Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

EC2 Instance Termination Protection

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-030

Ensure that Amazon EC2 instances provisioned outside Auto Scaling Groups (ASGs) have the Termination Protection safety feature enabled in order to protect them from being accidentally terminated. For Amazon EC2 instances provisioned manually, once the Termination Protection feature is enabled you will not be able to terminate your instances using the AWS Management Console, the AWS API, or the AWS CLI until the Termination Protection has been disabled. However, this will not prevent your instances from getting terminated if these have set the Shutdown Behavior flag to "Terminate" when an OS-level shutdown is performed. To make sure your EC2 instances cannot be accidentally terminated, you need to set first the instance Shutdown Behavior value to "Stop" (which sets the InstanceInitiatedShutdownBehavior attribute value to stop) then enable Termination Protection safety feature (which sets the DisableApiTermination attribute value to true). For Amazon EC2 instances provisioned automatically via AWS CloudFormation, once the Termination Protection feature is enabled, you will not be able to delete the stack containing the instance until the feature has been disabled (which sets the DisableApiTermination attribute value to false) in your CloudFormation template.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

By default, the EBS volumes associated with the Amazon EC2 instances are deleted when these are terminated (when the DeletionOnTermination attribute value is set to true). With Termination Protection feature enabled, you have the guarantee that your Amazon EC2 instances can't be terminated accidentally and make sure that your data remains safe.

Audit

To determine if your existing Amazon EC2 instances (provisioned manually or automatically via AWS CloudFormation) have Termination Protection enabled, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console split panel to access the instance configuration information.

06 In the Instance details section, check the Termination protection attribute value to determine the feature status. If the attribute value is set to Disabled, the Termination Protection safety feature is not enabled for the selected Amazon EC2 instance.

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance available within the current AWS cloud region.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom output filters to list the IDs of the Amazon EC2 instances provisioned in the selected AWS cloud region: 

aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested EC2 instance identifiers (IDs): 

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run describe-instance-attribute ommand (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom output filters to describe the Termination Protection feature status for the selected EC2 instance: 

aws ec2 describe-instance-attribute
	--region us-east-1
	--instance-id i-01234abcd1234abcd
	--attribute disableApiTermination
	--query 'DisableApiTermination.Value'

04 The command output should return the requested feature status (true for enabled, false for disabled): 

false

If the describe-instance-attribute command output returns false, as shown in the example above, the Termination Protection safety feature is not enabled for the selected Amazon EC2 instance.

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance available in the selected AWS cloud region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

Case A: To enable Termination Protection for the Amazon EC2 instances launched manually using the AWS Management Console, AWS API, or AWS CLI, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"SSHKeyName": {
			"Type": "AWS::EC2::KeyPair::KeyName",
			"Description": "Instance SSH key"
		},
		"SecurityGroupId": {
			"Type": "AWS::EC2::SecurityGroup::Id",
			"Description": "Security group ID"
		}
	},
	"Resources": {
		"EC2Instance": {
			"Type": "AWS::EC2::Instance",
			"Properties": {
				"ImageId": "ami-0123456789abcdefa",
				"InstanceType": "c5.xlarge",
				"KeyName": {
					"Ref": "SSHKeyName"
				},
				"SubnetId": "subnet-0123456789abcdef0",
				"SecurityGroupIds": [
					{
						"Ref": "SecurityGroupId"
					}
				],
				"BlockDeviceMappings": [
					{
						"DeviceName": "/dev/xvda",
						"Ebs": {
							"VolumeSize": "30",
							"VolumeType": "gp2"
						}
					}
				],
				"DisableApiTermination": true
			}
		}
	}
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
	Parameters:
	SSHKeyName:
		Type: AWS::EC2::KeyPair::KeyName
		Description: Instance SSH key
	SecurityGroupId:
		Type: AWS::EC2::SecurityGroup::Id
		Description: Security group ID
	Resources:
	EC2Instance:
		Type: AWS::EC2::Instance
		Properties:
		ImageId: ami-0123456789abcdefa
		InstanceType: c5.xlarge
		KeyName: !Ref 'SSHKeyName'
		SubnetId: subnet-0123456789abcdef0
		SecurityGroupIds:
			- !Ref 'SecurityGroupId'
		BlockDeviceMappings:
			- DeviceName: /dev/xvda
			Ebs:
				VolumeSize: '30'
				VolumeType: gp2
		DisableApiTermination: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}
provider "aws" {
	profile = "default"
	region  = "us-east-1"
}
resource "aws_instance" "ec2-instance" {
	ami = "ami-0123456789abcdefa"
	instance_type = "c5.xlarge"
	key_name = "ssh-key"
	subnet_id = "subnet-0123456789abcdef0"
	vpc_security_group_ids = [ "sg-0123456789abcdefa" ]
	ebs_block_device {
		device_name = "/dev/xvda"
		volume_size = 30
		volume_type = "gp2"
	}

	disable_api_termination = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to protect against accidental termination.

05 Choose Actions, select Instance settings, and choose Change termination protection.

06 In the Change termination (deletion) protection configuration box, select the Enable setting checkbox available under Termination protection to enable the feature. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance that you want to configure, available within the current AWS cloud region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run modify-instance-attribute command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to protect against accidental termination as the identifier parameter, to enable the Termination Protection safety feature for the selected EC2 instance (the command does not produce an output): 

aws ec2 modify-instance-attribute
	--region us-east-1
	--instance-id i-01234abcd1234abcd
	--disable-api-termination

02 Repeat step no. 1 for each Amazon EC2 instance that you want to configure, available in the selected AWS cloud region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Case B: To enable Termination Protection for Amazon EC2 instances launched automatically using an AWS CloudFormation stack, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS CloudFormation console available at https://console.aws.amazon.com/cloudformation/.

03 In the left navigation panel, under CloudFormation, choose Stacks.

04 Select the AWS CloudFormation stack that you want to configure, choose Stack actions, and select Edit termination protection.

05 Inside the Edit termination protection for <stack-name>? configuration box, select Activated under Termination protection to enable the Termination Protection safety feature for the EC2 instances within the stack. Choose Save to apply the changes.

06 Repeat steps no. 4 and 5 for each CloudFormation stack that you want to configure, available within the current AWS cloud region.

07 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run update-termination-protection command (OSX/Linux/UNIX) with the name of the AWS CloudFormation stack that you want to configure as the identifier parameter, to enable the Termination Protection safety feature for the EC2 instances deployed within the selected stack: 

aws cloudformation update-termination-protection
	--region us-east-1
	--stack-name cc-production-web-stack
	--enable-termination-protection

02 The command output should return the ID of the modified CloudFormation stack: 

{
	"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/cc-production-web-stack/abcd1234-abcd-1234-abcd-1234abcd1234"
}

03 Repeat steps no. 1 and 2 for each Amazon EC2 instance that you want to configure, available in the selected AWS cloud region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Jun 8, 2016

Related EC2 rules