Enable managedTerminationProtection on the capacity provider. Ensure managed scaling is also enabled — protection only works when ECS drives desired capacity. Verify the Auto Scaling group has instance scale-in protection allowed so ECS can apply it.

Compliance Medium severity

AWS Security Hub · ECS

ECS.19: Capacity providers managed termination protection

Written and reviewed by Emnode · Last reviewed 27 May 2026

What does AWS Security Hub ECS.19 check?

ECS.19 evaluates each ECS capacity provider and fails when managedTerminationProtection is not ENABLED. With it on, ECS — not the Auto Scaling group — controls scale-in and will only terminate instances that have zero running tasks.

Why does ECS.19 matter?

Left to the Auto Scaling group's default policy, scale-in can terminate an instance that is actively running tasks. Those tasks are killed without draining, in-flight requests fail, and ECS has to reschedule the work. On a cluster that scales in several times a day, that becomes a recurring source of intermittent 5xx errors and latency during off-peak windows — failures that look like application bugs and burn hours to diagnose.

How do I fix ECS.19?

Enable managedTerminationProtection on the capacity provider.
Ensure managed scaling is also enabled — protection only works when ECS drives desired capacity.
Verify the Auto Scaling group has instance scale-in protection allowed so ECS can apply it.

Remediation script · bash

# Enable deletion protection on every unprotected standalone RDS instance in a region.
for id in $(aws rds describe-db-instances \
  --query 'DBInstances[?DeletionProtection==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --deletion-protection --apply-immediately
  echo "Protected RDS instance: $id"
done

# Termination-protect every production-tagged CloudFormation stack (eyeball the list first).
aws cloudformation describe-stacks \
  --query "Stacks[?Tags[?Key=='Environment' && Value=='production']].StackName" \
  --output text | tr '\t' '\n' | while read -r stack; do
  aws cloudformation update-termination-protection \
    --stack-name "$stack" --enable-termination-protection
  echo "Protected stack: $stack"
done

# Deletion-protect a production load balancer.
aws elbv2 modify-load-balancer-attributes --load-balancer-arn "$LB_ARN" \
  --attributes Key=deletion_protection.enabled,Value=true

Full walkthrough (console steps, edge cases and verification) in the lesson Enable deletion and termination protection.

Is ECS.19 a false positive?

Turning on managed termination protection without managed scaling looks safe but is a silent no-op: ECS has no hook into the scale-in path, so busy nodes can still be terminated. The two settings are a pair.

Full lesson Enable deletion and termination protection Step-by-step remediation with CLI, code and persona-specific context.

AWS documentation for ECS controls ↗ Check your own account for ECS.19 →

Part of the learning path Lock down access

ECS.2 An ECS service auto-assigns public IPs to tasks
ECS.3 A task definition shares the host PID namespace
ECS.4 A container runs in privileged mode
ECS.5 A container has a writable root filesystem
ECS.8 Secrets are passed as plaintext container env vars
ECS.9 A task definition has no logging configuration
ECS.10 Fargate services should run latest platform version
ECS.12 ECS clusters should use Container Insights
ECS.16 An ECS task set auto-assigns public IPs
ECS.18 ECS task defs should encrypt EFS volumes in transit
ECS.20 Linux containers should run as non-root users
ECS.21 Windows containers should run as non-admin users