
EC2 instances should have termination protection enabled

Accidental instance termination causes immediate, unrecoverable loss of anything on instance store volumes, deletes the root EBS volume by default (its DeleteOnTermination flag is true unless you changed it), and produces service outages that take significant time to recover from. Termination protection adds a deliberate two-step process: someone must first disable the protection, then terminate. This friction prevents fat-finger mistakes in the Console, errant aws ec2 terminate-instances calls, and overly broad automation from destroying production workloads.

The cost of enabling termination protection is zero dollars and near-zero operational overhead. The cost of not enabling it on a stateful production instance can be hours of downtime and unrecoverable ephemeral data.

Retrofit consideration

Enabling termination protection on a running instance is a single modify-instance-attribute call (or a Terraform apply that adds the argument) and needs no restart or downtime. Verify the result with describe-instance-attribute --attribute disableApiTermination; describe-instances does not report this attribute. For Auto Scaling groups, use Auto Scaling instance scale-in protection separately if you need to prevent scale-in termination.

Implementation

Choose the approach that matches how you manage Terraform.

If you use terraform-aws-modules/ec2-instance/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = ">=6.0.0" # prefer an upper-bounded constraint such as "~> 6.0" and commit the lock file

  ami_ssm_parameter = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-arm64"
  instance_type     = "t4g.nano"
  subnet_id         = "subnet-abc123"

  # Sets the DisableApiTermination instance attribute; this is what the control checks.
  disable_api_termination = true
}

Use AWS provider resources directly. See docs for the resources involved: aws_instance.

resource "aws_instance" "this" {
  ami                    = "ami-abc12345"
  instance_type          = "t4g.nano"
  subnet_id              = element(["subnet-abc123", "subnet-def456"], 0)
  vpc_security_group_ids = ["sg-abc12345"]

  # Omitting this argument leaves the attribute at its default of false.
  disable_api_termination = true
}

What this control checks

The aws_instance resource must set disable_api_termination = true. When omitted, the argument defaults to false and the control fails. For instances launched via aws_launch_template, set disable_api_termination = true inside the template resource block. Launch templates only apply this setting at instance launch time; instances created before the template change are not retroactively updated.

Common pitfalls

  • Auto Scaling groups conflict with termination protection

    EC2 API termination protection (DisableApiTermination) does not prevent Amazon EC2 Auto Scaling from terminating instances during scale-in, rebalancing, or health-check replacement. If you need to block scale-in for specific instances, use Auto Scaling instance scale-in protection instead (protect_from_scale_in on aws_autoscaling_group for newly launched instances, or aws autoscaling set-instance-protection for ones already running). Scale-in protection in turn does not block manual termination through the EC2 API, which is what DisableApiTermination covers, so a stateful instance inside a group may need both.

  • Default value is false when argument is omitted

    Most existing Terraform configs omit disable_api_termination entirely, and the default is false. A retrofit means explicitly adding the argument, not just confirming no conflicting value is set.

  • Spot Instances ignore termination protection

    Spot Instance interruptions bypass DisableApiTermination entirely. When AWS reclaims capacity, the instance is terminated regardless of the protection setting, so this control offers no defense against capacity-driven termination of Spot workloads.

  • Launch templates vs. running instances

    Setting disable_api_termination in an aws_launch_template only affects instances launched after that change. Instances already running retain whatever value was active at launch. Fix existing instances with aws ec2 modify-instance-attribute --disable-api-termination or a targeted Terraform apply; for instances in an Auto Scaling group, an instance refresh replaces them with instances launched from the updated template version.

  • In-guest shutdown can still terminate the instance

    DisableApiTermination only gates the TerminateInstances API. If the instance's InstanceInitiatedShutdownBehavior attribute is terminate, a shutdown issued from inside the guest (for example shutdown -h now) still terminates it. Keep instance_initiated_shutdown_behavior at its default of stop on protected instances.
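The following is an added example, not code from this page or from the compliance.tf project, showing how the Auto Scaling and launch-template pitfalls above fit together in one configuration: the launch template carries disable_api_termination, the group layers scale-in protection on top of it, and an instance refresh rolls already-running instances so they come back with the flag set. It also pins instance_initiated_shutdown_behavior to stop, because DisableApiTermination does not block a shutdown started inside the guest when that attribute is terminate. The resource names, AMI, subnet and security group IDs, and capacity numbers are placeholders.

```hcl
# Added example (not the page's or the module's code). All IDs are placeholders.

resource "aws_launch_template" "web" {
  name_prefix   = "web-"
  image_id      = "ami-abc12345"
  instance_type = "t4g.nano"

  vpc_security_group_ids = ["sg-abc12345"]

  # Sets DisableApiTermination on every instance launched from this template.
  # Changing it here does nothing for instances that are already running.
  disable_api_termination = true

  # With "terminate", an in-guest "shutdown -h" bypasses termination protection.
  # "stop" is the default; stating it explicitly keeps a later edit from flipping it.
  instance_initiated_shutdown_behavior = "stop"

  # Make each change the template's default version so the group picks it up.
  update_default_version = true
}

resource "aws_autoscaling_group" "web" {
  name                = "web"
  min_size            = 2
  max_size            = 6
  desired_capacity    = 2
  vpc_zone_identifier = ["subnet-abc123", "subnet-def456"]

  launch_template {
    id      = aws_launch_template.web.id
    version = aws_launch_template.web.latest_version
  }

  # Auto Scaling ignores DisableApiTermination. This flag is what keeps scale-in
  # from removing instances; it applies to instances launched after it is set,
  # and does not cover health-check replacement or manual API termination.
  protect_from_scale_in = true

  # Replace existing instances whenever the launch template version changes, so
  # they are relaunched with disable_api_termination = true. Instances that are
  # already scale-in protected are skipped by default ("Ignore"); "Refresh"
  # replaces them too, which is what a retrofit needs.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage       = 90
      scale_in_protected_instances = "Refresh"
    }
  }
}
```

After the apply, confirm the result on a replacement instance with describe-instance-attribute --attribute disableApiTermination; the refresh proves only that instances were replaced, not that the template carried the flag.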

Audit evidence

Config rule evaluation results showing all EC2 instances pass ec2-instance-termination-protection-enabled, or equivalent output from a posture management tool. Console screenshots of the instance details page showing "Termination protection: Enabled" under "Instance settings" work as point-in-time evidence. CloudTrail logs for ModifyInstanceAttribute events carrying the disableApiTermination attribute show when the setting changed and who changed it; a ModifyInstanceAttribute that sets it to false followed shortly by TerminateInstances from the same principal is the two-step sequence worth alerting on.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: ec2_instance_termination_protection_enabled

  • Powerpipe Control: aws_compliance.control.ec2_instance_termination_protection_enabled

Last reviewed: 2026-03-09