[Turbot On] EC2 Termination Protection

Protect your Amazon EC2 Instances from accidental termination.

Amazon EC2 instances are easy to manage through the AWS console, CLI, or API: simple commands create new instances, change attributes while they are running, stop instances, and so on. However, a mistake with these powerful tools can just as easily terminate the wrong EC2 instance.

To prevent critical infrastructure from being accidentally terminated, you can enable termination protection for the instance.  This week we will look at how Turbot can help ensure termination protection is enabled across all of your instances in your AWS Accounts.

Defense in depth

Termination protection is controlled by the instance's DisableApiTermination attribute, which dictates whether the instance can be terminated through the console, CLI, or API. By default the attribute is disabled (false) for all instances. You can set it when you launch the instance or at any time afterwards, even while the instance is running. When enabled, a termination request is rejected, and whoever wants to delete the instance must first take the additional step of disabling termination protection. Be aware of what the attribute does not cover: it does not stop an operating-system shutdown issued from inside the instance from terminating it when the InstanceInitiatedShutdownBehavior attribute is set to terminate, it does not prevent Amazon EC2 Auto Scaling from terminating an instance during scale-in, and it cannot be enabled on Spot Instances.

Configuring this setting can be an additional layer of protection from accidental deletion as part of a defense in depth approach to data protection that should include:

  • Automated backups & snapshots.

  • Requiring elevated privileges to delete resources.

  • Proper naming, tagging and isolation of workloads.

Get it done with Turbot

In Turbot, EC2 Instance guardrails are readily available to control your cloud resource configurations.  We can set the existing `EC2 > Instance > Termination Protection` policy in a few clicks.

After setting this policy, Turbot automation will identify every instance that does not have termination protection enabled and then remediate it (i.e. set the instance's `DisableApiTermination` attribute to `true`).

If you are not yet ready to enforce remediation, you can first assess the impact in your environment by setting the value to `Check: Enabled` at the Turbot level; instances without termination protection are then flagged rather than changed.  You can then selectively apply the enforcement setting where desired.
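The check-then-enforce workflow above, and the limits of the attribute described under "Defense in depth", can be seen in a small audit script. The following is an added example, not Turbot's code: it walks every non-terminated instance in an account, reads the `disableApiTermination` attribute (which `describe_instances` does not return), reports or remediates depending on the mode, skips Spot Instances because the attribute cannot be set on them, and notes Auto Scaling group members because scale-in can still terminate them. The `FakeEc2` client, the `audit`/`demo` helper names and the sample inventory are constructed for this illustration so it runs offline; against a live account you would pass `boto3.client("ec2")` instead.

```python
"""Audit, and optionally enforce, EC2 termination protection across an account.

Added example (not Turbot's code). The EC2 API field names are the real ones;
FakeEc2, audit(), demo() and the sample inventory are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import List

ASG_TAG = "aws:autoscaling:groupName"   # tag AWS places on ASG-launched instances


@dataclass
class Finding:
    instance_id: str
    protected: bool
    action: str          # "ok", "alarm", "remediated", "skipped-spot"
    note: str = ""


def list_instances(ec2) -> List[dict]:
    """Collect every non-terminated instance, following the paginated API."""
    instances = []
    paginator = ec2.get_paginator("describe_instances")
    pages = paginator.paginate(Filters=[{"Name": "instance-state-name",
                                         "Values": ["pending", "running",
                                                    "stopping", "stopped"]}])
    for page in pages:
        for reservation in page["Reservations"]:
            instances.extend(reservation["Instances"])
    return instances


def termination_protected(ec2, instance_id: str) -> bool:
    """Read disableApiTermination; it is only exposed via describe_instance_attribute."""
    resp = ec2.describe_instance_attribute(InstanceId=instance_id,
                                           Attribute="disableApiTermination")
    return bool(resp["DisableApiTermination"]["Value"])


def audit(ec2, enforce: bool = False) -> List[Finding]:
    """Check mode (enforce=False) only reports; enforce mode sets the attribute."""
    findings = []
    for inst in list_instances(ec2):
        iid = inst["InstanceId"]
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if inst.get("InstanceLifecycle") == "spot":
            # Spot Instances do not support the attribute; modify would be rejected.
            findings.append(Finding(iid, False, "skipped-spot",
                                    "Spot Instances cannot be protected"))
            continue
        if termination_protected(ec2, iid):
            note = ""
            if ASG_TAG in tags:   # protected from the API, not from ASG scale-in
                note = f"member of ASG {tags[ASG_TAG]}; scale-in can still terminate it"
            findings.append(Finding(iid, True, "ok", note))
        elif enforce:
            ec2.modify_instance_attribute(InstanceId=iid,
                                          DisableApiTermination={"Value": True})
            findings.append(Finding(iid, True, "remediated"))
        else:
            findings.append(Finding(iid, False, "alarm"))
    return findings


class FakeEc2:
    """Minimal stand-in for a boto3 EC2 client so the example runs offline (constructed)."""

    def __init__(self, instances, protected):
        self._instances = instances
        self.protected = dict(protected)   # copy: remediation must not touch the sample
        self.modified = []

    def get_paginator(self, name):
        assert name == "describe_instances"
        return self

    def paginate(self, **_filters):
        for i in range(0, len(self._instances), 2):   # two instances per page
            yield {"Reservations": [{"Instances": self._instances[i:i + 2]}]}

    def describe_instance_attribute(self, InstanceId, Attribute):
        assert Attribute == "disableApiTermination"
        return {"DisableApiTermination": {"Value": self.protected[InstanceId]}}

    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        self.protected[InstanceId] = DisableApiTermination["Value"]
        self.modified.append(InstanceId)


# Constructed inventory: a protected database, a protected ASG member,
# a Spot Instance, and an unprotected stand-alone instance.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Name", "Value": "db-primary"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": ASG_TAG, "Value": "web-asg"}]},
    {"InstanceId": "i-0ccc", "InstanceLifecycle": "spot"},
    {"InstanceId": "i-0ddd"},
]
SAMPLE_PROTECTION = {"i-0aaa": True, "i-0bbb": True, "i-0ccc": False, "i-0ddd": False}


def demo(enforce: bool = False):
    """Run the audit against the constructed inventory; returns (findings, client)."""
    ec2 = FakeEc2(SAMPLE_INSTANCES, SAMPLE_PROTECTION)
    return audit(ec2, enforce=enforce), ec2


if __name__ == "__main__":
    for finding in demo(enforce=False)[0]:
        print(finding)
```

Run it without arguments to see the check-mode report; `demo(enforce=True)` performs the same pass but calls `modify_instance_attribute` for each unprotected, non-Spot instance, which is the step the Turbot enforcement setting automates for you.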

Make it happen

See for yourself how easy it is to enable Amazon EC2 termination protection across your environment. The policy settings necessary to apply these settings are available to download as a Terraform template in the Turbot Development Kit (TDK). If you need any assistance getting this configured please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!