Automatically Start and Stop Amazon EC2 Instances using AWS Systems Manager (SSM) Maintenance Windows

In this blog, we are going to configure the following scenario: two selected EC2 instances should automatically start at 9am and stop at 6pm, covering office hours from Monday to Friday. The architecture diagram is shown above.

The first thing we are going to do is launch two EC2 instances named Server1 and Server2.

Then navigate to the IAM console, go to Roles and create a role.

Under use cases for other AWS services, select Systems Manager (Allows SSM to call AWS services on your behalf) and click Next.

Search for ‘SSM’ under permissions policies, select AmazonSSMAutomationRole and click Next. In this policy, we are specifically looking for the actions to start and stop EC2 instances, among the other permissions it grants by default.

We will then name the role AutomationSSMRole and create it.

Now tag both instances with ‘Env’ as the key and ‘Dev’ as the value.

Create AWS Resource Groups

Group type: Tag based

Grouping criteria

Resource types: AWS::EC2::Instance

The tag key is Env and the value is Dev; click Add.

Next, click Preview group resources; the matching resources will appear below.

Next, let's set the group name to ‘DevServers’ and use the same text for the group description.

Proceed to Create group.

Search for AWS Systems Manager in Services, then click Maintenance Windows under Change Management on the left side of the console. Click Create maintenance window.

Let's provide a name and description for the maintenance window.


Uncheck “Allow Unregistered Targets”.

In the Schedule section, select CRON/Rate expression.

Now type the schedule as a CRON expression. For example, use “cron(0 9 ? * MON-FRI *)” if you need to start your EC2 instances every Monday to Friday at 9 am.

The duration of the maintenance window is a required parameter; you can enter 2 hours.

Stop initiating tasks is how long before the end of the maintenance window scheduled tasks stop being started. It should be less than the duration of the maintenance window, so let's set it to 1 hour.

Since I am in the Asia/Kathmandu time zone, I will select GMT+05:45 as the schedule timezone.

We will then create the maintenance window.

Once we create the maintenance window, there are two other things that we need to set up: one is to register targets and the second is to register a task.

Let's register a target first.

Click on the window ID link of the window we just created and, in the Targets section, click Register target.

Now we have to give the target a name; we will use ‘DevServers’ for both the name and the description.

For Targets, we will choose a resource group; the ‘DevServers’ resource group that we created earlier should appear.

For Resource types, we will select ‘AWS::EC2::Instance’.

Then click Register target.

Now let's go one step back and select the window ID again. At the top right, open the Actions drop-down and choose Register Automation task.

First, give it the name ‘StartEC2Instances’ and copy that into the Description too.

Scrolling further down, at Automation document, carefully select Document name prefix, then select Equals, then type ‘AWS-Start’. This filters the options in the table; select ‘AWS-StartEC2Instance’.

Since this maintenance window has only one task, set the task priority to 1.

For Targets, check ‘Selecting registered target groups’, then select the target named DevServers that we created earlier.

For Input Parameters, InstanceID is a required parameter. In our case we have two instances to start, so we will use pseudo parameters. When the maintenance window resolves the resource group targets, it passes the correct value for each target in place of the pseudo parameter placeholder. We will copy “{{RESOURCE_ID}}” and paste it as the value of the InstanceID parameter. For AutomationSSMRole, we will copy the ARN of the role that we created earlier and paste it here.

For rate control settings, we will set both Concurrency and Error threshold to 100 percent.

We will leave the IAM service role as default and finally click Register Automation task to create the task.

Likewise, we will create another maintenance window, ‘StopEC2Instances’, by repeating a similar process, with the CRON expression “cron(0 18 ? * MON-FRI *)” to stop the EC2 instances at 6pm from Monday to Friday.

While creating the automation task, we will select a different automation document this time, i.e. “AWS-StopEC2Instance”.

Now, to test whether it works, let's go to the EC2 dashboard and ensure both instances are running.

Edit the StopEC2Instances CRON expression so that it fires in the next minute. After that minute, we should see both instances shutting down as scheduled and configured in the maintenance window. Then change the CRON expression on StartEC2Instances to the next minute as well and verify that our configuration works. We can keep an eye on the History tab of the selected window ID to see the progress.

In this way we can automate starting and stopping EC2 instances, and RDS instances as well. The default AWS SSM Automation policy already includes the EC2 start and stop permissions. Following AWS best practices, we can instead select a more restrictive policy that only allows starting and stopping the instances.
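
The more restrictive policy mentioned above could look like SCOPED_POLICY below. This is an added example, not part of the original post: the three EC2 actions are an assumption about what the AWS-StartEC2Instance and AWS-StopEC2Instance documents call, and unscoped_state_changes is a simplified, hypothetical helper that flags start/stop grants not limited by a resource tag or a specific instance ARN (it ignores NotAction and Deny statements).

```python
import fnmatch

STATE_ACTIONS = ("ec2:StartInstances", "ec2:StopInstances")

# Constructed example: permissions for the automation role, limited to
# instances tagged Env=Dev (the tag behind the DevServers resource group).
# Assumption: the two automation documents need only these three EC2 actions.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Env": "Dev"}}},
        # DescribeInstanceStatus cannot be restricted to individual resources.
        {"Effect": "Allow", "Action": "ec2:DescribeInstanceStatus",
         "Resource": "*"},
    ],
}

# Constructed example of a broad grant covering every instance in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unscoped_state_changes(policy):
    """Return (statement index, action) for start/stop grants with no tag or ARN limit."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        tag_scoped = any(key.lower().startswith(("aws:resourcetag/", "ec2:resourcetag/"))
                         for operator in stmt.get("Condition", {}).values()
                         for key in operator)
        wildcard = any(r.endswith("*") for r in _as_list(stmt.get("Resource", "*")))
        if tag_scoped or not wildcard:
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in STATE_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((index, action))
    return findings

if __name__ == "__main__":
    print(unscoped_state_changes(SCOPED_POLICY), unscoped_state_changes(BROAD_POLICY))
```

With a policy like this attached to AutomationSSMRole, an instance that loses its Env=Dev tag also drops out of what the role can start or stop.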




