Profile Applicability:
- Level 1
Description:
This rule ensures that Amazon Elastic Block Store (EBS) volumes attached to Amazon EC2 instances are configured to be deleted automatically when the instance is terminated. If an EBS volume is not deleted upon instance termination, it becomes an orphaned resource that retains data no one intended to keep, potentially increasing costs and complicating resource management.
Rationale:
Automatically deleting EBS volumes when an EC2 instance is terminated adheres to the principle of least functionality and reduces the risk of:
Accidental data retention: Storing data that is no longer required.
Increased costs: Retaining volumes that incur storage charges without providing value.
Cluttered infrastructure: Unused volumes can accumulate, making resource management more complex.
Impact:
Pros:
Ensures unused EBS volumes are automatically removed, reducing costs.
Minimizes clutter by automatically cleaning up resources no longer in use.
Improves overall resource management and cost optimization in AWS environments.
Cons:
Data loss: Once an EBS volume is deleted, its data is permanently lost. Make sure to back up important data before instance termination if necessary.
Requires manual configuration to ensure the Delete on Termination setting is enabled for all EBS volumes.
Default Value:
By default, EBS volumes are not marked for deletion upon instance termination. This must be explicitly configured.
Pre-requisites:
AWS IAM permissions to manage EC2 instances and EBS volumes:
ec2:DescribeInstances, ec2:ModifyInstanceAttribute, ec2:ModifyVolume
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS EC2 Console.
In the left pane, click Instances, then click Instances from the dropdown.
Select an EC2 instance for review.
In the Storage tab, scroll down to the Volume ID and review the setting for Delete on termination.
If the value is set to No, refer to the remediation below.
Repeat steps 3–5 for other instances and regions where this setting needs to be reviewed.
Using AWS CLI:
Run the following command to list EC2 instances that have Delete on Termination set to false:
aws ec2 describe-instances --region us-east-1 --output json --filters "Name=block-device-mapping.delete-on-termination,Values=false" --query "Reservations[*].Instances[*].{Instance:InstanceId}"
The command will return a list of EC2 instances that are not configured to delete EBS volumes upon termination.
Implementation Plan:
Using AWS Console:
Log in to the AWS EC2 Console.
In the left pane, click Network & Security, then click Instances.
Select the EC2 instance that you want to update.
In the Storage tab, click Actions, then Modify Volume.
For each attached EBS volume, ensure that the Delete on termination checkbox is selected.
Save changes and repeat for any other EC2 instances.
Using AWS CLI:
To configure the EBS volume to be deleted upon instance termination, run the following command:
aws ec2 modify-instance-attribute --instance-id i-1234567abcdefghi0 --block-device-mappings "[{\"DeviceName\":\"/dev/sda\",\"Ebs\":{\"DeleteOnTermination\":true}}]"
Repeat this step for all EC2 instances that need to be updated with this setting.
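The describe-instances query in the Test Plan returns only instance IDs, while the remediation command above needs the device name of each volume that is actually set to false (it will not be /dev/sda on every instance). The following Python script, added here as an example and not part of this benchmark, parses the JSON that aws ec2 describe-instances --output json produces, lists the per-device findings, and builds the matching modify-instance-attribute command for each non-compliant instance. The instance, volume and device values are constructed sample data.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-instances --output json`,
# trimmed to the fields this check reads. Not real account data.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "BlockDeviceMappings": [
                 {"DeviceName": "/dev/xvda",
                  "Ebs": {"VolumeId": "vol-0root1", "DeleteOnTermination": True}},
                 {"DeviceName": "/dev/sdf",
                  "Ebs": {"VolumeId": "vol-0data1", "DeleteOnTermination": False}}]},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "BlockDeviceMappings": [
                 {"DeviceName": "/dev/xvda",
                  "Ebs": {"VolumeId": "vol-0root2", "DeleteOnTermination": True}}]}]}
    ]
})


def find_retained_volumes(describe_json: str) -> Dict[str, List[dict]]:
    """Map each non-compliant instance id to the block device mappings whose
    EBS volume would survive termination. A missing DeleteOnTermination key
    is treated as false so the instance is flagged rather than silently passed."""
    findings: Dict[str, List[dict]] = {}
    for reservation in json.loads(describe_json)["Reservations"]:
        for inst in reservation["Instances"]:
            bad = [m for m in inst.get("BlockDeviceMappings", [])
                   if "Ebs" in m and not m["Ebs"].get("DeleteOnTermination", False)]
            if bad:
                findings[inst["InstanceId"]] = bad
    return findings


def remediation_mappings(bad_mappings: List[dict]) -> str:
    """Build the --block-device-mappings JSON for modify-instance-attribute,
    using each volume's real device name instead of a hard-coded /dev/sda."""
    return json.dumps([{"DeviceName": m["DeviceName"],
                        "Ebs": {"DeleteOnTermination": True}} for m in bad_mappings])


def remediation_commands(describe_json: str) -> List[str]:
    """One aws CLI command per non-compliant instance (returned, not executed)."""
    return [f"aws ec2 modify-instance-attribute --instance-id {iid} "
            f"--block-device-mappings '{remediation_mappings(bad)}'"
            for iid, bad in find_retained_volumes(describe_json).items()]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_DESCRIBE_INSTANCES):
        print(cmd)
```

Review the generated commands before running them, since enabling the flag on a data volume means that volume is destroyed with the instance.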
Backout Plan:
Using AWS Console:
If enabling the Delete on termination setting causes issues, you can revert the setting by deselecting the Delete on termination checkbox for the affected volumes.
Ensure that important data is backed up before reverting the setting to avoid potential data loss.
Using AWS CLI:
To remove the Delete on termination setting, run the following command:
aws ec2 modify-instance-attribute --instance-id i-1234567abcdefghi0 --block-device-mappings "[{\"DeviceName\":\"/dev/sda\",\"Ebs\":{\"DeleteOnTermination\":false}}]"
References:
CIS Controls: