How can I schedule my Amazon EC2 instances to start and stop using Systems Manager Maintenance Windows?

Resolution

To schedule Amazon EC2 managed instances to start or stop using Systems Manager maintenance windows, register AWS-StartEC2Instance or AWS-StopEC2Instance Automation tasks to a maintenance window. The maintenance window targets the configured EC2 instances, and then stops or starts the instances using the provided Automation document steps on the chosen schedule.

To restart your instance immediately after stopping it, set both stop and start tasks in the same maintenance window.

To keep your instance stopped for a predetermined amount of time before it starts, set each task in a separate maintenance window. This prevents the instance from running during times when it's not needed, which can reduce costs.

Create an IAM role and policy

To schedule maintenance window start or stop actions, you must use an AWS Identity and Access Management (IAM) role with ec2:StartInstances and ec2:StopInstances permissions.

Note: The IAM role requires permissions only for the Automation task that you register to the maintenance window. For example, if you choose to register AWS-StartEC2Instance and you choose not to register AWS-StopEC2Instance, then the IAM role requires only ec2:StartInstances permissions.

1. Open the IAM console, choose Roles from the navigation pane, and then choose Create role.
   For Select type of trusted entity, choose AWS service.
   For Choose a use case, choose Systems Manager.
   For Select your use case, choose Systems Manager.
2. Choose Next: Permissions.
3. Choose Create policy. Note: The Create policy page opens in a new tab. You will return to the original tab in step 7.
   For Service, choose EC2.
   For Actions, search for and select DescribeInstanceStatus and either or both StartInstances and StopInstances, depending on your use case.
   For Resources, it’s a security best practice to select Specific and then add the instance resource ARN. Selecting specific instances allows you to define permissions only for specific resources in specific accounts.
   For Request conditions, to restrict the conditions under which the start and stop actions can be used, choose Add condition. Then, configure the condition details. If no conditions are required, then don’t change Request conditions.
4. Choose Next: Tags. (Optional) Add tags.
5. Choose Next: Review.
   For Name, enter a policy name. For example, SSM_StartStopEC2Policy.
6. Choose Create policy.
7. Return to the Create role page that is still open in the previous tab from step 3. Choose Next: Tags. (Optional) Add tags.
8. Choose Next: Review.
   For Role name, enter a name. For example, SSM_StartStopEC2Role.
9. Choose Create role.

For more information, see Creating a role for an AWS service (console).

Create a maintenance window

If you don’t already have a maintenance window, then create a maintenance window. If you are registering targets with the Maintenance Window, then don't use the Specify instance tags as a target option because this option doesn't allow the instances to start. Choose the options Choose instances manually or Choose a resource group instead.

To run the maintenance window on managed instances that you haven’t registered as targets, you must select Allow unregistered targets.

If you already have a maintenance window, then proceed to Register an Automation task.

Register the Automation task

1. Open the Systems Manager console, and then choose Maintenance Windows from the navigation pane.
2. Select the radio button for the target maintenance window, and then choose Actions, Register Automation task.
3. (Optional) For Maintenance window task details, enter a name and description.
4. For Automation document, search for and choose either of the following documents depending on your use case:
   AWS-StartEC2Instance
   AWS-StopEC2Instance
   Note: You can register only one Automation document at a time. To register both, you must repeat the full Register the Automation task process for each document.
5. For Document version, choose Default version at runtime.
6. The task priority is set to 1 by default. If you have multiple tasks registered to the same maintenance window, then you must give them different priority levels. This establishes a run order.
7. For Targets, if you registered target instances for the maintenance window, then choose Selecting registered target groups. If you haven’t registered target instances for the maintenance window, choose Selecting unregistered targets. Then, select instances manually or specify a resource group to identify the instances that you want to run the Automation task.
   Note: Tags for targets are supported only for instances managed under Systems Manager.
8. For Rate control, specify a Concurrency and Error threshold.
9. For IAM service role, choose Use the service-linked role for Systems Manager.
   If you already created a Service Role for Systems Manager, then select it from the dropdown list.
   If you haven't created a Service Role for Systems Manager, then create one.
   Note: Don't use the value AWSServiceRoleForAmazonSSM because this role isn't available for new tasks.
10. For Input parameters, specify the following parameters:
    InstanceId: Enter the pseudo parameter {{RESOURCE_ID}} to target more than one resource.
    AutomationAssumeRole: Enter the complete role ARN for the IAM role that has the required ec2:StartInstances or ec2:StopInstances permissions. For example, "arn:aws:iam::123456789101:role/SSM_StartStopEC2Role".
11. Choose Register Automation task.
12. (Optional) To register Automation tasks to schedule both stop and start actions, repeat the Register an Automation task steps for the second document.

For more information, see Assign tasks to a maintenance window (console).

Related information

AWS Systems Manager Maintenance Windows

Actions, resources, and condition keys for Amazon EC2

Why is my EC2 instance not appearing under Managed Instances in the Systems Manager console?