Logo of Trend Micro

Launch Configuration Referencing Missing AMI

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ASG-006

Ensure that your AWS Auto Scaling Groups (ASGs) launch configuration is referencing an active Amazon Machine Image (AMI) in order to maintain the auto-scaling process healthy

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Operational
excellence

When your ASGs fail to launch new EC2 instances due to invalid (removed) AMIs, the scaling mechanism is unable to add compute resources to handle the load and this will cause a significant negative impact on your application performance.

Audit

To identify any unhealthy Auto Scaling Groups (i.e. ASGs that reference invalid AMIs), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS ASG that you want to examine.

05 Select Details tab from the dashboard bottom panel and copy the Launch Configuration attribute value.

06 In the navigation panel, select Launch Configurations.

07 In the Filter search box, paste the name of the ASG launch configuration copied at step no. 5 and press Enter.

09 Select the ASG launch configuration returned as result and copy the AMI ID:

AMI ID

displayed on the Details panel.

10 In the left navigation panel, under IMAGES section, choose AMIs.

11 On the Amazon Machine Images (AMIs) page, click inside the main search box, select AMI ID from the Resource Attributes list, paste the ID copied at step no. 8 then press Enter.

12 Change the search parameters by selecting Owned by me, Public images or Private images from the dropdown menu available next to the search box. If no result matching your filter criteria is returned, the referenced AMI is no longer available, therefore the selected AWS ASG will fail to launch new instances during the scaling process.

13 Repeat steps no. 3 - 11 to identify other unhealthy ASGs available in the selected region.

14 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-launch-configurations command (OSX/Linux/UNIX) to list the names of the ASG launch configurations available within the selected AWS region: 

aws autoscaling describe-launch-configurations
	--region us-east-1
	--output table
	--query 'LaunchConfigurations[*].LaunchConfigurationName'

02 The command output should return a table with the requested identifiers (names): 

------------------------------
|DescribeLaunchConfigurations|
+----------------------------+
|   ASGLaunchConfig          |
|   CacheASGLaunchConfig     |
+----------------------------+

03 Run again describe-launch-configurations command (OSX/Linux/UNIX) using the name of the launch configuration returned at the previous step and custom query filters to describe the Amazon Machine Image ID used by the selected configuration: 

aws autoscaling describe-launch-configurations
	--region us-east-1
	--launch-configuration-names ASGLaunchConfig
	--query 'LaunchConfigurations[*].ImageId'

04 The command output should return the ID of the AMI referenced within the specified launch configuration: 

[
	"ami-ca56f44b"
]

05 Run describe-images command (OSX/Linux/UNIX) using the image ID returned at the previous step as identifier to describe the configuration metadata for the selected AMI: 

aws ec2 describe-images --region us-east-1 --image-ids ami-ca56f44b

06 The command output should return the requested AMI metadata or an error message: 

An error occurred (InvalidAMIID.NotFound) when calling the DescribeImages operation: The image id '[ami-ca56f44b]' does not exist.

If the command respond with an InvalidAMIID.NotFound error message (as shown in the example above), the requested AMI might have been deleted after creating the launch configuration, therefore any ASG that utilizes the selected launch configuration will fail to launch new instances when needed.

07 Repeat steps no. 3 - 6 to identify other unhealthy ASGs and their invalid launch configuration, available in the selected region.

08 Repeat steps no. 1 – 7 to repeat the entire audit process for other AWS regions.

Remediation / Resolution

To fix any unhealthy AWS Auto Scaling Groups by replacing their invalid launch configuration with a valid one, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Launch Configurations.

04 Select the invalid ASG launch configuration that you want to replace (see Audit section part I to identify the right resource).

05 Click on the Actions dropdown button from the dashboard top menu and choose Copy launch configuration command.

06 On the Review page, in the AMI Details section click the Edit AMI link to change the AMI reference.

07 On the Choose AMI page, choose My AMIs tab then select the image that will be used by the new ASG launch configuration.

08 Inside the You selected a different AMI dialog box, select Yes, I want to continue with this AMI (>AMI_NAME - AMI_ID>) option, then click Next.

09 On the Choose Instance Type page, select the EC2 instance type for your launch configuration then click Next: Configure details.

10 On the Configure details page, rename the launch configuration by updating the value inside the Name box, then click the Skip to review button to go back to the Review page.

11 On the Review page, verify the configuration details to make sure the resource is using the right attributes then click Create launch configuration to instantiate the launch configuration.

12 In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the same key pair as the old (deleted) AMI. Check I acknowledge that I have access to the selected private key file option and click Create launch configuration.

13 Click the Close button to return to the ASG dashboard.

14 In the left navigation panel, choose Auto Scaling Groups.

15 Select the Auto Scaling Group that you want to update (see Audit section part I to identify the right ASG).

16 Select the Details tab from the dashboard bottom panel and click the Edit button from the top right corner to edit the selected ASG configuration.

17 Select the new launch configuration from the Launch configuration dropdown list then click Save to apply the changes. The selected ASG can launch now new instances using the new active AMI.

18 Repeat steps no. 3 – 17 to create new launch configurations and repair other unhealthy Auto Scaling Groups available in the current region.

19 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the launch configuration that you want to replace to describe its attributes, required later when the new ASG launch configuration will be created: 

aws autoscaling describe-launch-configurations
	--region us-east-1
	--launch-configuration-names ASGLaunchConfig

02 The command output should return the requested configuration details: 

{
	"LaunchConfigurations": [
		{
			"UserData": "",
			"IamInstanceProfile": "ec2-manager",
			"EbsOptimized": false,
			"LaunchConfigurationARN": "arn:aws: ... ",
			"InstanceMonitoring": {
				"Enabled": false
			},
			"ClassicLinkVPCSecurityGroups": [],
			"CreatedTime": "2016-04-24T17:03:37.579Z",
			"BlockDeviceMappings": [
				{
					"DeviceName": "/dev/xvda",
					"Ebs": {
						"DeleteOnTermination": true,
						"VolumeSize": 30,
						"VolumeType": "gp2"
					}
				}
			],
			"KeyName": "gpav",
			"SecurityGroups": [
				"sg-c96fc1b5"
			],
			"LaunchConfigurationName": "ASGLaunchConfig",
			"KernelId": "",
			"RamdiskId": "",
			"ImageId": "ami-ca56f44b",
			"InstanceType": "c3.xlarge"
		}
	]
}

03 Run create-launch-configuration command (OSX/Linux/UNIX) using the metadata returned at the previous step to create the new launch configuration that will replace the existing (invalid) one within your AWS Auto Scaling Group. The following CLI command example creates an ASG launch configuration named NewASGLaunchConfig, based on a active AMI with the ID ami-8cd6f21a (the command does not produce an output): 

aws autoscaling create-launch-configuration
	--region us-east-1
	--launch-configuration-name NewASGLaunchConfig
	--image-id ami-8cd6f21a
	--instance-type c3.xlarge
	--key-name ssh-access-key
	--security-groups sg-c96fc1b5
	--iam-instance-profile ec2-manager
	--block-device-mappings "[{\"DeviceName\": \"/dev/xvda\",\"Ebs\":{\"VolumeSize\":30}}]"

04 Now run update-auto-scaling-group command (OSX/Linux/UNIX) to update the configuration for the specified Auto Scaling Group in order to replace the reference to its launch configuration with the valid one created at the previous step (the command does not return an output): 

aws autoscaling update-auto-scaling-group
	--region us-east-1
	--auto-scaling-group-name CloudConformityASG
	--launch-configuration-name NewASGLaunchConfig

05 Repeat steps no. 1 – 4 to create new launch configurations and repair other unhealthy Auto Scaling Groups available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire process for other regions.

References

Publication date Feb 6, 2017

Related AutoScaling rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Launch Configuration Referencing Missing AMI

Risk level: High