I want to use Maintenance Windows, a function of AWS Systems Manager, to schedule my Amazon Elastic Compute Cloud (Amazon EC2) instances to start or stop.
Short description
To schedule your instance to start or stop, register either the AWS-StartEC2Instance or the AWS-StopEC2Instance runbook to a maintenance window. You must have the necessary permissions to run your runbook.
Note: When you use Automation, a function of AWS Systems Manager, to run a runbook, your instance doesn't need to be a managed instance.
To immediately restart your instance after it's stopped, set both stop and start tasks in the same maintenance window. To keep your instance stopped for a predetermined amount of time before your instance starts, set each task to a separate maintenance window.
Resolution
Use an IAM role with the necessary permissions for your runbook
To schedule start or stop actions in a maintenance window, you must use an AWS Identity and Access Management (IAM) role with the necessary permissions to run your runbook. The IAM role requires permissions only for the Systems Manager runbook that you register to the maintenance window. For example, if you register AWS-StartEC2Instance but not AWS-StopEC2Instance, then the IAM role requires only the ec2:StartInstances permission.
If your IAM role doesn't have the necessary permissions, then create an IAM role. When you do, for Service or use case, select Systems Manager, or use an existing Systems Manager role. Then, add the following permissions policy to the role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartAutomationExecution",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:example_region:example_account_number:instance/example_instance_ID"
        }
    ]
}
Note: Replace example_region with your AWS Region. Replace example_account_number with your AWS account number. Replace example_instance_ID with the ID of your instance. To add multiple ARNs, specify them as a comma-separated list in square brackets. The following example names two ARNs as resources:
"Resource": [
    "arn:aws:ec2:example_region:example_account_number:instance/example_instance_ID_1",
    "arn:aws:ec2:example_region:example_account_number:instance/example_instance_ID_2"
]
Important: For ec2:StartInstances and ec2:StopInstances, it's a best practice to scope the Resource element to the ARNs of the instances that you want to provide access to, rather than using "*". For more information, see Policy syntax. If the volumes attached to your instance are encrypted with an AWS Key Management Service (AWS KMS) key, then add permissions for that key to your role. For more information, see When I start my Amazon EC2 instance that has encrypted volumes attached, why do I get the "client error on launch" error?
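The following added example (not part of the original article) generates the policy document above in the least-privilege form the article recommends: it grants only the EC2 action that belongs to each registered runbook, and it scopes that statement to a list of instance ARNs instead of "*". The function names and the sample Region, account number and instance IDs are constructed for illustration; the check_policy helper is an assumption about what a reviewer would verify before attaching the policy.

```python
"""Build and sanity-check the IAM policy for a maintenance window runbook role.

Added example, not code from the article: function names and the sample
Region/account/instance values below are constructed placeholders.
"""
import json

# Each runbook named in the article needs exactly one EC2 mutation action.
RUNBOOK_ACTIONS = {
    "AWS-StartEC2Instance": "ec2:StartInstances",
    "AWS-StopEC2Instance": "ec2:StopInstances",
}

# Actions the article's policy grants on "*"; they only read state or launch the automation.
BASELINE_ACTIONS = ["ssm:StartAutomationExecution", "ec2:DescribeInstanceStatus"]


def instance_arn(region, account_id, instance_id):
    """Return the instance ARN used in the policy's Resource element."""
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def build_runbook_role_policy(region, account_id, instance_ids, runbooks):
    """Return the policy document (as a dict) for the maintenance window role.

    Only the actions required by the registered runbooks are granted, and the
    Start/Stop statement is scoped to the listed instance ARNs.
    """
    unknown = set(runbooks) - RUNBOOK_ACTIONS.keys()
    if unknown:
        raise ValueError(f"unsupported runbook(s): {sorted(unknown)}")
    if not instance_ids:
        raise ValueError("scope the Start/Stop statement to at least one instance")

    ec2_actions = sorted({RUNBOOK_ACTIONS[r] for r in runbooks})
    # A JSON list is the policy form of "multiple ARNs separated by a comma".
    resources = [instance_arn(region, account_id, i) for i in instance_ids]

    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": BASELINE_ACTIONS, "Resource": "*"},
            {"Effect": "Allow", "Action": ec2_actions, "Resource": resources},
        ],
    }


def check_policy(policy):
    """Return False if Start/Stop is granted on a wildcard resource or if any
    EC2 action outside the article's set is present (hypothetical pre-attach check)."""
    allowed_ec2 = set(RUNBOOK_ACTIONS.values()) | {"ec2:DescribeInstanceStatus"}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a in RUNBOOK_ACTIONS.values() for a in actions) and "*" in res:
            return False
        if any(a.startswith("ec2:") and a not in allowed_ec2 for a in actions):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values; replace them with your own before use.
    policy = build_runbook_role_policy(
        "us-east-1", "123456789012",
        ["i-0123456789abcdef0", "i-0fedcba9876543210"],
        ["AWS-StopEC2Instance"],
    )
    print(json.dumps(policy, indent=4))
    print("policy ok" if check_policy(policy) else "policy too broad")
```

Register only the runbooks you actually schedule: passing ["AWS-StopEC2Instance"] yields a statement with ec2:StopInstances alone, which matches the article's point that the role needs permissions only for the runbook it runs. Attach the printed document to the role you select later as the maintenance window's service role.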
Create a maintenance window
If you don't have a maintenance window, then create one. In the maintenance window, order your tasks in the Task Priority field, with 0 as the highest priority. If you have an existing maintenance window, then continue to Register an Automation task.
To register targets with the maintenance window, use either the Choose instances manually or the Choose a resource group target option. To run the maintenance window on managed instances that you didn't register as targets, select Allow unregistered targets. Don't use the Specify instance tags target option.
For more information, see Assign targets to a maintenance window using the console.
Register the Automation task
Complete the following steps:
- Open the Systems Manager console.
- In the navigation pane, choose Maintenance Windows.
- In the list of maintenance windows, choose the target maintenance window.
- Choose Actions and then choose Register Automation task.
- (Optional) For Maintenance window task details, enter a name and description.
- For Automation document, choose either AWS-StartEC2Instance or AWS-StopEC2Instance.
- For Document version, choose Default version at runtime.
- The Task priority is set to 1 by default. If you registered multiple tasks to the same maintenance window, then give them different priority levels to establish a run order.
- For Targets, if you registered target instances for the maintenance window, then choose Selecting registered target groups. If you didn't register target instances for the maintenance window, then choose Selecting unregistered targets. Then, either manually select your instances, or specify a resource group to identify the instances on which you want to run the automation document.
Note: Tags for targets are supported only for instances that Systems Manager manages.
- For Rate control, specify Concurrency and Error threshold.
- For IAM service role, select the service role for Systems Manager from the dropdown list. If you didn't create a service role for Systems Manager, then create one.
Note: Don't use the AWSServiceRoleForAmazonSSM role.
- For Input parameters, specify the following parameters:
InstanceId: Enter the {{RESOURCE_ID}} pseudo parameter to target more than one resource.
AutomationAssumeRole: Enter the complete role Amazon Resource Name (ARN) for the IAM role that has the ec2:StartInstances or ec2:StopInstances permissions. For example, arn:aws:iam::123456789101:role/SSM_StartStopEC2Role.
- Choose Register Automation task.
Important: To register Automation documents to schedule both stop and start actions, repeat the previous steps for the second document.
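The console steps above have a command-line equivalent. The following added example (not part of the original article) assembles the arguments for the real aws ssm register-task-with-maintenance-window command for both runbooks in one maintenance window, giving the stop task a lower priority number than the start task so the instance restarts right after it stops, as the Short description explains. The window ID, window target ID and role ARN are constructed placeholders; the single role is assumed to carry the article's combined policy and is used both as the maintenance window service role and as AutomationAssumeRole.

```python
"""Build the CLI calls that register AWS-StopEC2Instance and AWS-StartEC2Instance
as Automation tasks in one maintenance window.

Added example, not code from the article: the window ID, window target ID and
role ARN are placeholders; register_task_command and stop_then_start_commands
are hypothetical helper names.
"""
import json
import subprocess

RUNBOOKS = ("AWS-StopEC2Instance", "AWS-StartEC2Instance")


def task_invocation_parameters(automation_role_arn):
    """The article's input parameters: {{RESOURCE_ID}} for InstanceId, the role
    ARN for AutomationAssumeRole, and the default document version at runtime."""
    return {
        "Automation": {
            "DocumentVersion": "$DEFAULT",
            "Parameters": {
                "InstanceId": ["{{RESOURCE_ID}}"],
                "AutomationAssumeRole": [automation_role_arn],
            },
        }
    }


def register_task_command(window_id, window_target_id, runbook, priority, role_arn,
                          max_concurrency="1", max_errors="1"):
    """Return the argv for registering one runbook as an Automation task."""
    if runbook not in RUNBOOKS:
        raise ValueError(f"unexpected runbook: {runbook}")
    if priority < 0:
        raise ValueError("priority is 0 (highest) or greater")
    return [
        "aws", "ssm", "register-task-with-maintenance-window",
        "--window-id", window_id,
        "--task-type", "AUTOMATION",
        "--task-arn", runbook,
        # Targets registered with the window; {{RESOURCE_ID}} expands per instance.
        "--targets", f"Key=WindowTargetIds,Values={window_target_id}",
        "--service-role-arn", role_arn,
        "--priority", str(priority),
        "--max-concurrency", max_concurrency,  # Rate control: Concurrency
        "--max-errors", max_errors,            # Rate control: Error threshold
        "--task-invocation-parameters", json.dumps(task_invocation_parameters(role_arn)),
        "--name", runbook.replace("AWS-", ""),
    ]


def stop_then_start_commands(window_id, window_target_id, role_arn,
                             stop_priority=0, start_priority=1):
    """Two registrations in the same window: stop runs first because it has the
    lower priority number; equal numbers would run the tasks in parallel."""
    if start_priority <= stop_priority:
        raise ValueError("start task must have a higher priority number than stop")
    return [
        register_task_command(window_id, window_target_id, "AWS-StopEC2Instance",
                              stop_priority, role_arn),
        register_task_command(window_id, window_target_id, "AWS-StartEC2Instance",
                              start_priority, role_arn),
    ]


def run(commands):
    """Execute the registrations with the AWS CLI (needs credentials)."""
    for argv in commands:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Placeholder identifiers; substitute the values from your own account.
    cmds = stop_then_start_commands(
        "mw-0123456789abcdef0",
        "00000000-0000-0000-0000-000000000000",
        "arn:aws:iam::123456789012:role/SSM_StartStopEC2Role",
    )
    for argv in cmds:
        print(" ".join(argv))
    # After reviewing the printed commands, call run(cmds) to register the tasks.
```

To keep the instance stopped for a fixed period instead, pass a different window_id to each register_task_command call, which is the two-window arrangement described in the Short description.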
Related information
AWS Systems Manager Maintenance Windows
Actions, resources, and condition keys for Amazon EC2
Why isn't Systems Manager showing my Amazon EC2 instance as a managed instance?