How to configure "Instance Protection" over CloudFormation in AWS?

It can be done using CloudFormation, but it's not easy.

CloudFormation still (as of 6/29/2020) does not officially support the Auto Scaling Instance Protection feature. This feature was launched back in 12/7/2015 and was unfortunately never integrated with CloudFormation.

For future reference, to confirm whether features have been integrated with CloudFormation, in addition to the resource documentation you can also refer to the CloudFormation release history to see if the desired feature is mentioned.

Other AWS SDKs tend to have more complete API coverage and are updated more frequently, so as a workaround you could create your AutoScaling Group using e.g. the AWS CLI create-auto-scaling-group command with the --new-instances-protected-from-scale-in flag.

If going outside CloudFormation to create your autoscaling group is not an option, another (more complicated) workaround would be to patch a Custom Resource on top of the existing CloudFormation resource to update the newly-created autoscaling group with the new feature setting using one of the updated SDKs. It works, but you'll need to create a lambda function and all supporting IAM roles and permissions, and hook them all together into a custom resource. For an example of how to do this to support another CloudFormation-unsupported feature (attaching ACM certificates to a CloudFront distribution), see my SO answer here.

Of course, it's easiest to wait for AWS to add official support for this feature to CloudFormation, as they eventually will. [Update 06/2020] OK, after four years I've given up waiting. I'll admit I was wrong about this one!
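The Custom Resource workaround in the answer above, as an added example (not code from either answer): a Lambda handler that receives the CloudFormation custom-resource event, calls UpdateAutoScalingGroup with NewInstancesProtectedFromScaleIn on the group named in the resource properties, and posts the result to the pre-signed ResponseURL. It goes one step further than the group-level flag, which only covers instances launched afterwards, and also calls SetInstanceProtection for instances already in service. The autoscaling client and the HTTP sender are injectable, and the `FakeAutoScaling` class, the `demo` function and every stack/request id in it are constructed so the logic runs offline; the real handler would use the `boto3` client it creates when no client is injected.

```python
import json
import urllib.request

PROTECT_PROP = "NewInstancesProtectedFromScaleIn"
SET_PROTECTION_BATCH = 50  # SetInstanceProtection takes at most 50 instance IDs per call


def apply_instance_protection(autoscaling, group_name, protect, existing=True):
    """Set scale-in protection for new instances on the group and, optionally,
    for the instances already in service (the group flag alone does not cover them)."""
    autoscaling.update_auto_scaling_group(
        AutoScalingGroupName=group_name, NewInstancesProtectedFromScaleIn=protect)
    touched = []
    if existing:
        groups = autoscaling.describe_auto_scaling_groups(
            AutoScalingGroupNames=[group_name])["AutoScalingGroups"]
        ids = [i["InstanceId"] for g in groups for i in g.get("Instances", [])]
        for start in range(0, len(ids), SET_PROTECTION_BATCH):
            batch = ids[start:start + SET_PROTECTION_BATCH]
            autoscaling.set_instance_protection(
                InstanceIds=batch, AutoScalingGroupName=group_name, ProtectedFromScaleIn=protect)
            touched.extend(batch)
    return {"AutoScalingGroupName": group_name, PROTECT_PROP: protect, "ProtectedInstances": touched}


def build_response(event, status, data=None, reason=None):
    """Build the JSON body CloudFormation expects at the pre-signed ResponseURL."""
    physical_id = event.get("PhysicalResourceId") or (
        "instance-protection-" + event["ResourceProperties"]["AutoScalingGroupName"])
    return {"Status": status,
            "Reason": reason or "See CloudWatch Logs for " + event["LogicalResourceId"],
            "PhysicalResourceId": physical_id, "StackId": event["StackId"],
            "RequestId": event["RequestId"], "LogicalResourceId": event["LogicalResourceId"],
            "Data": data or {}}


def send_response(url, body):
    """PUT the response to the ResponseURL; CloudFormation wants no Content-Type header."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(url, data=payload, method="PUT",
                                 headers={"Content-Length": str(len(payload))})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handle(event, autoscaling=None, sender=send_response):
    """Lambda entry point: apply on Create/Update, clear on Delete, always respond."""
    if autoscaling is None:
        import boto3  # resolved only inside Lambda; the offline demo injects a fake
        autoscaling = boto3.client("autoscaling")
    props = event["ResourceProperties"]
    group = props["AutoScalingGroupName"]
    # Custom-resource property values arrive as strings, so "true"/"false" must be parsed
    want = str(props.get(PROTECT_PROP, "true")).lower() == "true"
    deleting = event["RequestType"] == "Delete"
    try:
        data = apply_instance_protection(autoscaling, group, False if deleting else want)
        body = build_response(event, "SUCCESS", data)
    except Exception as exc:
        # A FAILED Delete would block stack deletion, and the group is often already gone
        body = build_response(event, "SUCCESS" if deleting else "FAILED", reason=str(exc))
    sender(event["ResponseURL"], body)
    return body


class FakeAutoScaling:
    """Constructed stand-in for the boto3 autoscaling client (offline demo only)."""
    def __init__(self, instance_ids):
        self.instance_ids, self.group_flag, self.protected = list(instance_ids), None, set()

    def update_auto_scaling_group(self, AutoScalingGroupName, NewInstancesProtectedFromScaleIn):
        self.group_flag = NewInstancesProtectedFromScaleIn

    def describe_auto_scaling_groups(self, AutoScalingGroupNames):
        return {"AutoScalingGroups": [{"AutoScalingGroupName": AutoScalingGroupNames[0],
                                       "Instances": [{"InstanceId": i} for i in self.instance_ids]}]}

    def set_instance_protection(self, InstanceIds, AutoScalingGroupName, ProtectedFromScaleIn):
        assert len(InstanceIds) <= SET_PROTECTION_BATCH
        (self.protected.update if ProtectedFromScaleIn else self.protected.difference_update)(InstanceIds)


def demo(request_type="Create", instance_count=3):
    """Run the handler against the fake client with a constructed custom-resource event."""
    fake = FakeAutoScaling("i-%04d" % n for n in range(instance_count))
    sent = []
    event = {  # constructed event; the ARN, request id and URL are placeholders
        "RequestType": request_type,
        "ResponseURL": "https://cloudformation-custom-resource-response.example/PLACEHOLDER",
        "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/PLACEHOLDER",
        "RequestId": "PLACEHOLDER-REQUEST-ID",
        "LogicalResourceId": "AsgInstanceProtection",
        "ResourceProperties": {"AutoScalingGroupName": "demo-asg", PROTECT_PROP: "true"},
    }
    body = handle(event, autoscaling=fake, sender=lambda url, b: sent.append(b))
    return body, fake, sent


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

In the template the custom resource should carry a DependsOn for the AutoScalingGroup so the group exists when the Lambda runs, and the function's execution role needs autoscaling:UpdateAutoScalingGroup, autoscaling:DescribeAutoScalingGroups and autoscaling:SetInstanceProtection scoped to that group's ARN. Reporting SUCCESS on a failed Delete is deliberate: a custom resource that returns FAILED during deletion leaves the stack in DELETE_FAILED.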


It doesn't look like this is currently supported by CloudFormation.

If you look at the CFN documentation for Autoscaling, it has an element for TerminationProtection, which is a list of strings. I can't find a list of available options in the documentation, but when I use the CLI there doesn't seem to be anything related:

$> aws autoscaling describe-termination-policy-types
{
    "TerminationPolicyTypes": [
        "ClosestToNextInstanceHour", 
        "Default", 
        "NewestInstance", 
        "OldestInstance", 
        "OldestLaunchConfiguration"
    ]
}