EC2 Launch Template Discipline
Launch templates standardise instance configuration. The discipline that keeps them current and used.
Required for ASGs
EC2 instance launch template discipline is the practice of defining every instance's configuration in a versioned, IaC-managed launch template and using those templates consistently across the fleet. Launch configurations are deprecated; templates are versioned; the team's discipline is to use templates, and only templates, for every Auto Scaling Group.
What "required for ASGs" provides:
- All ASGs use launch templates: every production Auto Scaling Group launches from a launch template. The rule has no exceptions; no ASG uses a legacy launch configuration.
- Launch configurations are deprecated: AWS has deprecated them, new AWS accounts can no longer create them, and they lack newer capabilities such as mixing instance types and purchase options in one ASG. Existing ASGs should migrate; AWS's direction forces the discipline.
- Launch templates are versioned: a template holds many numbered, immutable versions, and an ASG references one of them, either by number or through the `$Default` or `$Latest` alias. Pin a number: with `$Latest`, creating a version silently changes what the ASG launches next, and rollback means repinning anyway.
- New version per change: even a one-line change gets a new version. The version history then captures every change, and rollback is precise.
- Old versions retained for rollback: if a change is wrong, the ASG is pointed back at the previous version and recovery is fast. Note that changing the ASG's version only affects instances launched afterwards; run an instance refresh to replace the running ones, for rollouts and rollbacks alike.
- IaC-managed: templates are created and versioned by Terraform or CloudFormation. No click-built templates in production, and no console edits to IaC-owned templates, which show up as drift on the next plan.
The required practices are foundational. The discipline scales with the team's fleet.
Standard defaults
Standard defaults make the team's templates consistent. Each new template inherits the standard; the team's discipline is built into the foundation.
- Encrypted volumes always: every EBS mapping in the template sets `Encrypted=true` explicitly rather than relying on the account's default EBS encryption setting or the AMI's snapshot. This matches AWS security baselines and protects the team's data at rest.
- IMDSv2 required, hop limit 1: `HttpTokens=required` and `HttpPutResponseHopLimit=1`. Requiring a session token defeats the classic SSRF-to-IMDS credential theft, because the token is obtained with a PUT carrying a custom header that typical SSRF primitives cannot send. A hop limit of 1 keeps the token response from crossing a network hop, which also means containers on a Docker bridge network cannot reach the instance role; give such workloads a task or pod role, or document the exception that raises the limit to 2.
- Detailed monitoring enabled: CloudWatch detailed monitoring publishes 1-minute instead of 5-minute metrics. Observability improves; the extra charge is per instance and predictable.
- Standard security group with restricted ingress: the security group referenced by the template allows only the ports the workload needs, from specific source CIDRs or security groups, and never 0.0.0.0/0 on management ports.
- Document the defaults: the template documentation records each default and its rationale. New templates inherit them; any deviation is documented with its reason, so the discipline is preserved.
The standard defaults are the discipline encoded. New templates start from a known-good baseline.
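As an added example (not code from the page or from Nova AI Ops), here is a Python audit of one launch template version against the standard defaults above. It reads the `LaunchTemplateData` shape that boto3's `ec2.describe_launch_template_versions()` returns; the two sample versions, the placeholder AMI id and the instance types are constructed by hand, so it runs offline and makes no AWS calls. It goes slightly beyond the list by distinguishing settings that are wrong from settings that are merely not pinned, since an omitted `HttpTokens` or root volume mapping inherits whatever the AMI or account default happens to be.

```python
"""Audit a launch template version against the standard defaults above.

Added example, not code from the page or from any vendor. The input is the
LaunchTemplateData dict as returned by boto3's
ec2.describe_launch_template_versions(); the two samples at the bottom are
constructed by hand so the script runs offline.
"""
from typing import Dict, List


def audit_launch_template_data(ltd: Dict) -> List[str]:
    """Return findings for one version; an empty list means it matches the baseline."""
    findings: List[str] = []

    # 1. Encrypted volumes. Each EBS mapping must set Encrypted=True itself.
    #    With no mapping at all, the root volume's encryption comes from the AMI
    #    snapshot or the account's default EBS encryption setting, so it is
    #    reported as "not pinned" rather than "unencrypted".
    mappings = ltd.get("BlockDeviceMappings", [])
    if not mappings:
        findings.append("ebs: no BlockDeviceMappings, root volume encryption is not pinned")
    for m in mappings:
        ebs = m.get("Ebs")
        if ebs is None:
            continue  # instance-store (VirtualName) or NoDevice entries carry no EBS settings
        if not ebs.get("Encrypted", False):
            findings.append(f"ebs: {m.get('DeviceName', '?')} is not encrypted")

    # 2. IMDSv2 required, hop limit 1. A disabled endpoint is stricter than the
    #    baseline and is not flagged.
    md = ltd.get("MetadataOptions", {})
    if md.get("HttpEndpoint") != "disabled":
        if md.get("HttpTokens") != "required":
            findings.append(
                f"imds: HttpTokens is {md.get('HttpTokens')!r}, expected 'required' "
                "(unset falls back to the AMI/account default, which may still allow IMDSv1)")
        hop = md.get("HttpPutResponseHopLimit")
        if hop != 1:
            findings.append(
                f"imds: HttpPutResponseHopLimit is {hop!r}, expected 1 "
                "(2 or more lets bridge-networked containers reach the instance role; "
                "unset is not pinned)")

    # 3. Detailed monitoring.
    if not ltd.get("Monitoring", {}).get("Enabled", False):
        findings.append("monitoring: detailed CloudWatch monitoring is not enabled")

    return findings


# Constructed samples: a version that matches the baseline and one that does not.
GOOD_TEMPLATE_DATA = {
    "ImageId": "ami-0123456789abcdef0",  # placeholder, not a real AMI
    "InstanceType": "m6i.large",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda",
         "Ebs": {"VolumeSize": 30, "VolumeType": "gp3", "Encrypted": True,
                 "DeleteOnTermination": True}},
    ],
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                        "HttpPutResponseHopLimit": 1},
    "Monitoring": {"Enabled": True},
}

BAD_TEMPLATE_DATA = {
    "ImageId": "ami-0123456789abcdef0",  # placeholder, not a real AMI
    "InstanceType": "t3.medium",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "Encrypted": False}},
        {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"},  # skipped: no Ebs block
    ],
    "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
    "Monitoring": {"Enabled": False},
}

if __name__ == "__main__":
    for name, data in (("good", GOOD_TEMPLATE_DATA), ("bad", BAD_TEMPLATE_DATA)):
        print(name, audit_launch_template_data(data) or ["OK"])
```

Run it over every version that an ASG resolves to, not only the latest one; a stale pinned version can fail the baseline while the newest passes. The security group check is deliberately absent here, because ingress rules live on the group, not in the template data, and need a separate `describe_security_groups` pass.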
Version management
Version management is the operational discipline for templates. Version descriptions, cleanup, and review keep the version inventory healthy.
- Describe every version: each version's `VersionDescription` states what changed and why. Tags attach to the template, not to its versions, so the description is where the per-version history lives; it is searchable and auditable.
- Delete old versions after migration: once every ASG has moved to a new version, retire the old ones. There is no deprecation flag on a version; you remove it with `aws ec2 delete-launch-template-versions`, and the default version cannot be deleted until another version has been made the default.
- Clean up after rollout: old versions accumulate without action. The team removes obsolete ones as part of closing out each rollout, keeping enough recent history for rollback.
- Quarterly review: the team reviews the version inventory quarterly: versions in use, versions available, and ASGs still referencing `$Latest`. Drift surfaces; remediation follows.
- Drift surfaces: ASGs on non-current versions, and any ASG still on a launch configuration, are visible to the compliance scan; the scan drives migration.
Version management is the ongoing discipline. Without it, version inventory becomes unwieldy.
Operating templates
Operational discipline includes per-environment templates, per-team customisations, and compliance scans. The team's launch template program scales with the fleet.
- Per-environment templates: production, staging, and dev each have their own templates. They share the base and differ only in tags and sizes; each template matches its environment's needs.
- Prod, staging, dev share base: encryption, IMDSv2, monitoring, and the security group defaults all come from the common base, so the security posture is identical across environments.
- Differ in tags and sizes: the per-environment differences are explicit and small. Production uses larger instances, dev smaller; the templates state this rather than burying it in ad hoc overrides.
- Per-team customisations via overlays: Team A's template extends the platform base, typically as an IaC module that takes the base and adds team-specific settings such as the AMI or user data. The overlay pattern keeps the platform discipline while accommodating team-specific needs.
- Periodic compliance scan: the team scans for ASGs on non-current versions, on `$Latest`, or on launch configurations, and for template versions that violate the standard defaults. Drift is surfaced; remediation follows; the discipline is maintained.
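A version drift scan, as an added example serving both the version management list and the compliance scan above (not the page's or Nova AI Ops's code). It works on the dict shapes returned by boto3's `autoscaling.describe_auto_scaling_groups()` and `ec2.describe_launch_templates()`, plus the version numbers from `ec2.describe_launch_template_versions()`; the inventory, template ids and ASG names at the bottom are constructed so it runs offline. It flags the three drift cases (ASGs still on a launch configuration, ASGs floating on `$Latest`, and ASGs pinned behind the latest version) and lists the versions that can be deleted once nothing resolves to them.

```python
"""Version drift scan over an ASG and launch template inventory.

Added example, not the page's or any vendor's code. Input shapes follow boto3's
autoscaling.describe_auto_scaling_groups() and ec2.describe_launch_templates(),
plus the version numbers from ec2.describe_launch_template_versions(); the
inventory at the bottom is constructed so the script runs offline.
"""
from typing import Dict, List, Optional, Set


def _template_spec(asg: Dict) -> Optional[Dict]:
    """The LaunchTemplateSpecification an ASG uses, or None if it is on a launch configuration."""
    if "LaunchTemplate" in asg:
        return asg["LaunchTemplate"]
    mip = asg.get("MixedInstancesPolicy")
    if mip:
        return mip["LaunchTemplate"]["LaunchTemplateSpecification"]
    return None


def _resolve(spec: Dict, tpl: Dict) -> int:
    """Turn a version string ('3', '$Default', '$Latest') into the number it launches today."""
    version = spec.get("Version", "$Default")
    if version == "$Latest":
        return tpl["LatestVersionNumber"]
    if version == "$Default":
        return tpl["DefaultVersionNumber"]
    return int(version)


def scan_version_drift(asgs: List[Dict], templates: List[Dict]) -> Dict[str, List[str]]:
    """Return {asg_name: findings} for launch configurations, $Latest, and stale pins."""
    by_id = {t["LaunchTemplateId"]: t for t in templates}
    report: Dict[str, List[str]] = {}
    for asg in asgs:
        findings: List[str] = []
        spec = _template_spec(asg)
        if spec is None:
            findings.append(
                f"launch configuration {asg.get('LaunchConfigurationName')!r}: migrate to a launch template")
        else:
            tpl = by_id.get(spec["LaunchTemplateId"])
            if tpl is None:
                findings.append(f"unknown template {spec['LaunchTemplateId']}")
            elif spec.get("Version") == "$Latest":
                findings.append(
                    f"{tpl['LaunchTemplateName']}: floats on $Latest; a new version changes "
                    "launches without an ASG update, pin a version number")
            else:
                running = _resolve(spec, tpl)
                if running < tpl["LatestVersionNumber"]:
                    findings.append(
                        f"{tpl['LaunchTemplateName']}: on v{running}, latest is v{tpl['LatestVersionNumber']}")
        report[asg["AutoScalingGroupName"]] = findings
    return report


def deletable_versions(asgs: List[Dict], templates: List[Dict],
                       versions: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Versions no ASG resolves to, excluding each template's default and latest:
    candidates for `aws ec2 delete-launch-template-versions` after a rollout.
    (The default version cannot be deleted until another is made the default.)"""
    by_id = {t["LaunchTemplateId"]: t for t in templates}
    in_use: Dict[str, Set[int]] = {tid: set() for tid in by_id}
    for asg in asgs:
        spec = _template_spec(asg)
        if spec and spec["LaunchTemplateId"] in by_id:
            in_use[spec["LaunchTemplateId"]].add(_resolve(spec, by_id[spec["LaunchTemplateId"]]))
    result: Dict[str, List[int]] = {}
    for tid, nums in versions.items():
        tpl = by_id[tid]
        keep = in_use[tid] | {tpl["DefaultVersionNumber"], tpl["LatestVersionNumber"]}
        result[tid] = sorted(n for n in nums if n not in keep)
    return result


# Constructed inventory (ids and names are placeholders, not real resources).
TEMPLATES = [
    {"LaunchTemplateId": "lt-0aaa", "LaunchTemplateName": "platform-base-prod",
     "DefaultVersionNumber": 4, "LatestVersionNumber": 5},
    {"LaunchTemplateId": "lt-0bbb", "LaunchTemplateName": "team-a-web",
     "DefaultVersionNumber": 2, "LatestVersionNumber": 2},
]
VERSIONS = {"lt-0aaa": [1, 2, 3, 4, 5], "lt-0bbb": [1, 2]}
ASGS = [
    {"AutoScalingGroupName": "api-prod",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0aaa", "Version": "3"}},
    {"AutoScalingGroupName": "worker-prod",
     "MixedInstancesPolicy": {"LaunchTemplate": {"LaunchTemplateSpecification":
                              {"LaunchTemplateId": "lt-0aaa", "Version": "$Latest"}}}},
    {"AutoScalingGroupName": "web-a",
     "LaunchTemplate": {"LaunchTemplateId": "lt-0bbb", "Version": "$Default"}},
    {"AutoScalingGroupName": "legacy-batch", "LaunchConfigurationName": "batch-lc-2019"},
]

if __name__ == "__main__":
    for name, findings in scan_version_drift(ASGS, TEMPLATES).items():
        print(name, findings or ["OK"])
    print("deletable:", deletable_versions(ASGS, TEMPLATES, VERSIONS))
```

In production, replace the constructed inventory with paginated API calls and resolve `$Default` at scan time, because changing a template's default version moves every ASG that uses the alias. Treat the deletable list as a proposal for the rollout close-out, not an automatic delete: keep at least the previous known-good version until the new one has run long enough to trust.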
EC2 instance launch template discipline is one of those AWS operational practices that pays off across many instances and many years. Nova AI Ops integrates with EC2 inventory, surfaces template patterns, and supports the team's discipline.