Ensure ELB has cross-zone-load-balancing enabled

Error: AWS ELB has cross-zone load balancing disabled

Bridgecrew Policy ID: BC_AWS_NETWORKING_43
Checkov Check ID: CKV_AWS_138
Severity: MEDIUM

AWS ELB has cross-zone load balancing disabled

Description

Cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled Availability Zone, and improves your application's ability to handle the loss of one or more instances.
This would also guarantee better fault tolerance and more consistent traffic flow. If one of the availability zones registered with the ELB fails (as result of network outage or power loss), the load balancer with the Cross-Zone Load Balancing activated would act as a traffic guard, stopping any request being sent to the unhealthy zone and routing it to the other zones.

Fix - Buildtime

Terraform

  • Resource: xyz
  • Argument: xyz [this will be for composite checks and will indicate a specific resource]
resource "aws_elb" "test_success" {
              name               = "foobar-terraform-elb"
              availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
              access_logs {
                bucket        = "foo"
                bucket_prefix = "bar"
                interval      = 60
              }
              listener {
                instance_port     = 8000
                instance_protocol = "http"
                lb_port           = 80
                lb_protocol       = "http"
              }
              listener {
                instance_port      = 8000
                instance_protocol  = "http"
                lb_port            = 443
                lb_protocol        = "https"
                ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
              }
              health_check {
                healthy_threshold   = 2
                unhealthy_threshold = 2
                timeout             = 3
                target              = "HTTP:8000/"
                interval            = 30
              }
              instances                   = [aws_instance.foo.id]
              idle_timeout                = 400
              connection_draining         = true
              connection_draining_timeout = 400
            }
            """)
        resource_conf = hcl_res['resource'][0]['aws_elb']['test_success']
        scan_result = check.scan_resource_conf(conf=resource_conf)
        self.assertEqual(CheckResult.PASSED, scan_result)

    def test_success(self):
        hcl_res = hcl2.loads("""
            resource "aws_elb" "test_success" {
              name               = "foobar-terraform-elb"
              availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
              access_logs {
                bucket        = "foo"
                bucket_prefix = "bar"
                interval      = 60
              }
              listener {
                instance_port     = 8000
                instance_protocol = "http"
                lb_port           = 80
                lb_protocol       = "http"
              }
              listener {
                instance_port      = 8000
                instance_protocol  = "http"
                lb_port            = 443
                lb_protocol        = "https"
                ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
              }
              health_check {
                healthy_threshold   = 2
                unhealthy_threshold = 2
                timeout             = 3
                target              = "HTTP:8000/"
                interval            = 30
              }
              instances                   = [aws_instance.foo.id]
+             cross_zone_load_balancing   = true
              idle_timeout                = 400
              connection_draining         = true
              connection_draining_timeout = 400
            }