Control: 6 Auto Scaling groups should use multiple instance types in multiple Availability Zones
Description
This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types. The control fails if the Auto Scaling group has only one instance type defined.
You can enhance availability by deploying your application across multiple instance types running in multiple Availability Zones. Security Hub recommends using multiple instance types so that the Auto Scaling group can launch another instance type if there is insufficient instance capacity in your chosen Availability Zones.
Remediation
For detailed instructions on how to modify the metadata response hop limit for an existing launch configuration, see Modify instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances and Modify instance metadata options for existing instances in the Amazon EC2 User Guide for Windows Instances.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_autoscaling_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_autoscaling_6 --share
SQL
This control uses a named query:
with autoscaling_groups as (
  select
    autoscaling_group_arn,
    title,
    mixed_instances_policy_launch_template_overrides,
    region,
    tags,
    _ctx,
    account_id
  from
    aws_ec2_autoscaling_group
),
distinct_instance_types_count as (
  select
    autoscaling_group_arn,
    count(distinct(e -> 'InstanceType')) as distinct_instance_types
  from
    autoscaling_groups,
    jsonb_array_elements(mixed_instances_policy_launch_template_overrides) as e
  group by
    autoscaling_group_arn,
    title,
    mixed_instances_policy_launch_template_overrides
)
select
  a.autoscaling_group_arn as resource,
  case
    when b.distinct_instance_types > 1 then 'ok'
    else 'alarm'
  end as status,
  case
    when b.distinct_instance_types > 1 then title || ' uses ' || b.distinct_instance_types || ' instance types.'
    else title || ' does not use multiple instance types.'
  end as reason
  , a.region, a.account_id
from
  autoscaling_groups as a
  left join distinct_instance_types_count as b on a.autoscaling_group_arn = b.autoscaling_group_arn;
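The following Python sketch is an added example, not part of the aws_compliance mod. It applies the same decision as the named query to data shaped like the EC2 Auto Scaling DescribeAutoScalingGroups response, and shows that a group with no mixed instances policy or no overrides also lands in 'alarm', as it does through the query's left join. The sample groups are constructed, and AutoScalingGroupName is assumed to stand in for the query's title column.

```python
def distinct_instance_types(group):
    """Count distinct InstanceType values in the launch template overrides."""
    policy = group.get("MixedInstancesPolicy") or {}
    overrides = (policy.get("LaunchTemplate") or {}).get("Overrides") or []
    # Assumption: an override without an InstanceType is skipped, the way
    # count(distinct ...) skips SQL NULLs.
    return len({o["InstanceType"] for o in overrides if o.get("InstanceType")})


def evaluate(group):
    """Return (status, reason) using the same threshold as the query (> 1)."""
    name = group["AutoScalingGroupName"]  # assumed equivalent of "title"
    count = distinct_instance_types(group)
    if count > 1:
        return "ok", f"{name} uses {count} instance types."
    # Zero overrides and a single override both end up here.
    return "alarm", f"{name} does not use multiple instance types."


# Constructed sample data (names and instance types are illustrative).
SAMPLE_GROUPS = [
    {"AutoScalingGroupName": "web-mixed",
     "MixedInstancesPolicy": {"LaunchTemplate": {"Overrides": [
         {"InstanceType": "m5.large"},
         {"InstanceType": "m5a.large"},
         {"InstanceType": "m4.large"},
     ]}}},
    {"AutoScalingGroupName": "api-single-override",
     "MixedInstancesPolicy": {"LaunchTemplate": {"Overrides": [
         {"InstanceType": "m5.large"},
     ]}}},
    {"AutoScalingGroupName": "template-no-overrides",
     "MixedInstancesPolicy": {"LaunchTemplate": {"Overrides": []}}},
    # Launch configuration only: there is no MixedInstancesPolicy key at all.
    {"AutoScalingGroupName": "legacy-launch-config",
     "LaunchConfigurationName": "legacy-lc"},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        status, reason = evaluate(g)
        print(f"{status:5} {reason}")
```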