App-Tier/ Web-Tier ASG Launch Configurations Using Unapproved AMIs

This plugin ensures that App-Tier or Web-Tier Auto Scaling Group Launch Configurations are using approved AMIs.

Risk Level: High

Description

This plugin ensures that App-Tier or Web-Tier Auto Scaling Group Launch Configurations are using approved AMIs. AMIs are required by Auto Scaling groups to launch EC2 instances to scale the infrastructure. 

About the Service

AWS Auto Scaling: As the name suggests, AWS AutoScaling monitors the running resources and if required, increases the scaling capability at the lowest possible costs. AutoScaling is easy to set up and automatically maintains performance of your cloud infrastructure.

Impact

Unapproved AMIs can contain malicious information or cannot be compatible with the already existing infrastructure. Attaching unapproved AMIs can disrupt the cloud infrastructure and can also create a pathway for attackers to compromise your data.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon EC2 Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. Scroll down and select Auto Scaling Groups under the Auto Scaling section from the left pane.
  4. A list of Auto Scaling Groups will be displayed, select the app/web tiered group you want to investigate by clicking on its Name.
  5. Move to the Details tab. Verify if the AMI ID mentioned under the Launch Configuration section is approved or not. If not, then the vulnerability exists.
  6. Repeat steps 3 to 5 for all the Auto Scaling groups you want to investigate.

Steps for Remediation

Update App-Tier/ Web-Tier ASG Launch Configurations to use approved AMIs only.

  1. Log In to your AWS Console.
  2. Open the Amazon EC2 Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. Scroll down and select Auto Scaling Groups under the Auto Scaling section from the left pane.
  4. A list of Auto Scaling Groups will be displayed, select the Launch Configuration of the vulnerable Auto Scaling Group by clicking on its Launch template/configuration column.
  5. Since, we cannot Edit the Launch Configuration, create a new Launch Configuration by clicking on the Copy Launch Configuration button.
  6. Type a new name for the configuration. In the Amazon Machine Image (AMI) section, select an approved AMI from the dropdown list. Click on Create Launch Configuration when done.
  7. Now edit the vulnerable auto scaling group by attaching this new configuration to it.
  8. Repeat steps 3 to 7 for all the vulnerable Auto Scaling groups.