feat(autoscaling): add new check `autoscaling_group_multiple_instance…

…_types` (#5325)

Co-authored-by: Sergio <[email protected]>

prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.metadata.json

@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "autoscaling_group_multiple_instance_types",
+  "CheckTitle": "EC2 Auto Scaling Group should use multiple instance types in multiple Availability Zones.",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "autoscaling",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:autoscaling:region:account-id:autoScalingGroupName/resource-name",
+  "Severity": "medium",
+  "ResourceType": "AwsAutoScalingAutoScalingGroup",
+  "Description": "This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types in all the Availability Zones, meaning that there should be multiple Availability Zones with multiple instances on each one. The control fails if the Auto Scaling group has only one instance type defined.",
+  "Risk": "Using only one instance type in an Auto Scaling group reduces the flexibility to launch new instances when there is insufficient capacity for that specific type, potentially affecting the availability of the application.",
+  "RelatedUrl": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws autoscaling create-auto-scaling-group --mixed-instances-policy ...",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-6",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure your EC2 Auto Scaling group to use multiple instance types across multiple Availability Zones.",
+      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AutoScaling/asg-multiple-instance-type-az.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/aws/services/autoscaling/autoscaling_group_multiple_instance_types/autoscaling_group_multiple_instance_types.py

@@ -0,0 +1,34 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.autoscaling.autoscaling_client import (
+    autoscaling_client,
+)
+
+
+class autoscaling_group_multiple_instance_types(Check):
+    def execute(self):
+        findings = []
+        for group in autoscaling_client.groups:
+            report = Check_Report_AWS(self.metadata())
+            report.region = group.region
+            report.resource_id = group.name
+            report.resource_arn = group.arn
+            report.resource_tags = group.tags
+            report.status = "FAIL"
+            report.status_extended = f"Autoscaling group {group.name} does not have multiple instance types in multiple Availability Zones."
+
+            failing_azs = []
+
+            for az, types in group.az_instance_types.items():
+                if len(types) < 2:
+                    failing_azs.append(az)
+
+            if not failing_azs and len(group.az_instance_types) > 1:
+                report.status = "PASS"
+                report.status_extended = f"Autoscaling group {group.name} has multiple instance types in each of its Availability Zones."
+            elif failing_azs:
+                azs_str = ", ".join(failing_azs)
+                report.status_extended = f"Autoscaling group {group.name} has only one or no instance types in Availability Zone(s): {azs_str}."
+
+            findings.append(report)
+
+        return findings

prowler/providers/aws/services/autoscaling/autoscaling_service.py

@@ -66,13 +66,25 @@ def _describe_auto_scaling_groups(self, regional_client):
                             self.audit_resources,
                         )
                     ):
+                        instance_types = []
+                        az_instance_types = {}
+                        for instance in group.get("Instances", []):
+                            az = instance["AvailabilityZone"]
+                            instance_type = instance["InstanceType"]
+                            instance_types.append(instance_type)
+                            if az not in az_instance_types:
+                                az_instance_types[az] = set()
+                            az_instance_types[az].add(instance_type)
+
                         self.groups.append(
                             Group(
                                 arn=group.get("AutoScalingGroupARN"),
                                 name=group.get("AutoScalingGroupName"),
                                 region=regional_client.region,
                                 availability_zones=group.get("AvailabilityZones"),
                                 tags=group.get("Tags"),
+                                instance_types=instance_types,
+                                az_instance_types=az_instance_types,
                                 launch_template=group.get("LaunchTemplate", {}),
                                 mixed_instances_policy_launch_template=group.get(
                                     "MixedInstancesPolicy", {}
@@ -154,6 +166,8 @@ class Group(BaseModel):
     region: str
     availability_zones: list
     tags: list = []
+    instance_types: list = []
+    az_instance_types: dict = {}
     launch_template: dict = {}
     mixed_instances_policy_launch_template: dict = {}
     health_check_type: str