How can I use Systems Manager Maintenance Windows to schedule my EC2 instances to start and stop?

5 minute read

I want to use AWS Systems Manager Maintenance Windows to schedule my Amazon Elastic Compute Cloud (Amazon EC2) managed instances to start or stop.


Register either the AWS-StartEC2Instance or AWS-StopEC2Instance Systems Manager Automation runbook to a maintenance window. The maintenance window targets the configured EC2 instances and uses the automation document steps on the chosen schedule to stop or start the instances.

Note: To immediately restart your instance after it's stopped, set both stop and start tasks in the same maintenance window. To keep your instance stopped for a predetermined amount of time before it starts, set each task to a separate maintenance window.

Create an IAM role and policy

To schedule maintenance window start or stop actions, use an AWS Identity and Access Management (IAM) role with ec2:StartInstances and ec2:StopInstances permissions.

Note: The IAM role requires permissions only for the Systems Manager runbook that you register to the maintenance window. For example, if you choose to register AWS-StartEC2Instance and not AWS-StopEC2Instance, then the IAM role requires only ec2:StartInstances permissions.

  1. Open the IAM console.
  2. In the navigation pane, choose Roles, and then choose Create role.
  3. On the Select trusted entity page, for Trusted entity type, choose AWS service.
  4. From the Use cases for other AWS Services dropdown list, choose Systems Manager
  5. Choose Next.
  6. On the Add permissions page, choose Create policy.
  7. On the Specify permissions page, paste the following policy into the JSON policy editor:
    {  "Version": "2012-10-17",
      "Statement": [
          "Effect": "Allow",
          "Action": [
          "Resource": "*"
          "Effect": "Allow",
          "Action": [
          "Resource": "Instance ARN 1", "Instance ARN 2"
    Note: For ec2:StartInstances and ec2:StopInstances, it's a best practice to add the resource ARNs of the instances you want to provide access to. For more information, see Policy structure.
  8. Choose Next.
  9. On the Review and Create page, under Policy details, enter a policy name. For example, SSM_StartStopEC2Role.
  10. Choose Create policy.
  11. Return to the Create role page. For Permissions policies, choose the IAM policy. Then, choose Next.
  12. Choose Next: Review.
  13. For Role name, enter a name. For example, SSM_StartStopEC2Role.
  14. On the Name, review, and create page, under Role details, enter a role name. (Optional) Add tags for the role.
  15. Choose Create role.

For more information, see Creating a role for an AWS service (console).

Create a maintenance window

If you don't have a maintenance window, then create one. In the maintenance window, order your tasks in the Task Priority field, with 0 as the highest priority.

To register targets with the maintenance window, use the Choose instances manually or Choose a resource group options as a target option. Don't use Specify instance tags as a target option because this option doesn't allow the instances to start.

Note: If you have an existing maintenance window, then continue to Register an Automation task.

To run the maintenance window on managed instances that you didn't register as targets, select Allow unregistered targets.

For more information, see Assign targets to a maintenance window (console).

Register the Automation task

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Maintenance Windows.
  3. On the Maintenance windows page, choose the target maintenance window. Choose Actions, and then choose Register Automation task.
  4. (Optional) For Maintenance window task details, enter a name and description.
  5. For Automation document, choose either AWS-StartEC2Instance or AWS-StopEC2Instance.
    Note: To register multiple automation documents, repeat the process for each document.
  6. For Document version, choose Default version at runtime.
  7. The Task priority is set to 1 by default. If you registered multiple tasks to the same maintenance window, then give them different priority levels to establish a run order.
  8. For Targets, if you registered target instances for the maintenance window, then choose Selecting registered target groups. If you didn't register target instances for the maintenance window, then choose Selecting unregistered targets. Then, manually select instances. Or, specify a resource group to identify the instances that you want to run the automation document.
    Note: Tags for targets are supported only for instances that Systems Manager manages.
  9. For Rate control, specify Concurrency and Error threshold.
  10. For IAM service role, select the service role for Systems Manager from the dropdown list. If you didn't create a service role for Systems Manager, then create one.
    Note: Don't use the AWSServiceRoleForAmazonSSM role because this role isn't available for new tasks.
  11. For Input parameters, specify the following parameters:
    InstanceId: Enter the {{RESOURCE_ID}} pseudo parameter to target more than one resource.
    AutomationAssumeRole: Enter the complete role ARN for the IAM role that has the ec2:StartInstances or ec2:StopInstances permissions. For example, arn:aws:iam::123456789101:role/SSM_StartStopEC2Role.
  12. Choose Register Automation task.
  13. (Optional) To register automation documents to schedule both stop and start actions, repeat the Register an Automation task steps for the second document.

For more information, see Assign tasks to a maintenance window (console).

Related information

AWS Systems Manager Maintenance Windows

Actions, resources, and condition keys for Amazon EC2

Why is my EC2 instance not displaying as a managed node or showing a "Connection lost" status in Systems Manager?

AWS OFFICIALUpdated 8 months ago

Is there any way to restart EC2 instance under ASG using Systems Manager Maintenance Windows?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed

profile pictureAWS
replied a year ago

If we select a registered target group, do we still need to input each individual instance id?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied a year ago