
Launch Configuration Referencing Missing AMI

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ASG-006

Ensure that your Amazon Auto Scaling Groups (ASGs) reference active Amazon Machine Images (AMIs) so that the auto-scaling process stays healthy.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Operational excellence

When your Amazon Auto Scaling Groups (ASGs) fail to launch new EC2 instances due to invalid (deleted) AMIs, the scaling mechanism is unable to add more compute resources to handle the load, and this will cause a significant negative impact on your application performance.


Audit

To identify Auto Scaling Groups that are missing Amazon Machine Images (AMIs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Launch template section, copy the ID of the AMI used by the selected ASG, listed under AMI ID.

07 In the main navigation panel, under Images, choose AMIs.

08 Select Owned by me, click inside the Find AMI by attribute or tag box, select AMI ID, choose the Equals operator, paste the image ID copied at step no. 6, and press Enter. If no results matching your search criteria are returned, the referenced AMI is no longer available, and therefore the selected Auto Scaling Group (ASG) is configured with a missing AMI.

09 Repeat steps no. 4 – 6 for each ASG available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) available in the selected AWS region:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --output table \
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG name(s):

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|   cc-production-asg     |
|   cc-internal-app-asg   |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to describe the launch template (and the template version) associated with the Auto Scaling group (ASG) that you want to examine:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-asg \
  --query 'AutoScalingGroups[*].LaunchTemplate'

04 The command output should return the requested ASG information:

[
	{
		"LaunchTemplateName": "cc-asg-launch-template",
		"Version": "2",
		"LaunchTemplateId": "lt-0abcd1234abcd1234"
	}
]

05 Run describe-launch-template-versions command (OSX/Linux/UNIX) to describe the ID of the Amazon Machine Image (AMI) used by the launch template version that the ASG references (the version number returned at the previous step):

aws ec2 describe-launch-template-versions \
  --region us-east-1 \
  --launch-template-id lt-0abcd1234abcd1234 \
  --versions 2 \
  --query 'LaunchTemplateVersions[*].LaunchTemplateData[].ImageId'

06 The command output should return the requested image ID:

[
	"ami-01234abcd1234abcd"
]

07 Run describe-images command (OSX/Linux/UNIX) using the AMI ID returned at the previous step as the identifier parameter, to describe the information available for the specified AMI:

aws ec2 describe-images \
  --region us-east-1 \
  --image-ids ami-01234abcd1234abcd

08 The command output should return the requested AMI information if the image is still available or an error message otherwise:

An error occurred (InvalidAMIID.NotFound) when calling the DescribeImages operation: The image id '[ami-01234abcd1234abcd]' does not exist.

If the describe-images command output returns an InvalidAMIID.NotFound error, as shown in the output example above, the specified image is no longer available, and therefore the selected Auto Scaling Group (ASG) is configured with a missing AMI.

09 Repeat steps no. 3 – 8 for each ASG available in the selected AWS region.

10 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
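The CLI steps above, automated for every ASG in a region, as an added example that is not Conformity's own code. The decision logic (audit_asgs) takes no AWS dependency so it can run offline on constructed responses; live_audit() wires the same logic to boto3, which is assumed to be installed and is imported lazily. It also covers two cases the manual steps skip: ASGs that use a launch configuration instead of a launch template, and templates attached through a mixed-instances policy. All function and variable names are this example's own; the sample ASG data is constructed to mirror the output shown on this page.

```python
"""Audit Auto Scaling Groups for AMIs that no longer exist (added example)."""
from typing import Callable, Dict, List, Optional

# Error code EC2 returns from describe-images for an image that does not exist
MISSING_AMI_ERROR = "InvalidAMIID.NotFound"


def image_reference(asg: dict) -> Optional[Dict[str, str]]:
    """Find where an ASG takes its AMI from: a launch template (attached directly
    or via a mixed-instances policy) or a launch configuration."""
    lt = asg.get("LaunchTemplate")
    if lt is None:
        policy = asg.get("MixedInstancesPolicy") or {}
        lt = (policy.get("LaunchTemplate") or {}).get("LaunchTemplateSpecification")
    if lt is not None:
        # Version may be a number, "$Latest" or "$Default"; all are accepted by
        # describe-launch-template-versions, so it is passed through unchanged
        return {"kind": "template", "id": lt["LaunchTemplateId"],
                "version": str(lt.get("Version", "$Default"))}
    if asg.get("LaunchConfigurationName"):
        return {"kind": "config", "name": asg["LaunchConfigurationName"]}
    return None


def audit_asgs(asgs: List[dict],
               template_image: Callable[[str, str], Optional[str]],
               config_image: Callable[[str], Optional[str]],
               image_exists: Callable[[str], bool]) -> List[dict]:
    """Return one finding per ASG whose referenced AMI cannot be found. The three
    callables stand in for the API calls so the logic is testable offline."""
    findings = []
    for asg in asgs:
        ref = image_reference(asg)
        if ref is None:
            continue
        if ref["kind"] == "template":
            image_id = template_image(ref["id"], ref["version"])
        else:
            image_id = config_image(ref["name"])
        if image_id and not image_exists(image_id):
            findings.append({"asg": asg["AutoScalingGroupName"],
                             "image_id": image_id, "source": ref})
    return findings


def live_audit(region: str) -> List[dict]:
    """Run the audit against a real account and region (needs credentials)."""
    import boto3
    from botocore.exceptions import ClientError

    asc = boto3.client("autoscaling", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    asgs = [g for page in asc.get_paginator("describe_auto_scaling_groups").paginate()
            for g in page["AutoScalingGroups"]]

    def template_image(lt_id: str, version: str) -> Optional[str]:
        resp = ec2.describe_launch_template_versions(LaunchTemplateId=lt_id,
                                                     Versions=[version])
        return resp["LaunchTemplateVersions"][0]["LaunchTemplateData"].get("ImageId")

    def config_image(name: str) -> Optional[str]:
        resp = asc.describe_launch_configurations(LaunchConfigurationNames=[name])
        return resp["LaunchConfigurations"][0].get("ImageId")

    def image_exists(image_id: str) -> bool:
        try:
            # An empty Images list also means the AMI is not usable by this account
            return bool(ec2.describe_images(ImageIds=[image_id])["Images"])
        except ClientError as err:
            if err.response["Error"]["Code"] == MISSING_AMI_ERROR:
                return False
            raise

    return audit_asgs(asgs, template_image, config_image, image_exists)


# Constructed sample data shaped like the CLI output shown on this page
SAMPLE_ASGS = [
    {"AutoScalingGroupName": "cc-production-asg",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0abcd1234abcd1234",
                        "LaunchTemplateName": "cc-asg-launch-template",
                        "Version": "2"}},
    {"AutoScalingGroupName": "cc-internal-app-asg",
     "LaunchConfigurationName": "cc-internal-app-lc"},
]
SAMPLE_TEMPLATE_IMAGES = {("lt-0abcd1234abcd1234", "2"): "ami-01234abcd1234abcd"}
SAMPLE_CONFIG_IMAGES = {"cc-internal-app-lc": "ami-0abcd1234abcd1234"}
SAMPLE_EXISTING_IMAGES = {"ami-0abcd1234abcd1234"}  # the deleted image is absent


def sample_audit() -> List[dict]:
    """Run the check on the constructed data; only cc-production-asg is flagged."""
    return audit_asgs(SAMPLE_ASGS,
                      lambda lt_id, ver: SAMPLE_TEMPLATE_IMAGES.get((lt_id, ver)),
                      SAMPLE_CONFIG_IMAGES.get,
                      lambda image_id: image_id in SAMPLE_EXISTING_IMAGES)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f['asg']}: references missing AMI {f['image_id']}")
```

Run live_audit() once per region to cover the "repeat for other regions" step; the describe calls it makes are read-only, so the same IAM permissions the manual audit needs are sufficient.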

Remediation / Resolution

To fix misconfigured Auto Scaling Groups (ASGs) that are missing AMIs, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to reconfigure.

05 Choose the Details tab to view the ASG resource configuration details.

06 In the Launch template section, choose Edit to modify the launch template configuration.

07 Under Version, choose Create a launch template version to create a new launch template version from the existing version.

08 In the Application and OS Images (Amazon Machine Image) section, choose Browse more AMIs, select the My AMIs tab, and choose the image that you want to use to replace the missing AMI. You can also use an AMI from AWS, AWS Marketplace, or AWS Community. Select Confirm Changes to apply the changes. Once the desired AMI is selected, choose Create template version to save the new launch template version.

09 Navigate back to your ASG configuration page, use the Refresh button next to the Version dropdown list to load the new template version, and choose the launch template version created at the previous step. Choose Update to apply the configuration changes.

10 Repeat steps no. 4 – 9 for each ASG that you want to reconfigure, available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-launch-template-version command (OSX/Linux/UNIX) using the ID of the ASG launch template that you want to reconfigure as the identifier parameter, to create a new version for the selected launch template. The --source-version parameter value represents the version number of the launch template on which to base the new version. The new version inherits the same launch parameters as the source version, except for parameters that you specify for --launch-template-data. Use the ID of the new AMI for the "ImageId" command parameter:

aws ec2 create-launch-template-version \
  --region us-east-1 \
  --launch-template-id lt-0abcd1234abcd1234 \
  --source-version 2 \
  --launch-template-data '{"ImageId":"ami-0abcd1234abcd1234"}'

02 The command output should return the information available for the new launch template version:

{
	"LaunchTemplateVersion": {
		"LaunchTemplateId": "lt-0abcd1234abcd1234",
		"LaunchTemplateName": "cc-asg-launch-template",
		"VersionNumber": 3,
		"CreateTime": "2022-09-12T20:26:56+00:00",
		"CreatedBy": "arn:aws:sts::123456789012:assumed-role/compute-manager/i-0abcd1234abcd1234",
		"DefaultVersion": false,
		"LaunchTemplateData": {
			"EbsOptimized": false,
			"NetworkInterfaces": [
				{
					"DeviceIndex": 0,
					"Groups": [
						"sg-01234abcd1234abcd"
					],
					"SubnetId": "subnet-abcd1234"
				}
			],
			"ImageId": "ami-0abcd1234abcd1234",
			"InstanceType": "t3.large"
		}
	}
}

03 Run update-auto-scaling-group command (OSX/Linux/UNIX) to apply the new launch template configuration to your Auto Scaling Group (ASG) in order to replace the missing AMI with the new image (the command does not produce an output):
IMPORTANT: The following reconfiguration process can impact application availability. Ensure that the selected Auto Scaling Group is NOT currently used in production or for critical operations.

aws autoscaling update-auto-scaling-group \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-asg \
  --launch-template LaunchTemplateId=lt-0abcd1234abcd1234,Version=3

04 Repeat steps no. 1 – 3 for each ASG that you want to reconfigure, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
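The remediation steps above as a planned, validated change rather than two hand-typed commands, as an added example that is not Conformity's own code. plan_remediation() is pure and offline-testable: it refuses a replacement image that is not in the available state or whose architecture does not match the template's instance type, and it works out which API calls are needed depending on how the ASG pins its template version (a numeric version needs update-auto-scaling-group as on this page; $Default needs the new version promoted with modify-launch-template; $Latest needs nothing further). remediate() executes the plan with boto3 (assumed installed, imported lazily) and assumes a launch template attached directly to the ASG. The Graviton/arm64 detection is a naming heuristic of this example, not an AWS API; all names and the sample data are the example's own.

```python
"""Plan and apply an AMI replacement for one ASG (added example)."""
import re
from typing import Any, Dict, List, Optional, Tuple

NEW_VERSION = "<new-version>"  # placeholder filled in once the version exists


def expected_architecture(instance_type: str) -> str:
    """Heuristic: Graviton families carry a 'g' right after the generation digit
    (t4g, m6g, c6gn, im4gn ...), plus the a1 family; everything else is x86_64."""
    family = instance_type.split(".")[0]
    return "arm64" if family == "a1" or re.match(r"^[a-z]+\d+g", family) else "x86_64"


def plan_remediation(asg: dict, source_version: int, new_image: dict,
                     instance_type: Optional[str] = None
                     ) -> Tuple[List[str], List[Tuple[str, Dict[str, Any]]]]:
    """Return (errors, steps). steps are (api_method, kwargs) pairs to run in
    order; the step list is empty whenever validation fails."""
    errors = []
    if new_image.get("State") != "available":
        errors.append(f"{new_image.get('ImageId')} is in state {new_image.get('State')!r}")
    if instance_type and new_image.get("Architecture"):
        want = expected_architecture(instance_type)
        if new_image["Architecture"] != want:
            errors.append(f"{new_image['ImageId']} is {new_image['Architecture']}, "
                          f"but {instance_type} needs {want}")
    lt = asg.get("LaunchTemplate")
    if lt is None:
        errors.append("ASG does not use a directly attached launch template")
    if errors:
        return errors, []

    lt_id = lt["LaunchTemplateId"]
    steps = [("create_launch_template_version", {
        "LaunchTemplateId": lt_id,
        "SourceVersion": str(source_version),  # inherit everything but the AMI
        "LaunchTemplateData": {"ImageId": new_image["ImageId"]}})]
    pinned = str(lt.get("Version", "$Default"))
    if pinned == "$Default":
        # ASG follows the default version: promote the new one
        steps.append(("modify_launch_template",
                      {"LaunchTemplateId": lt_id, "DefaultVersion": NEW_VERSION}))
    elif pinned != "$Latest":
        # ASG pins a version number: point it at the new version
        steps.append(("update_auto_scaling_group", {
            "AutoScalingGroupName": asg["AutoScalingGroupName"],
            "LaunchTemplate": {"LaunchTemplateId": lt_id, "Version": NEW_VERSION}}))
    # With $Latest nothing more is needed: the ASG picks up the new version itself
    return errors, steps


def _fill(value: Any, version: str) -> Any:
    """Replace the NEW_VERSION placeholder anywhere inside nested kwargs."""
    if isinstance(value, dict):
        return {k: _fill(v, version) for k, v in value.items()}
    return version if value == NEW_VERSION else value


def remediate(region: str, asg_name: str, new_image_id: str, apply: bool = False):
    """Build the plan from live data; execute it only when apply=True."""
    import boto3
    asc = boto3.client("autoscaling", region_name=region)
    ec2 = boto3.client("ec2", region_name=region)
    asg = asc.describe_auto_scaling_groups(
        AutoScalingGroupNames=[asg_name])["AutoScalingGroups"][0]
    lt = asg["LaunchTemplate"]  # assumes a directly attached launch template
    current = ec2.describe_launch_template_versions(
        LaunchTemplateId=lt["LaunchTemplateId"],
        Versions=[lt["Version"]])["LaunchTemplateVersions"][0]
    image = ec2.describe_images(ImageIds=[new_image_id])["Images"][0]
    errors, steps = plan_remediation(asg, current["VersionNumber"], image,
                                     current["LaunchTemplateData"].get("InstanceType"))
    if errors or not apply:
        return errors, steps
    new_version = NEW_VERSION
    for method, kwargs in steps:
        client = asc if method == "update_auto_scaling_group" else ec2
        resp = getattr(client, method)(**_fill(kwargs, new_version))
        if method == "create_launch_template_version":
            new_version = str(resp["LaunchTemplateVersion"]["VersionNumber"])
    return errors, steps
```

Call remediate() with apply=False first and review the returned steps; that is the dry run for the IMPORTANT warning above. Note that switching the ASG to the new template version only affects instances launched from now on; instances already running keep their old image, and rolling them over is a separate instance refresh (start-instance-refresh), which is where the availability impact the page warns about actually lands.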

Publication date Feb 6, 2017