Merge pull request #531 from turbot/release/v0.54

Release/v0.54

CHANGELOG.md

@@ -1,3 +1,10 @@
+## v0.54 [2022-11-22]
+
+_What's new?_
+
+- New AWS Foundational Security Best Practices control added: ([#529](https://github.com/turbot/steampipe-mod-aws-compliance/pull/529))
+  - AutoScaling.9 (`steampipe check control.foundational_security_autoscaling_9`)
+
 ## v0.53 [2022-11-17]
 
 _Bug fixes_

foundational_security/autoscaling.sp

@@ -13,7 +13,8 @@ benchmark "foundational_security_autoscaling" {
     control.foundational_security_autoscaling_3,
     control.foundational_security_autoscaling_4,
     control.foundational_security_autoscaling_5,
-    control.foundational_security_autoscaling_6
+    control.foundational_security_autoscaling_6,
+    control.foundational_security_autoscaling_9
   ]
 
   tags = merge(local.foundational_security_autoscaling_common_tags, {
@@ -98,3 +99,16 @@ control "foundational_security_autoscaling_6" {
     foundational_security_category = "high_availability"
   })
 }
+
+control "foundational_security_autoscaling_9" {
+  title         = "9 EC2 Auto Scaling groups should use EC2 launch templates"
+  description   = "This control checks whether an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy."
+  severity      = "medium"
+  sql           = query.autoscaling_group_uses_ec2_launch_template.sql
+  documentation = file("./foundational_security/docs/foundational_security_autoscaling_9.md")
+
+  tags = merge(local.foundational_security_autoscaling_common_tags, {
+    foundational_security_item_id  = "autoscaling_9"
+    foundational_security_category = "resource_configuration"
+  })
+}

foundational_security/docs/foundational_security_autoscaling_9.md

@@ -0,0 +1,9 @@
+## Description
+
+This control checks whether an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy.
+
+An EC2 Auto Scaling group can be created from either an EC2 launch template or a launch configuration. However, using a launch template to create an Auto Scaling group ensures that you have access to the latest features and improvements.
+
+## Remediation
+
+To create an Auto Scaling group with an EC2 launch template, see [Create an Auto Scaling group using a launch template](https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-launch-template.html) in the Amazon EC2 Auto Scaling User Guide. For information about how to replace a launch configuration with a launch template, see [Replace a launch configuration with a launch template](https://docs.aws.amazon.com/autoscaling/ec2/userguide/replace-launch-config.html) in the Amazon EC2 User Guide for Windows Instances.

query/autoscaling/autoscaling_group_uses_ec2_launch_template.sql

@@ -0,0 +1,16 @@
+select
+  -- Required Columns
+  autoscaling_group_arn as resource,
+  case
+    when launch_template_id is not null then 'ok'
+    else 'alarm'
+  end as status,
+  case
+    when launch_template_id is not null then title || ' using an EC2 launch template.'
+    else title || ' not using an EC2 launch template.'
+  end as reason,
+  -- Additional Dimensions
+  region,
+  account_id
+from
+  aws_ec2_autoscaling_group;