Launch Configuration Referencing Missing Security Groups

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features

Knowledge Base Amazon Web Services AWS Auto Scaling Launch Configuration Referencing Missing Security Groups

Risk level: High (not acceptable risk)

Rule ID: ASG-008

Ensure that your AWS Auto Scaling Groups (ASGs) launch configuration is referencing one or more active Security Groups (SGs) in order to maintain the auto-scaling process healthy

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Operational
excellence

When your ASGs fail to launch new EC2 instances due to inactive (deleted) Security Groups, the scaling mechanism is unable to add compute resources to handle the traffic load and this will cause a significant negative impact on your application performance and can lead to downtime.

Audit

To identify any unhealthy Auto Scaling Groups (i.e. ASGs that reference inactive Security Groups), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

03 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Auto Scaling Groups.

04 Select the AWS ASG that you want to examine.

05 Select Details tab from the dashboard bottom panel and copy the Launch Configuration attribute value.

06 In the navigation panel, select Launch Configurations.

07 In the Filter search box, paste the name of the ASG launch configuration copied at step no. 5 and press Enter.

08 Select the ASG launch configuration returned as result and copy the Security Groups attribute value(s): https://goo.gl/CWhSSm, available on the Details panel.

09 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

10 On the Security Groups (SGs) page, click inside the main search box, select Group ID from the Resource Attributes list, paste the SG ID copied at step no. 8 then press Enter. If no results matching your filter criteria are returned, the referenced Security Group is no longer available in your AWS VPC, therefore the selected Auto Scaling Group will fail to launch new instances during the auto-scaling process.

11 Repeat steps no. 3 - 10 to identify other ASGs with missing SGs, available in the selected region.

12 Repeat steps no. 3 - 10 to identify other ASGs with missing SGs, available in the selected region.

Using AWS CLI

01 Run describe-launch-configurations command (OSX/Linux/UNIX) to list the names of the ASG launch configurations available within the selected AWS region:

aws autoscaling describe-launch-configurations
	--region us-east-1
	--output table
	--query 'LaunchConfigurations[*].LaunchConfigurationName'

02 The command output should return a table with the requested launch configuration names:

--------------------------------
| DescribeLaunchConfigurations |
+------------------------------+
|    ASGProdLaunchConfig       |
|    ASGStagingLaunchConfig    |
+------------------------------+

03 Run again describe-launch-configurations command (OSX/Linux/UNIX) using the name of the launch configuration returned at the previous step and custom query filters to describe the ID(s) of the Security Group(s) used by the selected configuration:

aws autoscaling describe-launch-configurations
	--region us-east-1
	--launch-configuration-names ASGProdLaunchConfig
	--query 'LaunchConfigurations[*].SecurityGroups[]'

04 The command output should return the ID of the SG referenced within the specified launch configuration:

[
	"sg-0ccf7970"
]

05 Run describe-security-groups command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier to describe the configuration metadata for the selected SG:

aws ec2 describe-security-groups
	--region us-east-1
	--group-names sg-0ccf7970

06 The command output should return the requested Security Group metadata if the group is still available within the VPC or an error message otherwise:

An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroups operation: The security group 'sg-0ccf7970' does not exist in default VPC 'vpc-2fb56548'

If the command respond with an InvalidGroup.NotFound error message (as shown in the example above), the requested Security Group has been deleted after creating the launch configuration, therefore any ASG that utilizes the selected launch configuration will fail to launch new EC2 instances when needed.

07 Repeat steps no. 3 - 6 to identify other ASGs that are referencing missing Security Groups, available in the selected region

08 Repeat steps no. 1 – 7 to repeat the entire audit process for other AWS regions.

Remediation / Resolution

To fix the unhealthy AWS Auto Scaling Groups by replacing their invalid launch configuration, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under AUTO SCALING section, choose Launch Configurations.

04 Select the invalid ASG launch configuration that you want to replace (see Audit section part I to identify the right resource).

05 Click on the Actions dropdown button from the dashboard top menu and choose Copy launch configuration command.

06 On the Review page, in the Launch configuration details section, click the Edit Details link to rename the copied configuration name.

07 On the Configure details page, rename the launch configuration by updating the value inside the Name box, then click the Skip to review button to go back to the Review page.

08 Back to the Review page, in the Security Groups section, click Edit Security Groups:

to change the SG reference.

09 On the Configure Security Group page, select Create a new security group, provide a name and a description (optional) for the new SG then add the necessary rules based on your application requirements using the Add Rule button. Once the SG setup is complete, click Review to continue.

10 On the Review page, verify the configuration details to make sure the ASG resource is using the right attributes then click Create launch configuration to create the new (valid) launch configuration.

11 In the Select an existing key pair or create a new key pair dialog box, select Choose an existing key pair and use the existing SSH key pair. Check I acknowledge that I have access to the selected private key file option and click Create launch configuration.

12 Click Close to return to the ASG dashboard.

13 In the left navigation panel, choose Auto Scaling Groups.

14 Select the Auto Scaling Group that you want to update (see Audit section part I to identify the right ASG).

15 Select the Details tab from the dashboard bottom panel and click the Edit button from the top right corner to edit the selected ASG configuration.

16 Select the new launch configuration from the Launch configuration dropdown list then click Save to apply the changes. The selected Auto Scaling Group can launch now new instances using the new launch configuration that is referencing the active SG.

17 Repeat steps no. 3 – 16 to create new launch configurations and fix other unhealthy Auto Scaling Groups, available in the current region.

18 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-launch-configurations command (OSX/Linux/UNIX) using the name of the launch configuration that you want to replace to describe its attributes, required later when the new ASG launch configuration will be created:

aws autoscaling describe-launch-configurations
	--region us-east-1
	--launch-configuration-names ASGProdLaunchConfig

02 The command output should return the requested configuration details:

{
	"LaunchConfigurations": [
		{
			"UserData": "",
			"IamInstanceProfile": "ec2-admin",
			"EbsOptimized": false,
			"LaunchConfigurationARN": "arn:aws: ... ",
			"InstanceMonitoring": {
				"Enabled": false
			},
			"ClassicLinkVPCSecurityGroups": [],
			"CreatedTime": "2016-03-25T17:03:37.579Z",
			"BlockDeviceMappings": [
				{
					"DeviceName": "/dev/xvda",
					"Ebs": {
						"DeleteOnTermination": true,
						"VolumeSize": 45,
						"VolumeType": "gp2"
					}
				}
			],
			"KeyName": "gpav",
			"SecurityGroups": [
				"sg-0ccf7970"
			],
			"LaunchConfigurationName": "ASGProdLaunchConfig",
			"KernelId": "",
			"RamdiskId": "",
			"ImageId": "ami-0b33d91d",
			"InstanceType": "c3.large"
		}
	]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up the security group that will be referenced by the new ASG launch configuration. The following command example creates a security group called ASGProdSecurityGroup inside a VPC identified with the ID vpc-3ad56bd9, available within the US East region:

aws ec2 create-security-group
	--region us-east-1
	--group-name ASGProdSecurityGroup
	--description "Production ASG Security Group"
	--vpc-id vpc-3ad56bd9

04 The command output should return the new security group ID:

{
	"GroupId": "sg-49883e35"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier, to set up the inbound rules based on your application requirements (the command does not produce an output):

aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-49883e35
	--protocol tcp
	--port 80
	--cidr 0.0.0.0/0

06 No run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the custom security group as identifier to configure the outbound rules based on your application requirements (the command does not return an output):

aws ec2 authorize-security-group-egress
	--region us-east-1
	--group-id sg-49883e35
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Now run create-launch-configuration command (OSX/Linux/UNIX) using the metadata returned at step no. 2 and no. 4 to create the new launch configuration that will replace the invalid one within your AWS Auto Scaling Group. The following command example creates an ASG launch configuration named NewProdASGLaunchConfig, configuration that will reference a Security Group with the ID sg-49883e35 (the command does not produce an output):

aws autoscaling create-launch-configuration
	--region us-east-1
	--launch-configuration-name NewProdASGLaunchConfig
	--image-id ami-0b33d91d
	--instance-type c3.large
	--key-name prod-ssh-key
	--security-groups sg-49883e35
	--iam-instance-profile ec2-admin
	--block-device-mappings "[{\"DeviceName\": \"/dev/xvda\",\"Ebs\":{\"VolumeSize\":45}}]"

08 Now run update-auto-scaling-group command (OSX/Linux/UNIX) to update the configuration for the specified Auto Scaling Group in order to replace the reference to its launch configuration with the new one created at the previous step (the command does not return an output):

aws autoscaling update-auto-scaling-group
	--region us-east-1
	--auto-scaling-group-name WebProductionASG
	--launch-configuration-name NewProdASGLaunchConfig

09 Repeat steps no. 1 – 8 to create new launch configurations and repair other unhealthy Auto Scaling Groups, available in the current region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 9 to perform the entire process for other regions.

References

AWS Command Line Interface (CLI) Documentation
autoscaling
describe-launch-configurations
create-launch-configuration
update-auto-scaling-group
ec2
describe-security-groups
create-security-group
authorize-security-group-ingress
authorize-security-group-egress

Launch Configuration Referencing Missing Security Groups

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related AutoScaling rules