AutoScaling.9: Deprecated launch configurations are still in use

What does AWS Security Hub AutoScaling.9 check?

AutoScaling.9 fails when an Auto Scaling group is still backed by a launch configuration rather than a launch template. The control checks whether the group references a LaunchConfigurationName instead of a LaunchTemplate.

Why does AutoScaling.9 matter?

AWS deprecated launch configurations in 2022, and they cannot express newer capabilities — pinned IMDSv2 metadata options, mixed instance policies, and current instance generations. A group stuck on a launch configuration is unable to enforce the single biggest hardening move, IMDSv2, on its fleet. Migrating to launch templates unblocks that and keeps the group on a supported provisioning path.

How do I fix AutoScaling.9?

1. Discover which groups still reference a launch configuration.
2. Create an equivalent launch template from the existing settings, watching the field-mapping differences.
3. Attach the launch template to the group as its launch source.
4. Run an instance refresh to roll the fleet onto the template with zero downtime.

# Swap the ASG's launch source from LC to LT — running instances are untouched.
aws autoscaling update-auto-scaling-group \
  --auto-scaling-group-name prod-api-asg \
  --launch-template LaunchTemplateId=lt-0fe3d2c1b4a5968e7,Version='$Latest'

# Roll the fleet to the new template at 90% min-healthy.
aws autoscaling start-instance-refresh \
  --auto-scaling-group-name prod-api-asg \
  --preferences '{"MinHealthyPercentage":90,"InstanceWarmup":120}'

# Verify the LC reference is gone — AutoScaling.9 should clear on next eval.
aws autoscaling describe-auto-scaling-groups \
  --auto-scaling-group-names prod-api-asg \
  --query 'AutoScalingGroups[0].{LC:LaunchConfigurationName,LT:LaunchTemplate}'