
ELBv2 Deletion Protection

Overview

This check verifies that AWS Elastic Load Balancing v2 (ELBv2) load balancers have deletion protection enabled. ELBv2 includes Application Load Balancers (ALB), Network Load Balancers (NLB), and Gateway Load Balancers (GWLB).

Deletion protection is a safeguard that prevents a load balancer from being accidentally deleted. When enabled, any attempt to delete the load balancer through the console, CLI, or API will fail until protection is explicitly disabled.

Risk

Without deletion protection:

  • Service outages: Deleting a load balancer immediately breaks all traffic routing to your applications
  • Accidental deletion: A simple click or misconfigured automation could remove critical infrastructure
  • Malicious deletion: An attacker with delete permissions could cause a denial-of-service
  • Deployment failures: Blue/green deployments or rollbacks may fail if the load balancer is unexpectedly removed
  • Extended recovery time: Recreating a load balancer requires reconfiguring listeners, target groups, and DNS records

Enabling deletion protection adds a deliberate two-step process to delete a load balancer, reducing the chance of unintended destruction.

Remediation Steps

Prerequisites

You need permission to modify load balancer attributes. Specifically, you need the elasticloadbalancing:ModifyLoadBalancerAttributes permission.

AWS Console Method

  1. Open the EC2 console
  2. In the left navigation under Load Balancing, click Load Balancers
  3. Select the load balancer you want to protect (click the checkbox next to it)
  4. Click the Attributes tab in the lower panel
  5. Click Edit (in the Attributes section)
  6. Find Deletion protection and toggle it to On
  7. Click Save changes

You should see a confirmation message, and the load balancer's deletion protection status will update.

AWS CLI (optional)

Use the following command to enable deletion protection on a load balancer:

aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn <your-load-balancer-arn> \
  --attributes Key=deletion_protection.enabled,Value=true \
  --region us-east-1

Replace <your-load-balancer-arn> with the ARN of your load balancer.

Example:

aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-production-alb/50dc6c495c0c9188 \
  --attributes Key=deletion_protection.enabled,Value=true \
  --region us-east-1

Expected output:

{
  "Attributes": [
    {
      "Key": "deletion_protection.enabled",
      "Value": "true"
    },
    {
      "Key": "access_logs.s3.enabled",
      "Value": "false"
    }
  ]
}

To find your load balancer ARN:

aws elbv2 describe-load-balancers \
  --names my-production-alb \
  --region us-east-1 \
  --query "LoadBalancers[0].LoadBalancerArn" \
  --output text

CloudFormation (optional)

When creating a load balancer with CloudFormation, you can enable deletion protection using the LoadBalancerAttributes property.

Application Load Balancer example:

AWSTemplateFormatVersion: '2010-09-09'
Description: Application Load Balancer with deletion protection enabled

Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-production-alb
      Type: application
      Scheme: internet-facing
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      SecurityGroups:
        - !Ref ALBSecurityGroup
      LoadBalancerAttributes:
        - Key: deletion_protection.enabled
          Value: "true"
      Tags:
        - Key: Environment
          Value: Production

Network Load Balancer example:

Resources:
  NetworkLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: my-production-nlb
      Type: network
      Scheme: internet-facing
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      LoadBalancerAttributes:
        - Key: deletion_protection.enabled
          Value: "true"

For existing load balancers: Update your stack template to include the deletion_protection.enabled attribute and run a stack update.

Terraform (optional)

Use the enable_deletion_protection argument in the aws_lb resource:

Application Load Balancer example:

resource "aws_lb" "production_alb" {
  name               = "my-production-alb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = [aws_subnet.public_1.id, aws_subnet.public_2.id]

  enable_deletion_protection = true

  tags = {
    Environment = "Production"
  }
}

Network Load Balancer example:

resource "aws_lb" "production_nlb" {
  name               = "my-production-nlb"
  internal           = false
  load_balancer_type = "network"
  subnets            = [aws_subnet.public_1.id, aws_subnet.public_2.id]

  enable_deletion_protection = true

  tags = {
    Environment = "Production"
  }
}

For existing resources: Add enable_deletion_protection = true to your existing aws_lb resource and run terraform apply.

Verification

After enabling deletion protection, verify it is active:

  1. Go to the EC2 console
  2. Click Load Balancers in the left navigation
  3. Select your load balancer
  4. Click the Attributes tab
  5. Confirm Deletion protection shows Enabled

CLI verification

aws elbv2 describe-load-balancer-attributes \
  --load-balancer-arn <your-load-balancer-arn> \
  --region us-east-1 \
  --query "Attributes[?Key=='deletion_protection.enabled']"

Expected output:

[
  {
    "Key": "deletion_protection.enabled",
    "Value": "true"
  }
]

To check all load balancers at once:

aws elbv2 describe-load-balancers \
  --region us-east-1 \
  --query "LoadBalancers[*].LoadBalancerArn" \
  --output text | tr '\t' '\n' | while read arn; do
  echo "Load Balancer: $arn"
  aws elbv2 describe-load-balancer-attributes \
    --load-balancer-arn "$arn" \
    --region us-east-1 \
    --query "Attributes[?Key=='deletion_protection.enabled'].Value" \
    --output text
done
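The same account-wide audit as an offline Python function, added here as an example and not part of the check's own tooling: it evaluates the JSON that describe-load-balancers and describe-load-balancer-attributes return, and goes slightly beyond the loop above by failing closed when the attribute is missing and by accepting a "True"/"true" value case-insensitively. The NLB and GWLB ARNs and all attribute responses are constructed sample data.

```python
ALB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-production-alb/50dc6c495c0c9188"
NLB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-production-nlb/0123456789abcdef"
GWLB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/gwy/my-gwlb/fedcba9876543210"

# Constructed sample in the shape `aws elbv2 describe-load-balancers` returns,
# trimmed to the fields used here (the NLB and GWLB ARNs are made up).
DESCRIBE_LBS = {"LoadBalancers": [
    {"LoadBalancerArn": ALB, "LoadBalancerName": "my-production-alb", "Type": "application"},
    {"LoadBalancerArn": NLB, "LoadBalancerName": "my-production-nlb", "Type": "network"},
    {"LoadBalancerArn": GWLB, "LoadBalancerName": "my-gwlb", "Type": "gateway"},
]}

# Constructed per-ARN outputs of `aws elbv2 describe-load-balancer-attributes`.
ATTRIBUTES_BY_ARN = {
    ALB: {"Attributes": [{"Key": "deletion_protection.enabled", "Value": "true"},
                         {"Key": "access_logs.s3.enabled", "Value": "false"}]},
    NLB: {"Attributes": [{"Key": "deletion_protection.enabled", "Value": "false"}]},
    GWLB: {"Attributes": [{"Key": "access_logs.s3.enabled", "Value": "false"}]},  # key absent
}


def deletion_protection_enabled(attributes_response):
    """True only when the attribute is present and its value is the string 'true'.

    A missing attribute counts as unprotected rather than unknown, so a filtered
    or truncated response can never make an unprotected load balancer pass.
    """
    for attr in attributes_response.get("Attributes", []):
        if attr.get("Key") == "deletion_protection.enabled":
            return str(attr.get("Value", "")).strip().lower() == "true"
    return False


def find_unprotected(describe_lbs, attributes_by_arn):
    """Return one finding per load balancer that fails the check."""
    findings = []
    for lb in describe_lbs.get("LoadBalancers", []):
        arn = lb["LoadBalancerArn"]
        attrs = attributes_by_arn.get(arn, {"Attributes": []})  # nothing fetched: fail closed
        if not deletion_protection_enabled(attrs):
            findings.append({"name": lb.get("LoadBalancerName"), "type": lb.get("Type"), "arn": arn})
    return findings


if __name__ == "__main__":
    for f in find_unprotected(DESCRIBE_LBS, ATTRIBUTES_BY_ARN):
        print(f"FAIL  {f['type']:<12}{f['name']:<20}{f['arn']}")
```

To run it against a live account, feed the function the parsed output of the two CLI commands above (or the equivalent boto3 calls) instead of the constructed dictionaries.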

Additional Resources

Notes

  • All ELBv2 types supported: Deletion protection works for Application Load Balancers (ALB), Network Load Balancers (NLB), and Gateway Load Balancers (GWLB).
  • Must disable to delete: If you need to delete a protected load balancer, you must first disable deletion protection, then delete it. This intentional two-step process prevents accidental deletions.
  • Does not prevent modifications: Deletion protection only blocks deletion. You can still modify listeners, rules, target groups, and other settings.
  • IAM restriction recommended: Use IAM policies to restrict who can disable deletion protection in production environments. Limit the elasticloadbalancing:ModifyLoadBalancerAttributes permission to authorized personnel.
  • Consider for all production resources: Deletion protection is especially important for load balancers that serve production traffic, as recreation requires DNS updates and can cause extended outages.
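Because deleting a protected load balancer is a two-step process (disable, then delete), both steps leave CloudTrail records that a detection can watch for. The following is an added example, not part of this check or of any AWS tooling, that classifies ELBv2 CloudTrail records and escalates a successful DeleteLoadBalancer that follows a deletion_protection.enabled=false change on the same ARN. The records, principals, timestamps and the error code string are constructed sample data; the helper _event and the record field names it uses are assumptions about the logged shape.

```python
ALB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-production-alb/50dc6c495c0c9188"
ELB_SOURCE = "elasticloadbalancing.amazonaws.com"

def _event(time, name, who, arn, attrs=None, error=None):
    """Build a minimal constructed CloudTrail record for one ELBv2 API call."""
    rec = {"eventTime": time, "eventSource": ELB_SOURCE, "eventName": name,
           "userIdentity": {"arn": f"arn:aws:iam::123456789012:{who}"},
           "requestParameters": {"loadBalancerArn": arn}, **({"errorCode": error} if error else {})}
    if attrs is not None:
        rec["requestParameters"]["attributes"] = [{"key": k, "value": v} for k, v in attrs]
    return rec

# Constructed sample trail (principals, times and the error code string are made up).
RECORDS = [
    _event("2024-05-01T10:00:00Z", "ModifyLoadBalancerAttributes", "role/deploy", ALB,
           attrs=[("access_logs.s3.enabled", "true")]),        # unrelated attribute change
    _event("2024-05-01T10:02:00Z", "DeleteLoadBalancer", "user/bob", ALB,
           error="OperationNotPermitted"),                     # delete refused by protection
    _event("2024-05-01T10:04:00Z", "ModifyLoadBalancerAttributes", "user/alice", ALB,
           attrs=[("deletion_protection.enabled", "false")]),  # protection switched off
    _event("2024-05-01T10:05:00Z", "DeleteLoadBalancer", "user/alice", ALB),  # then deleted
]

def classify(rec):
    """Map one record to an alert kind, or None when it does not concern this check."""
    if rec.get("eventSource") != ELB_SOURCE:
        return None
    params = rec.get("requestParameters") or {}
    if rec.get("eventName") == "ModifyLoadBalancerAttributes":
        for a in params.get("attributes", []):
            if a.get("key") == "deletion_protection.enabled" and str(a.get("value")).lower() == "false":
                return "deletion_protection_disabled"
    elif rec.get("eventName") == "DeleteLoadBalancer":
        return "delete_blocked" if rec.get("errorCode") else "load_balancer_deleted"
    return None

def scan(records):
    """Alerts in time order; a successful delete after a disable of the same ARN is escalated."""
    disabled, alerts = set(), []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        kind = classify(rec)
        if kind is None:
            continue
        arn = rec["requestParameters"].get("loadBalancerArn")
        if kind == "deletion_protection_disabled":
            disabled.add(arn)
        elif kind == "load_balancer_deleted" and arn in disabled:
            kind = "disabled_then_deleted"
        alerts.append({"kind": kind, "time": rec["eventTime"], "arn": arn, "who": rec["userIdentity"]["arn"]})
    return alerts
```

A "deletion_protection_disabled" alert on a production ARN is the signal to route to the owners named in your IAM restriction, since it is the only way a protected load balancer can be removed.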