This check verifies whether GCP Compute Engine VM instances have deletion protection enabled to prevent accidental termination of production or critical workloads.
Risk
Without deletion protection enabled, a VM instance can be deleted by mistake by any user who holds sufficient permissions on it.
This could result in:
- Service disruption and downtime for critical applications
- Data loss if persistent disks are also deleted
- Recovery delays while recreating instances and restoring configurations
Run this check with Prowler CLI
prowler gcp --checks compute_instance_deletion_protection_enabled
Recommendation
Enable deletion protection on all production and business-critical VM instances to prevent accidental termination. Regularly review instances to ensure critical workloads are protected.
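The periodic review the recommendation asks for can be automated over the instance listing returned by the Compute API. The Python below is an added example, not Prowler's own check source: it reproduces the check's PASS/FAIL decision over a constructed set of instance records shaped like the Compute API `Instance` resource (`name`, `zone` URL, `deletionProtection` boolean), treats a missing `deletionProtection` field as false as the API does, and emits the page's gcloud remediation command for each failing instance. The project `example-project` and the instance names are placeholders.

```python
"""Evaluate Compute Engine instances for deletion protection.

Added example, not Prowler's own check source. Instance records follow the
Compute API ``Instance`` resource shape (``name``, ``zone`` URL,
``deletionProtection`` boolean); the sample below is constructed and uses
the placeholder project ``example-project``.
"""
from dataclasses import dataclass

ZONE_PREFIX = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"

# Constructed sample records. The third instance omits deletionProtection,
# which the API treats as false, so it must be reported as unprotected.
SAMPLE_INSTANCES = [
    {"name": "prod-db-1", "zone": ZONE_PREFIX + "us-central1-a",
     "status": "RUNNING", "deletionProtection": True},
    {"name": "prod-web-1", "zone": ZONE_PREFIX + "us-central1-a",
     "status": "RUNNING", "deletionProtection": False},
    {"name": "legacy-batch", "zone": ZONE_PREFIX + "europe-west1-b",
     "status": "TERMINATED"},
]


@dataclass(frozen=True)
class Finding:
    """One result per instance, mirroring a PASS/FAIL check report."""
    name: str
    zone: str
    status: str      # "PASS" or "FAIL"
    message: str


def zone_name(instance: dict) -> str:
    """The Compute API reports the zone as a URL; keep only its last segment."""
    return instance["zone"].rstrip("/").rsplit("/", 1)[-1]


def has_deletion_protection(instance: dict) -> bool:
    """An absent field defaults to false, exactly as the API does."""
    return bool(instance.get("deletionProtection", False))


def evaluate(instances: list[dict]) -> list[Finding]:
    """Produce one finding per instance."""
    findings = []
    for inst in instances:
        zone = zone_name(inst)
        if has_deletion_protection(inst):
            findings.append(Finding(
                inst["name"], zone, "PASS",
                f"VM instance {inst['name']} has deletion protection enabled."))
        else:
            findings.append(Finding(
                inst["name"], zone, "FAIL",
                f"VM instance {inst['name']} does not have deletion protection enabled."))
    return findings


def remediation_commands(findings: list[Finding]) -> list[str]:
    """The page's gcloud command, filled in for every failing instance."""
    return [
        f"gcloud compute instances update {f.name} --deletion-protection --zone={f.zone}"
        for f in findings if f.status == "FAIL"
    ]


if __name__ == "__main__":
    results = evaluate(SAMPLE_INSTANCES)
    for f in results:
        print(f"{f.status:4} {f.zone:16} {f.name:14} {f.message}")
    print("\nRemediation:")
    for cmd in remediation_commands(results):
        print("  " + cmd)
```

The check reads only the instance-level `deletionProtection` flag. The disk loss mentioned under Risk is governed by a separate attribute, the `autoDelete` setting on each entry of the instance's attached disks, so a protected instance can still have disks configured to be deleted with it; that is a distinct review item and is not covered by this check.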
Remediation
CLI
gcloud compute instances update INSTANCE_NAME --deletion-protection --zone=ZONE
Terraform
Other
- Open the Google Cloud Console
- Navigate to Compute Engine > VM instances
- Select the target VM instance
- Click Edit
- Under Deletion protection, check the box to enable it
- Click Save
Source Code
Resource Type
compute.googleapis.com/Instance