How can I schedule my Amazon EC2 instances to start and stop using Systems Manager maintenance windows?

Last updated: 2021-05-07

I want to use an AWS Systems Manager maintenance window to start and stop my Amazon Elastic Compute Cloud (Amazon EC2) managed instances.

Resolution

To schedule Amazon EC2 managed instances to start or stop using Systems Manager maintenance windows, register AWS-StartEC2Instance or AWS-StopEC2Instance Automation tasks to a maintenance window. The maintenance window targets the configured EC2 instances and stops or starts the instances using the provided Automation document steps on the chosen schedule.

Create an IAM role and policy

To schedule maintenance window start or stop actions, you must use an AWS Identity and Access Management (IAM) role with ec2:StartInstances and ec2:StopInstances permissions.

Note: The IAM role requires permissions only for the Automation task that you register to the maintenance window. For example, if you choose to register AWS-StartEC2Instance and you choose not to register AWS-StopEC2Instance, the IAM role requires only ec2:StartInstances permissions.

  1. Open the IAM console, choose Roles from the navigation pane, and then choose Create role.
    For Select type of trusted entity, choose AWS service.
    For Choose a use case, choose Systems Manager.
    For Select your use case, choose Systems Manager.
  2. Choose Next: Permissions.
  3. Choose Create policy. Note: The Create policy page opens in a new tab. You will return to the original tab in step 7.
    For Service, choose EC2.
    For Actions, search for and select either or both StartInstances and StopInstances, depending on your use case.
    For Resources, it’s a security best practice to select Specific and then add the instance resource ARN. Selecting specific instances allows you to define permissions only for specific resources in specific accounts.
    For Request conditions, to restrict the conditions under which the start and stop actions can be used, choose Add condition. Then, configure the condition details. If no conditions are required, don’t change Request conditions.
  4. Choose Next: Tags. (Optional) Add tags.
  5. Choose Next: Review.
    For Name, enter a policy name. For example, SSM_StartStopEC2Policy.
  6. Choose Create policy.
  7. Return to the Create role page that is still open in the previous tab from step 3. Choose Next: Tags. (Optional) Add tags.
  8. Choose Next: Review.
    For Role name, enter a name. For example, SSM_StartStopEC2Role.
  9. Choose Create role.

For more information, see Creating a role for an AWS service (console).
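The role and policy from the preceding steps, written out as policy documents in an added Python example (not part of the original article). The instance ARN and the `audit_policy` helper are constructed for illustration, and the trust policy assumes that the Systems Manager use case maps to the `ssm.amazonaws.com` service principal.

```python
import json

ALLOWED_ACTIONS = {"ec2:StartInstances", "ec2:StopInstances"}

# Trust policy for a role created with "AWS service" > "Systems Manager".
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ssm.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def build_policy(actions, instance_arns, condition=None):
    """Permissions policy limited to the given actions and instance ARNs."""
    unknown = set(actions) - ALLOWED_ACTIONS
    if unknown:
        raise ValueError(f"unexpected actions: {sorted(unknown)}")
    statement = {"Effect": "Allow", "Action": sorted(actions),
                 "Resource": sorted(instance_arns)}
    if condition:  # optional "Request conditions" from step 3
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements broader than the task needs."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st["Action"]):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action} is not needed")
        for res in _as_list(st["Resource"]):
            if res == "*" or res.endswith(":instance/*"):
                findings.append(f"statement {i}: resource {res} is not specific")
    return findings

# Constructed sample values (account ID reused from the article's example ARN).
SAMPLE_ARN = "arn:aws:ec2:us-east-1:123456789101:instance/i-0123456789abcdef0"
STOP_ONLY = build_policy(["ec2:StopInstances"], [SAMPLE_ARN])
BROAD = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(STOP_ONLY, indent=2))
    print(audit_policy(BROAD))
```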

Create a maintenance window

If you don’t already have a maintenance window, then create a maintenance window.

Note: To run the maintenance window on managed instances that you haven’t registered as targets, you must select Allow unregistered targets.

If you already have a maintenance window, proceed to Register the Automation task.

Register the Automation task

  1. Open the Systems Manager console, and then choose Maintenance Windows from the navigation pane.
  2. Select the radio button for the target maintenance window, and then choose Actions, Register Automation task.
  3. (Optional) For Maintenance window task details, enter a name and description.
  4. For Automation document, search for and choose either of the following documents depending on your use case:
    AWS-StartEC2Instance
    AWS-StopEC2Instance

    Note: You can register only one Automation document at a time. To register both, you must repeat the full Register the Automation task process for each document.
  5. For Document version, choose Default version at runtime.
  6. (Optional) The task priority is set to 1 by default. If you have other tasks registered to the same maintenance window, you can change the task priority to determine the order that the tasks run.
  7. For Targets, if you registered target instances for the maintenance window, choose Selecting registered target groups. If you haven’t registered target instances for the maintenance window, choose Selecting unregistered targets. Then, specify tags, select instances manually, or specify a resource group to identify the instances that you want to run the Automation task on.
  8. For Rate control, specify a Concurrency and Error threshold.
  9. For IAM service role, choose Use the service-linked role for Systems Manager.
  10. For Input parameters, specify the following parameters:
    InstanceId: Enter the pseudo parameter {{RESOURCE_ID}} to target more than one resource.
    AutomationAssumeRole: Enter the complete role ARN for the IAM role that has the required ec2:StartInstances or ec2:StopInstances permissions. For example, "arn:aws:iam::123456789101:role/SSM_StartStopEC2Role".
  11. Choose Register Automation task.
  12. (Optional) To register Automation tasks to schedule both stop and start actions, repeat the Register the Automation task steps for the second document.

For more information, see Assign tasks to a maintenance window (console).
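The same registration through the Systems Manager API, as an added Python example (not part of the original article): it builds the arguments for boto3's `register_task_with_maintenance_window` from the console choices above. The window ID, instance ID and helper names are constructed, and omitting `ServiceRoleArn` relies on Systems Manager falling back to its service-linked role.

```python
import re

DOCUMENTS = {"AWS-StartEC2Instance", "AWS-StopEC2Instance"}
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def build_task_request(window_id, document, assume_role_arn, targets,
                       max_concurrency="1", max_errors="1", priority=1):
    """Arguments for one Automation task; call once per document (step 4 note)."""
    if document not in DOCUMENTS:
        raise ValueError(f"unsupported document: {document}")
    if not ROLE_ARN_RE.match(assume_role_arn):
        raise ValueError("AutomationAssumeRole must be a complete role ARN")
    return {
        "WindowId": window_id,
        "TaskType": "AUTOMATION",
        "TaskArn": document,
        "Targets": targets,
        "Priority": priority,               # step 6: defaults to 1
        "MaxConcurrency": max_concurrency,  # step 8: rate control
        "MaxErrors": max_errors,
        # ServiceRoleArn left out so the service-linked role is used (step 9).
        "TaskInvocationParameters": {"Automation": {
            "DocumentVersion": "$DEFAULT",  # "Default version at runtime"
            "Parameters": {
                "InstanceId": ["{{RESOURCE_ID}}"],
                "AutomationAssumeRole": [assume_role_arn],
            },
        }},
    }

def register(request):
    """Send the request; needs boto3 and AWS credentials."""
    import boto3
    return boto3.client("ssm").register_task_with_maintenance_window(**request)

# Constructed sample values; the role ARN is the article's example.
ROLE_ARN = "arn:aws:iam::123456789101:role/SSM_StartStopEC2Role"
SAMPLE_TARGETS = [{"Key": "InstanceIds", "Values": ["i-0123456789abcdef0"]}]
STOP_TASK = build_task_request("mw-0123456789abcdef0", "AWS-StopEC2Instance",
                               ROLE_ARN, SAMPLE_TARGETS)

if __name__ == "__main__":
    print(STOP_TASK)
```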