EC2 Instance Termination Protection

Risk level: Medium (should be achieved)

Rule ID: EC2-030

Ensure that the EC2 instances provisioned outside of the AWS Auto Scaling Groups (ASGs) have Termination Protection safety feature enabled in order to protect your instances from being accidentally terminated.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

For EC2 instances provisioned manually, once the Termination Protection feature is enabled you will not be able to terminate your EC2 instances using the AWS Management Console, the AWS API or the CLI until the termination protection has been disabled. However, this will not prevent your instances from getting terminated if these have set the Shutdown Behavior flag to 'Terminate' when an OS-level shutdown is performed. To make sure your instances cannot be accidentally terminated, you need to set first the instance Shutdown Behavior value to 'Stop' (which sets the InstanceInitiatedShutdownBehavior attribute value to 'stop') then enable Termination Protection safety precaution (which sets the DisableApiTermination attribute value to true).
For EC2 instances provisioned automatically via AWS Cloudformation, once the Termination Protection feature is enabled you will not be able to delete the stack containing the instance until the feature has been disabled (which sets the DisableApiTermination attribute value to false) in your CloudFormation template.
By default, the volumes associated with the EC2 instances are deleted when these are terminated (the DeletionOnTermination attribute value is set to true). With Termination Protection feature enabled, you have the guarantee that your instances cannot be terminated (permanently deleted) accidentally and make sure that your EBS data remains safe.

Audit

To determine if your existing EC2 instances (provisioned manually or automatically via AWS CloudFormation) have termination protection enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to examine.

05 Select the Description tab from the dashboard bottom panel.

06 In the right column, check the Termination Protection flag value to determine if the feature is enabled or disabled. If the Termination Protection current value is set to False, the feature is not enabled and the selected EC2 instance is not protected against accidental termination.

07 Repeat steps no. 4 – 6 to verify the termination protection current status for the rest of the EC2 instances provisioned in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all the existing EC2 instances currently available in the selected region:

aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance IDs:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0712622d696813002  |
|  i-08c5346e06d9425e7  |
|  i-033801b9c55f55f5d  |
|  i-0b3cdfa00d01f7d0c  |
+-----------------------+

03 Run describe-instance-attribute command (OSX/Linux/UNIX) using an instance ID returned at the previous step as identifier and EC2 attribute filtering to determine the current status of the Termination Protection feature for the selected instance:

aws ec2 describe-instance-attribute
	--region us-east-1
	--instance-id i-0712622d696813002
	--attribute disableApiTermination

04 The command output should return the selected instance attribute metadata:

{
    "InstanceId": "i-0712622d696813002",
    "DisableApiTermination": {
        "Value": false
    }
}

If the DisableApiTermination attribute value is set to false (as shown in the example above), the Termination Protection feature is not enabled for the selected EC2 instance.

05 Repeat steps no. 3 and 4 to verify the feature current status for other EC2 instances available in the current region.

06Repeat steps no. 1 – 5 to repeat the audit process for the other AWS regions.

Remediation / Resolution

Case A: To enable Termination Protection for your EC2 instances launched manually using the AWS Management Console, AWS API or CLI, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to protect against accidental termination.

05 Click on the Actions dropdown button from the dashboard top menu, select Instance Settings and click Change Shutdown Behavior.

06 In the Change Shutdown Behavior dialog box, select Stop from the Shutdown behavior dropdown list and click Apply to apply the changes. Setting the Shutdown Behavior attribute value to 'Stop' will ensure that the instance won’t be terminated if an OS-level shutdown is performed.

07 Click again on the same Actions dropdown button, select Instance Settings and click Change Termination Protection.

08 In the Enable Termination Protection dialog box, review the feature status and click Yes, Enable to confirm the action and turn on the feature. The Termination Protection status should change now from False to True.

09 Repeat steps no. 4 – 8 to enable termination protection for the rest of the EC2 instances provisioned in the current region.

10 Change the AWS region from the navigation bar to repeat the entire process for instances available in the other regions.

Using AWS CLI

01 Run modify-instance-attribute command (OSX/Linux/UNIX) using the instance ID as identifier (see the Audit section to get the necessary instance ID) to update the selected instance configuration and set the Shutdown Behavior attribute value to 'Stop' (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute
	--region us-east-1
	--instance-id i-0712622d696813002
	--instance-initiated-shutdown-behavior "{\"Value\": \"stop\"}"

02 Now run modify-instance-attribute command (OSX/Linux/UNIX) to enable the Termination Protection feature for the selected EC2 instance. The following command example turn on termination protection (sets DisableApiTermination attribute value to true) for an EC2 instance with the ID i-0712622d696813002 within the US East region (if successful, the command does not return an output):

aws ec2 modify-instance-attribute
	--region us-east-1
	--instance-id i-0712622d696813002
	--disable-api-termination

03 Repeat steps no. 1 and 2 to enable termination protection for the rest of the EC2 instances provisioned in the current region.

04 Change the AWS region from the navigation bar and repeat the entire process for your instances available in the other regions.

Case B: To enable Termination Protection for EC2 instances launched automatically within a CloudFormation stack, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/cloudformation/.

03 Select the AWS CloudFormation stack that you want update in order to protect its instances against accidental termination.

04 Click on the Actions dropdown button from the dashboard top menu and select Update Stack.

05 Edit your CloudFormation template file to enable Termination Protection by setting the "DisableApiTermination" attribute to "true" in the Properties section of your EC2 Resources definition:

setting the 'DisableApiTermination' attribute to 'true' in the Properties section of your EC2 Resources definition

06 On the Select Template page, under Choose a template section, select Upload a template to Amazon S3, click the Browse button and select the Cloudformation template file updated at the previous step.

07 Click the Next button and go through the next pages, without changing any configuration, until you reach the Review page then click Update to apply your changes for the selected stack.

08 Select the Events tab from the dashboard bottom panel. The last event status for the CloudFormation stack should be "UPDATE_COMPLETE", which means that the stack has been successfully updated to enable termination protection for the EC2 instances within the environment.

09 Repeat steps no. 3 – 8 to enable termination protection for the EC2 instances launched within other CloudFormation stacks.

10 Change the AWS region to repeat the entire process for any CloudFormation environments available in the other regions.

Using AWS CLI

01 Run update-stack command (OSX/Linux/UNIX) to update the selected CloudFormation stack in order to protect its EC2 instances against accidental termination. The following command example updates an AWS CloudFormation stack named MyWebStack using a template file stored in a S3 bucket at s3.amazonaws.com/cf-templates-x00o3usmazcu-us-east-1/my-web-stack-updated.template using KeyName, InstanceType and SSHLocation as input parameters (replace the highlighted values with your own values):

aws cloudformation update-stack
	--region us-east-1
	--stack-name MyWebStack
	--template-url https://s3.amazonaws.com/cf-templates-x00o3usmazcu-us-east-1/my-web-stack-updated.template
	--parameters ParameterKey=KeyName,ParameterValue=web-app-key-pair ParameterKey=InstanceType,ParameterValue=c4.large ParameterKey=SSHLocation,ParameterValue= 54.82.233.140/32

02 The command output should return the unique identifier (ARN) of the updated stack:

{
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/
                MyWebStack/456a6220-2cc8-11e6-b272-50d5cd2758d2"
}

03 Repeat step no. 1 to enable termination protection for the EC2 instances launched within other CloudFormation environments.

04 Change the AWS region to repeat the entire process for any CloudFormation stacks available in the other regions.

References

AWS Command Line Interface (CLI) Documentation
ec2
describe-instances
describe-instance-attribute
modify-instance-attribute
cloudformation
update-stack

Publication date Jun 8, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

EC2 Instance Termination Protection

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

Using AWS Console

Using AWS CLI

References

Related EC2 rules