Remediation

Open File

Remediation

Enable Connection Draining

Connection Draining ensures that in-flight requests are allowed to complete before instances are deregistered or terminated.

From Command Line

Run the following AWS CLI command to enable Connection Draining and configure the timeout period (in seconds) for the selected Classic Load Balancer:
aws elb modify-load-balancer-attributes \
    --load-balancer-name {{lb-name}} \
    --load-balancer-attributes ConnectionDraining={Enabled=true,Timeout={{300}}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.7] Classic Load Balancers should have connection draining enabled			1	no data
💼 Cloudaware Framework → 💼 System Configuration			69	no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	47	no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			45	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		47	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		46	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enable Connection Draining​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Enable Connection Draining

From Command Line

policy.yaml

Linked Framework Sections