Control: 2.14 Ensure EC2 Auto Scaling Groups Propagate Tags to EC2 Instances that it launches
Description
Tags can help with managing, identifying, organizing, searching for, and filtering resources. Additionally, tags can help with security and compliance. Tags can be propagated from an Auto Scaling group to the EC2 instances that it launches.
Remediation
AWS Console
- Login to AWS Console using https://console.aws.amazon.com.
- Click
All servicesand clickEC2underCompute. - Select Auto Scaling Groups.
- Click
Editfor each Auto Scaling Group. - Check the
Tag new instancesBox for the Auto Scaling Group. - Click
Update. - Repeat Steps 1-6 for each AWS Region used.
AWS CLI
- Run
aws autoscaling create-or-update-tagsfor tags that are not set toPropogateAtLaunchfor each Auto Scaling Group that does not have this property set to true.
aws autoscaling create-or-update-tags \--tags ResourceId=example-autoscaling-group,ResourceType=auto-scaling-group,Key=TagKey,Value=TagValue,PropagateAtLaunch=true
- Repeat Step 1 for each AWS Region used.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_14Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_compute_service_v100_2_14 --shareSQL
This control uses a named query:
with propagate_tags_to_ec2_instance as ( select autoscaling_group_arn, count(*) as count from aws_ec2_autoscaling_group, jsonb_array_elements(tags_src) as t where (t ->> 'PropagateAtLaunch' = 'false') group by autoscaling_group_arn)select p.autoscaling_group_arn as resource, case when count > 0 then 'alarm' else 'ok' end as status, case when count > 0 then title || ' does not propagate all tags to the EC2 instance' else title || ' propagate all tags to the EC2 instance.' end as reason , region, account_idfrom aws_ec2_autoscaling_group as p left join propagate_tags_to_ec2_instance as i on i.autoscaling_group_arn = p.autoscaling_group_arn;