01 Run create-security-group command (OSX/Linux/UNIX) to re-create the missing security group required by your Auto Scaling Group. Make sure that the new security group and the selected ASG share the same VPC network:
aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-asg-security-group \
  --description "Security Group for AWS ASG" \
  --vpc-id vpc-0abcd1234abcd1234
02 The command output should return the ID of the new security group:
{
  "GroupId": "sg-01234abcd1234abcd"
}
03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the security group returned at the previous step as the identifier parameter, to create the necessary inbound rule, based on your application requirements. Set --cidr to the narrowest source range your application actually needs; the 0.0.0.0/0 value shown below opens port 80 to the entire internet:
aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0
04 The command output should return the metadata available for the inbound rule:
{
  "Return": true,
  "SecurityGroupRules": [
    {
      "SecurityGroupRuleId": "sgr-01234abcd1234abcd",
      "GroupId": "sg-01234abcd1234abcd",
      "GroupOwnerId": "123456789012",
      "IsEgress": false,
      "IpProtocol": "tcp",
      "FromPort": 80,
      "ToPort": 80,
      "CidrIpv4": "0.0.0.0/0"
    }
  ]
}
05 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the necessary outbound rule, based on your application requirements. Note that every new security group is created with a default outbound rule that allows all traffic; if outbound access should be limited to the rule below, remove that default rule with the revoke-security-group-egress command afterwards:
aws ec2 authorize-security-group-egress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'
06 The command output should return the metadata available for the outbound rule:
{
  "Return": true,
  "SecurityGroupRules": [
    {
      "SecurityGroupRuleId": "sgr-01234abcd1234abcd",
      "GroupId": "sg-01234abcd1234abcd",
      "GroupOwnerId": "123456789012",
      "IsEgress": true,
      "IpProtocol": "tcp",
      "FromPort": 80,
      "ToPort": 80,
      "CidrIpv4": "0.0.0.0/0"
    }
  ]
}
07 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to get the ID of the launch template associated with the Auto Scaling group (ASG) that you want to reconfigure:
aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-asg \
  --query 'AutoScalingGroups[*].LaunchTemplate.LaunchTemplateId'
08 The command output should return the requested ASG information:
[
  "lt-0abcd1234abcd1234"
]
09 Run create-launch-template-version command (OSX/Linux/UNIX) using the ID of the ASG launch template described at the previous step as the identifier parameter, to create a new version for the selected launch template. The --source-version parameter value represents the version number of the launch template on which to base the new version. The new version inherits the same launch parameters as the source version, except for parameters that you specify for --launch-template-data. Use the ID of the new security group for the "SecurityGroupIds" command parameter. Note that "SecurityGroupIds" replaces the whole security group list of the source version rather than adding to it, so include every other security group that the instances still require:
aws ec2 create-launch-template-version \
  --region us-east-1 \
  --launch-template-id lt-0abcd1234abcd1234 \
  --source-version 3 \
  --launch-template-data '{"SecurityGroupIds":["sg-01234abcd1234abcd"]}'
10 The command output should return the information available for the new template version. Take note of the "VersionNumber" value (4 in this example); it is always higher than the source version number, because the new version is appended after the latest existing one:
{
  "LaunchTemplateVersion": {
    "LaunchTemplateId": "lt-0abcd1234abcd1234",
    "LaunchTemplateName": "cc-asg-launch-template",
    "VersionNumber": 4,
    "LaunchTemplateData": {
      "SecurityGroupIds": [
        "sg-01234abcd1234abcd"
      ]
    },
    "CreateTime": "2022-09-12T11:00:00.000Z"
  }
}
11 Run update-auto-scaling-group command (OSX/Linux/UNIX) to apply the new launch template configuration to your Auto Scaling Group (ASG) in order to replace the missing security group with the new, compliant security group. Set the Version value to the "VersionNumber" returned at the previous step (4 in this example), not to the source version. Instances that are already running keep their current configuration until they are replaced, for example by an instance refresh (the command does not produce an output):
IMPORTANT: The following reconfiguration process can impact application availability. Ensure that the selected Auto Scaling Group is NOT currently used in production or for critical operations.
aws autoscaling update-auto-scaling-group \
  --region us-east-1 \
  --auto-scaling-group-name cc-production-asg \
  --launch-template LaunchTemplateId=lt-0abcd1234abcd1234,Version=4
12 Repeat steps no. 1 – 11 for each ASG that you want to reconfigure, available in the selected AWS region.
13 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
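The remediation steps above chained into one bash script, as an added example that is not part of this guide: it confirms that the new security group is in the ASG's VPC before changing anything, restricts the inbound CIDR, and takes the new launch template version number from the API response instead of hard-coding it. Region, names, IDs and the CIDR are constructed placeholders, and the aws calls assume credentials for the target account.

```bash
# Added example, not this guide's own script: steps 01-11 as one run. Refuses to change
# anything if the new group's VPC differs from the ASG's VPC. Values below are placeholders.
set -eu
REGION="${REGION:-us-east-1}"
ASG_NAME="${ASG_NAME:-cc-production-asg}"
SG_NAME="${SG_NAME:-cc-asg-security-group}"
VPC_ID="${VPC_ID:-vpc-0abcd1234abcd1234}"
SOURCE_VERSION="${SOURCE_VERSION:-3}"
# Narrow this to the real client range; 0.0.0.0/0 exposes port 80 to the whole internet.
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"
# VPC the ASG launches into, resolved from the first subnet in its VPCZoneIdentifier.
asg_vpc_id() {
  local subnet
  subnet=$(aws autoscaling describe-auto-scaling-groups --region "$REGION" \
    --auto-scaling-group-names "$1" \
    --query 'AutoScalingGroups[0].VPCZoneIdentifier' --output text | cut -d, -f1)
  aws ec2 describe-subnets --region "$REGION" --subnet-ids "$subnet" \
    --query 'Subnets[0].VpcId' --output text
}
# Steps 01-04: create the group and allow TCP/80 from ALLOWED_CIDR only. A new group
# already permits all egress, so the port-80 egress rule of step 05 is not repeated.
create_sg() {
  local sg_id
  sg_id=$(aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
    --group-name "$SG_NAME" --description "Security Group for AWS ASG" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg_id" \
    --protocol tcp --port 80 --cidr "$ALLOWED_CIDR" >/dev/null
  echo "$sg_id"
}
# Steps 07-10: new template version that references the SG in $1; prints "<lt-id> <version>".
new_template_version() {
  local lt_id new_ver
  lt_id=$(aws autoscaling describe-auto-scaling-groups --region "$REGION" --auto-scaling-group-names \
    "$ASG_NAME" --query 'AutoScalingGroups[0].LaunchTemplate.LaunchTemplateId' --output text)
  new_ver=$(aws ec2 create-launch-template-version --region "$REGION" --launch-template-id "$lt_id" \
    --source-version "$SOURCE_VERSION" --launch-template-data "{\"SecurityGroupIds\":[\"$1\"]}" \
    --query LaunchTemplateVersion.VersionNumber --output text)
  echo "$lt_id $new_ver"
}
# Step 11, guarded by the VPC check; returns 1 and changes nothing on a mismatch.
remediate() {
  [ "$(asg_vpc_id "$ASG_NAME")" = "$VPC_ID" ] || { echo "VPC mismatch" >&2; return 1; }
  set -- $(new_template_version "$(create_sg)")   # $1 = template ID, $2 = new version number
  aws autoscaling update-auto-scaling-group --region "$REGION" \
    --auto-scaling-group-name "$ASG_NAME" --launch-template "LaunchTemplateId=$1,Version=$2"
  echo "$1 $2"
}
if [ "${REMEDIATE_RUN:-0}" = "1" ]; then remediate; fi
```

Run it with REMEDIATE_RUN=1 after exporting the variables for the target account; repeat per ASG and per region as steps 12 and 13 describe.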