More Info:

Ensure that the Termination Protection feature is enabled for EC2 instances that are not part of Auto Scaling groups (ASGs).

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Remediation

Using Console

To remediate the Termination Protection Should Be Enabled misconfiguration in AWS using the AWS console, follow these steps:

  1. Log in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Select the instance that you want to enable termination protection for.

  4. Click on the “Actions” button and select “Instance Settings”.

  5. Click on “Change Termination Protection”.

  6. Select the “Enable” option and click “Save”.

  7. A confirmation message will appear indicating that the termination protection has been enabled.

  8. Repeat steps 3-7 for each instance that needs termination protection enabled.

By following these steps, you will have successfully remediated the Termination Protection Should Be Enabled misconfiguration for your AWS environment.

Using CLI

To remediate the misconfiguration “Termination Protection Should Be Enabled” for an EC2 instance in AWS using the AWS CLI, follow the steps below:

  1. Open the AWS CLI on your local machine.

  2. Run the following command to enable termination protection for an EC2 instance:

    aws ec2 modify-instance-attribute --instance-id <instance-id> --no-disable-api-termination
    

    Replace <instance-id> with the ID of the EC2 instance for which you want to enable termination protection.

  3. Verify that the termination protection is enabled for the instance by running the following command:

    aws ec2 describe-instance-attribute --instance-id <instance-id> --attribute disableApiTermination
    

    If the output shows "Value": true, it means that termination protection is enabled for the instance (the attribute is named disableApiTermination, so true means API termination is blocked).

  4. Repeat the above steps for all the EC2 instances in your AWS account to ensure that termination protection is enabled for all of them.

Note: Enabling termination protection is a safety measure to prevent accidental termination of instances. However, it should not be used as a substitute for proper backup and disaster recovery planning.

Using Python

The following steps can be followed to remediate the “Termination Protection Should Be Enabled” misconfiguration in AWS using Python:

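  1. Import the necessary libraries:

    import boto3

  2. Create an EC2 client:

    ec2 = boto3.client('ec2')

  3. Get a list of all instances:

    # Paginate so that accounts with many instances are fully covered
    instances = []
    paginator = ec2.get_paginator('describe_instances')
    for page in paginator.paginate():
        for reservation in page['Reservations']:
            for instance in reservation['Instances']:
                # Terminated instances can no longer be modified
                if instance['State']['Name'] not in ('shutting-down', 'terminated'):
                    instances.append(instance['InstanceId'])

  4. Enable termination protection for each instance:

    for instance in instances:
        # DisableApiTermination=True turns termination protection on
        ec2.modify_instance_attribute(InstanceId=instance, DisableApiTermination={'Value': True})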

This will enable termination protection for all instances in your AWS account.
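The rule at the top of this page applies only to instances that are not part of ASGs, so the following added example (not part of the original page) audits before it changes anything and touches only instances in scope. The function names and the `dry_run` flag are hypothetical; the code assumes ASG membership can be recognised by the `aws:autoscaling:groupName` tag that EC2 Auto Scaling sets on instances it launches, and it skips Spot instances, which do not support termination protection.

```python
# Added example: audit-then-remediate, scoped to standalone (non-ASG) instances.
ASG_TAG = "aws:autoscaling:groupName"  # tag set by EC2 Auto Scaling on its instances


def unprotected_standalone_instances(ec2):
    """Return IDs of live, non-ASG, non-Spot instances lacking termination protection."""
    findings = []
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                if inst["State"]["Name"] in ("shutting-down", "terminated"):
                    continue  # already gone; attribute can no longer be modified
                if ASG_TAG in {t["Key"] for t in inst.get("Tags", [])}:
                    continue  # managed by an ASG: out of scope for this rule
                if inst.get("InstanceLifecycle") == "spot":
                    continue  # Spot instances cannot have termination protection
                attr = ec2.describe_instance_attribute(
                    InstanceId=inst["InstanceId"],
                    Attribute="disableApiTermination",
                )
                # Value is True when termination protection is ON
                if not attr["DisableApiTermination"]["Value"]:
                    findings.append(inst["InstanceId"])
    return findings


def remediate(ec2, dry_run=True):
    """Report findings; enable protection on them only when dry_run is False."""
    ids = unprotected_standalone_instances(ec2)
    if not dry_run:
        for instance_id in ids:
            ec2.modify_instance_attribute(
                InstanceId=instance_id,
                DisableApiTermination={"Value": True},
            )
    return ids


if __name__ == "__main__":
    import boto3  # imported here so the functions above work with any client object

    # Uses the default credentials and region; run once per region in use.
    print(remediate(boto3.client("ec2"), dry_run=True))
```

Run it with `dry_run=True` first and review the returned IDs before switching to `dry_run=False`.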

Additional Reading: