SSM EC2Stop automation


I'm trying to test out using the SSM automation doc "AWS-StopEC2Instance" but I'm getting this error message: "Automation Step Execution fails when it is changing the state of each instance. Get Exception from StopInstances API of ec2 Service. Exception Message from StopInstances API: [You are not authorized to perform this operation. Encoded authorization failure message: "

I added this to the service role for SSM:

    {
        "Sid": "GrantsAccessToIAMRoles",
        "Effect": "Allow",
        "Action": [ "iam:" ],
        "Resource": [ "arn:aws-us-gov:iam::<acct #>:role/" ]
    }

What am I missing?

1 Answer
Accepted Answer

Please refer to this re:Post article.

It has a step-by-step guide to achieve what is asked here; you can omit the maintenance window part of that doc in your implementation.

If the answer is helpful, please click "Accept Answer" and upvote it.

AWS EXPERT, answered 10 months ago
EXPERT, reviewed 10 months ago
  • Awesome, works like a charm

  • What do you suggest for this part "Resource": "Instance ARN 1", "Instance ARN 2"; if we have multiple instances, can I just leave it as *?

  • If there is a common pattern in the EC2 instance ARNs, then you can use that pattern instead of specifying each instance ARN. Also, "*" is not recommended, as it opens up all the EC2 instances in the account. If this account is for personal use, then "*" is fine as well. Since the instance ARN (arn:aws:ec2:<REGION>:<ACCOUNT_ID>:instance/<instance-id>) contains the EC2 instance ID, and there is no control over the EC2 instance ID, either use "*" or each instance ID. Hope it helps.
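The scoping question discussed in the comments above, as an added example that is not part of the original thread: a simplified offline check of which instances a role policy lets `ec2:StopInstances` reach, comparing an IAM-only statement, a per-instance `Resource` list and `"*"`. The account number, region, instance IDs, role name and the three policies are constructed sample values, and the evaluator models only `Effect`, `Action` and `Resource`.

```python
import re

# Constructed sample values (not from the thread).
PARTITION, REGION, ACCOUNT = "aws-us-gov", "us-gov-west-1", "111122223333"
FLEET = ["i-0aaaaaaaaaaaaaaa1", "i-0bbbbbbbbbbbbbbb2", "i-0ccccccccccccccc3"]

def instance_arn(instance_id):
    return f"arn:{PARTITION}:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def is_allowed(policy, action, resource):
    """Simplified identity-policy check: an explicit Deny wins, otherwise any Allow.
    Conditions, NotAction/NotResource, SCPs and boundaries are not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
               and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def _policy(action, resource):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}

# Grants only IAM actions, so it never matches ec2:StopInstances.
ROLE_IAM_ONLY = _policy(["iam:PassRole"], [f"arn:{PARTITION}:iam::{ACCOUNT}:role/ExampleRole"])
# One ARN per instance the automation may stop.
ROLE_SCOPED = _policy("ec2:StopInstances", [instance_arn(i) for i in FLEET[:2]])
# Every instance in the account.
ROLE_STAR = _policy("ec2:StopInstances", "*")

def stoppable(policy, instance_ids=FLEET):
    """Instance IDs for which the policy allows ec2:StopInstances."""
    return [i for i in instance_ids if is_allowed(policy, "ec2:StopInstances", instance_arn(i))]

if __name__ == "__main__":
    for name, pol in [("iam-only", ROLE_IAM_ONLY), ("scoped", ROLE_SCOPED), ("star", ROLE_STAR)]:
        print(f"{name:9s} can stop: {stoppable(pol)}")
```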
