Open in app

Sign up

Sign in

Write

Sign up

Sign in

Mastodon

How to prevent the (EC2) instances from being terminated

Park Sehun
2 min readJul 27, 2021

By default, you can terminate your instance using the EC2 console, CLI, or API. I will talk about how to prevent the instance from being ‘accidentally’ or ‘intentionally’ terminated.

Enable Termination protection

Enable EC2 configuration.

Terminate your instance

You can delete your instance when you no longer need it. This is referred to as terminating your instance. As soon as…

docs.aws.amazon.com

If you enable termination protection, you can protect instances from any ‘unintentional’ termination. There are limitations like

  • You cannot enable termination protection for Spot instances.
  • To prevent instances in Auto Scaling Group from terminating, you need to use instance protection.

Add Resource level permission

You can also assign tags to the EC2 (In fact, can apply to any resources) with a production identifying tags and add resource-level permissions to the user who has API permission with an explicit denial on the terminate API call.

Ref: https://aws.amazon.com/blogs/security/resource-level-permissions-for-ec2-controlling-management-access-on-specific-instances/

Use multi Factor Authentication

The user will use credentials to log in to get the privileged permissions, which means the user will have the account with enough permission to terminate any resources. We can enforce MFA on logging into the accounts and keep the MFA devices in other teams like security.

Therefore, whenever the user logs in with privileged accounts, they will be with somebody else as supervisor. (e.g. four-eyes principle, separation of duties)

Shift Left

If you are using IaC to provision & change the cloud resources, you can prevent the user from terminating in the IaC tool. For instance, AWS CloudFormation stack, you can set the deletionPolicy attribute to prevent the deletion of an individual resource at the stack level.

Protect Resources in an AWS CloudFormation Stack from Accidental Deletion or Updates

I want to prevent the resources in my AWS CloudFormation stack from getting deleted or updated. How can I do this? To…

aws.amazon.com

Prepare for corrective, detective controls

We learned how to prevent the resources from being terminated, but there must be an accident and we eventually need other controls to handle this.

Corrective?

  • Regularly back up your data (Don’t forget HA (High Availability), redundancy, replication is really different from backup)
  • Backup/Restore Runbooks
  • Troubleshoot guides

Detectives?

  • Monitoring/Alert system (Whenever any critical resource is terminated, the administrator will be informed)
  • Audit logs

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Sign up for free

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Try for $5/month
Ec2
Prevent
Deletion
Termination
Aw
Park Sehun
Park Sehun
Follow

Written by Park Sehun

148 Followers
24 Following

https://www.linkedin.com/in/park-sehun-1097b140

Follow

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams