By default, new and existing EKS clusters do not have deletion protection enabled. You can switch it on when creating a cluster or activate it later at any point in time.
Accidentally deleting an Amazon EKS cluster can be costly—resulting in downtime, lost configurations, and recovery headaches. To safeguard critical workloads, AWS recently introduced Deletion Protection for EKS clusters, a feature that ensures one must consciously disable protection before deletion is allowed
How It Works
When deletion protection is enabled, any attempt to delete the cluster will fail with an InvalidRequestException. To proceed, you must:
- Disable deletion protection, then
- Execute the delete command
Also note, IAM permissions must include both UpdateClusterConfig and DeleteCluster to perform the disable-and-delete sequence.(AWS Documentation)
Enabling & Disabling Deletion Protection
You can toggle deletion protection using the AWS CLI:
# Enable deletion protection on an active cluster
aws eks update-cluster-config --name YOUR_CLUSTER_NAME --region YOUR_REGION --deletion-protection# Disable deletion protection
aws eks update-cluster-config --name YOUR_CLUSTER_NAME --region YOUR_REGION --no-deletion-protectionOr You can change it using AWS Console. go to EKS > Overview and find : Deletion protection
Pro Tips
- Enable for production clusters—make this a standard step in your Kubernetes governance checklist.
- Enforce IAM controls—ensure only authorized roles can disable protection.
- Monitor changes via AWS CloudTrail or AWS Config to track status updates.
Final Word
AWS’s new deletion protection feature introduces a critical safeguard for mission-critical EKS clusters, adding deliberate friction to prevent accidental destruction. Whether you’re managing shared environments or automating cluster lifecycle tasks, enabling this protection is a small toggle that delivers huge peace of mind.