Compliance

Migrate ASGs from Launch Configurations to Launch Templates

Security Hub AutoScaling.9 — Launch Configurations are deprecated and missing modern features. Move every ASG to Launch Templates.

11 min·10 sections·AWS

Last reviewed 27 May 2026

Remediates AWS Security Hub: AutoScaling.9

Launch Configurations vs Launch Templates: the basics

What is AutoScaling.9 actually checking?

An Auto Scaling Group (ASG) needs a recipe that tells it how to launch new instances — which AMI, which instance type, which key pair, which security groups, which user data. AWS has shipped two versions of that recipe over the years: the original Launch Configuration (LC) from 2011, and Launch Templates (LT) introduced in 2017. LCs are immutable single-version blobs; LTs are versioned, support every modern EC2 feature, and can be referenced by multiple ASGs at once.

Security Hub control AutoScaling.9 fails any ASG that still uses an LC instead of an LT. AWS announced LC deprecation in 2022 and stopped allowing new accounts to create them — if you're in a sufficiently old account you can still create LCs today, but the API is on its way out. AutoScaling.9 is AWS telling you: cut over now, while it's a planned migration, not later when a forced cutoff turns it into an incident.

An ASG "in violation" looks like this: the ASG has LaunchConfigurationName set instead of LaunchTemplate. Functionally it still scales; structurally it's locked out of IMDSv2 enforcement, Mixed Instance Policies, Spot Allocation Strategies, T-instance unlimited mode, Capacity Reservations, and the version pinning that makes safe rollouts possible. Every one of those gaps is a feature your security and FinOps teams already want.

In this lesson you'll learn why AWS deprecated Launch Configurations, what Launch Templates unlock, and how to migrate a running ASG with zero downtime. You'll see the CLI calls to discover LC-backed ASGs, create an equivalent Launch Template from existing settings, attach it to the ASG, and roll the fleet via instance refresh — plus the field-mapping gotchas that trip up most migrations.

Fun fact

Created in 2017, still ignored in 2024

Launch Templates have been available since November 2017. When AWS announced LC deprecation in October 2022 — five years later — they reported that the majority of active ASGs were still LC-backed. The Auto Scaling team's blog post politely called this "unexpected." Operationally it meant most accounts had spent half a decade unable to enforce IMDSv2 on autoscaled fleets, the single biggest hardening move available against SSRF-driven credential theft (see the 2019 Capital One breach). AutoScaling.9 exists because nudging didn't work.

Migrating an ASG in action

Marco runs platform engineering at a fintech. A quarterly Security Hub review hands him a list of 23 AutoScaling.9 findings across production accounts — every ASG older than 2020 still backed by a Launch Configuration. The CISO wants IMDSv2 enforced everywhere by quarter-end, which means the LCs have to go first.

He picks the lowest-risk ASG to migrate first: a stateless API tier with rolling deploys already wired up. The plan is straightforward — inventory the LC's settings, create an equivalent LT with IMDSv2=required, attach it to the ASG, then trigger an instance refresh to roll the fleet.

He starts by listing every ASG and flagging which ones are still LC-backed.

First, find every ASG that still uses a Launch Configuration. The query slices to just the fields that decide whether AutoScaling.9 fires.

$ aws autoscaling describe-auto-scaling-groups --query "AutoScalingGroups[*].{Name:AutoScalingGroupName,LC:LaunchConfigurationName,LT:LaunchTemplate.LaunchTemplateName}" --output table

┌────────────────────────┬──────────────────────┬──────────────────────┐

│ Name │ LC │ LT │

├────────────────────────┼──────────────────────┼──────────────────────┤

│ prod-api-asg │ prod-api-lc-2019 │ None │

│ prod-worker-asg │ prod-worker-lc-v3 │ None │

│ prod-batch-asg │ None │ prod-batch-lt │

│ staging-api-asg │ staging-api-lc-old │ None │

└────────────────────────┴──────────────────────┴──────────────────────┘

# Three ASGs still LC-backed. Each one is an AutoScaling.9 finding.

ASG inventory — anything in the LC column needs migrating.

Next, create a Launch Template that mirrors the existing LC's settings, plus IMDSv2=required and any other modern hardening you want from day one.

$ aws ec2 create-launch-template --launch-template-name prod-api-lt --version-description initial-from-lc --launch-template-data file://prod-api-lt.json

{

"LaunchTemplate": {

"LaunchTemplateId": "lt-0fe3d2c1b4a5968e7",

"LaunchTemplateName": "prod-api-lt",

"DefaultVersionNumber": 1,

"LatestVersionNumber": 1

}

# LT created with IMDSv2 required, same AMI/instance type/SGs as the old LC.

New Launch Template, version 1, ready to attach.

What changes at the ASG API layerdeep dive

An ASG's launch source is one of three mutually exclusive fields: LaunchConfigurationName (the legacy single-version blob), LaunchTemplate (a versioned reference, optionally pinned to a specific version or $Latest/$Default), or MixedInstancesPolicy (a Launch Template plus Spot/On-Demand mixing rules). The migration call is a single update-auto-scaling-group that swaps one for the other — AWS clears the LC reference automatically when you set an LT.

Running instances keep running. The ASG only consults the launch source when it has to launch a new instance — for scale-out, replacement of a terminated host, or an instance refresh. That's what makes the migration safe online: you cut over the recipe at any time, then control rollout speed through instance refresh's MinHealthyPercentage and InstanceWarmup knobs.

Field mapping is mostly 1:1 but watch three gotchas. First, BlockDeviceMappings use a different JSON shape — LC uses string sizes ("VolumeSize": "100"), LT uses integers ("VolumeSize": 100). Second, the IAM instance profile is referenced by name in an LC but by ARN or name in an LT (ARN is safer — names get reused). Third, LCs don't have a MetadataOptions block at all; you add it in the LT to enforce IMDSv2 (HttpTokens: required, HttpPutResponseHopLimit: 1).

# Inspect the source LC's settings before writing the LT JSON.
aws autoscaling describe-launch-configurations \
  --launch-configuration-names prod-api-lc-2019 \
  --query 'LaunchConfigurations[0].{AMI:ImageId,Type:InstanceType,Key:KeyName,SGs:SecurityGroups,Profile:IamInstanceProfile,UserData:UserData}'

# AutoScaling.9 detection — any ASG with a non-null LC name is a finding.
aws autoscaling describe-auto-scaling-groups \
  --query "AutoScalingGroups[?LaunchConfigurationName!=null].AutoScalingGroupName"

What is the impact of staying on Launch Configurations?

The most direct impact is the features you can't have. LCs don't support IMDSv2 enforcement at all — every instance the ASG launches has IMDSv1 reachable, which is the exact attack surface that exfiltrated Capital One's credentials in 2019. AutoScaling.9 and EC2.8 are linked findings; you can't close the second without closing the first.

The second-order impact is FinOps. LCs can't reference a Mixed Instance Policy, which is the only way to combine Spot and On-Demand capacity in one ASG. Teams on LCs end up running parallel ASGs — one Spot, one On-Demand — and reinventing the allocation strategy AWS already provides for free. The Spot Allocation Strategies (price-capacity-optimized, capacity-optimized) that consistently produce 60-90% savings on stateless workloads are LT-only.

The third-order impact is operational. LCs are immutable — every change creates a brand-new LC that you have to re-attach to the ASG manually. LTs are versioned: you create version 2, point the ASG at $Latest, instance refresh rolls the fleet. Roll-back is one CLI call to flip the default version. On LCs, rollback means re-creating the old LC from memory or version control because the original is gone.

And there's the deprecation cliff. AWS has not announced a hard end-of-life date, but new accounts have been blocked from creating LCs since 2023. When the hard cutoff comes (AWS deprecation timelines historically run 18-36 months from announcement), every LC-backed ASG that hasn't migrated stops being able to launch new instances — which means it stops being able to scale or replace failed hosts. Migrating now is planned work; migrating then is an outage.

How do you migrate ASGs to Launch Templates safely?

Migration is a four-step loop per ASG. Done in order, every step is reversible and the fleet keeps serving traffic the whole way through.

1. Inventory every LC-backed ASG and IaC source

Run describe-auto-scaling-groups filtered on non-null LaunchConfigurationName to get the runtime list. Then check your CloudFormation/Terraform/CDK sources — if the LC is managed in IaC, you have to update the source concurrently or the next apply will recreate it. CloudFormation has AWS::EC2::LaunchTemplate; Terraform has aws_launch_template plus launch_template on aws_autoscaling_group. Don't migrate runtime and then let IaC drift it back.

2. Create the Launch Template with hardening built in

Pull the LC's current settings and translate them into LT JSON — AMI, instance type, key pair, security group IDs, user data (base64-encoded), IAM instance profile ARN. Add a MetadataOptions block with HttpTokens: required to enforce IMDSv2 from day one. This is the moment to close AutoScaling.9 and EC2.8 in the same change.

3. Attach the LT and roll the fleet via instance refresh

update-auto-scaling-group --launch-template LaunchTemplateId=lt-...,Version=$Latest swaps the source in place — existing instances keep running. Then start-instance-refresh with a sane MinHealthyPercentage (90 for stateless tiers, higher for stateful) drains and replaces each instance against the new template. Watch the refresh status; abort and roll back the LT version if anything goes wrong.

4. Prevent recurrence with AWS Config and SCPs

Enable the AWS Config managed rule autoscaling-launch-config-prohibited to fail-fast on any newly-created LC-backed ASG. For prevention at the org level, attach a Service Control Policy that denies autoscaling:CreateLaunchConfiguration outright — there's no legitimate reason to create a new LC in 2026. Add an alarm on the AutoScaling.9 control so a fresh finding pages someone before it ages.

# Swap the ASG's launch source from LC to LT — running instances are untouched.
aws autoscaling update-auto-scaling-group \
  --auto-scaling-group-name prod-api-asg \
  --launch-template LaunchTemplateId=lt-0fe3d2c1b4a5968e7,Version='$Latest'

# Roll the fleet to the new template at 90% min-healthy.
aws autoscaling start-instance-refresh \
  --auto-scaling-group-name prod-api-asg \
  --preferences '{"MinHealthyPercentage":90,"InstanceWarmup":120}'

# Verify the LC reference is gone — AutoScaling.9 should clear on next eval.
aws autoscaling describe-auto-scaling-groups \
  --auto-scaling-group-names prod-api-asg \
  --query 'AutoScalingGroups[0].{LC:LaunchConfigurationName,LT:LaunchTemplate}'

Quick quiz

Question 1 of 5

You’ve inventoried 23 LC-backed ASGs. What’s the right first move for the lowest-risk ASG?

Keep learning

Dig deeper into Launch Templates, instance refresh, and AutoScaling hardening.

You've completed Migrate ASGs from Launch Configurations to Launch Templates. You can now find every LC-backed ASG in an account, translate its settings into a Launch Template with IMDSv2 enforced, swap the launch source in place, and roll the fleet via instance refresh without touching running traffic. The next time AutoScaling.9 fires, you'll have a four-step loop ready to run — and you'll close EC2.8 in the same change window.

Back to the library

AutoScaling.9: what it costs to stay on Legacy Launch Configurations

A deprecation risk with a direct FinOps penalty — Spot savings and IMDSv2 hardening are both blocked

Every Auto Scaling Group needs a template that tells EC2 how to launch new instances — instance type, AMI, security groups, and so on. The original format, called a Launch Configuration, is frozen and being deprecated by AWS. The replacement, Launch Templates, is versioned and supports every modern EC2 feature. Security Hub control AutoScaling.9 flags any ASG still running on the old format.

The FinOps angle is concrete: Launch Configurations cannot be used with Mixed Instance Policies, which is the only native mechanism to mix Spot and On-Demand capacity in a single ASG. That means teams still on Launch Configurations are running separate Spot and On-Demand ASGs, or skipping Spot entirely — forgoing the 60–90% compute savings that Spot provides on stateless workloads. The migration to Launch Templates is therefore both a compliance close and a cost unlock.

There is also a deprecation risk on the spend side. AWS has blocked new accounts from creating Launch Configurations since 2023. When the hard cutoff arrives for existing accounts, any ASG that has not migrated loses the ability to launch new instances — it cannot scale out or replace failed hosts. A migration done today is planned work with a controlled cost; one done under deadline pressure is an incident. Finance should treat open AutoScaling.9 findings on production ASGs as a time-limited risk item, not a routine backlog entry.

This lesson is for the finance partner who sees EC2 compute costs and wants to understand what keeping ASGs on Launch Configurations is actually costing. It explains why this control is simultaneously a deprecation risk and a cost unlock, how Mixed Instance Policies and Spot Allocation Strategies are gated behind Launch Templates, and the practical framing for budgeting the migration work as a planned cost-efficiency investment rather than emergency remediation. No CLI commands required.

Fun fact

Created in 2017, still ignored in 2024

How a finance partner frames the ASG migration decision

Dana is the FinOps lead reviewing the quarterly Security Hub report. AutoScaling.9 shows 23 failures across production accounts. Rather than treat it as a binary engineering to-do, Dana maps each ASG to a workload tier and asks two questions: which of these are running stateless workloads that could use Spot, and which are already using Spot but being managed as two separate ASGs because the LC prevents mixing?

The answer shapes the business case immediately. Eight ASGs are stateless API workers currently running 100% On-Demand because Mixed Instance Policies require Launch Templates. Dana models the Spot savings: at 70% average savings on a blended On-Demand rate of $0.25/hour per instance, with an average of 10 instances per ASG running continuously, the migration unlocks roughly $87,600/year in savings across those eight ASGs alone. The engineering cost to migrate is a few sprints.

Dana presents the migration not as a compliance remediation but as a cost initiative with a compliance by-product. The net ROI framing gets it prioritized: “migrating these 8 ASGs to Launch Templates enables Mixed Instance Policies and unlocks approximately $88k/year in Spot savings — and closes 8 AutoScaling.9 findings as a side effect.” The remaining 15 ASGs are assessed for Spot eligibility separately, but the compliance finding is cleared either way.

The cost and risk exposure of staying on Launch Configurations

The most quantifiable impact is the Spot savings gap. Launch Configurations cannot back a Mixed Instance Policy, which is the mechanism that lets an ASG automatically blend Spot and On-Demand capacity with intelligent fallback. The practical result is that every LC-backed ASG running stateless workloads is paying full On-Demand rates for compute that could be running at 60–90% lower cost on Spot. That gap is measurable: take the On-Demand hourly cost of each ASG’s instance type, multiply by average running hours per month, and apply a 70% Spot discount — the result is the annual dollar value sitting behind this single migration.

The operational cost is also real but harder to forecast. Because Launch Configurations are immutable, every change to an ASG’s instance configuration — AMI update, security group change, user data patch — requires creating a brand-new LC and re-attaching it to the ASG by hand. Launch Templates reduce that to a new template version. The engineering time spent managing LC churn is unbudgeted overhead that disappears after migration.

The deprecation exposure is a tail risk with a finite but unknown time horizon. AWS has blocked new-account LC creation since 2023. The hard cutoff for existing accounts has not been announced, but historical AWS deprecation timelines run 18–36 months from announcement. When it arrives, any LC-backed ASG loses the ability to launch new instances — meaning it cannot scale out or replace a failed host. That scenario has a cost: however much it costs to triage and emergency-migrate production ASGs during an incident, under deadline pressure, potentially during a traffic spike. Finance should price that tail risk against the relatively small cost of a planned migration today.

On the compliance side, AutoScaling.9 findings on production ASGs should be reported with their associated Spot savings opportunity, not just as a finding count. That surfaces the full picture: this is not just a security checkbox but an infrastructure debt item with a calculable return on remediation.

What finance can do to accelerate the ASG migration

Finance cannot run CLI commands, but it owns the budget framing, the prioritization signal, and the governance backstop that makes the migration happen at the right pace. Four levers.

1. Quantify the Spot savings opportunity per ASG before prioritizing

For each LC-backed ASG running a stateless workload, model the Spot savings it would unlock after migration: current On-Demand cost multiplied by average Spot discount (typically 60–90% on compute-optimized and general-purpose instance types). This turns the migration backlog from a compliance queue into a prioritized list ranked by financial return — highest-value ASGs migrate first.

2. Budget the migration as a cost-efficiency project, not a security tax

The engineering sprint to migrate 20–30 ASGs costs a few weeks of platform time. The Spot savings unlocked can pay that back in the first month of operation on migrated workloads. Framing the migration budget as a cost-reduction investment with a measurable payback period gets it prioritized alongside revenue work rather than deferred as overhead.

3. Price the deprecation tail risk explicitly

Put a number on the scenario where AWS enforces the LC cutoff while production ASGs are still non-compliant: the cost of an emergency migration under incident conditions, including engineering overtime, potential scaling failures, and SLA exposure. That number, even as a rough estimate, almost always dwarfs the cost of doing the migration as planned work — and makes the case for urgency without requiring a technical argument.

4. Track Spot adoption rate post-migration as the outcome metric

Closing AutoScaling.9 findings is the input; Spot adoption rate on migrated ASGs is the output that reflects whether the savings opportunity was actually captured. Include it on the monthly cloud cost review: “of the ASGs migrated to Launch Templates this quarter, what percentage are now using Mixed Instance Policies with Spot?” That keeps the migration from becoming a checkbox exercise that never unlocks the cost benefit.

Quick quiz

Question 1 of 5

You’re reviewing the cloud cost roadmap. AutoScaling.9 shows 12 production ASGs still on Launch Configurations, all running stateless API workloads On-Demand at roughly $0.20/hour per instance with an average of 8 instances each. Spot discount is typically 70%. What is the most financially sound recommendation?

Keep learning

Dig deeper into Launch Templates, instance refresh, and AutoScaling hardening.

You’ve completed the finance view of AutoScaling.9. You now know that staying on Launch Configurations is not just a compliance gap but a direct cost blocker — Mixed Instance Policies and Spot Allocation Strategies are gated behind the migration. You can quantify the Spot savings opportunity per ASG, frame the migration as a cost-reduction investment with a measurable payback, price the deprecation tail risk against the cost of planned work, and track Spot adoption rate post-migration as the outcome that shows the investment actually landed.

Back to the library

AutoScaling.9: a deprecation clock and a Spot savings gap

Old compute templates block cost savings and carry a hard end-of-life risk

AWS is retiring the original recipe format Auto Scaling Groups use to launch instances. Any group still on the old format — flagged by Security Hub as AutoScaling.9 — is locked out of Spot instance savings and running on infrastructure AWS has already stopped supporting for new customers. The fix is a migration to the modern versioned format, which is executable with no downtime.

The leadership question has two parts. First, are any production workloads at risk of losing the ability to scale when AWS eventually enforces the hard cutoff? Second, is the team capturing the 60–90% compute savings that Spot instances provide on eligible workloads — savings that are only available after migration? Both questions have a clear answer once the AutoScaling.9 list is triaged.

A short read for the executive who wants to know what AutoScaling.9 protects and what the two strategic questions are. You’ll get the plain-English version of Launch Configurations versus Launch Templates, why this is both a deprecation clock and a missed-savings signal, and what good looks like: every production ASG on Launch Templates by design, with Spot savings captured and the deprecation risk eliminated. No implementation detail.

Fun fact

Created in 2017, still ignored in 2024

What it looks like when the org treats this as a migration program

At one company the VP of Infrastructure, Kenji, inherited 31 AutoScaling.9 findings when he joined. Engineering treated it as low-priority compliance noise. Kenji reframed it as two problems: a deprecation clock that would eventually prevent those ASGs from scaling, and a feature gate blocking the Spot strategy the board had approved to reduce cloud costs by 15%.

By reframing from ‘compliance finding’ to ‘blocker on the cost reduction program,’ the migration got resource allocation and a deadline. The team migrated all 31 ASGs in six weeks. AutoScaling.9 findings dropped to zero. More significantly, the eight stateless ASGs moved to Mixed Instance Policies on day one of their migration, and the combined Spot savings showed up in the next monthly bill.

The lesson Kenji drew was about framing: AutoScaling.9 looks like a security control but it’s actually a proxy for infrastructure modernity. When the control is green, your ASG fleet is using the current AWS configuration model and capturing the cost-efficiency levers it unlocks. When it’s red, you’re running on frozen infrastructure that AWS has already end-of-lifed for new customers.

Why AutoScaling.9 is on the leadership agenda

This control surfaces two things at once: a capability gap and a deprecation exposure. The capability gap is that ASGs on Launch Configurations cannot use the Spot instance cost model that AWS designed for stateless workloads — a 60–90% savings lever that is gated behind the migration. The deprecation exposure is that AWS has already stopped letting new customers create Launch Configurations, and a hard end-of-life for existing users will eventually follow.

The leadership read is that every AutoScaling.9 finding on a production ASG is both a missed savings opportunity and a system that could lose the ability to scale when AWS enforces the cutoff. Neither is acceptable for infrastructure the business depends on. The right question to ask is: “are we migrating these as a planned program or are we waiting for an incident to force it?”

The healthy end state is not just green checks on the control. It’s that the ASG fleet is on the current AWS configuration model — which means the organization can actually use the cost efficiency and resilience features AWS builds going forward, rather than being locked out by infrastructure debt that predates them.

The leadership posture on AutoScaling.9

The executive handle is to make the migration a governed program with a deadline, not an open-ended backlog item. Three decisions turn it from noise into a completed initiative.

1. Set a migration deadline tied to the deprecation risk

Without a deadline, LC-backed ASGs age indefinitely while the deprecation clock ticks down. A six-to-twelve-week migration program with a hard cutover date converts this from an always-upcoming task to a completed infrastructure modernization. The deadline also forces prioritization — production workloads first, lower environments after.

2. Connect the migration to the Spot savings target

If the organization has a cloud cost reduction goal, Launch Template migration is a direct dependency for stateless workloads. Making that dependency explicit — ‘we cannot hit the compute savings target until these ASGs are migrated’ — elevates AutoScaling.9 from a compliance finding to a blocker on a strategic objective. That is the framing that gets it resourced.

3. Require prevention controls after migration completes

After the migration program closes, a Service Control Policy blocking autoscaling:CreateLaunchConfiguration ensures no new LC-backed ASGs appear by accident. The one-time cost of migrating should never have to be paid again. That’s the difference between a completed remediation and a recurring maintenance tax.

Quick quiz

Question 1 of 5

Your CISO reports that AutoScaling.9 has been green (zero findings) for two quarters, all production ASGs have been migrated to Launch Templates, and Spot adoption is at 68% across stateless workloads. What is the right leadership read?

Keep learning

Dig deeper into Launch Templates, instance refresh, and AutoScaling hardening.

That’s the lesson. Two outcomes from getting AutoScaling.9 to green: the deprecation risk on production scaling capacity is eliminated, and the Spot savings lever is unlocked for stateless workloads. The leadership question is whether the migration is a governed program with a deadline and a prevention control behind it — or an open backlog item that ages until the cutoff forces an incident. Treat it as the former and it pays for itself in the first billing cycle.

Back to the library

Migrate ASGs from Launch Configurations to Launch Templates

Launch Configurations vs Launch Templates: the basics

Created in 2017, still ignored in 2024

Migrating an ASG in action

What changes at the ASG API layerdeep dive

What is the impact of staying on Launch Configurations?

How do you migrate ASGs to Launch Templates safely?

1. Inventory every LC-backed ASG and IaC source

2. Create the Launch Template with hardening built in

3. Attach the LT and roll the fleet via instance refresh

4. Prevent recurrence with AWS Config and SCPs

Quick quiz

Keep learning

AutoScaling.9: what it costs to stay on Legacy Launch Configurations

Created in 2017, still ignored in 2024

How a finance partner frames the ASG migration decision

The cost and risk exposure of staying on Launch Configurations

What finance can do to accelerate the ASG migration

1. Quantify the Spot savings opportunity per ASG before prioritizing

2. Budget the migration as a cost-efficiency project, not a security tax

3. Price the deprecation tail risk explicitly

4. Track Spot adoption rate post-migration as the outcome metric

Quick quiz

Keep learning

AutoScaling.9: a deprecation clock and a Spot savings gap

Created in 2017, still ignored in 2024

What it looks like when the org treats this as a migration program

Why AutoScaling.9 is on the leadership agenda

The leadership posture on AutoScaling.9

1. Set a migration deadline tied to the deprecation risk

2. Connect the migration to the Spot savings target

3. Require prevention controls after migration completes

Quick quiz

Keep learning

Related compliance lessons