More Info:

This rule checks how many network hops the IMDSv2 metadata token may travel, i.e. the instance's metadata response hop limit (HttpPutResponseHopLimit). The rule is NON_COMPLIANT if that hop limit is greater than 1.
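The check itself, as an added example that is not part of the original page: the verdict is computed from the MetadataOptions block that ec2:DescribeInstances returns for each instance (DescribeLaunchTemplateVersions returns the same keys under LaunchTemplateData, so the same function applies to a template version). The sample response, its instance ids and the choice to report an instance whose IMDS endpoint is disabled as compliant are this example's own assumptions; the threshold mirrors the rule.

```python
MAX_HOP_LIMIT = 1          # the rule's threshold: NON_COMPLIANT when the hop limit exceeds it
EC2_DEFAULT_HOP_LIMIT = 1  # value EC2 applies when HttpPutResponseHopLimit is absent


def evaluate_metadata_options(metadata_options):
    """Return 'COMPLIANT' or 'NON_COMPLIANT' for one MetadataOptions dict.

    The dict has the shape EC2 returns for an instance or a launch template version.
    Assumption of this example: an instance whose IMDS endpoint is disabled cannot
    hand out a token at all, so it is reported as compliant.
    """
    metadata_options = metadata_options or {}
    if metadata_options.get("HttpEndpoint") == "disabled":
        return "COMPLIANT"
    hop_limit = int(metadata_options.get("HttpPutResponseHopLimit", EC2_DEFAULT_HOP_LIMIT))
    return "NON_COMPLIANT" if hop_limit > MAX_HOP_LIMIT else "COMPLIANT"


def evaluate_describe_instances(response):
    """Flatten one page of a DescribeInstances response into {InstanceId: verdict}."""
    verdicts = {}
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            verdicts[instance["InstanceId"]] = evaluate_metadata_options(instance.get("MetadataOptions"))
    return verdicts


def non_compliant_instances(response):
    """Instance ids that fail the rule, sorted for stable reporting."""
    return sorted(i for i, v in evaluate_describe_instances(response).items() if v == "NON_COMPLIANT")


# Constructed sample shaped like ec2:DescribeInstances; ids are placeholders, not real instances.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0example1",  # token may cross one extra hop -> fails the rule
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0example2",  # at the threshold -> passes
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0example3",  # field absent -> EC2 default of 1 -> passes
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
            {"InstanceId": "i-0example4",  # IMDS disabled -> compliant under this example's assumption
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 64}},
        ]},
    ]
}


def evaluate_account(region_name=None):
    """Run the same evaluation against a live account (needs boto3 and credentials)."""
    import boto3  # imported here so the pure functions above work without boto3 installed
    ec2 = boto3.client("ec2", region_name=region_name)
    verdicts = {}
    for page in ec2.get_paginator("describe_instances").paginate():
        verdicts.update(evaluate_describe_instances(page))
    return verdicts


if __name__ == "__main__":
    for instance_id, verdict in evaluate_describe_instances(SAMPLE_RESPONSE).items():
        print(f"{instance_id}: {verdict}")
    print("non-compliant:", non_compliant_instances(SAMPLE_RESPONSE))
```

Against the constructed sample only i-0example1 fails; evaluate_account() applies the same logic to every instance in a region by paginating DescribeInstances.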

Risk Level

Medium

Address

Configuration

Compliance Standards

CBP

Remediation

Using Console

To remediate the “Autoscaling Hop Limit Should Be Checked” misconfiguration for AWS EC2 using the AWS console, follow these steps:

  1. Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and login with your credentials.

  2. Navigate to EC2 Dashboard: Click on the “Services” dropdown menu at the top left corner and select “EC2” under the Compute section.

  3. Select Auto Scaling Groups: In the EC2 Dashboard, locate and click on “Auto Scaling Groups” from the navigation pane on the left.

  4. Select the Auto Scaling Group: Identify the Auto Scaling Group that you want to remediate and click on its name to select it.

  5. Edit Auto Scaling Group: In the Auto Scaling Group details page, click on the “Edit” button to modify the group settings.

  6. Configure Auto Scaling Group: Scroll down to find the “Advanced Details” section and look for the “Instance Protection” settings.

  7. Enable Instance Protection: In the “Instance Protection” settings, you should find an option related to “Autoscaling Hop Limit”. Enable this option by checking the box or setting an appropriate value based on your requirements.

  8. Save Changes: Once you have enabled the Autoscaling Hop Limit or set the appropriate value, scroll to the bottom of the page and click on the “Save” button to apply the changes.

  9. Verify Configuration: After saving the changes, it is recommended to verify that the Autoscaling Hop Limit setting has been successfully applied. You can do this by checking the configuration details of the Auto Scaling Group.

By following these steps, you can remediate the “Autoscaling Hop Limit Should Be Checked” misconfiguration for AWS EC2 using the AWS console.

Using CLI

To remediate the misconfiguration of Autoscaling Hop Limit not being checked for AWS EC2 using AWS CLI, follow these steps:

  1. Open your terminal or command prompt.

  2. Run the following AWS CLI command to describe the Auto Scaling groups in your AWS account:

     aws autoscaling describe-auto-scaling-groups

  3. Identify the Auto Scaling group that you want to update with the Autoscaling Hop Limit.

  4. Run the following AWS CLI command to update the Auto Scaling group with the Autoscaling Hop Limit:

     aws autoscaling update-auto-scaling-group --auto-scaling-group-name <your-auto-scaling-group-name> --health-check-type ELB --health-check-grace-period 300

     Replace <your-auto-scaling-group-name> with the actual name of your Auto Scaling group.

  5. Verify that the Autoscaling Hop Limit has been successfully updated by running the following AWS CLI command:

     aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names <your-auto-scaling-group-name> --query "AutoScalingGroups[].HealthCheckType"

     Replace <your-auto-scaling-group-name> with the actual name of your Auto Scaling group.

  6. Ensure that the output of the above command shows “ELB” as the HealthCheckType, which indicates that the Autoscaling Hop Limit has been successfully updated.

By following these steps, you can remediate the misconfiguration of Autoscaling Hop Limit not being checked for AWS EC2 using AWS CLI.

Using Python

To remediate the “Autoscaling Hop Limit Should Be Checked” misconfiguration for AWS EC2 using Python, you can use the AWS SDK for Python (Boto3) to update the Auto Scaling Group settings. Here are the step-by-step instructions:

  1. Install Boto3:

     pip install boto3

  2. Use the following Python script to update the Auto Scaling Group settings to check the “Autoscaling Hop Limit”:

     import boto3

     # Initialize the Boto3 client for Auto Scaling
     client = boto3.client('autoscaling')

     # Specify the name of the Auto Scaling Group you want to update
     auto_scaling_group_name = 'YOUR_AUTO_SCALING_GROUP_NAME'

     # Update the Auto Scaling Group: NewInstancesProtectedFromScaleIn turns on
     # scale-in protection for newly launched instances (the only attribute this call changes)
     response = client.update_auto_scaling_group(
         AutoScalingGroupName=auto_scaling_group_name,
         NewInstancesProtectedFromScaleIn=True
     )

     print(f"Auto Scaling Group {auto_scaling_group_name} updated successfully to check Autoscaling Hop Limit.")

  3. Replace 'YOUR_AUTO_SCALING_GROUP_NAME' with the name of your Auto Scaling Group.

  4. Run the Python script to update the Auto Scaling Group settings. This will enable the “Autoscaling Hop Limit” check for the specified Auto Scaling Group.

By following these steps, you can remediate the “Autoscaling Hop Limit Should Be Checked” misconfiguration for AWS EC2 using Python and Boto3.
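An added example, not the page's or AWS's own code, that sets the value the rule inspects. HttpPutResponseHopLimit is a property of each instance's metadata options and is inherited from the launch template the Auto Scaling group launches from, so remediation has three parts: publish a launch template version with the limit pinned, repoint the group if it references a fixed version number, and change instances that are already running in place, because a new template version affects only future launches. Groups built on a launch configuration are refused, since launch configurations cannot be modified. The ec2 and autoscaling clients are parameters so the logic can be exercised against stubs; the group name, template id and instance ids are placeholders.

```python
TARGET_HOP_LIMIT = 1  # the rule's threshold


def launch_template_spec(group):
    """LaunchTemplateSpecification of a group (plain or mixed-instances policy),
    or None when the group uses a launch configuration instead."""
    if "LaunchTemplate" in group:
        return group["LaunchTemplate"]
    mixed = group.get("MixedInstancesPolicy", {})
    return mixed.get("LaunchTemplate", {}).get("LaunchTemplateSpecification")


def resolve_version(ec2, spec):
    """Turn '$Latest' / '$Default' into the concrete version number it points at."""
    version = str(spec.get("Version", "$Default"))
    if version.isdigit():
        return int(version)
    resp = ec2.describe_launch_template_versions(
        LaunchTemplateId=spec["LaunchTemplateId"], Versions=[version])
    return resp["LaunchTemplateVersions"][0]["VersionNumber"]


def pin_launch_template(ec2, spec, hop_limit=TARGET_HOP_LIMIT):
    """Publish a new template version, copied from the one in use, with the hop limit set.
    Only MetadataOptions is overridden; everything else is inherited from SourceVersion."""
    resp = ec2.create_launch_template_version(
        LaunchTemplateId=spec["LaunchTemplateId"],
        SourceVersion=str(resolve_version(ec2, spec)),
        VersionDescription=f"HttpPutResponseHopLimit={hop_limit}",
        LaunchTemplateData={"MetadataOptions": {"HttpPutResponseHopLimit": hop_limit}},
    )
    return resp["LaunchTemplateVersion"]["VersionNumber"]


def point_group_at_version(ec2, autoscaling, group, spec, new_version):
    """Make the group launch from new_version, honouring how it references the template."""
    pinned = str(spec.get("Version", "$Default"))
    new_spec = {"LaunchTemplateId": spec["LaunchTemplateId"], "Version": str(new_version)}
    if pinned == "$Default":
        ec2.modify_launch_template(LaunchTemplateId=spec["LaunchTemplateId"],
                                   DefaultVersion=str(new_version))
    elif pinned.isdigit():  # group pinned a number: move the group itself
        if "LaunchTemplate" in group:
            autoscaling.update_auto_scaling_group(
                AutoScalingGroupName=group["AutoScalingGroupName"], LaunchTemplate=new_spec)
        else:
            policy = dict(group["MixedInstancesPolicy"])
            policy["LaunchTemplate"] = dict(policy["LaunchTemplate"],
                                            LaunchTemplateSpecification=new_spec)
            autoscaling.update_auto_scaling_group(
                AutoScalingGroupName=group["AutoScalingGroupName"], MixedInstancesPolicy=policy)
    # "$Latest" needs nothing: the version just created is now the latest.


def remediate_group(ec2, autoscaling, group_name, hop_limit=TARGET_HOP_LIMIT):
    """Fix future launches (template) and instances already in the group (in place)."""
    group = autoscaling.describe_auto_scaling_groups(
        AutoScalingGroupNames=[group_name])["AutoScalingGroups"][0]
    spec = launch_template_spec(group)
    if spec is None:
        raise ValueError(f"{group_name} uses a launch configuration; migrate it to a launch template first")
    new_version = pin_launch_template(ec2, spec, hop_limit)
    point_group_at_version(ec2, autoscaling, group, spec, new_version)
    # A new template version affects only future launches; running instances are changed in place.
    updated = []
    for inst in group.get("Instances", []):
        ec2.modify_instance_metadata_options(InstanceId=inst["InstanceId"],
                                             HttpPutResponseHopLimit=hop_limit)
        updated.append(inst["InstanceId"])
    return {"launch_template_version": new_version, "instances_updated": updated}


if __name__ == "__main__":
    import sys
    import boto3  # real clients; requires AWS credentials in the environment
    name = sys.argv[1] if len(sys.argv) > 1 else "YOUR_AUTO_SCALING_GROUP_NAME"  # placeholder
    print(remediate_group(boto3.client("ec2"), boto3.client("autoscaling"), name))
```

Keep TARGET_HOP_LIMIT at 1 unless the workload itself needs the token to cross a hop (containers on bridge networking inside the instance need a limit of 2 with IMDSv2); such groups will keep showing as NON_COMPLIANT under this rule and should be documented as accepted exceptions rather than silently raised.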