Auto Scaling Group Protection

Policy Description

What this SCP does

This Service Control Policy (SCP) restricts who can modify or delete Auto Scaling groups, ensuring that production scaling configurations are not changed without proper authorization. This helps maintain application availability.

By limiting Auto Scaling group modifications to only principals with the InfrastructureAdmin role tag, this policy protects your scaling infrastructure from unauthorized changes, ensuring that only designated infrastructure administrators can adjust scaling parameters that might affect application performance and resilience.

Validation Strategy

How to test this SCP works

To validate this SCP, try to create and modify an Auto Scaling group with and without the required role tag.

Valid test: Create IAM roles with and without the InfrastructureAdmin role tag
Valid test: Create an Auto Scaling group (should succeed for all roles)
Expected result: Updating or deleting the Auto Scaling group should succeed for roles tagged with Role=InfrastructureAdmin, but fail for other roles

This testing approach confirms that only properly tagged roles can make changes to Auto Scaling infrastructure, while all other principals are prevented from modifying or removing these critical scaling resources.

SCP Policy & Validation Scenarios

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAutoScalingGroupModification",
      "Effect": "Deny",
      "Action": [
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalTag/Role": "InfrastructureAdmin"
        }
      }
    }
  ]
}

# Create a launch template
aws ec2 create-launch-template \
    --launch-template-name test-template \
    --version-description test-v1 \
    --launch-template-data '{"ImageId":"ami-0c55b159cbfafe1f0","InstanceType":"t2.micro"}'

# Create an Auto Scaling group
aws autoscaling create-auto-scaling-group \
    --auto-scaling-group-name test-asg \
    --launch-template "LaunchTemplateName=test-template,Version=1" \
    --min-size 1 \
    --max-size 3 \
    --desired-capacity 1 \
    --vpc-zone-identifier "subnet-12345678,subnet-87654321"

# Try to update the Auto Scaling group (this should be denied without the proper tag)
aws autoscaling update-auto-scaling-group \
    --auto-scaling-group-name test-asg \
    --max-size 5

# Try to delete the Auto Scaling group (this should be denied without the proper tag)
aws autoscaling delete-auto-scaling-group \
    --auto-scaling-group-name test-asg \
    --force-delete

import boto3
import json

# Initialize clients
ec2_client = boto3.client('ec2')
autoscaling_client = boto3.client('autoscaling')
iam_client = boto3.client('iam')

# Create test resources
try:
    # Create a launch template
    response = ec2_client.create_launch_template(
        LaunchTemplateName='test-template',
        VersionDescription='test-v1',
        LaunchTemplateData={
            'ImageId': 'ami-0c55b159cbfafe1f0',  # Update with a valid AMI for your region
            'InstanceType': 't2.micro'
        }
    )
    print("Created launch template")
    
    # Find a valid subnet to use
    vpc_response = ec2_client.describe_vpcs(MaxResults=5)
    if not vpc_response['Vpcs']:
        raise Exception("No VPCs found")
    
    vpc_id = vpc_response['Vpcs'][0]['VpcId']
    subnet_response = ec2_client.describe_subnets(
        Filters=[{'Name': 'vpc-id', 'Values': [vpc_id]}],
        MaxResults=5
    )
    
    if not subnet_response['Subnets']:
        raise Exception("No subnets found")
    
    subnet_id = subnet_response['Subnets'][0]['SubnetId']
    
    # Create an Auto Scaling group
    autoscaling_client.create_auto_scaling_group(
        AutoScalingGroupName='test-asg',
        LaunchTemplate={
            'LaunchTemplateName': 'test-template',
            'Version': '$Latest'
        },
        MinSize=1,
        MaxSize=3,
        DesiredCapacity=1,
        VPCZoneIdentifier=subnet_id
    )
    print("Created Auto Scaling group")
    
    # Create roles with and without required tag
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
    # Create admin role with required tag
    iam_client.create_role(
        RoleName='InfraAdmin',
        AssumeRolePolicyDocument=json.dumps(trust_policy),
        Tags=[{
            'Key': 'Role',
            'Value': 'InfrastructureAdmin'
        }]
    )
    print("Created admin role with required tag")
    
    # Create regular role without required tag
    iam_client.create_role(
        RoleName='RegularUser',
        AssumeRolePolicyDocument=json.dumps(trust_policy)
    )
    print("Created regular role without required tag")
    
    print("Note: To fully test this SCP, you'd need to:")
    print("1. Assume each role and attempt to modify or delete the Auto Scaling group")
    print("2. Operations should succeed with InfraAdmin role but fail with RegularUser role")
    
    # Try to update the Auto Scaling group directly (before role assumption)
    try:
        autoscaling_client.update_auto_scaling_group(
            AutoScalingGroupName='test-asg',
            MaxSize=5
        )
        print("Successfully updated Auto Scaling group - SCP not yet effective or not working")
    except Exception as e:
        print(f"Error updating Auto Scaling group: {e}")
    
    # Clean up
    try:
        autoscaling_client.delete_auto_scaling_group(
            AutoScalingGroupName='test-asg',
            ForceDelete=True
        )
        print("Deleted Auto Scaling group")
    except Exception as e:
        print(f"Error deleting Auto Scaling group: {e}")
    
    try:
        ec2_client.delete_launch_template(LaunchTemplateName='test-template')
        print("Deleted launch template")
    except Exception as e:
        print(f"Error deleting launch template: {e}")
    
    try:
        iam_client.delete_role(RoleName='InfraAdmin')
        iam_client.delete_role(RoleName='RegularUser')
        print("Deleted IAM roles")
    except Exception as e:
        print(f"Error deleting IAM roles: {e}")
        
except Exception as e:
    print(f"Error during test setup: {e}")