How can I schedule my EC2 instances to start and stop using Systems Manager Maintenance Windows?


I want to use AWS Systems Manager Maintenance Windows to schedule my Amazon Elastic Compute Cloud (Amazon EC2) managed instances to start or stop.

Resolution

Register either the AWS-StartEC2Instance or the AWS-StopEC2Instance Automation task to a maintenance window. The maintenance window targets the configured EC2 instances, and then uses the Automation document steps on the chosen schedule to stop or start the instances.

Note: To restart your instance immediately after stopping it, set both stop and start tasks in the same maintenance window.

To keep your instance stopped for a predetermined amount of time before it starts, set each task to a separate maintenance window. This keeps the instance from running when it's not needed and reduces costs.

Create an IAM role and policy

To schedule maintenance window start or stop actions, use an AWS Identity and Access Management (IAM) role with ec2:StartInstances and ec2:StopInstances permissions.

Note: The IAM role requires permissions only for the Automation task that you register to the maintenance window. For example, if you choose to register AWS-StartEC2Instance and not AWS-StopEC2Instance, then the IAM role requires only ec2:StartInstances permissions.

1.    Open the IAM console.

2.    In the navigation pane, choose Roles, and then choose Create role.
On the Select trusted entity page, for Trusted entity type, choose AWS service.
For Use case, choose Systems Manager from the Use cases for other AWS services dropdown. Then, choose Systems Manager.
Choose Next.

3.    On the Add permissions page, choose Create policy. A new window opens to create an IAM policy.

4.    On the Specify permissions page, paste the following policy into the JSON Policy editor:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartAutomationExecution",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": ["Instance ARN 1", "Instance ARN 2"]
    }
  ]
}

Note: For ec2:StartInstances and ec2:StopInstances, it's a best practice to add the resource ARNs of the EC2 instances you want to provide access to. For more information, see Policy structure.

5.    Choose Next.

6.    On the Review and Create page, under Policy details, enter a policy name. For example, SSM_StartStopEC2Role.

7.    Choose Create policy.

8.    Return to the Create role page. For Permissions policies, choose the IAM policy that you created. Then, choose Next.

9.    Choose Next: Review.
For Role name, enter a name. For example, SSM_StartStopEC2Role.

10.    On the Name, review, and create page, under Role details, enter a role name. Optionally, add tags for the role.

11.    Choose Create role.

For more information, see Creating a role for an AWS service (console).
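
A check for the scoping note in step 4, added here as an example (it is not AWS code): it flags any Allow statement that grants ec2:StartInstances or ec2:StopInstances on something other than a fully specified instance ARN. The function names and the Region and instance ID in the sample policies are constructed for illustration.

```python
import fnmatch
import re

# Actions the role on this page grants for AWS-StartEC2Instance / AWS-StopEC2Instance.
SENSITIVE = ("ec2:StartInstances", "ec2:StopInstances")
# Fully specified instance ARN: no wildcard in Region, account or instance ID.
INSTANCE_ARN = re.compile(
    r"^arn:aws[a-z-]*:ec2:[a-z0-9-]+:\d{12}:instance/i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

def _as_list(value):
    """IAM allows Statement, Action and Resource to be one item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def unscoped_grants(policy):
    """Return (action, resource) pairs where start/stop is allowed on anything
    other than a fully specified instance ARN. Limitation: NotAction,
    NotResource and Condition are not evaluated."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        # Action patterns may use * and ?, so "ec2:*" also grants start/stop.
        covered = [a for a in SENSITIVE
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        for resource in _as_list(stmt.get("Resource")):
            if not INSTANCE_ARN.match(resource):
                findings.extend((a, resource) for a in covered)
    return findings

# Constructed sample policies (Region and instance ID are made up).
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ssm:StartAutomationExecution", "ec2:DescribeInstanceStatus"]},
    {"Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": ["arn:aws:ec2:us-east-1:123456789101:instance/i-0123456789abcdef0"]}]}
WILDCARD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("WILDCARD", WILDCARD)):
        print(name, unscoped_grants(doc))
```

Run it against the policy JSON before attaching the policy to the role; an empty result means both actions are limited to named instances.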

Create a maintenance window

If you don't have a maintenance window, then create a maintenance window. If you register targets with the maintenance window, then don't use the Specify instance tags as a target option. This option doesn't allow the instances to start. Instead, choose either Choose instances manually or Choose a resource group.

Note: If you have an existing maintenance window, then continue to Register an Automation task.

To run the maintenance window on managed instances that you haven't registered as targets, you must select Allow unregistered targets.

Register the Automation task

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Maintenance Windows.
  3. On the Maintenance windows page, choose the target maintenance window. Choose Actions, and then choose Register Automation task.
  4. (Optional) For Maintenance window task details, enter a name and description.
  5. For Automation document, search for and choose either of the following documents depending on your use case:
    AWS-StartEC2Instance
    AWS-StopEC2Instance

    Note: To register multiple Automation documents, repeat the process for each document.
  6. For Document version, choose Default version at runtime.
  7. The Task priority is set to 1 by default. If you have multiple tasks registered to the same maintenance window, then give them different priority levels. This establishes a run order.
  8. For Targets, if you registered target instances for the maintenance window, then choose Selecting registered target groups. If you haven't registered target instances for the maintenance window, then choose Selecting unregistered targets. Then, select instances manually or specify a resource group to identify the instances that you want to run the Automation task.
    Note: Tags for targets are supported only for instances managed under Systems Manager.
  9. For Rate control, specify a Concurrency and Error threshold.
  10. For IAM service role, select the service role for Systems Manager from the dropdown list. If you didn't create a Service Role for Systems Manager, then create one.
    Note: Don't use the value AWSServiceRoleForAmazonSSM because this role isn't available for new tasks.
  11. For Input parameters, specify the following parameters:
    InstanceId: Enter the pseudo parameter {{RESOURCE_ID}} to target more than one resource.
    AutomationAssumeRole: Enter the complete role ARN for the IAM role that has the required ec2:StartInstances or ec2:StopInstances permissions. For example, "arn:aws:iam::123456789101:role/SSM_StartStopEC2Role".
  12. Choose Register Automation task.
  13. (Optional) To register Automation tasks to schedule both stop and start actions, repeat the Register an Automation task steps for the second document.

For more information, see Assign tasks to a maintenance window (console).

Related information

AWS Systems Manager Maintenance Windows

Actions, resources, and condition keys for Amazon EC2

Why is my EC2 instance not displaying as a managed node or showing a "Connection lost" status in Systems Manager?

AWS OFFICIAL
Updated 9 days ago
2 Comments

Is there any way to restart an EC2 instance under an ASG using Systems Manager Maintenance Windows?

replied 7 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 7 days ago