AWS EC2 Auto Scaling Group uses Launch Configuration instead of Launch Template

  • Contextual name: Auto Scaling Group uses Launch Configuration instead of Launch Template
  • ID: /ce/ca/aws/autoscaling/group-uses-launch-configuration
  • Located in: AWS Auto Scaling

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • RELIABILITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
dec-x-b49c24651

Logic

Description

This policy checks whether an AWS EC2 Auto Scaling Group is configured to use a Launch Configuration, which is no longer supported. AWS does not release new EC2 features to Launch Configurations and strongly recommends migrating to Launch Templates.

Launch Templates are a newer mechanism for EC2 instance provisioning, providing support for all current and future EC2 features, as well as integrated version control and heterogeneous instance type support.

Rationale

AWS is phasing out support for Launch Configurations. They no longer receive updates for new EC2 instance types or platform enhancements. Using Launch Templates provides several key benefits:

  • Launch Templates unlock new EC2 capabilities, including: Systems Manager parameters, the current generation of EBS Provisioned IOPS volumes (io2), EBS volume tagging, T2 Unlimited instances, Capacity Reservations, Capacity Blocks, Dedicated Hosts, etc.
  • Version management, which simplifies testing of new configurations and rollbacks to previous versions.
  • Launch Templates allow you to provision both On-Demand and Spot Instances within the same Auto Scaling group and define multiple instance types.

Remediation

Follow these steps to migrate an Auto Scaling Group from a legacy Launch Configuration to a Launch Template.

From Command Line

Export the Existing Launch Configuration

aws autoscaling describe-launch-configurations \
  --launch-configuration-names {{launch-configuration-name}} \
  --query 'LaunchConfigurations[0]' \
  --output json > {{lc-export.json}}

Note: Edit the exported JSON to match the Launch Template schema before using it. The Launch Configuration object includes extra fields that EC2's create-launch-template will reject, and some keys need renaming.

Create the Launch Template

aws ec2 create-launch-template \
  --launch-template-name {{launch-template-name}} \
  --version-description {{version-description}} \
  --launch-template-data file://{{lc-export.json}}

Update the Auto Scaling Group to Use the Launch Template

aws autoscaling update-auto-scaling-group \
  --auto-scaling-group-name {{asg-name}} \
  --launch-template LaunchTemplateId={{launch-template-id}},Version='$Latest'
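
The schema edit that the note in the export step calls for, as an added example (not Cloudaware's or AWS's own code): a Python sketch that converts the exported Launch Configuration object into the structure `create-launch-template` accepts. It assumes a VPC-based group; the function name and all sample values are constructed for illustration, and `SpotPrice` and ClassicLink settings are rejected rather than translated.

```python
import json

# Keys whose name and shape are the same in both schemas.
SAME = ("ImageId", "InstanceType", "KeyName", "KernelId", "UserData",
        "EbsOptimized", "MetadataOptions", "BlockDeviceMappings")
# Not translated by this sketch: fail loudly instead of silently dropping them.
UNSUPPORTED = ("SpotPrice", "ClassicLinkVPCId")

def lc_to_launch_template_data(lc):
    """Convert one describe-launch-configurations object to launch template data."""
    for key in UNSUPPORTED:
        if lc.get(key):
            raise ValueError(f"{key} needs manual migration")
    # Name, ARN and CreatedTime are left out; empty strings and lists are skipped.
    lt = {k: lc[k] for k in SAME if lc.get(k) not in (None, "", [], {})}
    if lc.get("RamdiskId"):
        lt["RamDiskId"] = lc["RamdiskId"]              # renamed: capital D
    if "InstanceMonitoring" in lc:
        lt["Monitoring"] = {"Enabled": lc["InstanceMonitoring"]["Enabled"]}
    profile = lc.get("IamInstanceProfile")
    if profile:                                        # plain string becomes an object
        lt["IamInstanceProfile"] = {"Arn" if profile.startswith("arn:") else "Name": profile}
    if lc.get("PlacementTenancy"):
        lt["Placement"] = {"Tenancy": lc["PlacementTenancy"]}
    groups = lc.get("SecurityGroups") or []
    if lc.get("AssociatePublicIpAddress") is not None:
        # The public-IP flag lives on the primary interface; the groups move with it.
        nic = {"DeviceIndex": 0, "AssociatePublicIpAddress": lc["AssociatePublicIpAddress"]}
        if groups:
            nic["Groups"] = groups
        lt["NetworkInterfaces"] = [nic]
    elif groups:
        lt["SecurityGroupIds"] = groups                # renamed from SecurityGroups
    return lt

# Constructed sample export (every identifier below is made up).
SAMPLE_LC = {
    "LaunchConfigurationName": "web-lc", "LaunchConfigurationARN": "arn:EXAMPLE",
    "ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.micro",
    "KeyName": "", "KernelId": "", "RamdiskId": "", "ClassicLinkVPCSecurityGroups": [],
    "SecurityGroups": ["sg-0123456789abcdef0"], "IamInstanceProfile": "web-instance-profile",
    "InstanceMonitoring": {"Enabled": False}, "EbsOptimized": False,
    "AssociatePublicIpAddress": False, "CreatedTime": "2023-01-01T00:00:00+00:00",
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20, "Encrypted": True}}],
    "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
}

if __name__ == "__main__":
    print(json.dumps(lc_to_launch_template_data(SAMPLE_LC), indent=2))
```

Before updating the group, compare the converted output with the original export for settings that affect instance exposure, such as MetadataOptions, the public IP flag, security groups and EBS encryption.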

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
AWS Foundational Security Best Practices v1.0.0 → [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates 11
Cloudaware Framework → Infrastructure Modernization 10
FedRAMP High Security Controls → CM-2 Baseline Configuration (L)(M)(H) 3116
FedRAMP High Security Controls → CM-2(2) Automation Support for Accuracy and Currency (M)(H) 14
FedRAMP Low Security Controls → CM-2 Baseline Configuration (L)(M)(H) 15
FedRAMP Moderate Security Controls → CM-2 Baseline Configuration (L)(M)(H) 316
FedRAMP Moderate Security Controls → CM-2(2) Automation Support for Accuracy and Currency (M)(H) 14
NIST SP 800-53 Revision 5 → CA-9(1) Internal System Connections _ Compliance Checks 17
NIST SP 800-53 Revision 5 → CM-2 Baseline Configuration 715
NIST SP 800-53 Revision 5 → CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency 14