
Amazon EC2 Auto Scaling Group Uses an EC2 Launch Template

Overview

This check verifies that your EC2 Auto Scaling groups use launch templates instead of the older launch configurations. Launch templates are versioned, expose current EC2 features (including the instance metadata options used to enforce IMDSv2), and give every instance the group launches a single, auditable source of truth for its configuration.

Risk

Without a launch template, your Auto Scaling group lacks a versioned, auditable baseline for instance configuration. This can lead to:

  • Configuration drift across instances launched at different times
  • Inconsistent security settings such as metadata service options (IMDSv2) and encryption
  • Difficulty tracking changes since launch configurations cannot be modified after creation
  • Limited access to newer EC2 features only available through launch templates

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to modify Auto Scaling groups
  • An existing launch template (or you will create one during remediation)

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:UpdateAutoScalingGroup",
        "ec2:DescribeLaunchTemplates",
        "ec2:CreateLaunchTemplate"
      ],
      "Resource": "*"
    }
  ]
}

When a group is pointed at a launch template, Auto Scaling validates the template by dry-running an instance launch on your behalf, so the caller also needs ec2:RunInstances, and iam:PassRole on the instance role if the template specifies an instance profile. Scope "Resource" down to the specific groups and templates where your policy model allows it.

AWS Console Method

Step 1: Identify the affected Auto Scaling group

  1. Open the EC2 Console
  2. In the left navigation, scroll down and click Auto Scaling Groups
  3. Find the Auto Scaling group flagged by Prowler
  4. Note whether it currently uses a "Launch configuration" (shown in the details panel)

Step 2: Create a launch template (if needed)

If you do not have a launch template yet:

  1. In the left navigation, click Launch Templates under "Instances"
  2. Click Create launch template
  3. Enter a name (e.g., my-asg-launch-template)
  4. Configure your instance settings:
    • AMI: Select your desired Amazon Machine Image
    • Instance type: Choose the appropriate size
    • Key pair: Select or create one for SSH access, or leave it empty if you reach instances through Systems Manager Session Manager instead of SSH
  5. Under Advanced details, set Metadata version to V2 only (token required) for better security
  6. Click Create launch template

Step 3: Update the Auto Scaling group to use the launch template

  1. Go back to Auto Scaling Groups in the EC2 console
  2. Select your Auto Scaling group
  3. Click Edit (or click the Details tab, then Edit)
  4. In the Launch template section:
    • Select your launch template from the dropdown
    • Choose the version (typically "Latest" or a specific version number)
  5. Click Update

New instances will now launch using the template. Existing instances keep their original configuration until they are replaced; to roll them onto the template without waiting for a scaling event, start an instance refresh on the group (or terminate instances gradually and let the group replace them).

AWS CLI (optional)

List Auto Scaling groups to find those without launch templates:

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --query 'AutoScalingGroups[?LaunchTemplate==`null` && MixedInstancesPolicy==`null`].[AutoScalingGroupName,LaunchConfigurationName]' \
  --output table

Create a launch template with security best practices:

aws ec2 create-launch-template \
  --region us-east-1 \
  --launch-template-name my-secure-launch-template \
  --version-description "Initial version with IMDSv2" \
  --launch-template-data '{
    "ImageId": "ami-0abcdef1234567890",
    "InstanceType": "t3.micro",
    "MetadataOptions": {
      "HttpTokens": "required",
      "HttpEndpoint": "enabled",
      "HttpPutResponseHopLimit": 1
    },
    "BlockDeviceMappings": [
      {
        "DeviceName": "/dev/xvda",
        "Ebs": {
          "Encrypted": true,
          "VolumeType": "gp3",
          "DeleteOnTermination": true
        }
      }
    ]
  }'

Replace ami-0abcdef1234567890 with your actual AMI ID. "HttpTokens": "required" enforces IMDSv2, which defeats the classic SSRF-to-credential-theft path against the metadata service. A hop limit of 1 stops metadata responses from crossing a network hop, which also means containers running in their own network namespace on the instance cannot reach IMDS; raise it to 2 if those workloads need the instance role.

Update the Auto Scaling group to use the launch template:

aws autoscaling update-auto-scaling-group \
  --region us-east-1 \
  --auto-scaling-group-name <your-asg-name> \
  --launch-template LaunchTemplateId=<your-template-id>,Version='$Latest'

Replace <your-asg-name> with your Auto Scaling group name and <your-template-id> with the launch template ID.
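The CLI steps above find groups that are still on a launch configuration and create a hardened template from scratch, but in practice you usually want the new template to carry the existing launch configuration's settings (AMI, security groups, instance profile, user data, block devices) so that nothing changes except the security posture. The script below is an added example, not Prowler's check code or an AWS tool: it applies the same compliance test Prowler uses (a direct launch template or one inside a mixed instances policy both pass), and translates a describe-launch-configurations record into the LaunchTemplateData shape that create-launch-template accepts while forcing IMDSv2 and EBS encryption. The ASG and launch configuration records are constructed samples that mirror the API response shapes; the group, template and security group identifiers in them are placeholders.

```python
"""Audit Auto Scaling groups for launch-configuration use and translate a
launch configuration into launch template data with IMDSv2 and EBS
encryption enforced.  Added example; not Prowler's own check or an AWS tool.
The sample records below are constructed, not real account data."""
from __future__ import annotations

import copy
import json


def uses_launch_template(asg: dict) -> bool:
    """True if the group references a launch template directly or through a
    mixed instances policy (both satisfy the check); False if it still relies
    on a launch configuration or has no launch source at all."""
    if asg.get("LaunchTemplate"):
        return True
    mip = asg.get("MixedInstancesPolicy") or {}
    return bool((mip.get("LaunchTemplate") or {}).get("LaunchTemplateSpecification"))


def noncompliant_groups(asgs: list[dict]) -> list[tuple[str, str | None]]:
    """(group name, launch configuration name) for every non-compliant group."""
    return [(a["AutoScalingGroupName"], a.get("LaunchConfigurationName"))
            for a in asgs if not uses_launch_template(a)]


def launch_config_to_template_data(lc: dict) -> dict:
    """Map a describe-launch-configurations record onto LaunchTemplateData,
    forcing HttpTokens=required (IMDSv2) and Encrypted=true on EBS volumes."""
    data: dict = {}
    for key in ("ImageId", "InstanceType", "KeyName", "UserData", "EbsOptimized"):
        if lc.get(key) not in (None, ""):
            data[key] = lc[key]
    if lc.get("IamInstanceProfile"):
        prof = lc["IamInstanceProfile"]  # LC stores a name or an ARN
        data["IamInstanceProfile"] = {"Arn": prof} if prof.startswith("arn:") else {"Name": prof}
    if "InstanceMonitoring" in lc:
        data["Monitoring"] = {"Enabled": bool(lc["InstanceMonitoring"].get("Enabled"))}
    if lc.get("PlacementTenancy"):
        data["Placement"] = {"Tenancy": lc["PlacementTenancy"]}
    if lc.get("SpotPrice"):
        data["InstanceMarketOptions"] = {"MarketType": "spot",
                                        "SpotOptions": {"MaxPrice": lc["SpotPrice"]}}
    sgs = list(lc.get("SecurityGroups") or [])
    if "AssociatePublicIpAddress" in lc:
        # In a launch template the public-IP setting lives on a network
        # interface, and security groups must then be attached there too.
        data["NetworkInterfaces"] = [{"DeviceIndex": 0,
                                     "AssociatePublicIpAddress": lc["AssociatePublicIpAddress"],
                                     "Groups": sgs}]
    elif sgs:
        data["SecurityGroupIds"] = sgs
    # Storage hardening: copy the mappings and require encryption on each volume.
    mappings = copy.deepcopy(lc.get("BlockDeviceMappings") or [])
    for m in mappings:
        if "Ebs" in m:
            m["Ebs"]["Encrypted"] = True
    if mappings:
        data["BlockDeviceMappings"] = mappings
    # Metadata hardening: keep what the LC set, but require IMDSv2 tokens.
    md = dict(lc.get("MetadataOptions") or {})
    md["HttpTokens"] = "required"
    md.setdefault("HttpEndpoint", "enabled")
    md.setdefault("HttpPutResponseHopLimit", 1)
    data["MetadataOptions"] = md
    return data


# Constructed sample records (placeholder identifiers, not real resources).
SAMPLE_ASGS = [
    {"AutoScalingGroupName": "web-asg", "LaunchConfigurationName": "web-lc-2021"},
    {"AutoScalingGroupName": "api-asg",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0123456789abcdef0", "Version": "$Latest"}},
    {"AutoScalingGroupName": "batch-asg", "MixedInstancesPolicy": {"LaunchTemplate": {
        "LaunchTemplateSpecification": {"LaunchTemplateId": "lt-0fedcba9876543210", "Version": "3"}}}},
]
SAMPLE_LC = {
    "LaunchConfigurationName": "web-lc-2021",
    "ImageId": "ami-0abcdef1234567890", "InstanceType": "t3.micro", "KeyName": "web-key",
    "SecurityGroups": ["sg-0123456789abcdef0"], "AssociatePublicIpAddress": False,
    "IamInstanceProfile": "web-instance-profile",
    "InstanceMonitoring": {"Enabled": False},
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"VolumeSize": 20, "VolumeType": "gp2", "DeleteOnTermination": True}}],
    "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
}

if __name__ == "__main__":
    for name, lc_name in noncompliant_groups(SAMPLE_ASGS):
        print(f"{name}: still on launch configuration {lc_name}")
    # Feed this JSON to: aws ec2 create-launch-template --launch-template-data file://lt.json
    print(json.dumps(launch_config_to_template_data(SAMPLE_LC), indent=2))
```

To run this against a real account, replace the sample lists with the `AutoScalingGroups` and `LaunchConfigurations` arrays returned by boto3's `describe_auto_scaling_groups` and `describe_launch_configurations` paginators, write the resulting dict to a file, and pass it to create-launch-template with `--launch-template-data file://lt.json` before running the update-auto-scaling-group command above. Review the generated data before creating the template: an AMI whose root snapshot is unencrypted will be encrypted with the account's default EBS key at launch, and a raised hop limit in the original configuration is preserved on purpose.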

CloudFormation (optional)

This template creates a secure launch template and Auto Scaling group:

AWSTemplateFormatVersion: '2010-09-09'
Description: Auto Scaling Group with EC2 Launch Template

Parameters:
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets for the Auto Scaling group
  InstanceType:
    Type: String
    Default: t3.micro
    Description: EC2 instance type
  AmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
    Description: AMI ID for instances

Resources:
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: secure-launch-template
      LaunchTemplateData:
        InstanceType: !Ref InstanceType
        ImageId: !Ref AmiId
        MetadataOptions:
          HttpTokens: required
          HttpEndpoint: enabled
          HttpPutResponseHopLimit: 1
        BlockDeviceMappings:
          - DeviceName: /dev/xvda
            Ebs:
              Encrypted: true
              VolumeType: gp3
              DeleteOnTermination: true

  AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: my-asg-with-launch-template
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
      MinSize: '1'
      MaxSize: '4'
      DesiredCapacity: '2'
      VPCZoneIdentifier: !Ref SubnetIds

Outputs:
  LaunchTemplateId:
    Description: ID of the launch template
    Value: !Ref LaunchTemplate
  AutoScalingGroupName:
    Description: Name of the Auto Scaling group
    Value: !Ref AutoScalingGroup

Deploy the stack:

aws cloudformation deploy \
  --region us-east-1 \
  --template-file template.yaml \
  --stack-name my-asg-stack \
  --parameter-overrides SubnetIds=subnet-abc123,subnet-def456

Terraform (optional)

This configuration creates the same launch template and Auto Scaling group with Terraform:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "subnet_ids" {
  description = "List of subnet IDs for the Auto Scaling group"
  type        = list(string)
}

variable "instance_type" {
  description = "EC2 instance type"
  type        = string
  default     = "t3.micro"
}

data "aws_ami" "amazon_linux_2023" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

resource "aws_launch_template" "secure_template" {
  name        = "secure-launch-template"
  description = "Secure launch template with IMDSv2 and encrypted storage"

  image_id      = data.aws_ami.amazon_linux_2023.id
  instance_type = var.instance_type

  metadata_options {
    http_tokens                 = "required"
    http_endpoint               = "enabled"
    http_put_response_hop_limit = 1
  }

  block_device_mappings {
    device_name = "/dev/xvda"

    ebs {
      encrypted             = true
      volume_type           = "gp3"
      delete_on_termination = true
    }
  }

  tag_specifications {
    resource_type = "instance"
    tags = {
      Name = "asg-instance"
    }
  }
}

resource "aws_autoscaling_group" "main" {
  name                = "my-asg-with-launch-template"
  min_size            = 1
  max_size            = 4
  desired_capacity    = 2
  vpc_zone_identifier = var.subnet_ids

  launch_template {
    id      = aws_launch_template.secure_template.id
    version = "$Latest"
  }

  tag {
    key                 = "Name"
    value               = "asg-instance"
    propagate_at_launch = true
  }
}

output "launch_template_id" {
  description = "ID of the launch template"
  value       = aws_launch_template.secure_template.id
}

output "autoscaling_group_name" {
  description = "Name of the Auto Scaling group"
  value       = aws_autoscaling_group.main.name
}

Apply the configuration:

terraform init
terraform plan -var="subnet_ids=[\"subnet-abc123\",\"subnet-def456\"]"
terraform apply -var="subnet_ids=[\"subnet-abc123\",\"subnet-def456\"]"

Verification

After updating your Auto Scaling group:

  1. In the AWS Console, go to EC2 > Auto Scaling Groups
  2. Select your Auto Scaling group
  3. Confirm the Launch template field shows your template name and version
  4. The Launch configuration field should be empty or absent

CLI verification

aws autoscaling describe-auto-scaling-groups \
  --region us-east-1 \
  --auto-scaling-group-names <your-asg-name> \
  --query 'AutoScalingGroups[0].{Name:AutoScalingGroupName,LaunchTemplate:LaunchTemplate,LaunchConfig:LaunchConfigurationName}' \
  --output table

The output should show your launch template ID and version, with no LaunchConfigurationName. If the group uses a mixed instances policy, the template appears under MixedInstancesPolicy.LaunchTemplate.LaunchTemplateSpecification instead of the top-level LaunchTemplate field, which is still compliant.

Additional Resources

Notes

  • Existing instances are not affected: When you switch to a launch template, running instances continue with their original configuration (including any IMDSv1 or unencrypted-volume settings) until they are replaced. Only new instances use the template, so schedule an instance refresh if the change must apply to the whole fleet.
  • Version control: Pin a specific template version in production so that a new version (a different AMI, for example) is only rolled out deliberately; use $Latest or $Default in development for flexibility.
  • Migration from launch configurations: AWS recommends migrating all Auto Scaling groups from launch configurations to launch templates. Launch configurations are a legacy feature that no longer receives new capabilities.
  • Mixed instances policy: If you use Spot Instances or multiple instance types, configure these in the Auto Scaling group's mixed instances policy while still referencing a launch template; the policy itself requires one.