Managed Instance Groups (MIGs) should have autohealing enabled with a valid health check configured. Autohealing automatically recreates unhealthy instances based on application-level health checks, ensuring continuous availability.
Risk
Without autohealing, MIGs cannot detect application-level failures such as crashes, freezes, or memory issues. Instances experiencing problems remain undetected and unreplaced, which leads to service degradation and extended downtime and requires manual intervention to detect and replace failed instances.
prowler gcp --checks compute_instance_group_autohealing_enabled
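As an added example (not Prowler's own check code), the following Python applies the same condition to the JSON returned by `gcloud compute instance-groups managed list --format=json`. The sample records, project and MIG names are constructed; `autoHealingPolicies`, `healthCheck` and `initialDelaySec` are fields of the Compute Engine InstanceGroupManager resource.

```python
import json

# Constructed sample shaped like `gcloud compute instance-groups managed list --format=json`
# output (InstanceGroupManager resources); project and MIG names are made up.
SAMPLE = json.loads("""
[
  {"name": "web-mig",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "autoHealingPolicies": [
     {"healthCheck": "https://www.googleapis.com/compute/v1/projects/example-project/global/healthChecks/web-hc",
      "initialDelaySec": 300}]},
  {"name": "batch-mig",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/europe-west1"},
  {"name": "api-mig",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-east1-b",
   "autoHealingPolicies": [{"initialDelaySec": 60}]}
]
""")


def location_flag(mig):
    """Return the gcloud location flag: --zone for zonal MIGs, --region for regional ones."""
    for scope in ("zone", "region"):
        if mig.get(scope):
            return f"--{scope}={mig[scope].rsplit('/', 1)[-1]}"
    return ""


def audit_autohealing(migs):
    """Return one finding per MIG: PASS only if a policy references a health check."""
    findings = []
    for mig in migs:
        policies = mig.get("autoHealingPolicies") or []
        checks = [p["healthCheck"].rsplit("/", 1)[-1] for p in policies if p.get("healthCheck")]
        if checks:
            status, detail = "PASS", f"health check {checks[0]}"
        elif policies:
            status, detail = "FAIL", "autohealing policy has no health check"
        else:
            status, detail = "FAIL", "no autohealing policy"
        findings.append({"name": mig["name"], "status": status,
                         "detail": detail, "location": location_flag(mig)})
    return findings


if __name__ == "__main__":
    for f in audit_autohealing(SAMPLE):
        print(f"{f['status']}  {f['name']}  {f['location']}  {f['detail']}")
```

The location flag is reported because a regional MIG is updated with `--region` rather than `--zone` in the `gcloud compute instance-groups managed update` command.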
Recommendation
Enable autohealing on all Managed Instance Groups by configuring a health check that validates application-level health. Set an appropriate initial delay to allow instances time to start before health checks begin.
Remediation
gcloud compute instance-groups managed update INSTANCE_GROUP_NAME --health-check=HEALTH_CHECK_NAME --initial-delay=300 --zone=ZONE
- Navigate to Compute Engine > Instance groups
- Select the Managed Instance Group
- Click 'Edit'
- Under 'Autohealing', click 'Add health check'
- Select or create a health check
- Set an appropriate initial delay (e.g., 300 seconds)
- Click 'Save'
Resource Type
compute.googleapis.com/InstanceGroupManager