Amazon EC2 Auto Scaling controls - AWS Security Hub

Amazon EC2 Auto Scaling controls

These controls are related to Amazon EC2 Auto Scaling resources.

These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.

[AutoScaling.1] Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks

Related requirements: PCI DSS v3.2.1/2.2, NIST.800-53.r5 CA-7, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 SI-2

Category: Identify > Inventory

Severity: Low

Resource type: AWS::AutoScaling::AutoScalingGroup

AWS Config rule: autoscaling-group-elb-healthcheck-required

Schedule type: Change triggered

Parameters: None

This control checks whether your Auto Scaling groups that are associated with a Classic Load Balancer are using Elastic Load Balancing health checks.

This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups.

Remediation

To add Elastic Load Balancing health checks, see Add Elastic Load Balancing health checks in the Amazon EC2 Auto Scaling User Guide.

[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

Category: Recover > Resilience > High Availability

Severity: Medium

Resource type: AWS::AutoScaling::AutoScalingGroup

AWS Config rule: autoscaling-multiple-az

Schedule type: Change triggered

Parameters:

Parameter             Description                           Type  Allowed custom values  Security Hub default value
minAvailabilityZones  Minimum number of Availability Zones  Enum  2, 3, 4, 5, 6          2

This control checks whether an Amazon EC2 Auto Scaling group spans at least the specified number of Availability Zones (AZs). The control fails if an Auto Scaling group doesn't span at least the specified number of AZs. Unless you provide a custom parameter value for the minimum number of AZs, Security Hub uses a default value of two AZs.

An Auto Scaling group that doesn't span multiple AZs can't launch instances in another AZ to compensate if the configured single AZ becomes unavailable. However, an Auto Scaling group with a single Availability Zone may be preferred in some use cases, such as batch jobs or when inter-AZ transfer costs need to be kept to a minimum. In such cases, you can disable this control or suppress its findings.

Remediation

To add AZs to an existing Auto Scaling group, see Add and remove Availability Zones in the Amazon EC2 Auto Scaling User Guide.

[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)

Related requirements: NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::AutoScaling::LaunchConfiguration

AWS Config rule: autoscaling-launchconfig-requires-imdsv2

Schedule type: Change triggered

Parameters: None

This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled.

IMDS provides data about your instance that you can use to configure or manage the running instance.

Version 2 of the IMDS adds new protections that weren't available in IMDSv1 to further safeguard your EC2 instances.

Remediation

An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration with IMDSv2 enabled. For more information, see Configure instance metadata options for new instances in the Amazon EC2 User Guide for Linux Instances.

[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1

Important

Security Hub retired this control in April 2024. For more information, see Change log for Security Hub controls.

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::AutoScaling::LaunchConfiguration

AWS Config rule: autoscaling-launch-config-hop-limit

Schedule type: Change triggered

Parameters: None

This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1.

The Instance Metadata Service (IMDS) provides metadata information about an Amazon EC2 instance and is useful for application configuration. Restricting the HTTP PUT response for the metadata service to only the EC2 instance protects the IMDS from unauthorized use.

The Time To Live (TTL) field in the IP packet is reduced by one on every hop. This reduction can be used to ensure that the packet does not travel outside EC2. IMDSv2 protects EC2 instances that may have been misconfigured as open routers, layer 3 firewalls, VPNs, tunnels, or NAT devices, which prevents unauthorized users from retrieving metadata. With IMDSv2, the PUT response that contains the secret token cannot travel outside the instance because the default metadata response hop limit is set to 1. However, if this value is greater than 1, the token can leave the EC2 instance.

Remediation

To modify the metadata response hop limit for an existing launch configuration, see Modify instance metadata options for existing instances in the Amazon EC2 User Guide for Linux Instances.

[AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have public IP addresses

Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::AutoScaling::LaunchConfiguration

AWS Config rule: autoscaling-launch-config-public-ip-disabled

Schedule type: Change triggered

Parameters: None

This control checks whether an Auto Scaling group's associated launch configuration assigns a public IP address to the group's instances. The control fails if the associated launch configuration assigns a public IP address.

Amazon EC2 instances launched from an Auto Scaling group launch configuration should not have an associated public IP address, except in limited edge cases. Amazon EC2 instances should only be reachable from behind a load balancer rather than being directly exposed to the internet.

Remediation

An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration. Then, update the Auto Scaling group to use the new launch configuration. For step-by-step instructions, see Change the launch configuration for an Auto Scaling group in the Amazon EC2 Auto Scaling User Guide. When creating the new launch configuration, under Additional configuration, for Advanced details, IP address type, choose Do not assign a public IP address to any instances.

After you change the launch configuration, Auto Scaling launches new instances with the new configuration options. Existing instances aren't affected. To update an existing instance, we recommend that you refresh your instance, or allow automatic scaling to gradually replace older instances with newer instances based on your termination policies. For more information about updating Auto Scaling instances, see Update Auto Scaling instances in the Amazon EC2 Auto Scaling User Guide.
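The following is an added example, not AWS's code or the implementation of the Config rules, that applies the AutoScaling.3, AutoScaling.4 and AutoScaling.5 checks described above to launch configurations in the shape returned by aws autoscaling describe-launch-configurations (MetadataOptions with HttpTokens and HttpPutResponseHopLimit, and AssociatePublicIpAddress). The sample configurations are constructed; an absent hop limit is treated as the service default of 1 that the AutoScaling.4 text describes.

```python
# Added example (not AWS code): evaluate launch configurations against the
# AutoScaling.3 (IMDSv2 required), AutoScaling.4 (hop limit <= 1) and
# AutoScaling.5 (no public IP) checks. Input mirrors the response shape of
# `aws autoscaling describe-launch-configurations`; samples are constructed.

def evaluate_launch_configuration(lc: dict) -> dict:
    """Return {control_id: 'PASSED' | 'FAILED'} for one launch configuration."""
    meta = lc.get("MetadataOptions") or {}
    http_tokens = meta.get("HttpTokens")             # absent, "optional" or "required"
    hop_limit = meta.get("HttpPutResponseHopLimit")  # absent: service default of 1
    public_ip = lc.get("AssociatePublicIpAddress", False)

    return {
        # Missing metadata options or "optional" (v1 and v2 both served) fails.
        "AutoScaling.3": "PASSED" if http_tokens == "required" else "FAILED",
        # A hop limit above 1 lets the PUT response (session token) leave the instance.
        "AutoScaling.4": "PASSED" if (hop_limit is None or hop_limit <= 1) else "FAILED",
        # Instances must not be assigned a public IP address.
        "AutoScaling.5": "FAILED" if public_ip else "PASSED",
    }


def failing_launch_configurations(response: dict) -> dict:
    """Map launch configuration name -> list of failed control IDs."""
    failures = {}
    for lc in response.get("LaunchConfigurations", []):
        failed = [cid for cid, s in evaluate_launch_configuration(lc).items() if s == "FAILED"]
        if failed:
            failures[lc["LaunchConfigurationName"]] = failed
    return failures


# Constructed sample mirroring the describe-launch-configurations response shape.
SAMPLE_RESPONSE = {
    "LaunchConfigurations": [
        {"LaunchConfigurationName": "web-lc-v1",
         "AssociatePublicIpAddress": True,
         "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
        {"LaunchConfigurationName": "web-lc-v2",
         "AssociatePublicIpAddress": False,
         "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"LaunchConfigurationName": "legacy-lc",
         "AssociatePublicIpAddress": False},  # no MetadataOptions at all
    ]
}

if __name__ == "__main__":
    for name, failed in failing_launch_configurations(SAMPLE_RESPONSE).items():
        print(f"{name}: {', '.join(failed)}")
```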

[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

Category: Recover > Resilience > High Availability

Severity: Medium

Resource type: AWS::AutoScaling::AutoScalingGroup

AWS Config rule: autoscaling-multiple-instance-types

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types. The control fails if the Auto Scaling group has only one instance type defined.

You can enhance availability by deploying your application across multiple instance types running in multiple Availability Zones. Security Hub recommends using multiple instance types so that the Auto Scaling group can launch another instance type if there is insufficient instance capacity in your chosen Availability Zones.

Remediation

To create an Auto Scaling group with multiple instance types, see Auto Scaling groups with multiple instance types and purchase options in the Amazon EC2 Auto Scaling User Guide.

[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

Category: Identify > Resource Configuration

Severity: Medium

Resource type: AWS::AutoScaling::AutoScalingGroup

AWS Config rule: autoscaling-launch-template

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy.

An EC2 Auto Scaling group can be created from either an EC2 launch template or a launch configuration. However, using a launch template to create an Auto Scaling group ensures that you have access to the latest features and improvements.

Remediation

To create an Auto Scaling group with an EC2 launch template, see Create an Auto Scaling group using a launch template in the Amazon EC2 Auto Scaling User Guide. For information about how to replace a launch configuration with a launch template, see Replace a launch configuration with a launch template in the Amazon EC2 User Guide for Windows Instances.
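The following is an added example, not AWS's code or the implementation of the Config rules, that applies the group-level checks on this page (AutoScaling.1, AutoScaling.2, AutoScaling.6 and AutoScaling.9) to Auto Scaling groups in the shape returned by aws autoscaling describe-auto-scaling-groups (AvailabilityZones, LoadBalancerNames, HealthCheckType, LaunchTemplate, MixedInstancesPolicy). The sample groups are constructed, and the minAvailabilityZones parameter defaults to the Security Hub value of 2.

```python
# Added example (not AWS code): evaluate Auto Scaling groups against the
# AutoScaling.1, .2, .6 and .9 checks. Input mirrors the response shape of
# `aws autoscaling describe-auto-scaling-groups`; samples are constructed.

def evaluate_auto_scaling_group(asg: dict, min_availability_zones: int = 2) -> dict:
    """Return {control_id: 'PASSED' | 'FAILED'} for one Auto Scaling group."""
    results = {}

    # AutoScaling.1 applies only to groups attached to a Classic Load Balancer
    # (LoadBalancerNames); those must use ELB health checks, not EC2 status checks.
    if asg.get("LoadBalancerNames"):
        results["AutoScaling.1"] = "PASSED" if asg.get("HealthCheckType") == "ELB" else "FAILED"

    # AutoScaling.2: span at least minAvailabilityZones AZs (Security Hub default 2).
    az_count = len(asg.get("AvailabilityZones", []))
    results["AutoScaling.2"] = "PASSED" if az_count >= min_availability_zones else "FAILED"

    # AutoScaling.6: more than one instance type, which a group declares through
    # the Overrides of a mixed instances policy.
    mip = asg.get("MixedInstancesPolicy") or {}
    overrides = (mip.get("LaunchTemplate") or {}).get("Overrides") or []
    instance_types = {o["InstanceType"] for o in overrides if "InstanceType" in o}
    results["AutoScaling.6"] = "PASSED" if len(instance_types) > 1 else "FAILED"

    # AutoScaling.9: a launch template must be given directly or inside the mixed
    # instances policy; a group built from a launch configuration fails.
    uses_template = bool(asg.get("LaunchTemplate")) or bool(
        (mip.get("LaunchTemplate") or {}).get("LaunchTemplateSpecification"))
    results["AutoScaling.9"] = "PASSED" if uses_template else "FAILED"
    return results


# Constructed sample mirroring the describe-auto-scaling-groups response shape.
SAMPLE_GROUPS = [
    {"AutoScalingGroupName": "web-asg",
     "AvailabilityZones": ["us-east-1a", "us-east-1b"],
     "LoadBalancerNames": ["web-clb"], "HealthCheckType": "ELB",
     "MixedInstancesPolicy": {"LaunchTemplate": {
         "LaunchTemplateSpecification": {"LaunchTemplateName": "web-lt", "Version": "$Latest"},
         "Overrides": [{"InstanceType": "m5.large"}, {"InstanceType": "m5a.large"}]}}},
    {"AutoScalingGroupName": "batch-asg",
     "AvailabilityZones": ["us-east-1a"],
     "LoadBalancerNames": ["batch-clb"], "HealthCheckType": "EC2",
     "LaunchConfigurationName": "batch-lc"},
]

if __name__ == "__main__":
    for asg in SAMPLE_GROUPS:
        print(asg["AutoScalingGroupName"], evaluate_auto_scaling_group(asg))
```

The single-AZ batch group is the case the AutoScaling.2 text allows for; passing min_availability_zones=1 models suppressing that finding while the other checks still apply.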