Ensure that EC2 instances provisioned outside of AWS Auto Scaling Groups (ASGs) have the Termination Protection safety feature enabled, so that the instances cannot be terminated accidentally.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
For EC2 instances provisioned manually, once the Termination Protection feature is enabled you will not be able to terminate the instances from the AWS Management Console, the AWS API or the CLI until termination protection has been disabled again. However, this does not prevent an instance from being terminated if its Shutdown Behavior is set to 'Terminate' and an OS-level shutdown is performed. To make sure your instances cannot be accidentally terminated, first set the instance Shutdown Behavior to 'Stop' (which sets the InstanceInitiatedShutdownBehavior attribute to 'stop'), then enable the Termination Protection safety precaution (which sets the DisableApiTermination attribute to true).
For EC2 instances provisioned automatically via AWS CloudFormation, once the Termination Protection feature is enabled you will not be able to delete the stack containing the instance until the feature has been disabled in your CloudFormation template (by setting the DisableApiTermination attribute to false).
By default, the EBS volumes attached to an EC2 instance are deleted when the instance is terminated (the DeleteOnTermination attribute is set to true). With the Termination Protection feature enabled, your instances cannot be accidentally terminated (permanently deleted), which keeps the data on those volumes safe.
Audit
To determine if your existing EC2 instances (provisioned manually or automatically via AWS CloudFormation) have termination protection enabled, perform the following:
Remediation / Resolution
Case A: To enable Termination Protection for your EC2 instances launched manually using the AWS Management Console, AWS API or CLI, perform the following:
Case B: To enable Termination Protection for EC2 instances launched automatically within a CloudFormation stack, perform the following:
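The audit and remediation logic described above, as an added example that is not part of the Cloud Conformity rule or of any AWS tooling. It works on the JSON shape that the ec2 describe-instance-attribute command returns for the disableApiTermination and instanceInitiatedShutdownBehavior attributes (Case A), and on a CloudFormation template loaded as a dictionary (Case B). All instance IDs, responses and the template are constructed samples; the modify-instance-attribute invocations it emits use the generic --attribute/--value form, which is an assumption to check against the CLI reference before use.

```python
"""Audit EC2 Termination Protection (added example, not the rule's own code).

Inputs mirror `aws ec2 describe-instance-attribute` responses and a
CloudFormation template dict. Every sample value below is constructed.
"""

# Constructed sample responses, shaped like describe-instance-attribute output.
SAMPLE_ATTRIBUTES = {
    "i-0aaaaaaaaaaaaaaa1": (  # compliant: shutdown behaviour 'stop' + protection on
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "DisableApiTermination": {"Value": True}},
        {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "InstanceInitiatedShutdownBehavior": {"Value": "stop"}},
    ),
    "i-0bbbbbbbbbbbbbbb2": (  # protected, but an OS-level shutdown still terminates it
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "DisableApiTermination": {"Value": True}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "InstanceInitiatedShutdownBehavior": {"Value": "terminate"}},
    ),
    "i-0ccccccccccccccc3": (  # default launch settings: no protection
        {"InstanceId": "i-0ccccccccccccccc3", "DisableApiTermination": {"Value": False}},
        {"InstanceId": "i-0ccccccccccccccc3", "InstanceInitiatedShutdownBehavior": {"Value": "stop"}},
    ),
}

# Constructed CloudFormation template; "Worker" relies on the defaults
# (DisableApiTermination false, shutdown behaviour stop).
SAMPLE_TEMPLATE = {
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-EXAMPLE", "DisableApiTermination": True,
                           "InstanceInitiatedShutdownBehavior": "stop"},
        },
        "Worker": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-EXAMPLE"}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    }
}

FINDING_SHUTDOWN = "InstanceInitiatedShutdownBehavior is not 'stop'"
FINDING_TERMINATION = "DisableApiTermination is not true"


def _is_true(value):
    """Accept a real boolean or the string form a YAML/JSON template may carry."""
    return value is True or str(value).lower() == "true"


def audit_instance(termination_attr, shutdown_attr):
    """Return the findings for one instance; an empty list means compliant."""
    findings = []
    # describe-instance-attribute nests each attribute under {"Value": ...}
    if shutdown_attr.get("InstanceInitiatedShutdownBehavior", {}).get("Value") != "stop":
        findings.append(FINDING_SHUTDOWN)
    if not _is_true(termination_attr.get("DisableApiTermination", {}).get("Value")):
        findings.append(FINDING_TERMINATION)
    return findings


def remediation_commands(instance_id, findings):
    """Build the CLI calls that fix the findings, in the order the rule requires:
    shutdown behaviour first, then termination protection.
    The --attribute/--value form is assumed; verify it against the CLI reference."""
    cmds = []
    if FINDING_SHUTDOWN in findings:
        cmds.append(f"aws ec2 modify-instance-attribute --instance-id {instance_id} "
                    "--attribute instanceInitiatedShutdownBehavior --value stop")
    if FINDING_TERMINATION in findings:
        cmds.append(f"aws ec2 modify-instance-attribute --instance-id {instance_id} "
                    "--attribute disableApiTermination --value true")
    return cmds


def audit_cfn_template(template):
    """Return {logical_id: findings} for every AWS::EC2::Instance in the template."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Instance":
            continue
        props = resource.get("Properties", {})
        # Shape the properties like API responses so the same check applies;
        # an omitted shutdown behaviour defaults to 'stop' in CloudFormation.
        results[logical_id] = audit_instance(
            {"DisableApiTermination": {"Value": props.get("DisableApiTermination", False)}},
            {"InstanceInitiatedShutdownBehavior":
                {"Value": props.get("InstanceInitiatedShutdownBehavior", "stop")}},
        )
    return results


if __name__ == "__main__":
    for instance_id, (term, shut) in SAMPLE_ATTRIBUTES.items():
        findings = audit_instance(term, shut)
        print(instance_id, "OK" if not findings else findings)
        for cmd in remediation_commands(instance_id, findings):
            print("   ", cmd)
    for logical_id, findings in audit_cfn_template(SAMPLE_TEMPLATE).items():
        print(logical_id, "OK" if not findings else findings)
```

Run the file directly to see the report for the constructed samples; replace the sample dictionaries with the parsed output of describe-instance-attribute (one call per attribute) or with a template loaded by a YAML/JSON parser to audit real resources. The instance with shutdown behaviour 'terminate' is deliberately reported even though DisableApiTermination is true, because that is exactly the gap the rule description warns about.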
References
- AWS Documentation
  - Amazon EC2 FAQs
  - Terminate Your Instance
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-instances
    - describe-instance-attribute
    - modify-instance-attribute
  - cloudformation
    - update-stack
Rule: EC2 Instance Termination Protection
Risk level: Medium