Ensure AWS HTTP and HTTPS target groups define health check

Error: AWS HTTP and HTTPS target groups do not define health check

Bridgecrew Policy ID: BC_AWS_GENERAL_177
Checkov Check ID: CKV_AWS_261
Severity: LOW

AWS HTTP and HTTPS target groups do not define health check


Health checks let a load balancer verify that a target is responding before it routes requests there, and take targets that stop responding out of rotation. Defining one is the safer default compared with blindly sending traffic to targets that may be unhealthy.

Fix - Runtime

How you enable health checks depends on the endpoint. If you are using an Auto Scaling group:

  1. Go to the EC2 console and select Auto Scaling Groups
  2. Select the check box next to an existing group
  3. On the Details tab, choose Health checks and Edit
  4. Select your health check type
  5. Add a Health check grace period
  6. Select Update

Or for the load balancer:

  1. Open the Amazon EC2 console
  2. Under Load Balancing, select Load Balancers
  3. Select your load balancer
  4. On the Health Check tab, choose Edit Health Check
  5. On the Configure Health Check page, configure your health check
  6. Select Save

Note that the Health Check tab above belongs to a Classic Load Balancer. For an Application or Network Load Balancer the health check is a property of the target group, so under Load Balancing select Target Groups, choose the target group, open its Health checks tab and select Edit.

Fix - Buildtime

  • Resource: aws_lb_target_group, aws_alb_target_group
  • Argument: health_check

resource "aws_alb_target_group" "example" {
  name     = "target-group-1"
  port     = 80
  protocol = "HTTP"
  # vpc_id is also required for instance and ip target types (omitted here for brevity)

+  health_check {
+    path = "/api/1/resolve/default?path=/service/my-service"
+    ...
+    matcher = "200"  # only an HTTP 200 response counts as healthy; any other code marks the target unhealthy
+  }
}
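For readers who want to see the rule as executable logic rather than a console procedure, the following is an added example, not Checkov's own implementation of CKV_AWS_261 and not code from this page. It evaluates a parsed `aws_lb_target_group` / `aws_alb_target_group` resource the way a custom Checkov-style resource check would: HTTP and HTTPS target groups must carry a `health_check` block that is not disabled, TCP/TLS/UDP groups and Lambda target groups (which have no `protocol`) are out of scope. The dict shape (every attribute value wrapped in a list, nested blocks as lists of dicts) is an assumption modelled on how Checkov hands Terraform resources to checks, and the sample resources are constructed for the example.

```python
"""Added example: a minimal re-implementation of the idea behind CKV_AWS_261.

Not Checkov's own code. The conf dict shape (scalars wrapped in a one-element
list, nested blocks as lists of dicts) is an assumption modelled on the way
Checkov passes parsed Terraform resources to a check.
"""

PASSED = "PASSED"
FAILED = "FAILED"
UNKNOWN = "UNKNOWN"  # the rule does not apply to this resource


def _first(conf, key, default=None):
    """Unwrap the single-element list that Checkov-style confs use for scalars."""
    value = conf.get(key)
    if isinstance(value, list) and value:
        return value[0]
    return default


def check_target_group_health_check(conf):
    """Evaluate one aws_lb_target_group / aws_alb_target_group resource.

    - Lambda target groups carry no protocol: the rule does not apply.
    - TCP/TLS/UDP groups are outside the HTTP/HTTPS scope of this rule.
    - HTTP/HTTPS groups must declare a health_check block that is not
      explicitly disabled (health_check.enabled = false).
    """
    protocol = _first(conf, "protocol")
    if protocol is None:
        return UNKNOWN
    if str(protocol).upper() not in ("HTTP", "HTTPS"):
        return UNKNOWN

    health_checks = conf.get("health_check")
    if not health_checks or not isinstance(health_checks[0], dict):
        return FAILED  # no health_check block at all

    hc = health_checks[0]
    # A block that exists but is switched off is as bad as a missing one.
    if _first(hc, "enabled", True) in (False, "false"):
        return FAILED
    return PASSED


def scan(resources):
    """Run the check over {resource_address: conf}; return failing addresses."""
    return sorted(addr for addr, conf in resources.items()
                  if check_target_group_health_check(conf) == FAILED)


# Constructed sample input (not taken from the page): four target groups.
SAMPLE_RESOURCES = {
    "aws_alb_target_group.no_check": {
        "name": ["target-group-1"], "port": [80], "protocol": ["HTTP"],
    },
    "aws_alb_target_group.with_check": {
        "name": ["target-group-2"], "port": [443], "protocol": ["HTTPS"],
        "health_check": [{"path": ["/healthz"], "matcher": ["200"]}],
    },
    "aws_lb_target_group.tcp": {
        "name": ["target-group-3"], "port": [5432], "protocol": ["TCP"],
    },
    "aws_lb_target_group.lambda": {
        "name": ["target-group-4"], "target_type": ["lambda"],
    },
}

if __name__ == "__main__":
    for addr, conf in SAMPLE_RESOURCES.items():
        print(f"{addr}: {check_target_group_health_check(conf)}")
    print("failing:", scan(SAMPLE_RESOURCES))
```

Running the block reports only `aws_alb_target_group.no_check` as failing; the TCP and Lambda groups come back as not applicable rather than as passes, which keeps the finding list honest when the check is wired into a larger scan.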