Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 9 EC2 Auto Scaling groups should use EC2 launch templates

Description

This control checks whether an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy.

An EC2 Auto Scaling group can be created from either an EC2 launch template or a launch configuration. However, using a launch template to create an Auto Scaling group ensures that you have access to the latest features and improvements.

Remediation

To create an Auto Scaling group with an EC2 launch template, see Create an Auto Scaling group using a launch template in the Amazon EC2 Auto Scaling User Guide. For information about how to replace a launch configuration with a launch template, see Replace a launch configuration with a launch template in the Amazon EC2 User Guide for Windows Instances.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_autoscaling_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_autoscaling_9 --share

SQL

This control uses a named query:

select
  autoscaling_group_arn as resource,
  case
    when launch_template_id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when launch_template_id is not null then title || ' using an EC2 launch template.'
    else title || ' not using an EC2 launch template.'
  end as reason
  
  , region, account_id
from
  aws_ec2_autoscaling_group;

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = resource_configuration
foundational_security_item_id = autoscaling_9
plugin = aws
service = AWS/AutoScaling