Starting a stopped AWS EC2 instance on request

Question

I have a stopped AWS EC2 instance. It is of a rather expensive type and does not need to run all the time, so we stop it when it is not used. Its usage is irregular, so running it on a schedule would not be very efficient. In my use case, the users do not and should not have access to the AWS console or to the AWS CLI, and I would like to allow them to somehow flexibly start the EC2 instance when needed, ideally without having to ask someone with access to the AWS console to do it.

Is this possible to do?

Matt-B · Answer

Hi There

Another option would be to allow the users to stop/start from the CLI.

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/start-instances.html

You could create a role that allows them to ONLY perform start/stop actions on their own EC2 instance using tags.  See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_tag-owner.html

Carl Ostrand · Answer

If you don't want to authenticate with AWS IAM (and I am guessing you don't want to make this feature public), you need to authenticate the user one way or the other. The "correct answer" here would be to use Cognito or a similar service to authenticate to a lightweight website backed by lambda to orchestrate the EC2.

I can think of one different hack that could work, BUT IT'S A HACK!

If your organization uses a VPN or Bastian, you should have a predictable IP or be able to work from a VPC. You should be able to give them access to S3 or SNS using a condition with "aws:SourceIp" or "aws:VpcSourceIp" or similar. Then use that service (ex, upload a dummy file to s3 using curl) to trigger a lambda that starts the EC2.

But I think you are better off using Cognito or an AWS IAM User!

Starting a stopped AWS EC2 instance on request

Relevant content