Submitted URL: https://docs.aws.amazon.com/console/securityhub/AutoScaling.2/remediation
Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html



Amazon EC2 Auto Scaling controls - AWS Security Hub


AMAZON EC2 AUTO SCALING CONTROLS


These controls are related to Amazon EC2 Auto Scaling resources.

These controls may not be available in all AWS Regions. For more information,
see Availability of controls by Region.


[AUTOSCALING.1] AUTO SCALING GROUPS ASSOCIATED WITH A CLASSIC LOAD BALANCER
SHOULD USE LOAD BALANCER HEALTH CHECKS

Related requirements: PCI DSS v3.2.1/2.2, NIST.800-53.r5 CA-7, NIST.800-53.r5
CP-2(2), NIST.800-53.r5 SI-2

Category: Identify > Inventory

Severity: Low

Resource type: AWS::AutoScaling::AutoScalingGroup

AWS Config rule: autoscaling-group-elb-healthcheck-required

Schedule type: Change triggered

Parameters: None

This control checks whether your Auto Scaling groups that are associated with a
Classic Load Balancer are using Elastic Load Balancing health checks.

This ensures that the group can determine an instance's health based on
additional tests provided by the load balancer. Using Elastic Load Balancing
health checks can help support the availability of applications that use EC2
Auto Scaling groups.


REMEDIATION

To add Elastic Load Balancing health checks, see Add Elastic Load Balancing
health checks in the Amazon EC2 Auto Scaling User Guide.


[AUTOSCALING.2] AMAZON EC2 AUTO SCALING GROUP SHOULD COVER MULTIPLE AVAILABILITY
ZONES

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2),
NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2),
NIST.800-53.r5 SI-13(5)

Category: Recover > Resilience > High Availability

Severity: Medium

Resource type: AWS::AutoScaling::AutoScalingGroup

AWS Config rule: autoscaling-multiple-az

Schedule type: Change triggered

Parameters: None

This control checks whether an Auto Scaling group spans multiple Availability
Zones. The control fails if an Auto Scaling group does not span multiple
Availability Zones.

Amazon EC2 Auto Scaling groups can be configured to use multiple Availability
Zones. An Auto Scaling group with a single Availability Zone is preferred in
some use cases, such as batch jobs or when inter-AZ transfer costs need to be
kept to a minimum. However, an Auto Scaling group that does not span multiple
Availability Zones will not launch instances in another Availability Zone to
compensate if the configured single Availability Zone becomes unavailable.


REMEDIATION

For information on how to add Availability Zones to an existing Auto Scaling
group, see Availability zones in the Amazon EC2 Auto Scaling User Guide.


[AUTOSCALING.3] AUTO SCALING GROUP LAUNCH CONFIGURATIONS SHOULD CONFIGURE EC2
INSTANCES TO REQUIRE INSTANCE METADATA SERVICE VERSION 2 (IMDSV2)

Related requirements: NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15),
NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 CA-9(1),
NIST.800-53.r5 CM-2

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::AutoScaling::LaunchConfiguration

AWS Config rule: autoscaling-launchconfig-requires-imdsv2

Schedule type: Change triggered

Parameters: None

This control checks whether IMDSv2 is enabled on all instances launched by
Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata
Service (IMDS) version is not included in the launch configuration or if both
IMDSv1 and IMDSv2 are enabled.

IMDS provides data about your instance that you can use to configure or manage
the running instance.

Version 2 of the IMDS adds new protections that weren't available in IMDSv1 to
further safeguard your EC2 instances.


REMEDIATION

An Auto Scaling group is associated with one launch configuration at a time. You
cannot modify a launch configuration after you create it. To change the launch
configuration for an Auto Scaling group, use an existing launch configuration as
the basis for a new launch configuration with IMDSv2 enabled. For more
information, see Configure instance metadata options for new instances in the
Amazon EC2 User Guide for Linux Instances.


[AUTOSCALING.4] AUTO SCALING GROUP LAUNCH CONFIGURATION SHOULD NOT HAVE A
METADATA RESPONSE HOP LIMIT GREATER THAN 1

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2,
NIST.800-53.r5 CM-2(2)

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::AutoScaling::LaunchConfiguration

AWS Config rule: autoscaling-launch-config-hop-limit

Schedule type: Change triggered

Parameters: None

This control checks the number of network hops that a metadata token can travel.
The control fails if the metadata response hop limit is greater than 1.

The Instance Metadata Service (IMDS) provides metadata information about an
Amazon EC2 instance and is useful for application configuration. Restricting the
HTTP PUT response for the metadata service to only the EC2 instance protects the
IMDS from unauthorized use.

The Time To Live (TTL) field in the IP packet is reduced by one on every hop,
so a hop limit of 1 on the PUT response ensures that the packet carrying the
token cannot be forwarded beyond the instance itself. This is what protects EC2
instances that may have been misconfigured as open routers, layer 3 firewalls,
VPNs, tunnels, or NAT devices: a token that cannot leave the instance cannot be
used by unauthorized users to retrieve metadata. With IMDSv2, the default
metadata response hop limit is 1, so the PUT response that contains the secret
token stays on the instance. If this value is set greater than 1, the token can
leave the EC2 instance.


REMEDIATION

To modify the metadata response hop limit for an existing launch configuration,
see Modify instance metadata options for existing instances in the Amazon EC2
User Guide for Linux Instances.


[AUTOSCALING.5] AMAZON EC2 INSTANCES LAUNCHED USING AUTO SCALING GROUP LAUNCH
CONFIGURATIONS SHOULD NOT HAVE PUBLIC IP ADDRESSES

Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration

Severity: High

Resource type: AWS::AutoScaling::LaunchConfiguration

AWS Config rule: autoscaling-launch-config-public-ip-disabled

Schedule type: Change triggered

Parameters: None

This control checks whether an Auto Scaling group's associated launch
configuration assigns a public IP address to the group's instances. The control
fails if the associated launch configuration assigns a public IP address.

Amazon EC2 instances in an Auto Scaling group launch configuration should not
have an associated public IP address, except for in limited edge cases. Amazon
EC2 instances should only be accessible from behind a load balancer instead of
being directly exposed to the internet.


REMEDIATION

An Auto Scaling group is associated with one launch configuration at a time. You
cannot modify a launch configuration after you create it. To change the launch
configuration for an Auto Scaling group, use an existing launch configuration as
the basis for a new launch configuration. Then, update the Auto Scaling group to
use the new launch configuration. For step-by-step instructions, see Change the
launch configuration for an Auto Scaling group in the Amazon EC2 Auto Scaling
User Guide. When creating the new launch configuration, under Additional
configuration, for Advanced details, IP address type, choose Do not assign a
public IP address to any instances.

After you change the launch configuration, Auto Scaling launches new instances
with the new configuration options. Existing instances aren't affected. To
update an existing instance, we recommend that you refresh your instance, or
allow automatic scaling to gradually replace older instances with newer
instances based on your termination policies. For more information about
updating Auto Scaling instances, see Update Auto Scaling instances in the Amazon
EC2 Auto Scaling User Guide.
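The three launch-configuration controls above (AutoScaling.3, AutoScaling.4 and AutoScaling.5) can be evaluated offline against the fields they inspect. The following is an added example, not Security Hub's or AWS Config's own rule code; it assumes records shaped like the items in an Amazon EC2 Auto Scaling DescribeLaunchConfigurations response (MetadataOptions.HttpTokens, MetadataOptions.HttpPutResponseHopLimit, AssociatePublicIpAddress), and the sample records are constructed.

```python
"""Offline evaluation of AutoScaling.3, .4 and .5 for launch configurations.

Added example, not Security Hub's or AWS Config's rule code. Records are
shaped like DescribeLaunchConfigurations items; samples are constructed."""


def check_launch_configuration(lc: dict) -> dict:
    """Return {control_id: 'PASSED' | 'FAILED'} for one launch configuration.

    Pass/fail conditions follow the control descriptions on this page; how
    an absent field is treated is an assumption, noted inline."""
    results = {}
    metadata = lc.get("MetadataOptions") or {}

    # AutoScaling.3: IMDSv2 must be required. HttpTokens 'optional' means
    # both IMDSv1 and IMDSv2 are accepted; a launch configuration without a
    # MetadataOptions block does not pin the IMDS version at all.
    results["AutoScaling.3"] = (
        "PASSED" if metadata.get("HttpTokens") == "required" else "FAILED"
    )

    # AutoScaling.4: the PUT response hop limit must not exceed 1. An absent
    # field means the service default of 1 applies (assumption: passing).
    hop_limit = metadata.get("HttpPutResponseHopLimit", 1)
    results["AutoScaling.4"] = "PASSED" if hop_limit <= 1 else "FAILED"

    # AutoScaling.5: the launch configuration must not assign a public IP.
    # Only an explicit True is an assignment by the launch configuration; an
    # absent field leaves the choice to the subnet (assumption: passing).
    results["AutoScaling.5"] = (
        "FAILED" if lc.get("AssociatePublicIpAddress") is True else "PASSED"
    )
    return results


def failing_controls(launch_configurations: list) -> dict:
    """Map each launch configuration name to the controls it fails."""
    report = {}
    for lc in launch_configurations:
        failed = sorted(
            cid for cid, status in check_launch_configuration(lc).items()
            if status == "FAILED"
        )
        if failed:
            report[lc["LaunchConfigurationName"]] = failed
    return report


# Constructed samples: one hardened configuration, one with every weakness,
# one that never sets MetadataOptions.
SAMPLE_LAUNCH_CONFIGURATIONS = [
    {
        "LaunchConfigurationName": "web-hardened",
        "AssociatePublicIpAddress": False,
        "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1},
    },
    {
        "LaunchConfigurationName": "web-legacy",
        "AssociatePublicIpAddress": True,
        "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
    },
    {"LaunchConfigurationName": "batch-default"},
]

if __name__ == "__main__":
    for name, failed in failing_controls(SAMPLE_LAUNCH_CONFIGURATIONS).items():
        print(f"{name}: fails {', '.join(failed)}")
```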


[AUTOSCALING.6] AUTO SCALING GROUPS SHOULD USE MULTIPLE INSTANCE TYPES IN
MULTIPLE AVAILABILITY ZONES

Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2),
NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2),
NIST.800-53.r5 SI-13(5)

Category: Recover > Resilience > High Availability

Severity: Medium

Resource type: AWS::AutoScaling::AutoScalingGroup

AWS Config rule: autoscaling-multiple-instance-types

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon EC2 Auto Scaling group uses multiple
instance types. The control fails if the Auto Scaling group has only one
instance type defined.

You can enhance availability by deploying your application across multiple
instance types running in multiple Availability Zones. Security Hub recommends
using multiple instance types so that the Auto Scaling group can launch another
instance type if there is insufficient instance capacity in your chosen
Availability Zones.


REMEDIATION

To create an Auto Scaling group with multiple instance types, see Auto Scaling
groups with multiple instance types and purchase options in the Amazon EC2 Auto
Scaling User Guide.


[AUTOSCALING.9] AMAZON EC2 AUTO SCALING GROUPS SHOULD USE AMAZON EC2 LAUNCH
TEMPLATES

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2,
NIST.800-53.r5 CM-2(2)

Category: Identify > Resource Configuration

Severity: Medium

Resource type: AWS::AutoScaling::AutoScalingGroup

AWS Config rule: autoscaling-launch-template

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon EC2 Auto Scaling group is created from an
EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is
not created with a launch template or if a launch template is not specified in a
mixed instances policy.

An EC2 Auto Scaling group can be created from either an EC2 launch template or a
launch configuration. However, using a launch template to create an Auto Scaling
group ensures that you have access to the latest features and improvements.


REMEDIATION

To create an Auto Scaling group with an EC2 launch template, see Create an Auto
Scaling group using a launch template in the Amazon EC2 Auto Scaling User Guide.
For information about how to replace a launch configuration with a launch
template, see Replace a launch configuration with a launch template in the
Amazon EC2 User Guide for Windows Instances.
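The group-level controls on this page (AutoScaling.1, AutoScaling.2, AutoScaling.6 and AutoScaling.9) inspect Auto Scaling group attributes rather than the launch configuration. The following is an added example, not Security Hub's or AWS Config's own rule code; it assumes records shaped like the items in an Amazon EC2 Auto Scaling DescribeAutoScalingGroups response (AvailabilityZones, LoadBalancerNames, HealthCheckType, LaunchTemplate, MixedInstancesPolicy), treats only explicit InstanceType overrides as distinct instance types, and uses constructed sample groups.

```python
"""Offline evaluation of AutoScaling.1, .2, .6 and .9 for Auto Scaling groups.

Added example, not Security Hub's or AWS Config's rule code. Records are
shaped like DescribeAutoScalingGroups items; samples are constructed."""


def instance_types(asg: dict) -> set:
    """Distinct instance types the group can launch.

    Only explicit InstanceType overrides in a mixed instances policy are
    counted (assumption); a group driven by one launch template or a launch
    configuration has a single type, represented by a placeholder."""
    overrides = (
        asg.get("MixedInstancesPolicy", {})
        .get("LaunchTemplate", {})
        .get("Overrides", [])
    )
    types = {o["InstanceType"] for o in overrides if "InstanceType" in o}
    return types or {"<single type from template or configuration>"}


def check_auto_scaling_group(asg: dict) -> dict:
    """Return {control_id: 'PASSED' | 'FAILED' | 'NOT_APPLICABLE'}."""
    results = {}

    # AutoScaling.1 applies only to groups attached to a Classic Load
    # Balancer (LoadBalancerNames); those groups must use ELB health checks.
    if asg.get("LoadBalancerNames"):
        results["AutoScaling.1"] = (
            "PASSED" if asg.get("HealthCheckType") == "ELB" else "FAILED"
        )
    else:
        results["AutoScaling.1"] = "NOT_APPLICABLE"

    # AutoScaling.2: the group must span at least two Availability Zones.
    results["AutoScaling.2"] = (
        "PASSED" if len(asg.get("AvailabilityZones", [])) >= 2 else "FAILED"
    )

    # AutoScaling.6: more than one instance type must be defined.
    results["AutoScaling.6"] = "PASSED" if len(instance_types(asg)) >= 2 else "FAILED"

    # AutoScaling.9: the group must come from a launch template, directly or
    # through its mixed instances policy, not from a launch configuration.
    mixed_lt = asg.get("MixedInstancesPolicy", {}).get("LaunchTemplate", {})
    uses_template = "LaunchTemplate" in asg or "LaunchTemplateSpecification" in mixed_lt
    results["AutoScaling.9"] = "PASSED" if uses_template else "FAILED"
    return results


# Constructed samples: a resilient group and a legacy single-AZ group.
SAMPLE_GROUPS = [
    {
        "AutoScalingGroupName": "api-multi-az",
        "AvailabilityZones": ["eu-central-1a", "eu-central-1b"],
        "LoadBalancerNames": ["api-classic-elb"],
        "HealthCheckType": "ELB",
        "MixedInstancesPolicy": {
            "LaunchTemplate": {
                "LaunchTemplateSpecification": {"LaunchTemplateName": "api-lt"},
                "Overrides": [{"InstanceType": "m6i.large"}, {"InstanceType": "m5.large"}],
            }
        },
    },
    {
        "AutoScalingGroupName": "batch-legacy",
        "AvailabilityZones": ["eu-central-1a"],
        "LaunchConfigurationName": "batch-default",
        "HealthCheckType": "EC2",
    },
]

if __name__ == "__main__":
    for asg in SAMPLE_GROUPS:
        print(asg["AutoScalingGroupName"], check_auto_scaling_group(asg))
```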

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.