LOW EC2

EC2 termination protection

Check ID: aws-ec2-005

AWS-EC2-005 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for running EC2 instances that do not have API termination protection (the disableApiTermination instance attribute) enabled.

Why it matters

Without termination protection, instances can be accidentally deleted by a single API call, a Terraform destroy, a misconfigured auto-scaling policy, or a misclick in the console. AWS Support reports that accidental instance termination is one of their top 5 most common support cases. In 2020, a GitLab engineer accidentally terminated a production database instance during maintenance, causing a 6-hour outage. Termination protection adds a deliberate two-step process - you must first disable protection, then terminate. This is especially critical for stateful workloads like databases, CI/CD runners, and legacy applications that store data on instance storage rather than EBS.

Common causes

Termination protection is not enabled by default, and most Terraform modules and CloudFormation templates do not include it unless explicitly requested. Engineers creating instances for quick testing or development skip this setting, and those instances sometimes get promoted to production without hardening. Teams that rely on infrastructure-as-code assume the code itself prevents accidental deletion, not realizing that nothing stops a terraform destroy from terminating an unprotected instance.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

aws ec2 modify-instance-attribute --instance-id INSTANCE_ID --disable-api-termination --region REGION

Remediation: Terraform

resource "aws_instance" "example" {
  ami                     = "AMI_ID"        # replace with an AMI for your region
  instance_type           = "INSTANCE_TYPE" # e.g. t3.micro
  disable_api_termination = true            # TerminateInstances is refused until this is set back to false
}
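The detection and remediation steps above, as one added example in Python (not cloud-audit's own code). The boto3 calls it relies on, describe_instances, describe_instance_attribute and modify_instance_attribute, are real EC2 client methods; the FakeEC2 client, the SAMPLE_FLEET data and the instance ids in it are constructed here so the module runs offline, and live_scan is the hypothetical entry point that would run the same logic against a real account.

```python
"""Check running EC2 instances for API termination protection and enable it.

Added example, not cloud-audit's own code. The boto3 calls it relies on
(describe_instances, describe_instance_attribute, modify_instance_attribute)
are real EC2 client methods; FakeEC2 and SAMPLE_FLEET are constructed here
so the module runs offline without credentials.
"""
from typing import Any, Dict, Iterable, List, Optional


def running_instance_ids(ec2) -> List[str]:
    """Return the ids of all running instances, following NextToken pagination."""
    kwargs: Dict[str, Any] = {
        "Filters": [{"Name": "instance-state-name", "Values": ["running"]}]
    }
    ids: List[str] = []
    while True:
        page = ec2.describe_instances(**kwargs)
        for reservation in page.get("Reservations", []):
            ids.extend(i["InstanceId"] for i in reservation.get("Instances", []))
        token = page.get("NextToken")
        if not token:
            return ids
        kwargs["NextToken"] = token


def is_termination_protected(ec2, instance_id: str) -> bool:
    """disableApiTermination is per instance; DescribeInstances does not return it."""
    resp = ec2.describe_instance_attribute(
        InstanceId=instance_id, Attribute="disableApiTermination"
    )
    return bool(resp["DisableApiTermination"]["Value"])


def find_unprotected(ec2) -> List[str]:
    """The aws-ec2-005 condition: running instances whose attribute is false."""
    return [i for i in running_instance_ids(ec2) if not is_termination_protected(ec2, i)]


def enable_termination_protection(ec2, instance_ids: Iterable[str]) -> List[str]:
    """Remediate: same effect as `aws ec2 modify-instance-attribute --disable-api-termination`."""
    done: List[str] = []
    for instance_id in instance_ids:
        ec2.modify_instance_attribute(
            InstanceId=instance_id, DisableApiTermination={"Value": True}
        )
        done.append(instance_id)
    return done


class FakeEC2:
    """Minimal in-memory stand-in for a boto3 EC2 client (constructed for this example)."""

    def __init__(self, fleet: Dict[str, Dict[str, Any]]):
        # instance id -> {"state": "running" | "stopped", "protected": bool}
        self.fleet = fleet

    def describe_instances(self, Filters=None, NextToken=None):
        wanted = {"pending", "running", "stopping", "stopped", "shutting-down", "terminated"}
        for f in Filters or []:
            if f["Name"] == "instance-state-name":
                wanted = set(f["Values"])
        instances = [
            {"InstanceId": iid, "State": {"Name": d["state"]}}
            for iid, d in self.fleet.items() if d["state"] in wanted
        ]
        return {"Reservations": [{"Instances": instances}]}  # single page, no NextToken

    def describe_instance_attribute(self, InstanceId, Attribute):
        value = self.fleet[InstanceId]["protected"]
        return {"InstanceId": InstanceId, "DisableApiTermination": {"Value": value}}

    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        self.fleet[InstanceId]["protected"] = DisableApiTermination["Value"]
        return {}


# Constructed sample fleet: one running unprotected instance (the finding),
# one protected instance, and one stopped instance that the check ignores.
SAMPLE_FLEET = {
    "i-0aaa111": {"state": "running", "protected": False},
    "i-0bbb222": {"state": "running", "protected": True},
    "i-0ccc333": {"state": "stopped", "protected": False},
}


def demo():
    """Scan the sample fleet, fix the findings, rescan; returns (before, after)."""
    ec2 = FakeEC2({k: dict(v) for k, v in SAMPLE_FLEET.items()})
    before = find_unprotected(ec2)
    enable_termination_protection(ec2, before)
    return before, find_unprotected(ec2)


def live_scan(region: Optional[str] = None, fix: bool = False) -> List[str]:
    """Run the same check against a real account (credentials from the environment)."""
    import boto3  # imported here so the offline demo does not need boto3

    ec2 = boto3.client("ec2", region_name=region)
    findings = find_unprotected(ec2)
    if fix:
        enable_termination_protection(ec2, findings)
    return findings


if __name__ == "__main__":
    print(demo())  # (['i-0aaa111'], [])
```

The attribute has to be read per instance because DescribeInstances does not return it, so a scan costs one DescribeInstanceAttribute call per running instance. Note also what the attribute covers: it makes the TerminateInstances API refuse the request, but it does not stop Amazon EC2 Auto Scaling from terminating an instance during scale-in, and it does not stop a shutdown issued from inside the guest when the instance's shutdown behaviour is set to terminate.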

This check is part of cloud-audit - install with pip install cloud-audit