Classic Load Balancer has connection draining enabled, so deregistering or unhealthy instances stop receiving new requests while existing connections are allowed to complete within the configured drain window.
Risk
Without connection draining, instance removals or health failures can terminate in-flight requests, leading to partial transactions, broken sessions, and inconsistent application state. This reduces availability and can impact data integrity during deployments, scaling, or failover events.
prowler aws --checks elb_connection_draining_enabled
Recommendation
Enable connection draining on all Classic Load Balancers and set a drain interval aligned to typical request latency. Coordinate autoscaling and deployments to allow graceful instance shutdowns. Monitor errors and retries to validate behavior and adjust the timeout conservatively to protect availability and integrity.
Remediation
aws elb modify-load-balancer-attributes --load-balancer-name <example_resource_name> --load-balancer-attributes '{"ConnectionDraining":{"Enabled":true}}'
- Open the EC2 console and go to Load Balancers (Classic)
- Select the Classic Load Balancer
- Choose the Attributes tab, then click Edit
- Check Enable connection draining (leave default timeout or set as needed)
- Click Save changes
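The following script is an added example, not Prowler's own check code or the project's remediation tooling. It reproduces the evaluation the check performs (a Classic Load Balancer passes only when ConnectionDraining.Enabled is true) and wraps the remediation call from the CLI command above, enforcing the 1 to 3600 second timeout range the ELB API accepts. The ELB client is injected so the logic can be exercised against the constructed stub in the block; the stub's load balancer names and attribute values are invented sample data, and the boto3 'elb' client is only needed when run for real.

```python
"""Audit and remediate connection draining on Classic Load Balancers.

Added example, not Prowler's own code. Mirrors the logic of the
elb_connection_draining_enabled check and the remediation step.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass
class Finding:
    load_balancer_name: str
    status: str            # "PASS" or "FAIL"
    timeout: Optional[int]  # configured drain window in seconds, if reported
    message: str


def evaluate_connection_draining(name: str, attributes: Dict[str, Any]) -> Finding:
    """Classify one load balancer from its LoadBalancerAttributes dict."""
    draining = attributes.get("ConnectionDraining", {})
    enabled = bool(draining.get("Enabled", False))
    timeout = draining.get("Timeout")
    if enabled:
        return Finding(name, "PASS", timeout,
                       f"Connection draining enabled (timeout {timeout}s).")
    return Finding(name, "FAIL", timeout,
                   "Connection draining disabled; in-flight requests may be cut off "
                   "when an instance is deregistered or fails health checks.")


def audit_classic_elbs(elb_client) -> List[Finding]:
    """Evaluate every Classic Load Balancer visible to the client.

    elb_client must expose describe_load_balancers(Marker=...) and
    describe_load_balancer_attributes(LoadBalancerName=...), the subset of
    the boto3 'elb' client used here. Pagination follows NextMarker.
    """
    findings: List[Finding] = []
    kwargs: Dict[str, Any] = {}
    while True:
        resp = elb_client.describe_load_balancers(**kwargs)
        for lb in resp.get("LoadBalancerDescriptions", []):
            name = lb["LoadBalancerName"]
            attrs = elb_client.describe_load_balancer_attributes(
                LoadBalancerName=name)["LoadBalancerAttributes"]
            findings.append(evaluate_connection_draining(name, attrs))
        marker = resp.get("NextMarker")
        if not marker:
            return findings
        kwargs = {"Marker": marker}


def remediation_attributes(timeout_seconds: int = 300) -> Dict[str, Any]:
    """Build the LoadBalancerAttributes payload that enables draining.

    The ELB API accepts a timeout of 1..3600 seconds; 300 s is the default.
    """
    if not 1 <= timeout_seconds <= 3600:
        raise ValueError("ConnectionDraining.Timeout must be between 1 and 3600 seconds")
    return {"ConnectionDraining": {"Enabled": True, "Timeout": timeout_seconds}}


def remediate(elb_client, finding: Finding, timeout_seconds: int = 300) -> bool:
    """Enable draining on a failing load balancer; True if a change was made."""
    if finding.status == "PASS":
        return False
    elb_client.modify_load_balancer_attributes(
        LoadBalancerName=finding.load_balancer_name,
        LoadBalancerAttributes=remediation_attributes(timeout_seconds),
    )
    return True


class StubElbClient:
    """Constructed offline stand-in for the boto3 'elb' client (sample data)."""

    def __init__(self) -> None:
        self.attrs: Dict[str, Dict[str, Any]] = {
            "web-clb": {"ConnectionDraining": {"Enabled": True, "Timeout": 300}},
            "api-clb": {"ConnectionDraining": {"Enabled": False, "Timeout": 300}},
        }

    def describe_load_balancers(self, **kwargs: Any) -> Dict[str, Any]:
        return {"LoadBalancerDescriptions": [{"LoadBalancerName": n} for n in self.attrs]}

    def describe_load_balancer_attributes(self, LoadBalancerName: str) -> Dict[str, Any]:
        return {"LoadBalancerAttributes": self.attrs[LoadBalancerName]}

    def modify_load_balancer_attributes(self, LoadBalancerName: str,
                                        LoadBalancerAttributes: Dict[str, Any]) -> Dict[str, Any]:
        self.attrs[LoadBalancerName].update(LoadBalancerAttributes)
        return {"LoadBalancerAttributes": self.attrs[LoadBalancerName]}


def demo(client=None) -> Dict[str, str]:
    """Audit, fix every FAIL, re-audit; returns final status per load balancer."""
    client = client or StubElbClient()
    for finding in audit_classic_elbs(client):
        remediate(client, finding)
    return {f.load_balancer_name: f.status for f in audit_classic_elbs(client)}


if __name__ == "__main__":
    import boto3  # real account only; credentials and region come from the environment
    for f in audit_classic_elbs(boto3.client("elb")):
        print(f"{f.status:4} {f.load_balancer_name}: {f.message}")
```

Run as-is the script audits the caller's account without changing anything; `remediate` is only invoked in `demo`, so turning remediation on for real is a deliberate extra call. Choosing the timeout deserves the same care the recommendation asks for: a drain window shorter than the slowest legitimate request still produces the truncated transactions this check is meant to prevent.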
Source Code
Resource Type
AwsElbLoadBalancer
References
- https://aws.amazon.com/blogs/aws/elb-connection-draining-remove-instances-from-service-with-care/
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/ELB/elb-connection-draining-enabled.html
- https://docs.aws.amazon.com/securityhub/latest/userguide/elb-controls.html#elb-7
- https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html