Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use Approved AMIs for App-Tier ASG Launch Configurations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your app-tier Auto Scaling Group (ASG) launch configurations are using approved Amazon Machine Images (AMIs) to launch EC2 instances within the ASG. An approved (golden) AMI is an EC2 image that contains a pre-configured OS and a well-defined software stack, fully configured to run your applications. A list of approved AWS AMIs must be maintained by your organization. This conformity rule assumes that all AWS resources created for your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> represents the tag name and <app_tier_tag_value> represents the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags and the IDs of the approved AMIs maintained by your organization must be configured in the rule settings, on your Cloud Conformity account dashboard.

Reliability

Using golden Amazon Machine Images to launch new EC2 instances within your app-tier Auto Scaling Groups brings security and organizational benefits such as fast application deployment and scaling, secure application stack upgrades and versioning. Ensure that your app-tier ASG launch configuration specifies an approved/golden AMI so that all EC2 instances provisioned within the ASG enforce consistency and follows best practices.

Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.

Audit

To determine if your app-tier ASG are using launch configurations with approved AMIs, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Use Approved AMIs for App-Tier ASG Launch Configurations conformity rule settings and identify the tags defined for all AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

04 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

05 Select the Auto Scaling Group that you want to examine.

06 Select the Tags tab from the dashboard bottom panel.

07 On the Tags panel, search for the tag set identified at step no. 1 (i.e. <app_tier_tag> : <app_tier_tag_value>). If the two tag sets do not match, or the verified resource is not tagged, the selected ASG is not a part of your app tier and the audit process stops here. If the tag sets match, the selected resource is an app-tier Auto Scaling Group and the audit process continues with the next step.

08 Select the Details tab from the dashboard bottom panel and copy the name of the associated launch configuration set as value for the Launch Configuration attribute.

09 In the navigation panel, under AUTO SCALING, click Launch Configurations.

10 PPaste the value copied at step no. 8 in the Filter launch configurations box and press Enter to return the launch configuration template used by the selected app-tier ASG.

11 Select the launch configuration returned as result and check the value of the AMI ID attribute available on the Details panel. The value represents the ID of the Amazon Machine Image utilized by the selected launch configuration to provision EC2 instances inside the current ASG.

12 Sign in to your Cloud Conformity account, access again the conformity rule settings and compare the ID found at the previous step against each approved AMI ID listed in the rule configuration section. If the verified ID does not match any of the approved AMI IDs listed on your Cloud Conformity console, the selected app-tier ASG launch configuration deploys EC2 instances without using an Amazon Machine Image that has been approved by your organization.

13 Repeat steps no. 5 – 12 to check other app-tier ASG launch configurations, available in the selected region, for golden/approved AMIs.

14 Change the AWS region from the navigation bar and repeat steps no. 5 – 13 for other regions.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Use Approved AMIs for App-Tier ASG Launch Configurations conformity rule settings and identify the tags defined for AWS resources available in your app tier (e.g. <app_tier_tag>:<app_tier_tag_value>).

02 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the names of all Auto Scaling Groups available in the selected AWS region: 

aws autoscaling describe-auto-scaling-groups
	--region us-east-1
	--output table
	--query 'AutoScalingGroups[*].AutoScalingGroupName'

03 The command output should return a table with the requested ASG name(s): 

-----------------------------
| DescribeAutoScalingGroups |
+---------------------------+
| cc-app-auto-scaling-group |
| cc-project9-web-asg       |
+---------------------------+

04 Run describe-tags command (OSX/Linux/UNIX) using the name of the ASG that you want to examine as identifier and custom query filters to describe the tags defined for the selected Auto Scaling Group: 

aws autoscaling describe-tags
	--region us-east-1
	--filters "Name=auto-scaling-group,Values=cc-app-auto-scaling-group"
	--query 'Tags[*].{Value:Value, Key:Key}'

05 The command request should return one of the following outputs:

  1. If the describe-tags command output returns an empty array (i.e. []), as shown in the example below, the verified ASG is not tagged, therefore the audit process for the selected resource ends here: 
    []
  2. If the command output returns a set of tags that is different than the one identified at step no. 1, as shown in the example below, the verified AWS Auto Scaling Group does not belong to your app tier, therefore the audit process for the selected resource stops here: 
    [
    {
        "Value": "Environment",
        "Key": "Prod"
    }
]
  3. If the describe-tags command output returns a set of tags that match the one identified at step no. 1 (e.g. <app_tier_tag>:<app_tier_tag_value>), as shown in the example below, the verified AWS ASG is tagged as an app-tier resource, therefore the audit process continues with the next step: 
    [
    {
        "Key": "<app_tier_tag>",
        "Value": "<app_tier_tag_value>"
    }
]

06 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to describe the name of the launch configuration associated with the selected app-tier ASG: 

aws autoscaling describe-auto-scaling-groups
	--auto-scaling-group-names cc-app-auto-scaling-group
	--region us-east-1
	--query 'AutoScalingGroups[*].LaunchConfigurationName'

07 The command output should return the name of the associated launch configuration: 

[
    "cc-app-asg-launch-configuration"
]

08 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the launch configuration returned at the previous step as identifier and custom query filters to get the ID of the Amazon Machine Image (AMI) used by the selected launch configuration to launch EC2 instances within your app-tier ASG: 

aws autoscaling describe-launch-configurations
	--region us-east-1
	--launch-configuration-names cc-app-asg-launch-configuration
	--query "LaunchConfigurations[*].ImageId"

09 The command output should return the requested resource ID: 

[
    "ami-aaaa1234"
]

10 Sign in to your Cloud Conformity account, access Use Approved AMIs for App-Tier ASG Launch Configurations conformity rule settings and compare the ID returned by the command output at the previous step against each approved AMI ID listed in the rule configuration settings. If the verified ID does not match any of the approved AMI IDs listed on your Cloud Conformity console, the selected app-tier ASG launch configuration launches EC2 instances without using an approved Amazon Machine Image.

11 Repeat steps no. 4 – 10 to check other app-tier ASG launch configurations, available in the selected region, for golden/approved AMIs.

12 Change the AWS region by updating the --region command parameter value and repeat steps no. 2 – 11 to perform the entire audit process for other regions.

Remediation / Resolution

To launch EC2 instances inside your app-tier Auto Scaling Group from approved Amazon Machine Images, you must re-create the app-tier ASG launch configuration and configure it to support a golden AMI maintained and approved by your organization. If there are no golden AMIs already available within your AWS account, follow the instructions outlined in this conformity rule to create the necessary AMIs. To set up a new app-tier ASG launch configuration, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under AUTO SCALING, click Launch Configurations.

04 Select the app-tier ASG launch configuration that you want to re-create (see Audit section part I to identify the right launch configuration).

05 Click the Actions dropdown button from the dashboard top menu and select Copy launch configuration option.

06 On Copy Launch Configuration from <LAUNCH_CONFIGURATION_NAME> page, within Launch configuration details section, click Edit AMI and perform the following:

  1. In the left navigation panel, choose My AMIs and select the approved Amazon Machine Image that you want to associate with the selected app-tier ASG launch configuration.
  2. Inside You selected a different AMI dialog box, choose Yes, I want to continue with this AMI (<AMI_NAME> - <AMI_ID>) option and click Next.
  3. Go through the launch configuration setup wizard until you reach the Review panel without changing any configuration settings.
  4. On the Review panel, check the configuration details then click Create launch configuration.
  5. In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the source launch configuration. Click Create launch configuration to make a copy of the specified ASG launch configuration. Click Close to return to the EC2 dashboard.

07 In the navigation panel, under AUTO SCALING, click Auto Scaling Groups.

08 Select the app-tier ASG that you want to reconfigure (see Audit section part I to identify the right resource).

09 Select the Details tab from the dashboard bottom panel and click the Edit button to change the ASG configuration.

10 Select the name of the launch configuration (copy) created at step no. 6 from the Launch configuration dropdown list, then click Save to apply the changes. The selected app-tier Auto Scaling Group is now associated with a launch configuration that utilizes a golden/approved AMI to launch EC2 instances.

11 Repeat steps no. 4 – 10 to re-create other app-tier ASG launch configurations, created in the selected region, and configure them to use approved AMIs to launch EC2 instances.

12 Change the AWS region from the navigation bar and repeat steps no. 4 – 11 for other regions.

Using AWS CLI

01 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the app-tier ASG launch configuration that you want to re-create as identifier (see Audit section part II to identify the right resource), to describe its configuration details, information required later when the new launch configuration will be created: 

aws autoscaling describe-launch-configurations
	--region us-east-1
	--launch-configuration-names cc-app-asg-launch-configuration

02 The command output should return the requested details: 

{
    "LaunchConfigurations": [
        {
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "VolumeSize": 100,
                        "VolumeType": "gp2"
                    }
                }
            ],

	      ...

            "SecurityGroups": [
                "sg-12345678"
            ],
            "LaunchConfigurationName": "cc-app-asg-launch-configuration",
            "KernelId": "",
            "RamdiskId": "",
            "ImageId": "ami-aaaa1234",
            "InstanceType": "c3.large"
        }
    ]
}

03 Run create-launch-configuration command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to create a new launch configuration that will replace the one currently associated with your app-tier Auto Scaling Group. The following command example creates an ASG launch configuration named "cc-app-asg-launch-config", that uses an approved AWS AMI identified by the ID "ami-aabbccdd" (the command does not return an output): 

aws autoscaling create-launch-configuration
	--region us-east-1
	--launch-configuration-name cc-app-asg-launch-config
	--image-id ami-aabbccdd
	--instance-type c3.large
	--key-name cc-ssh-access-key
	--security-groups sg-12345678
	--iam-instance-profile cc-iam-instance-profile
	--block-device-mappings "[{\"DeviceName\": \"/dev/xvda\",\"Ebs\":{\"VolumeSize\":100}}]"

04 Run update-auto-scaling-group command (OSX/Linux/UNIX) to update the configuration for your app-tier Auto Scaling Group (see Audit section part II to identify the right ASG), in order to replace the reference to its launch configuration with the new one created at the previous step (the command does not produce an output): 

aws autoscaling update-auto-scaling-group
	--region us-east-1
	--auto-scaling-group-name cc-app-auto-scaling-group
	--launch-configuration-name cc-app-asg-launch-config

05 Repeat steps no. 1 – 4 to re-create other app-tier ASG launch configurations, available in the selected region, and configure them to use golden AMIs to launch EC2 instances.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire remediation process for other regions.

References

Publication date Apr 1, 2018

Related AutoScaling rules