Exercise: EC2 termination protection, security groups and resizing

Natasha Ong

Exercise overview:

In this exercise, you will gain a basic overview of launching, resizing, managing, and monitoring an Amazon EC2 instance.

Objectives:

By the end of this exercise, you should be able to do the following:

  • Launch a web server with termination protection enabled.
  • Monitor your EC2 instance.
  • Modify the security group that your web server is using to allow HTTP access.
  • Resize your Amazon EC2 instance to scale.
  • Test termination protection.
  • Terminate your EC2 instance.

Task 0: Log in and select the N. Virginia region

  • Click here to log in to the AWS Management Console. Sign in using the IAM user that you've created from
  • Before you start, check whether the AWS service you are using is a regional service or a global service by looking at the region selector at the upper right. One example of a global service is AWS IAM (refer to the first image below): the region selector is greyed out and you can't select a region. Amazon EC2 (refer to the second image below) is a regional service, so you choose the region in which you launch your virtual server, or EC2 instance. In this exercise, ensure you are in the N. Virginia (us-east-1) region.

Task 1: Launch your Amazon EC2 instance

In this task, you will launch an Amazon EC2 instance with termination protection enabled. Termination protection prevents you from accidentally terminating an EC2 instance. You will also use a user data script* to create a simple web page.

An extra note, for the curious: *What is a user data script? A user data script is a set of commands that customises your EC2 instance from the moment it is launched. For example, you might provide a script to install software, download files, or change settings at launch.

  1. From the AWS Management Console, use the AWS search bar to search for EC2 and then choose the service from the list of results.
  2. At the top left of the screen ensure New EC2 Experience is selected. No worries if you don't see this - AWS recently started making New EC2 the default experience for all accounts!
  • If you don't have the Management Console open in a full window, you'll find this by clicking the ≡ menu button at the top left

3. Choose Launch instance in the main EC2 page.

4. In the Name and tags section, enter "Web Server" in the Name box.

5. For Amazon Machine Image (AMI), select Amazon Linux 2023 AMI

6. In the Instance Type section, choose the Instance type drop-down menu and choose t2.micro.

An extra note, for the curious: A t2.micro instance type has 1 vCPU and 1 GiB of memory, and it's part of the AWS Free Tier. If you select an instance type that is not part of the Free Tier, there will be a dollar cost in your AWS account.

7. In the Key pair (login) section, locate the Key pair name drop-down menu and choose Proceed without a key pair (Not recommended).

An extra note, for the curious Why? A key-pair helps encrypt login information, and is important if you will need to log in to your instance. In this exercise you will not log into your instance, so you do not require a key pair.

8. In the Network settings section, choose the Edit button on the right hand corner. Make the following selections:

a) VPC: Choose the default VPC for now (we don't need to create a custom VPC on this exercise)

b) Subnet: Choose the Subnet with the Availability Zone <xxx-1a>. For example, us-east-1a (if you can't find this, it might be because you have not changed your region to N. Virginia back in Task 0)

9. In the Firewall (security groups) section, choose Create security group.

a) Security group name: Web Server security group

b) Description: Security group for my web server.

An extra note, for the curious: A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

c) Choose the Remove button to remove the existing SSH rule.

An extra note, for the curious: You should have no security group rules. In this lab, you will not log into your instance using SSH. Removing SSH access improves the security of an EC2 instance because it reduces the potential entry points for attackers. SSH is commonly used for secure remote administration, and if SSH is misconfigured, outdated, or uses weak authentication methods, it can be abused by cybercriminals (cybercriminals = people that attack computer systems, networks, or devices to steal, alter or destroy data). By eliminating SSH access, you lessen the risk of unauthorised access, brute force attacks, and potential data breaches.

10. In the Configure storage section, leave all as default.

11. Expand the Advanced details section. Scroll down to the Termination protection drop-down menu and set to Enable.

When an Amazon EC2 instance is no longer required, it can be terminated, which means that the instance is stopped and its resources are released.

A terminated instance cannot be started again. If you want to prevent the instance from being accidentally terminated, you can enable termination protection for the instance (what we're doing by clicking Enable).

12. Scroll all the way to the bottom of the Advanced details section, until you see a field for User data.

When you launch an instance, you can pass user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts. Your instance is running Amazon Linux, so you will provide a shell script that will run when the instance starts.

Copy the following text and paste it into the User data field:

The script will:

  • Install an Apache web server (httpd)
  • Configure the web server to automatically start on boot
  • Activate the Web server
  • Create a simple web page
  1. Choose Launch instance.
  2. You should see an expected output Success.
  3. Choose Instances from the menu on the left hand side. You may need to expand the menu to see this option.
  4. Refresh the page if you don't see your instance show up.
  • When creating a new instance, there will usually be a short time before you can access the instance. The instance might appear in a pending state, which means it is being launched. It will then change to running, which indicates that the instance has started getting ready.

5. Wait for your instance to display the following:

  • Instance state: Running
  • Status check: 2/2 checks passed

Periodically refresh the page if you don’t see a change in the Instance state or Status check values.

Congratulations! You have successfully launched your first Amazon EC2 instance.

Task 2: Monitor your instance

Monitoring is an important part of maintaining the reliability, availability, and performance of your Amazon Elastic Compute Cloud (Amazon EC2) instances and your AWS solutions. In this exercise, you will monitor the EC2 instance that you launched in the previous task.

  1. Select the EC2 instance (click on the checkbox next to it) that you launched from the previous task, scroll down, and click the Status and alarms tab.

Note: Can't seem to find this extra panel? It might be hidden. Click on the text "Instance: ..." at the bottom to see it.

With instance status monitoring, you can quickly determine whether Amazon EC2 has detected any problems that might prevent your instances from running applications. Amazon EC2 performs automated checks on every running EC2 instance to identify hardware and software issues. Notice that both the System status checks and Instance status checks have passed.

2. Click on the Monitoring tab.

This tab displays metrics for your instance. Currently, there are not many metrics to display because the instance was recently launched.

You can click on a graph to see an expanded view.

Amazon EC2 sends metrics for your EC2 instances to Amazon CloudWatch (we'll learn about it later in this course).

Basic (every five minutes) monitoring is enabled by default. You can enable detailed (one-minute) monitoring.

3. Click the Actions menu in the upper right corner of the console, choose Monitor and troubleshoot and select Get system log.

Expected output:

Note: If you do not see a system log, wait a couple of minutes and refresh the log screen until it appears.

4. Scroll through the output. There's a log entry showing that the httpd package was installed by the user data you added when you created the instance. This is the line that starts with httpd-filesystem. Great! That's why system logs are super helpful: they give us awareness of what's happening with our instance.

5. Scroll down to the bottom of the browser window and select Cancel.

6. Select the checkbox next to your Web Server, then select the Actions menu, choose Monitor and troubleshoot and select Get instance screenshot

Expected output:

This shows you what your Amazon EC2 instance console would look like if a screen were attached to it. This is helpful if you ever want to see what your web server looks like but can't reach it via SSH or RDP. Getting a quick screenshot shows you the instance and allows for quicker troubleshooting.

8. Scroll down to the bottom of the browser window and select Cancel.

Congratulations! You have explored several ways to monitor your instance.

Task 3: Update your security group and access the web server

In this task, you will update your security group to gain access to your web server.

  1. Select the checkbox next to your Web Server, then choose the Details tab.
  2. Copy the Public IPv4 address of your instance to your clipboard.
  • Note: Don't click the open address link, because it will give you a different output in the later steps.

3. Open a new tab in your web browser, paste the IP address you just copied, then press Enter. Or, simply click the open address button next to your Public IPv4 address

Now let's pause and think: Are you able to access your web server? Why not?
You are not currently able to access your web server because the security group you set up in Step 9 (of Task 1) is not permitting inbound traffic on port 80, which is used for HTTP web requests. This is a demonstration of using a security group as a firewall to restrict the network traffic that is allowed in and out of an instance. To correct this, you will now update the security group to permit web traffic on port 80.

4. Keep the browser tab open, but return to the EC2 Management Console tab.

5. In the left navigation pane, scroll down to the Network & Security section and select Security Groups.

6. Select the Security group ID with the Security group name Web Server security group.

The security group currently has no inbound rules.

  1. Choose the Inbound rules tab.
  2. Choose Edit inbound rules.
  3. Choose Add rule, then configure:
     • Type: HTTP
     • Source type: Anywhere-IPv4
  4. Select Save rules.

Note:

When adding the inbound rule, you choose the HTTP type because the website/webapp you're hosting on your EC2 instance needs to be accessible to users on the internet. You can choose other protocol types depending on the use case.
Using “Anywhere”, or more specifically, using 0.0.0.0/0 is not a recommended best practice for production workloads. Using 0.0.0.0/0 (for IPv4) in security groups or network access control lists (NACLs) means allowing access from any IP address in the world.
This is not considered best practice because it exposes resources to potential security threats from the entire internet. It's always recommended to restrict access to only the necessary IP addresses or ranges to enhance security. We're using it for this exercise because we'll be deleting our security group and web server later.

7. Return to the web server tab that you previously opened and refresh the page. You should see the message: Hello From Your Web Server!

Note: If the expected output is different, see below the process for resolving the error.

If you click the open address link in your Public IPv4 address, the output will be different. Refer to the image below.

The reason for this is that the open address link is a secured link, which means the URL uses HTTPS. You only added a rule for HTTP (see step 9a on this task). To solve this, you have to remove the "s" in "https" (see images below).

An alternative way is to copy only the Public IPv4 address of the EC2 instance to skip the steps above about removing the "s" in "HTTPS".

Congratulations! You have successfully modified your security group to permit HTTP traffic into your Amazon EC2 Instance.
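The note above about 0.0.0.0/0 can be turned into a routine check. The following is an added example, not part of the original exercise: it scans security group data for inbound rules open to any address and separates the intended public web ports from everything else. The sample response, the group IDs, the function names and the `public_ok` default are assumptions made for illustration; the field names follow the EC2 DescribeSecurityGroups response.

```python
# Added example (not from the original exercise): find ingress rules open to the world.
# SAMPLE_RESPONSE is constructed; it mirrors the shape of EC2 DescribeSecurityGroups output.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0example0000000a",  # constructed placeholder ID
     "GroupName": "Web Server security group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example0000000b",  # constructed placeholder ID
     "GroupName": "admin",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1",  # all protocols; such rules carry no port fields
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}


def describe_ports(rule):
    """Return a label such as 'tcp/80', 'tcp/8000-8100' or 'all traffic'."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    low, high = rule.get("FromPort"), rule.get("ToPort")
    if low is None:
        return proto
    return f"{proto}/{low}" if low == high else f"{proto}/{low}-{high}"


def world_open_rules(response, public_ok=("tcp/80", "tcp/443")):
    """Return (group_id, ports, cidr, severity) for each rule open to any address.

    Ports listed in public_ok (an assumption: public web ports) are marked
    'expected'; any other world-open rule is marked 'high'.
    """
    findings = []
    for group in response.get("SecurityGroups", []):
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            label = describe_ports(rule)
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    severity = "expected" if label in public_ok else "high"
                    findings.append((group["GroupId"], label, cidr, severity))
    return findings


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_RESPONSE):
        print(*finding, sep="\t")
```

The same function accepts the dictionary returned by a live DescribeSecurityGroups call in place of the constructed sample.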

Task 4: Resize your instance: Instance types and EBS volume

Note: This is very critical to know. In this task, you will resize your instance type and EBS volume. Before you start resizing, you must stop your instance first. This is just like your local computer/laptop when you want to upgrade the disk of your laptop/computer.

In the AWS cloud, as your needs change, you might find that your instance is over-utilized (too small for what you need) or under-utilized (too large for what you need). If so, you can change the instance type. For example, if a t3.micro instance is too small for its workload, you can change it to a t3.small instance (a bigger instance than t3.micro). You can also change the size of a disk.

When you stop an instance, it is shut down. There is no charge for a stopped EC2 instance, but the storage charge for attached Amazon EBS volumes remains.

STOP YOUR INSTANCE

  1. On the EC2 Management Console, in the left navigation pane, choose Instances.
  2. If it is not already selected, select the Web Server.
  3. Click Instance state, then choose Stop instance.

Your instance will perform a normal shutdown and then will stop running. This may take a couple of minutes.

  1. Wait for the Instance State to display: Stopped. If it's not stopped yet, you won't be able to do Step 6!

CHANGE THE INSTANCE TYPE

  1. If it is not already selected, select the Web Server.
  2. Select the Actions menu, select Instance settings and Change instance type, then configure:
     • Instance type: t3.small
  3. Choose Apply.

RESIZE THE EBS VOLUME

  1. In the left navigation pane, scroll to the Elastic Block Store section and select Volumes
  2. Select the volume there.
  3. Select Modify.

The disk volume currently has a size of 8 GiB. You will now increase the size of this disk.

  1. Change the size (GiB) to 10
  2. Click Modify
  3. A modal pops up asking you to confirm your decision. Click Modify to confirm.

START THE RESIZED INSTANCE

You will now start the instance again, which will now have more memory and more disk space.

  1. In the left navigation pane, select Instances.
  2. Select your Web Server.
  3. Select Instance state and then Start instance.

Note: An EBS volume being modified goes through a sequence of states: Modifying, Optimizing, and finally Complete.

Congratulations! You have successfully resized your Amazon EC2 Instance. In this task, you changed your instance type from t3.micro to t3.small. You also modified your root disk volume from 8 GiB to 10 GiB.

Task 5: Test termination protection

In this task, you will learn how to use termination protection. You can delete your instance when you no longer need it. This is referred to as terminating your instance. You cannot connect to or restart an instance after it has been terminated.

  1. In the left navigation pane, select Instances.
  2. Select your Web Server.
  3. Select Instance state and then choose Terminate instance.
  4. A confirmation modal pops up. Select Terminate.

At this point, you see the following error message on top of the page:

Failed to terminate an instance: The instance ‘i-xxxxxxxx’ may not be terminated. Modify its ‘disableApiTermination’ instance attribute and try again.

The above error is expected, and this is a safeguard to prevent the accidental termination of an instance. If you really want to terminate the instance, you will need to disable the termination protection.

  1. Select Actions, choose Instance settings, and Change termination protection.
  2. Unselect Enable.
  3. Choose Save

You can now terminate the instance.

  1. Refresh the instance console screen.
  2. Select the Web Server
  3. Choose Instance state, and click Terminate instance.
  4. A confirmation modal pops up. Select Terminate.

Expected output:

In the page you're on, the Instance state of the Web Server instance should change to Terminated. You may have to refresh the page a few times!

Congratulations! You have successfully tested termination protection and terminated your instance.
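The same safeguard at the API level, as an added example that is not part of the original exercise: the console's termination protection setting is the `disableApiTermination` attribute named in the error message, and a script can check it before terminating. `FakeEC2`, `is_protected`, `terminate`, `remove_protection` and the instance ID are hypothetical names constructed for illustration; the three client method names and their parameters follow the boto3 EC2 client.

```python
# Added example (not from the original exercise): honour termination protection in a script.
# FakeEC2 is a constructed stand-in so this runs offline; for real use pass boto3.client("ec2").


class FakeEC2:
    """Constructed stand-in for the three EC2 client calls used below."""

    def __init__(self, protected):
        self.protected = dict(protected)  # instance ID -> protection enabled?
        self.terminated = []

    def describe_instance_attribute(self, InstanceId, Attribute):
        if Attribute != "disableApiTermination":
            raise ValueError("only disableApiTermination is modelled here")
        return {"InstanceId": InstanceId,
                "DisableApiTermination": {"Value": self.protected[InstanceId]}}

    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        self.protected[InstanceId] = DisableApiTermination["Value"]

    def terminate_instances(self, InstanceIds):
        for instance_id in InstanceIds:
            if self.protected[instance_id]:  # the real API also rejects this call
                raise RuntimeError(f"The instance '{instance_id}' may not be terminated.")
        self.terminated.extend(InstanceIds)


def is_protected(ec2, instance_id):
    """Read the disableApiTermination attribute (True means protection is on)."""
    response = ec2.describe_instance_attribute(
        InstanceId=instance_id, Attribute="disableApiTermination")
    return response["DisableApiTermination"]["Value"]


def terminate(ec2, instance_id, remove_protection=False):
    """Terminate only if unprotected, or if the caller explicitly lifts protection."""
    if is_protected(ec2, instance_id):
        if not remove_protection:
            return "refused: termination protection is enabled"
        ec2.modify_instance_attribute(
            InstanceId=instance_id, DisableApiTermination={"Value": False})
    ec2.terminate_instances(InstanceIds=[instance_id])
    return "terminated"


if __name__ == "__main__":
    client = FakeEC2({"i-0constructed0000001": True})  # constructed instance ID
    print(terminate(client, "i-0constructed0000001"))
    print(terminate(client, "i-0constructed0000001", remove_protection=True))
```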

You have successfully done the following:

  • Launched a web server with termination protection enabled.
  • Monitored your EC2 instance.
  • Modified the security group that your web server is using to allow HTTP access.
  • Resized your Amazon EC2 instance to scale.
  • Tested termination protection.