# Delete your Auto Scaling infrastructure
To completely delete your scaling infrastructure, complete the following tasks.
**Topics**
+ [Delete your Auto Scaling group](#as-shutdown-lbs-delete-asg-cli)
+ [(Optional) Delete the launch configuration](#as-shutdown-lbs-delete-lc-cli)
+ [(Optional) Delete the launch template](#as-shutdown-lbs-delete-lt-cli)
+ [(Optional) Delete the load balancer and target groups](#as-shutdown-lbs-delete-lbs-cli)
+ [(Optional) Delete CloudWatch alarms](#as-shutdown-delete-alarms-cli)
+ [Configure deletion protection for your Amazon EC2 Auto Scaling resources](resource-deletion-protection.md)
## Delete your Auto Scaling group
When you delete an Auto Scaling group, its desired, minimum, and maximum values are set to 0. As a result, the instances are terminated. Deleting an instance also deletes any associated logs or data, and any volumes on the instance. If you do not want to terminate one or more instances, you can detach them before you delete the Auto Scaling group. If the group has scaling policies, deleting the group deletes the policies, the underlying alarm actions, and any alarm that no longer has an associated action.
**To delete your Auto Scaling group (console)**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/), and choose **Auto Scaling Groups** from the navigation pane.
1. Select the check box next to your Auto Scaling group and choose **Actions**, **Delete**.
1. When prompted for confirmation, type **delete** to confirm deleting the specified Auto Scaling group and then choose **Delete**.
A loading icon in the **Name** column indicates that the Auto Scaling group is being deleted. The **Desired**, **Min**, and **Max** columns show `0` instances for the Auto Scaling group. It takes a few minutes to terminate the instance and delete the group. Refresh the list to see the current state.
**To delete your Auto Scaling group (AWS CLI)**
Use the following [delete-auto-scaling-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/delete-auto-scaling-group.html) command to delete the Auto Scaling group. This operation does not work if the group has any EC2 instances; it is for group's with zero instances only.
```
aws autoscaling delete-auto-scaling-group --auto-scaling-group-name my-asg
```
If the group has instances or scaling activities in progress, use the [delete-auto-scaling-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/delete-auto-scaling-group.html) command with the `--force-delete` option. This will also terminate the EC2 instances. When you delete an Auto Scaling group from the Amazon EC2 Auto Scaling console, the console uses this operation to terminate any EC2 instances and delete the group at the same time.
```
aws autoscaling delete-auto-scaling-group --auto-scaling-group-name my-asg --force-delete
```
## (Optional) Delete the launch configuration
You can skip this step to keep the launch configuration for future use.
**To delete the launch configuration (console)**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. On the left navigation pane, under **Auto Scaling**, choose **Auto Scaling Groups**.
1. Choose **Launch configurations** near the top of the page. When prompted for confirmation, choose **View launch configurations** to confirm that you want to view the **Launch configurations** page.
1. Select your launch configuration and choose **Actions**, **Delete launch configuration**.
1. When prompted for confirmation, choose **Delete**.
**To delete the launch configuration (AWS CLI)**
Use the following [delete-launch-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/delete-launch-configuration.html) command.
```
aws autoscaling delete-launch-configuration --launch-configuration-name my-launch-config
```
## (Optional) Delete the launch template
You can delete your launch template or just one version of your launch template. When you delete a launch template, all its versions are deleted.
You can skip this step to keep the launch template for future use.
**To delete your launch template (console)**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. On the navigation pane, under **Instances**, choose **Launch Templates**.
1. Select your launch template and then do one of the following:
+ Choose **Actions**, **Delete template**. When prompted for confirmation, type **Delete** to confirm deleting the specified launch template and then choose **Delete**.
+ Choose **Actions**, **Delete template version**. Select the version to delete and choose **Delete**.
**To delete the launch template (AWS CLI)**
Use the following [delete-launch-template](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-launch-template.html) command to delete your template and all its versions.
```
aws ec2 delete-launch-template --launch-template-id lt-068f72b72934aff71
```
Alternatively, you can use the [delete-launch-template-versions](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-launch-template-versions.html) command to delete a specific version of a launch template.
```
aws ec2 delete-launch-template-versions --launch-template-id lt-068f72b72934aff71 --versions 1
```
## (Optional) Delete the load balancer and target groups
Skip this step if your Auto Scaling group is not associated with an Elastic Load Balancing load balancer, or if you want to keep the load balancer for future use.
**To delete your load balancer (console)**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
1. On the navigation pane, under **Load Balancing**, choose **Load Balancers**.
1. Choose the load balancer and choose **Actions**, **Delete**.
1. When prompted for confirmation, choose **Yes, Delete**.
**To delete your target group (console)**
1. On the navigation pane, under **Load Balancing**, choose **Target Groups**.
1. Choose the target group and choose **Actions**, **Delete**.
1. When prompted for confirmation, choose **Yes, Delete**.
**To delete the load balancer associated with the Auto Scaling group (AWS CLI)**
For Application Load Balancers and Network Load Balancers, use the following [delete-load-balancer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/delete-load-balancer.html) and [delete-target-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/delete-target-group.html) commands.
```
aws elbv2 delete-load-balancer --load-balancer-arn my-load-balancer-arn
aws elbv2 delete-target-group --target-group-arn my-target-group-arn
```
For Classic Load Balancers, use the following [delete-load-balancer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elb/delete-load-balancer.html) command.
```
aws elb delete-load-balancer --load-balancer-name my-load-balancer
```
## (Optional) Delete CloudWatch alarms
To delete the CloudWatch alarms associated with your Auto Scaling group, complete the following steps. For example, you might have alarms associated with step scaling or simple scaling policies.
**Note**
Deleting an Auto Scaling group automatically deletes the CloudWatch alarms that Amazon EC2 Auto Scaling manages for a target tracking scaling policy.
You can skip this step if your Auto Scaling group is not associated with any CloudWatch alarms, or if you want to keep the alarms for future use.
**To delete the CloudWatch alarms (console)**
1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. On the navigation pane, choose **Alarms**.
1. Choose the alarms and choose **Action**, **Delete**.
1. When prompted for confirmation, choose **Delete**.
**To delete the CloudWatch alarms (AWS CLI)**
Use the [delete-alarms](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html) command. You can delete one or more alarms at a time. For example, use the following command to delete the `Step-Scaling-AlarmHigh-AddCapacity` and `Step-Scaling-AlarmLow-RemoveCapacity` alarms.
```
aws cloudwatch delete-alarms --alarm-name Step-Scaling-AlarmHigh-AddCapacity Step-Scaling-AlarmLow-RemoveCapacity
```
# Configure deletion protection for your Amazon EC2 Auto Scaling resources
Protect your Amazon EC2 Auto Scaling infrastructure from accidental deletion by configuring multiple layers of protection. Auto Scaling provides several approaches to prevent unwanted resource deletion for your Auto Scaling groups and the Amazon EC2 instances that it manages.
**Topics**
+ [Configure Auto Scaling group deletion protection](#asg-deletion-protection)
+ [Control deletion permissions with IAM policies](#deletion-protection-iam-policies)
## Configure Auto Scaling group deletion protection
Deletion protection is a resource-level setting that prevents your Amazon EC2 Auto Scaling group from accidental deletion. When enabled, deletion protection blocks the [ DeleteAutoScalingGroup ](https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_DeleteAutoScalingGroup.html) API operation from succeeding, requiring you to first update the deletion protection setting to a less restrictive level before you can delete the Auto Scaling group.
Amazon EC2 Auto Scaling offers three levels of deletion protection:
**None** (default)
No deletion protection is enabled, meaning your Auto Scaling group can be deleted with or without using the `ForceDelete` option. When `ForceDelete` is used, all Amazon EC2 instances managed by your Auto Scaling group will also be forcibly terminated without executing termination lifecycle hooks.
**Prevent force deletion**
Your Auto Scaling group can't be deleted when using the `ForceDelete` option. This configuration allows deletion of empty Auto Scaling groups (groups with no instances). This option is recommended for production workloads where you want to prevent mass instance termination but allow cleanup of empty groups.
**Prevent all deletion**
Your Auto Scaling group can't be deleted regardless of whether the `ForceDelete` option is used. This option provides the strongest protection against accidental deletion. It requires explicitly disabling deletion protection before your Auto Scaling group can be deleted. This is recommended for mission-critical Auto Scaling groups that should rarely or never be deleted.
### How deletion protection works
When you attempt the [ DeleteAutoScalingGroup ](https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_DeleteAutoScalingGroup.html) API operation with deletion protection enabled:
1. Amazon EC2 Auto Scaling validates the deletion protection setting before processing the request.
1. If the configured deletion protection level blocks the deletion attempt, Amazon EC2 Auto Scaling returns a `ValidationError`.
1. Your Auto Scaling group and its Amazon EC2 instances remain unchanged.
1. You must update the deletion protection setting to a less restrictive level before you can delete your Auto Scaling group.
Deletion protection does not prevent other operations such as:
+ Updating the Auto Scaling group configuration.
+ Terminating individual instances.
+ Scaling operations (manual or automatic).
+ Suspending or resuming processes.
For more information on how to gracefully handle instance termination, see [Design your applications to gracefully handle instance termination](gracefully-handle-instance-termination.md).
### Configure deletion protection
You can set deletion protection when you create an Auto Scaling group or update the setting on an existing Auto Scaling group.
------
#### [ Console ]
**To create an Auto Scaling group with deletion protection**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/), and choose **Auto Scaling Groups** from the navigation pane.
1. Choose **Create Auto Scaling group**.
1. Complete the configuration steps for your Auto Scaling group.
1. On the **Configure group size and scaling** page, expand **Additional settings**.
1. For **Auto Scaling group deletion protection**, choose your desired protection level:
+ **None** - No deletion protection (default)
+ **Prevent force deletion** - Block force delete operations
+ **Prevent all deletion** - Block all delete operations
1. Complete the remaining steps to create your Auto Scaling group.
**To update deletion protection on an existing Auto Scaling group**
1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/), and choose **Auto Scaling Groups** from the navigation pane.
1. Select the check box next to your Auto Scaling group.
1. Choose **Actions**, **Edit**.
1. Under **Additional settings**, update the **Auto Scaling group deletion protection** setting.
1. Choose **Update**.
------
#### [ AWS CLI ]
**To create an Auto Scaling group with deletion protection**
Use the [create-auto-scaling-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/create-auto-scaling-group.html) command with the `--deletion-protection` parameter:
```
aws autoscaling create-auto-scaling-group \
--auto-scaling-group-name my-asg \
--launch-template LaunchTemplateName=my-template,Version='$Latest' \
--min-size 1 \
--max-size 5 \
--desired-capacity 2 \
--vpc-zone-identifier "subnet-12345678,subnet-87654321" \
--deletion-protection prevent-force-deletion
```
Valid values for `--deletion-protection` are: `none` \$1 `prevent-force-deletion` \$1 `prevent-all-deletion`
**To update deletion protection on an existing Auto Scaling group**
Use the [update-auto-scaling-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/update-auto-scaling-group.html) command:
```
aws autoscaling update-auto-scaling-group \
--auto-scaling-group-name my-asg \
--deletion-protection prevent-all-deletion
```
**To disable deletion protection**
Set deletion protection to `none`:
```
aws autoscaling update-auto-scaling-group \
--auto-scaling-group-name my-asg \
--deletion-protection none
```
**To verify deletion protection status**
Use the [describe-auto-scaling-groups](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/autoscaling/describe-auto-scaling-groups.html) command:
```
aws autoscaling describe-auto-scaling-groups \
--auto-scaling-group-names my-asg
```
------
## Control deletion permissions with IAM policies
Use AWS Identity and Access Management (IAM) policies to control which users and roles can delete Auto Scaling groups. IAM-based controls provide an additional layer of security by restricting permissions at the identity level.
IAM policies are particularly useful when you want to:
+ Allow different users different levels of access to Auto Scaling operations.
+ Prevent specific users from using the `ForceDelete` option even if they can perform other Auto Scaling operations.
+ Restrict deletion permissions to specific Auto Scaling groups.
The following policy allows deletion of an Auto Scaling group only if the group has the tag `environment=development`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "autoscaling:DeleteAutoScalingGroup",
"Resource": "*",
"Condition": {
"StringEquals": { "aws:ResourceTag/environment": "development" }
}
}]
}
```
------
The following policy uses the `autoscaling:ForceDelete` condition key to control access to the `DeleteAutoScalingGroup` API action. This can prevent certain users from using the `ForceDelete` operation, which terminates all Amazon EC2 instances within an Auto Scaling group.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "autoscaling:DeleteAutoScalingGroup",
"Resource": "*",
"Condition": {
"Bool": {
"autoscaling:ForceDelete": "true"
}
}
}]
}
```
------
Alternatively, if you are not using condition keys to control access to Auto Scaling groups, you can specify the ARNs of resources in the `Resource` element to control access instead.
The following policy gives users permissions to use the `DeleteAutoScalingGroup` API action, but only for Auto Scaling groups whose name begins with `devteam-`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "autoscaling:DeleteAutoScalingGroup",
"Resource": "arn:aws:autoscaling:us-east-1:111122223333:autoScalingGroup:*:autoScalingGroupName/devteam-*"
}
]
}
```
------
You can also specify multiple ARNs by enclosing them in a list. Including the UUID ensures that access is granted to the specific Auto Scaling group. The UUID for a new group is different from the UUID for a deleted group with the same name.
```
"Resource": [
"arn:aws:autoscaling:region:account-id:autoScalingGroup:uuid:autoScalingGroupName/devteam-1",
"arn:aws:autoscaling:region:account-id:autoScalingGroup:uuid:autoScalingGroupName/devteam-2",
"arn:aws:autoscaling:region:account-id:autoScalingGroup:uuid:autoScalingGroupName/devteam-3"
]
```
For additional examples of IAM policies for Amazon EC2 Auto Scaling, including policies that control deletion permissions, see [Identity-based policy examples](security_iam_id-based-policy-examples.md).