Auto Start Stop EC2 Instances – Step By Step Guide

Cloud service providers charge on the basis of the resources you use and run. Many organizations have servers that sit unused during nights and weekends, but as long as those instances are running you are charged whether you use them or not. To avoid this and reduce the overall cost, you should stop your unused EC2 instances at night and over the weekend. This can reduce the overall cost by 30-40%. You can either stop your EC2 instances manually or set a schedule to auto start/stop them. If you have a large number of running instances, the manual method is impractical or at least tedious. However, you can schedule auto start/stop of EC2 instances at regular intervals using Lambda functions. In this article, we explain step by step how to start and stop your EC2 instances at a specific time, at night, and/or on weekends.

To schedule auto start/stop of EC2 instances, you need to perform the following tasks.

  1. Create a Lambda Function
  2. Create an Event Schedule
  3. Test and Validate your EC2 Schedule


Create an Auto Start EC2 Instance Lambda Function

To create a Lambda function you need to perform the following steps:

  • Open the AWS Lambda Console and click Create a Lambda Function, as shown in the following figure.
    Figure: Creating Lambda function
  • On the Select Blueprint page, click Blank Function to choose it, as shown in the following figure.
    Figure: Selecting Lambda Function Blueprint
  • On the Configure Triggers page, click Next to proceed.
  • On the Configure Function page, set the following values:
    • Name: AutoStartEC2Instance
    • Description: Auto Start EC2 Instance
    • Runtime: Python 2.7
  • In the Code entry type area, type the following script carefully.
import boto3

# Specify the region where your instances are running, for example 'ap-southeast-1'.
region = 'ap-southeast-1'
# Specify the instance IDs that you want to start at the scheduled time,
# for example ['i-abcd01234567', 'i-efgh01234567'].
instances = ['i-00bc7ba840f6a6520']

def lambda_handler(event, context):
    # Lambda calls this handler on every scheduled event; the function's role
    # must allow ec2:StartInstances on these instances (see the policy below).
    ec2 = boto3.client('ec2', region_name=region)
    ec2.start_instances(InstanceIds=instances)
    # print() with parentheses works on the Python 2.7 runtime chosen above and on Python 3.
    print('started your instances: ' + str(instances))

Figure: Configure Lambda Function details

Note: Replace your instance ID and region appropriately.

  • On the same page, scroll down to the Lambda function handler and role section and select Create a custom role, as shown in the following figure.
    Figure: Create Lambda Function role for auto start/stop EC2 instance
  • The IAM management console opens in a new tab. Type a Role name, click View policy document, and then click Edit to edit it.
  • Remove the existing policy text and type the following policy as-is in the edit policy box.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Start*",
        "ec2:Stop*"
      ],
      "Resource": "*"
    }
  ]
}
  • Click Save to save the changes. Click Allow and return to the Lambda Function console.
  • On the same page, scroll down to the Advanced Settings section and set the Timeout value to more than 1 minute.
    Figure: Auto Start Stop EC2 instance Python script
  • Finally, click Next to proceed. On the Review page, click Create Function to complete the wizard.
  • To test that your function works properly, make sure that the instance you specified when creating the Lambda function is currently stopped.
  • Click the Test tab and then click Save and Test. If everything goes fine, you will see a script execution result something like the one below.

Note: If you get any error, please check the Lambda Function script code or let us know in the comment box.

To verify that the instance has started, go to the EC2 instance list and check the state of the instance you specified in the script.
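The policy above grants ec2:Start* and ec2:Stop* on "Resource": "*", so the function's role can start or stop every instance in the account. The following added example (not part of the article) builds the same two-statement policy with the EC2 statement limited to the named instances and to the exact ec2:StartInstances / ec2:StopInstances actions, and includes a small check that flags any Allow statement with a wildcard resource. The account ID and instance IDs are constructed placeholders.

```python
"""Added example: least-privilege version of the article's Lambda role policy.

ACCOUNT_ID, REGION and INSTANCES are constructed placeholders; replace them
with your own values before using the generated document.
"""
import json

ACCOUNT_ID = "123456789012"            # placeholder AWS account ID
REGION = "ap-southeast-1"
INSTANCES = ["i-0123456789abcdef0"]    # placeholder instance IDs

# The article's policy, reproduced so the check below can be run against it.
ARTICLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow",
         "Action": ["ec2:Start*", "ec2:Stop*"],
         "Resource": "*"},
    ],
}


def instance_arn(region, account_id, instance_id):
    """ARN form that ec2:StartInstances / ec2:StopInstances accept as a resource."""
    return "arn:aws:ec2:%s:%s:instance/%s" % (region, account_id, instance_id)


def scoped_policy(region, account_id, instance_ids):
    """Same two statements as the article's policy, but the EC2 statement can
    only start or stop the listed instances, and only via the two exact actions."""
    if not instance_ids:
        raise ValueError("at least one instance ID is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": "arn:aws:logs:%s:%s:*" % (region, account_id)},
            {"Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances"],
             "Resource": [instance_arn(region, account_id, i) for i in instance_ids]},
        ],
    }


def wildcard_grants(policy):
    """Return (actions, resource) for every Allow statement whose Resource is '*'.

    Run this over a policy document before saving it in the IAM console; an
    empty list means nothing is granted account-wide.
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        actions = stmt.get("Action", [])
        if isinstance(resources, str):
            resources = [resources]
        if isinstance(actions, str):
            actions = [actions]
        for res in resources:
            if res == "*":
                found.append((tuple(actions), res))
    return found


if __name__ == "__main__":
    print("wildcard grants in article policy:", wildcard_grants(ARTICLE_POLICY))
    print(json.dumps(scoped_policy(REGION, ACCOUNT_ID, INSTANCES), indent=2))
```

Paste the printed JSON into the policy editor in place of the article's policy; the Lambda function itself does not change, only what its role is allowed to touch.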

Creating an Auto Start Stop Event Schedule Rule

So far, you have created the Lambda function and the IAM role, but you have not yet defined the time at which the instance should start. For this, you need to create an event schedule rule.

  • Open the CloudWatch console and click Rules in the left pane.
  • On the Create Rule page, select the Schedule option.
  • In the Cron expression box, set the desired time at which you want to start your instances. In our case, we set it to start daily at 01:25 GMT. For more information about the event scheduler, click here.
  • In the right pane, select Lambda Function as the target and then select the name of the Lambda function you created previously.
    Figure: AWS EC2 Instance Auto Stop Start at night
  • Click Configure details to proceed. On the Configure details page, specify the rule name and description, and complete the wizard.

Test and Validate Auto Start Stop EC2 Schedule

Now you have done all the steps. Just wait for the time you mentioned in the schedule expression and verify that your instance starts automatically.

Using a similar process, you can also schedule an auto stop event for specific instances at a specific time. The only difference is the Lambda function script, which is shown in the following figure.

You also do not need to create the custom IAM role again, as that is a one-time activity.
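Rather than maintaining two nearly identical functions, one handler can serve both the start rule and the stop rule. The following is an added example, not the article's script: it assumes each CloudWatch Events rule target passes a constant JSON input such as {"action": "stop"} to the function, refuses any other action so a misconfigured rule changes nothing, and also builds the weekday-only cron expressions (AWS six-field form: minutes, hours, day-of-month, month, day-of-week, year) for a start rule and a stop rule. The EC2 client is passed in, so the logic can be exercised offline with the constructed DryRunEC2 stub; the instance ID is a placeholder.

```python
"""Added example: one Lambda handler for both the start and the stop schedule.

REGION and INSTANCES are constructed placeholders. The scheduled rule is
assumed to pass a constant JSON input like {"action": "start"}.
"""
import json

REGION = "ap-southeast-1"
INSTANCES = ["i-0123456789abcdef0"]   # placeholder instance IDs


def schedule_expressions(start_hour_utc, stop_hour_utc, minute=0, days="MON-FRI"):
    """Return the cron expressions for the two CloudWatch Events rules.

    AWS cron fields are: minutes hours day-of-month month day-of-week year, and
    one of day-of-month / day-of-week must be '?'. Hours are UTC (GMT).
    """
    for hour in (start_hour_utc, stop_hour_utc):
        if not 0 <= hour <= 23:
            raise ValueError("hour must be between 0 and 23 (UTC)")
    if not 0 <= minute <= 59:
        raise ValueError("minute must be between 0 and 59")
    return {
        "start": "cron(%d %d ? * %s *)" % (minute, start_hour_utc, days),
        "stop": "cron(%d %d ? * %s *)" % (minute, stop_hour_utc, days),
    }


def handle(event, ec2):
    """Start or stop INSTANCES according to event["action"].

    `ec2` is any object with start_instances/stop_instances, i.e. a real boto3
    EC2 client in Lambda or the DryRunEC2 stub below when testing offline.
    """
    action = (event or {}).get("action")
    if action == "start":
        resp = ec2.start_instances(InstanceIds=INSTANCES)
        changed = resp.get("StartingInstances", [])
    elif action == "stop":
        resp = ec2.stop_instances(InstanceIds=INSTANCES)
        changed = resp.get("StoppingInstances", [])
    else:
        # Unknown or missing action: fail closed and touch no instance.
        raise ValueError("event['action'] must be 'start' or 'stop', got %r" % (action,))
    return {"action": action, "instances": [i["InstanceId"] for i in changed]}


def lambda_handler(event, context):
    """Entry point configured in the Lambda console."""
    import boto3  # imported here so the module also loads where boto3 is absent
    result = handle(event, boto3.client("ec2", region_name=REGION))
    print(json.dumps(result))
    return result


class DryRunEC2:
    """Constructed stand-in for the boto3 EC2 client: records calls, changes nothing."""

    def __init__(self):
        self.calls = []

    def start_instances(self, InstanceIds):
        self.calls.append(("start", list(InstanceIds)))
        return {"StartingInstances": [{"InstanceId": i} for i in InstanceIds]}

    def stop_instances(self, InstanceIds):
        self.calls.append(("stop", list(InstanceIds)))
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}


if __name__ == "__main__":
    print(schedule_expressions(1, 13, minute=25))
    stub = DryRunEC2()
    print(handle({"action": "stop"}, stub), stub.calls)
```

Create two rules from the returned expressions, both targeting this one function, with the start rule's input set to {"action": "start"} and the stop rule's to {"action": "stop"}. With the role policy scoped to the listed instance ARNs, neither a wrong action nor a wrong instance ID in an event can affect anything outside that list.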

In this article, we have explained step by step how to schedule auto start/stop of EC2 instances. Please let us know if you get stuck anywhere; your suggestions to improve the quality of the articles are also welcome.

Posted in AWS Cloud

How To Enable MFA For AWS IAM And Root Users

Google Authenticator for AWS User Accounts

Security of the AWS console is the prime concern for a cloud administrator. Every user, including the AWS root account, should have Multi-Factor Authentication (MFA) enabled for secure AWS console login. MFA adds an additional layer of security to the AWS console login. You can enable MFA for an AWS IAM user or the root user using either a hardware MFA device or a virtual MFA application. Various virtual MFA applications are available. The following virtual MFA applications are available for mobile devices:


You can also use a hardware MFA device; however, you may need to pay to purchase it. This article is focused on virtual MFA applications.

Before proceeding, make sure you have installed the appropriate virtual MFA application on your mobile device.

Enabling Multi-factor Authentication for AWS User

To enable MFA for an AWS IAM user, you need to perform the following steps:

  1. Log in to the AWS Management Console with admin privileges.
  2. Search for and open the IAM dashboard.
  3. In the left pane, click Users and select the IAM user for which you want to enable MFA.
  4. On the IAM user Summary page, select the Security Credentials tab and then click the Assign MFA device edit button, as shown in the following figure.
     Figure: Enable MFA for AWS IAM users
  5. In the Manage MFA Device window, select the type of MFA device to activate. For this exercise, we select the A virtual MFA device option, as shown in the following figure.
     Figure: Selecting the MFA device type for an AWS IAM user
  6. Click Next Step to proceed. On the warning message box, read the instructions and click the Next Step button to proceed.
  7. On the next page, you will see a QR code that you need to scan using a virtual MFA application such as Google Authenticator.
  8. Once the code is scanned, the virtual MFA device (in our case an Android phone) should detect the AWS user account.
  9. On the Scan Code page of the AWS console, you also need to type two consecutive codes displayed by the Google Authenticator application.
  10. Now click the Activate MFA Device button to proceed, as shown in the following figure.
      Figure: Virtual MFA using Google Authenticator
      Note: The authentication code changes every few seconds, so be careful to type the current code.
  11. Once the process is completed, the message "The MFA device was successfully associated." is displayed. Click Finish to complete the wizard.
  12. From now on, whenever the IAM user tries to log in to the AWS console, they will need the dynamic security code along with the user name and password.

That's all you need to do to enable MFA for an AWS IAM user. The same process can be followed to enable MFA for the AWS root account; however, you must be logged in as the root account to do so.

We hope you have enjoyed this article. In the next article we will discuss what to do if the associated MFA device is lost. You should know this especially for the AWS root account, because an IAM user cannot manage MFA for the AWS root account.
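Enabling MFA user by user through the console does not tell you who still lacks it. The following added example (not part of the article) audits an account with the boto3 IAM API: it pages through list_users, calls list_mfa_devices for each user, and reads AccountMFAEnabled from get_account_summary to report whether the root account has MFA. The IAM client is passed in, so the functions are shown running against a constructed StubIAM with sample users; the user names and MFA serial numbers are made up.

```python
"""Added example: find IAM users without an MFA device and check root MFA.

The functions take any object with list_users / list_mfa_devices /
get_account_summary, so they run against a real boto3 IAM client in AWS
and against the constructed StubIAM below when offline.
"""


def users_without_mfa(iam):
    """Return the user names that have no virtual or hardware MFA device."""
    missing = []
    kwargs = {}
    while True:  # list_users is paginated: follow Marker while IsTruncated is true
        page = iam.list_users(**kwargs)
        for user in page["Users"]:
            devices = iam.list_mfa_devices(UserName=user["UserName"])["MFADevices"]
            if not devices:
                missing.append(user["UserName"])
        if not page.get("IsTruncated"):
            return missing
        kwargs = {"Marker": page["Marker"]}


def root_mfa_enabled(iam):
    """AccountMFAEnabled in the account summary is 1 when root has an MFA device.

    This works from an IAM user with iam:GetAccountSummary, even though an IAM
    user cannot manage the root account's MFA device itself.
    """
    return iam.get_account_summary()["SummaryMap"].get("AccountMFAEnabled", 0) == 1


class StubIAM:
    """Constructed stand-in for the boto3 IAM client.

    mfa_by_user maps a user name to the list of MFA serial numbers assigned to
    it; users are returned one per page to exercise the pagination path.
    """

    def __init__(self, mfa_by_user, root_mfa=True, page_size=1):
        self.mfa_by_user = mfa_by_user
        self.root_mfa = root_mfa
        self.page_size = page_size

    def list_users(self, Marker=None):
        names = sorted(self.mfa_by_user)
        start = int(Marker) if Marker else 0
        page = names[start:start + self.page_size]
        resp = {"Users": [{"UserName": n} for n in page], "IsTruncated": False}
        if start + self.page_size < len(names):
            resp["IsTruncated"] = True
            resp["Marker"] = str(start + self.page_size)
        return resp

    def list_mfa_devices(self, UserName):
        serials = self.mfa_by_user[UserName]
        return {"MFADevices": [{"SerialNumber": s} for s in serials]}

    def get_account_summary(self):
        return {"SummaryMap": {"AccountMFAEnabled": 1 if self.root_mfa else 0}}


def main(iam):
    """Print the audit result; pass boto3.client('iam') to run it for real."""
    print("root MFA enabled:", root_mfa_enabled(iam))
    print("users without MFA:", users_without_mfa(iam))


if __name__ == "__main__":
    # Constructed sample account: alice has a virtual MFA device, bob and carol do not.
    sample = StubIAM({"alice": ["arn:aws:iam::123456789012:mfa/alice"],
                      "bob": [], "carol": []}, root_mfa=False)
    main(sample)
```

To audit a real account, replace the sample with `main(boto3.client("iam"))`; the caller needs iam:ListUsers, iam:ListMFADevices and iam:GetAccountSummary.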


How To Connect EC2 Linux Instance If Private Key Lost

We know that EC2 Linux instances are accessed with a private key by default. SSH is allowed, but you cannot use SSH password authentication to access a Linux instance, as it is disabled by default. So, what happens if you lose the private key of your Linux instance? Here are a few things you should know before proceeding:

  • You cannot recover access to a Linux instance if you chose Instance Store as its Root Device Type.
  • You can connect to and access your Linux instance after losing the private key if you chose EBS as its Root Device Type.

Keeping the above guidelines in mind, let's begin the whole process of "How can we connect to an EC2 Linux instance if we lost the private key?"

You need to perform the following steps in order to connect to an EC2 Linux instance if the private key is lost:

  1. Stop the EC2 Linux Instance
  2. Detach the Root Volume
  3. Launch a New Temporary Instance
  4. Attach the Root Volume to the New Instance
  5. Modify the authorized_keys File
  6. Reattach the Root Volume to the Original Instance
  7. Start and Connect to the Original Instance with the New Private Key

Before starting this exercise, note down the following key information:

  • Instance ID, AMI ID, and Availability Zone of the original instance
  • Name of the root device, such as /dev/sda1
  • Volume ID of the root volume

Stopping Original EC2 Linux Instance

  1. To stop an EC2 instance, log in to the AWS console and select the instance.
  2. Right-click the instance, select Instance State, and then select Stop to stop it.

Launching New Temporary Instance

In this task, we need to create a new EC2 instance with exactly the same settings and in the same availability zone.

  • Instance Name: Temporary
  • AMI: Same as the original instance
  • Security Group: Select the same Security Group that is attached to the original instance
  • Key pair: Create a new key pair named new-key-pair.pem and store it in a safe location

Note: You may refer to this article if you face any issue while creating and launching the instance.

Detaching Root Volume from Original Instance

To detach a root volume, you need to perform the following steps:

  1. Select the Volumes section in the left pane and type the volume ID of the original instance's root volume in the search box.
  2. Select the root volume, click Actions, and then select Detach Volume to detach it, as shown in the following figure.
     Figure: Detaching EC2 EBS Volume
  3. On the warning message box, click Yes, Detach.

Attaching Root Volume to Temporary Instance

We assume that the root volume you detached in the previous steps is still selected. To attach the root volume to the Temporary instance, you need to perform the following steps:

  1. Click Actions and then select Attach Volume.
  2. In the Attach Volume dialog box, type the new instance name "Temporary" in the Instance box. Alternatively, you can type the instance ID if you remember it or noted it down somewhere.
  3. Note down the new device name and then click Attach to proceed.

Note: Make sure the new instance and the volume being attached are both in the same availability zone.

Figure: Detaching Volume from EC2 Instance

Mounting Attached Volume

To mount the attached volume, you need to perform the following steps:

  1. Select and right-click the new instance (Temporary) and open its console. We assume that the device name was /dev/sdf.
  2. Use the lsblk command to view the partitions.
  3. Use the following commands to create a mount point named /tempvol and mount the attached volume under it.
lsblk                            # list block devices; the attached volume's partition shows here (in our case /dev/xvdf1)
sudo mkdir /tempvol              # create the mount point
sudo mount /dev/xvdf1 /tempvol   # mount the original instance's root partition under /tempvol

Figure: Recover EC2 Linux Instance

Note: The volume may appear with a different name depending on the Linux variant you use. For this demo, it shows as /dev/xvdf1.

Modifying the authorized_keys File and Updating the New Private Key

Use the following command to copy the new key pair's public key onto the original instance's root volume so that it can be used to access the original instance:

# copies the Temporary instance's authorized_keys (which holds new-key-pair's public key)
# over the original instance's; sudo is needed because the mounted volume's files are not owned by you
sudo cp ~/.ssh/authorized_keys /tempvol/home/ubuntu/.ssh/authorized_keys

If the above command fails to execute, you may need to grant write permission on the /home/user/.ssh directory of the mounted volume.

Note: The user name varies with the instance variant. For example, it is ubuntu for Ubuntu Linux and ec2-user for Amazon Linux.

Next, unmount the attached volume using the following command, as shown in the figure below.

sudo umount /tempvol

Figure: Modifying EC2 SSH Key file
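The cp step above can fail on permissions, and a key that is copied with the wrong mode or owner is silently ignored by sshd (with StrictModes, .ssh and authorized_keys must not be group- or world-writable and must belong to the user). The following added example, which is not part of the article's procedure, does the same edit from the Temporary instance with those conditions enforced: it looks up the user's uid, gid and home directory in the mounted volume's own /etc/passwd, keeps only well-formed OpenSSH public-key lines, appends the new key without duplicating it (or overwrites the file, as the article's cp does, with replace=True), and sets 0700/0600 and the right ownership. The mount path, user name and key material in the test are constructed.

```python
"""Added example: install a replacement public key into authorized_keys on a
root volume mounted at a temporary path, with the permissions sshd requires.

On the Temporary instance, after mounting, run for example:
  sudo python3 fix_key.py /tempvol ubuntu ~/.ssh/authorized_keys
"""
import os
import sys

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def lookup_user(mount_root, user):
    """Return (uid, gid, home) for `user` from the mounted volume's /etc/passwd,
    so ownership matches that system's IDs rather than the Temporary instance's."""
    with open(os.path.join(mount_root, "etc", "passwd")) as f:
        for line in f:
            fields = line.rstrip("\n").split(":")
            if len(fields) >= 7 and fields[0] == user:
                return int(fields[2]), int(fields[3]), fields[5]
    raise KeyError("user %r not found in %s/etc/passwd" % (user, mount_root))


def valid_public_keys(text):
    """Keep only well-formed OpenSSH public-key lines; drop comments and blanks."""
    keys = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] in KEY_TYPES:
            keys.append(" ".join(parts))
    return keys


def install_authorized_keys(mount_root, user, pubkey_text, replace=False):
    """Write the keys in pubkey_text into <mount>/<home>/.ssh/authorized_keys.

    replace=False keeps existing keys and appends new ones (no duplicates);
    replace=True overwrites the file, which is what the article's cp does.
    Returns the list of keys now in the file.
    """
    new_keys = valid_public_keys(pubkey_text)
    if not new_keys:
        raise ValueError("no valid public key lines supplied")
    uid, gid, home = lookup_user(mount_root, user)
    ssh_dir = os.path.join(mount_root, home.lstrip("/"), ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    existing = []
    if not replace and os.path.exists(path):
        with open(path) as f:
            existing = valid_public_keys(f.read())
    keys = existing + [k for k in new_keys if k not in existing]
    with open(path, "w") as f:
        f.write("\n".join(keys) + "\n")
    # sshd ignores the file if .ssh or authorized_keys is group/world writable.
    os.chmod(ssh_dir, 0o700)
    os.chmod(path, 0o600)
    if os.geteuid() == 0:  # chown to another uid needs root; run with sudo on the instance
        os.chown(ssh_dir, uid, gid)
        os.chown(path, uid, gid)
    return keys


if __name__ == "__main__":
    mount, user, keyfile = sys.argv[1:4]
    with open(keyfile) as f:
        for key in install_authorized_keys(mount, user, f.read()):
            print(key)
```

Run it with sudo on the Temporary instance before unmounting; without root the permissions are still fixed but ownership is left unchanged, which sshd on the original instance will reject.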

Detaching Volume From Temporary Instance and Reattaching With the Original Instance

  1. Go to the Volumes section, select the root volume (of the original instance), click Actions, and select Detach Volume to detach it.
  2. Once the volume is detached, click Actions again and select Attach Volume to attach it.
  3. In the Attach Volume window, type the original instance's name or ID, set the device name to /dev/sda1, and then click Attach, as shown in the following figure.

Figure: Attaching and detaching EC2 volumes

Connect to the EC2 Linux Instance (Original Instance) with the New Private Key

Now you have done all the tasks necessary to recover from the lost key pair. You can connect to the original instance with the newly created private key. For this, start the original instance and connect to it with the key pair you created for the Temporary instance, which in our case is new-key-pair.pem.

You should be able to access and connect to the EC2 Linux instance, as shown in the following figure.
Figure: Connect EC2 Linux instance with different key pair


That's all you need to do to connect to an EC2 Linux instance if the private key is lost. We hope this article has helped you. Please provide your valuable feedback to improve the article's quality.
