Ensure EBS volumes attached to an EC2 instance is marked for deletion upon instance termination¶

This rule ensures that Amazon Elastic Block Store volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances are marked for deletion when an instance is terminated. If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality.

How to fix¶

Attribute root_block_device[0].delete_on_termination of aws_instance must be true.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)¶

If you use terraform-aws-modules/ec2-instance/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = ">=6.0.0"

  instance_type = "t3.nano"
  subnet_id     = "subnet-abc123"

  root_block_device = {
    delete_on_termination = true
  }
}

Option 2: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_instance.

resource "aws_instance" "this" {
  ami                    = "ami-abc12345"
  instance_type          = "t4g.nano"
  subnet_id              = element(["subnet-abc123", "subnet-def456"], 0)
  vpc_security_group_ids = ["sg-abc12345"]

  root_block_device {
    delete_on_termination = true
  }
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: ec2_instance_attached_ebs_volume_delete_on_termination_enabled

• Powerpipe Controls: aws_compliance.control.ebs_attached_volume_delete_on_termination_enabled, aws_compliance.control.ec2_instance_attached_ebs_volume_delete_on_termination_enabled