Profile Applicability:
- Level 1
Description:
This rule ensures that tags are automatically propagated from EC2 Auto Scaling groups to the EC2 instances that they launch. Tags are crucial for managing, identifying, organizing, searching for, and filtering resources. In addition, tags help with security and compliance by ensuring proper categorization of resources.
Rationale:
Without proper tagging, EC2 instances created through Auto Scaling groups may lack essential identifiers, making it difficult to track, manage, or enforce security and compliance policies. Automatically propagating tags ensures that every EC2 instance launched by an Auto Scaling group is properly tagged, allowing for better management and compliance.
Impact:
Pros:
Better resource management through consistent tagging across EC2 instances.
Improved compliance and security by ensuring tags are applied to all resources.
Easier cost allocation by categorizing resources properly using tags.
Simplified automation by ensuring that tags are automatically applied when instances are launched by Auto Scaling.
Cons:
Additional overhead for managing tags, though this is outweighed by the benefits of better organization and compliance.
Potential conflicts in tag values if conflicting tags are applied in different layers (Auto Scaling vs Launch Template).
Default Value:
By default, Auto Scaling groups do not propagate tags to EC2 instances automatically. The Tag new instances setting needs to be explicitly enabled.
Pre-requisites:
AWS IAM permissions to manage Auto Scaling groups and EC2 instances:
autoscaling:DescribeAutoScalingGroups, autoscaling:CreateOrUpdateTags, ec2:DescribeInstances, ec2:ModifyInstanceAttribute
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Management Console.
In the Services section, click EC2 under Compute.
In the left-hand menu, click Auto Scaling Groups.
For each Auto Scaling group, click the Details tab and confirm that the Tag new instances option is checked.
If this option is unchecked, refer to the remediation below.
Repeat the steps for all Auto Scaling groups in use across all regions.
Using AWS CLI:
Run the following command to retrieve the Auto Scaling group information:
aws autoscaling describe-auto-scaling-groups
Ensure that the PropagateAtLaunch parameter is set to true for every tag listed in the Tags section of each Auto Scaling group.
Repeat the steps for each AWS region in use.
Implementation Plan:
Using AWS Console:
Log in to the AWS Management Console.
In the left-hand menu, click EC2 and then select Auto Scaling Groups.
Select each Auto Scaling group you wish to modify.
Click Edit.
In the Tags section, ensure that Tag new instances is checked.
Click Update to apply the changes.
Repeat for any other Auto Scaling groups in other regions.
Using AWS CLI:
For each Auto Scaling group that does not have PropagateAtLaunch set to true, run the following command to propagate tags to new EC2 instances:
aws autoscaling create-or-update-tags \
  --tags ResourceId=<AutoScalingGroupName>,ResourceType=auto-scaling-group,Key=<TagKey>,Value=<TagValue>,PropagateAtLaunch=true
Repeat for all Auto Scaling groups in all AWS regions to ensure tags are propagated.
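To audit PropagateAtLaunch across many groups and produce the matching remediation commands for the CLI steps in both the Test Plan and the Implementation Plan above, the following Python script is an added example; it is not part of this benchmark and does not call AWS. It parses a constructed sample in the shape of describe-auto-scaling-groups JSON output (the group names, tag values and region are invented), reports every tag that would not be propagated, reports groups that carry no tags at all, and builds one create-or-update-tags command per offending tag.

```python
import json
import shlex
from typing import Dict, List

# Constructed sample, shaped like the JSON that
# `aws autoscaling describe-auto-scaling-groups --output json` returns.
# Group names and tags are invented for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "AutoScalingGroups": [
        {
            "AutoScalingGroupName": "web-asg",
            "Tags": [
                {"ResourceId": "web-asg", "ResourceType": "auto-scaling-group",
                 "Key": "Environment", "Value": "prod", "PropagateAtLaunch": True},
                # This tag stays on the group and never reaches the instances.
                {"ResourceId": "web-asg", "ResourceType": "auto-scaling-group",
                 "Key": "Owner", "Value": "platform-team", "PropagateAtLaunch": False},
            ],
        },
        {
            "AutoScalingGroupName": "batch-asg",
            "Tags": [
                {"ResourceId": "batch-asg", "ResourceType": "auto-scaling-group",
                 "Key": "CostCenter", "Value": "42", "PropagateAtLaunch": True},
            ],
        },
        # A group with no tags has nothing to propagate; it is a separate finding.
        {"AutoScalingGroupName": "legacy-asg", "Tags": []},
    ]
})


def find_non_propagating_tags(describe_json: str) -> Dict[str, List[dict]]:
    """Return {group_name: [tag, ...]} for every tag whose PropagateAtLaunch is not true.

    Groups whose tags all propagate are omitted from the result.
    """
    data = json.loads(describe_json)
    findings: Dict[str, List[dict]] = {}
    for asg in data.get("AutoScalingGroups", []):
        name = asg["AutoScalingGroupName"]
        bad = [t for t in asg.get("Tags", []) if t.get("PropagateAtLaunch") is not True]
        if bad:
            findings[name] = bad
    return findings


def find_untagged_groups(describe_json: str) -> List[str]:
    """Return the names of groups that carry no tags, so instances launch untagged."""
    data = json.loads(describe_json)
    return [asg["AutoScalingGroupName"]
            for asg in data.get("AutoScalingGroups", []) if not asg.get("Tags")]


def remediation_commands(findings: Dict[str, List[dict]], region: str) -> List[str]:
    """Build one create-or-update-tags command per tag that does not propagate.

    Uses the CLI's shorthand --tags syntax; tag values that contain commas or
    equals signs would need the JSON form of --tags instead.
    """
    cmds: List[str] = []
    for asg_name, tags in findings.items():
        for t in tags:
            spec = (f"ResourceId={asg_name},ResourceType=auto-scaling-group,"
                    f"Key={t['Key']},Value={t['Value']},PropagateAtLaunch=true")
            cmds.append("aws autoscaling create-or-update-tags "
                        f"--region {shlex.quote(region)} --tags {shlex.quote(spec)}")
    return cmds


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; in practice feed the script the
    # saved output of describe-auto-scaling-groups for each region in use.
    found = find_non_propagating_tags(SAMPLE_DESCRIBE_OUTPUT)
    for group, tags in found.items():
        print(f"{group}: tags not propagated -> {[t['Key'] for t in tags]}")
    for group in find_untagged_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group}: no tags defined")
    for cmd in remediation_commands(found, "us-east-1"):
        print(cmd)
```

Run the describe command once per region, save the JSON, and pass it to the two find functions; the generated commands follow the Implementation Plan above and are printed rather than executed so they can be reviewed before applying.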
Backout Plan:
Using AWS Console:
If issues arise after enabling tag propagation, you can disable the Tag new instances setting by unchecking the box in the Auto Scaling Group settings.
Revert any changes and test again to ensure tags are applied correctly.
Using AWS CLI:
If necessary, remove the tag propagation by running:
aws autoscaling create-or-update-tags \
  --tags ResourceId=<AutoScalingGroupName>,ResourceType=auto-scaling-group,Key=<TagKey>,Value=<TagValue>,PropagateAtLaunch=false
References:
CIS Controls: