EC2 Instance Termination Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-030

Ensure that the Amazon EC2 instances provisioned outside the Auto Scaling Groups (ASGs) have the Termination Protection safety feature enabled in order to protect them from being accidentally terminated.
For Amazon EC2 instances provisioned manually, once the Termination Protection feature is enabled you will not be able to terminate your EC2 instances using the AWS Management Console, the AWS API, or the AWS CLI until the Termination Protection has been disabled. However, this will not prevent your instances from being terminated if their Shutdown Behavior flag is set to 'Terminate' when an OS-level shutdown is performed. To make sure your EC2 instances cannot be accidentally terminated, you first need to set the instance Shutdown Behavior value to 'Stop' (which sets the InstanceInitiatedShutdownBehavior attribute value to 'stop') and then enable the Termination Protection safety feature (which sets the DisableApiTermination attribute value to true).
For Amazon EC2 instances provisioned automatically via AWS CloudFormation, once the Termination Protection feature is enabled, you will not be able to delete the stack containing the instance until the feature has been disabled in your CloudFormation template (which sets the DisableApiTermination attribute value to false).

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

By default, the EBS volumes associated with Amazon EC2 instances are deleted when the instances are terminated (when the DeleteOnTermination attribute value is set to true). With the Termination Protection feature enabled, your EC2 instances cannot be accidentally terminated, which keeps the data on those volumes safe.

Audit

To determine if your existing Amazon EC2 instances (provisioned manually or automatically via AWS CloudFormation) have Termination Protection enabled, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to examine.

05 Choose the Details tab from the console bottom panel to access the instance configuration details.

06 In the Instance details section, check the Termination protection attribute value to determine the feature status. If the attribute value is set to Disabled, the Termination Protection safety feature is not enabled for the selected Amazon EC2 instance.

07 Repeat steps no. 4 – 6 for each Amazon EC2 instance available within the current AWS cloud region.

08 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run the describe-instance-attribute command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to describe the Termination Protection status of the selected EC2 instance:

aws ec2 describe-instance-attribute \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --attribute disableApiTermination \
  --query 'DisableApiTermination.Value'

04 The command output should return the requested feature status (true for enabled, false for disabled):

false

If the describe-instance-attribute command output returns false, as shown in the example above, the Termination Protection safety feature is not enabled for the selected Amazon EC2 instance.

05 Repeat steps no. 3 and 4 for each Amazon EC2 instance launched in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

Case A: To enable Termination Protection for the Amazon EC2 instances launched manually using the AWS Management Console, AWS API, or AWS CLI, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"SSHKeyName": {
			"Type": "AWS::EC2::KeyPair::KeyName",
			"Description": "Instance SSH key"
		},
		"SecurityGroupId": {
			"Type": "AWS::EC2::SecurityGroup::Id",
			"Description": "Security group ID"
		}
	},
	"Resources": {
		"EC2Instance": {
			"Type": "AWS::EC2::Instance",
			"Properties": {
				"ImageId": "ami-0123456789abcdefa",
				"InstanceType": "c5.xlarge",
				"KeyName": {
					"Ref": "SSHKeyName"
				},
				"SubnetId": "subnet-0123456789abcdef0",
				"SecurityGroupIds": [
					{
						"Ref": "SecurityGroupId"
					}
				],
				"BlockDeviceMappings": [
					{
						"DeviceName": "/dev/xvda",
						"Ebs": {
							"VolumeSize": "30",
							"VolumeType": "gp2"
						}
					}
				],
				"DisableApiTermination": true
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SSHKeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Instance SSH key
  SecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group ID
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0123456789abcdefa
      InstanceType: c5.xlarge
      KeyName: !Ref 'SSHKeyName'
      SubnetId: subnet-0123456789abcdef0
      SecurityGroupIds:
        - !Ref 'SecurityGroupId'
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: '30'
            VolumeType: gp2
      DisableApiTermination: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}
provider "aws" {
	profile = "default"
	region  = "us-east-1"
}
resource "aws_instance" "ec2-instance" {
	ami = "ami-0123456789abcdefa"
	instance_type = "c5.xlarge"
	key_name = "ssh-key"
	subnet_id = "subnet-0123456789abcdef0"
	vpc_security_group_ids = [ "sg-0123456789abcdefa" ]
	ebs_block_device {
		device_name = "/dev/xvda"
		volume_size = 30
		volume_type = "gp2"
	}

	disable_api_termination = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to protect against accidental termination.

05 Click on the Actions dropdown button from the console top menu, choose Instance settings, and select Change termination protection.

06 On the Change termination protection configuration page, select the Enable checkbox available under Termination protection to enable the feature. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 to enable the safety feature for other Amazon EC2 instances available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the modify-instance-attribute command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to protect against accidental termination as the identifier parameter, to enable the Termination Protection safety feature for the selected EC2 instance (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute \
  --region us-east-1 \
  --instance-id i-01234abcd1234abcd \
  --disable-api-termination

02 Repeat step no. 1 to enable the feature for other Amazon EC2 instances available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
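The audit steps above check DisableApiTermination one instance at a time, and the remediation step enables it without first setting the shutdown behavior to 'stop' as the rule description requires. The following script is an added example (it is not Conformity's own code) that does both for every instance in a region: it skips instances that belong to an Auto Scaling Group, reads both attributes, and remediates non-compliant instances in the required order. It assumes the AWS-reserved tag aws:autoscaling:groupName marks ASG-launched instances, and it ships with a FakeEC2 stand-in and a constructed sample fleet so it runs offline; with boto3 installed, pass boto3.client("ec2", region_name="us-east-1") in place of sample_client().

```python
"""Audit and remediate EC2 Termination Protection as rule EC2-030 describes.

Added example, not Conformity's own code. It evaluates both attributes the rule
names (DisableApiTermination and InstanceInitiatedShutdownBehavior) for instances
outside Auto Scaling Groups, and fixes them in the order the rule requires.
"""
from dataclasses import dataclass

# Assumption (AWS behaviour, not stated on the page): instances launched by an
# Auto Scaling Group carry this reserved tag; the rule scopes them out.
ASG_TAG = "aws:autoscaling:groupName"


@dataclass
class Finding:
    instance_id: str
    api_termination_disabled: bool   # DisableApiTermination.Value
    shutdown_behavior: str           # InstanceInitiatedShutdownBehavior.Value

    @property
    def compliant(self) -> bool:
        # Protection only holds when an OS-level shutdown cannot terminate either.
        return self.api_termination_disabled and self.shutdown_behavior == "stop"


def standalone_instance_ids(ec2):
    """IDs of non-terminated instances that are not part of an ASG."""
    ids = []
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                if inst["State"]["Name"] == "terminated":
                    continue
                tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
                if ASG_TAG not in tags:
                    ids.append(inst["InstanceId"])
    return ids


def audit(ec2):
    """One Finding per standalone instance, from two describe-instance-attribute calls."""
    findings = []
    for iid in standalone_instance_ids(ec2):
        term = ec2.describe_instance_attribute(InstanceId=iid, Attribute="disableApiTermination")
        shut = ec2.describe_instance_attribute(InstanceId=iid, Attribute="instanceInitiatedShutdownBehavior")
        findings.append(Finding(iid, term["DisableApiTermination"]["Value"],
                                shut["InstanceInitiatedShutdownBehavior"]["Value"]))
    return findings


def remediate(ec2, finding):
    """Fix a non-compliant instance: shutdown behavior to 'stop' first, then protection."""
    if finding.shutdown_behavior != "stop":
        ec2.modify_instance_attribute(InstanceId=finding.instance_id,
                                      InstanceInitiatedShutdownBehavior={"Value": "stop"})
    if not finding.api_termination_disabled:
        ec2.modify_instance_attribute(InstanceId=finding.instance_id,
                                      DisableApiTermination={"Value": True})


class FakeEC2:
    """Offline stand-in for the boto3 EC2 client, answering in the real response shapes."""

    def __init__(self, instances):
        self.instances = instances   # id -> {"tags": {}, "term": bool, "shutdown": str}
        self.calls = []              # (instance_id, kwargs) of every modify call, in order

    def get_paginator(self, name):
        assert name == "describe_instances"
        page = {"Reservations": [{"Instances": [
            {"InstanceId": iid, "State": {"Name": "running"},
             "Tags": [{"Key": k, "Value": v} for k, v in d["tags"].items()]}
            for iid, d in self.instances.items()]}]}

        class Paginator:
            def paginate(self_):
                yield page
        return Paginator()

    def describe_instance_attribute(self, InstanceId, Attribute):
        d = self.instances[InstanceId]
        if Attribute == "disableApiTermination":
            return {"InstanceId": InstanceId, "DisableApiTermination": {"Value": d["term"]}}
        if Attribute == "instanceInitiatedShutdownBehavior":
            return {"InstanceId": InstanceId,
                    "InstanceInitiatedShutdownBehavior": {"Value": d["shutdown"]}}
        raise ValueError(Attribute)

    def modify_instance_attribute(self, InstanceId, **attrs):
        self.calls.append((InstanceId, attrs))
        d = self.instances[InstanceId]
        if "InstanceInitiatedShutdownBehavior" in attrs:
            d["shutdown"] = attrs["InstanceInitiatedShutdownBehavior"]["Value"]
        if "DisableApiTermination" in attrs:
            d["term"] = attrs["DisableApiTermination"]["Value"]
        return {}


def sample_client():
    """Constructed sample fleet: IDs reuse the page's example output, states are made up."""
    return FakeEC2({
        "i-01234abcd1234abcd": {"tags": {}, "term": False, "shutdown": "stop"},      # unprotected
        "i-0abcdabcdabcdabcd": {"tags": {}, "term": True, "shutdown": "terminate"},  # OS shutdown still terminates
        "i-0abcd1234abcd1234": {"tags": {ASG_TAG: "web-asg"}, "term": False, "shutdown": "stop"},  # ASG: out of scope
    })


def audit_and_fix(ec2):
    """Audit, remediate every non-compliant finding, audit again; return (before, after)."""
    before = audit(ec2)
    for f in before:
        if not f.compliant:
            remediate(ec2, f)
    return before, audit(ec2)


if __name__ == "__main__":
    client = sample_client()
    before, after = audit_and_fix(client)
    for f in before:
        print(f"{f.instance_id}: protection={f.api_termination_disabled} "
              f"shutdown={f.shutdown_behavior} compliant={f.compliant}")
    print("all compliant after remediation:", all(f.compliant for f in after))
```

Run it once per region (the boto3 client is region-scoped), and review the printed findings before letting remediate() run against a real account: the script deliberately changes only the attribute that is wrong on each instance, so an instance whose shutdown behavior is 'terminate' gets that corrected even when termination protection is already on.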

Case B: To enable Termination Protection for Amazon EC2 instances launched automatically using an AWS CloudFormation stack, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.

03 In the navigation panel, under CloudFormation, choose Stacks.

04 Select the AWS CloudFormation stack that you want to reconfigure.

05 Click on the Stack actions dropdown button from the console top menu and choose Edit termination protection.

06 Inside the Edit termination protection for <stack-name>? configuration box, select Enabled under Termination protection to enable the safety feature. Choose Save to apply the configuration changes.

07 Repeat steps no. 4 – 6 to enable protection against accidental termination for other Amazon EC2 instances provisioned within AWS CloudFormation stacks.

08 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the update-termination-protection command (OSX/Linux/UNIX) using the name of the AWS CloudFormation stack that you want to reconfigure as the identifier parameter, to enable the Termination Protection safety feature for the stack and the EC2 instance(s) deployed within it:

aws cloudformation update-termination-protection \
  --region us-east-1 \
  --stack-name cc-production-web-stack \
  --enable-termination-protection

02 The command output should return the ID of the modified CloudFormation stack:

{
	"StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/cc-production-web-stack/abcd1234-abcd-1234-abcd-1234abcd1234"
}

03 Repeat steps no. 1 and 2 to enable the feature for other Amazon EC2 instances available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Publication date Jun 8, 2016