Deploy lambda functions in an AWS Organization - amazon-web-services

I have created an AWS lambda function to shut down an EC2 instance in my account. The function is called from CloudWatch at a certain time.
Suppose you have to accomplish the same task in an AWS Organization. You have full control over the master account and you are the owner of the Organization.
If you want to shut down all the EC2 instances in the organization at a certain time, first of all, is it possible to control that from your master account? If it is, then what would be the approach?
1. Master CloudWatch --calls--> Master Lambda --> shuts down EC2 instances in the organization
2. Member CloudWatch --> Member Lambda --> shuts down EC2 in their organization.
If 2. is the only option, is it possible to push CloudWatch rules and Lambda functions from the Master account into each member account?
Any other approach to address this problem?
Many thanks!

Option one is probably the better of the two, as it's a bit simpler (no cross-account events to deal with).
To do this you'll need to understand AWS Security Token Service's Assume Role.
This would allow your lambda to systematically:
1. Assume a role in Account 1 that can list and shutdown EC2 instances
2. Shutdown EC2 instances
3. Assume a role in Account 2 ... etc.
To do this you'll have to make an IAM role to be assumed in each 'slave' account, and an IAM role that is allowed to use sts:AssumeRole in the master account to invoke that lambda with.
I would challenge you to make sure this is what you need. Typically life is much easier in AWS if you can keep your accounts with only very loose dependencies on each other; instead considering an approach where each account is responsible for shutting down their own EC2 instances based on a trigger.
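An added example of option one in Python with boto3 (not code from the answer above): the master-account Lambda assumes a role in each member account with short-lived STS credentials and stops only the instances that are actually running. The role name OrgEc2StopRole, the session name, and the MEMBER_ACCOUNT_IDS / REGIONS environment variables are assumptions.

```python
import os

# Constructed assumptions, not from the answer above: member account IDs and
# regions come from environment variables, and every member account has a role
# of this name whose trust policy allows the master Lambda's execution role.
MEMBER_ROLE_NAME = os.environ.get("MEMBER_ROLE_NAME", "OrgEc2StopRole")  # hypothetical
REGIONS = os.environ.get("REGIONS", "us-east-1").split(",")

def build_role_arn(account_id: str, role_name: str = MEMBER_ROLE_NAME) -> str:
    """ARN of the role the master Lambda assumes in one member account."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def running_instance_ids(describe_response: dict) -> list:
    """Select only 'running' instances, leaving stopped/pending/terminated ones alone."""
    ids = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "running":
                ids.append(inst["InstanceId"])
    return ids

def stop_member_account(account_id: str, sts_client, session_factory) -> dict:
    """Assume the member role, then stop running instances per region: {region: [ids]}."""
    creds = sts_client.assume_role(
        RoleArn=build_role_arn(account_id),
        RoleSessionName="org-ec2-stop",  # shows up in the member account's CloudTrail
        DurationSeconds=900,  # shortest allowed lifetime; credentials expire soon after use
    )["Credentials"]
    stopped = {}
    for region in REGIONS:
        ec2 = session_factory(
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
            region_name=region,
        ).client("ec2")
        ids = running_instance_ids(ec2.describe_instances())
        if ids:
            ec2.stop_instances(InstanceIds=ids)
        stopped[region] = ids
    return stopped

def lambda_handler(event, context):
    """Entry point for the master account's scheduled CloudWatch rule."""
    import boto3  # imported here so the helpers above stay importable without the SDK
    sts = boto3.client("sts")
    return {acct: stop_member_account(acct, sts, boto3.Session)
            for acct in os.environ["MEMBER_ACCOUNT_IDS"].split(",")}
```

The member-account role only needs ec2:DescribeInstances and ec2:StopInstances, and the master Lambda's execution role only needs sts:AssumeRole on those role ARNs.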

Related

How do I build AWS cloud monitoring which alerts when any new resource (EC2, RDS or S3) is launched

We have individual teams that are launching EC2/RDS/S3 instances and they are not choosing the right instances or are leaving instances running for a long time, so how do I build a simple alert system that tells me what was launched?
I am trying to look into building something on top of CloudWatch but I have to use SNS to do it. Is this the right approach?
"they are not choosing right instances or leaving instances running for long time"
You can simply introduce an IAM policy that will restrict the instance launch with specific Instance types
Long-running Servers: you can make use of CW metrics and take necessary action
For RDS, S3 and other resources, I would recommend AWS Config so that you can keep track of all of your resources.

Terminate a member account in my AWS Organizations? (not the root account)

I want to terminate my member account (child account) in AWS Organizations.
Will I still be charged for resources owned by this account that weren't manually deleted, or will it remove all resources (for example instances, backups, etc.)?
The best practice when closing an AWS account is to delete all the resources first, because AWS might not automatically terminate all the active resources and they will incur additional cost.
Deleting on-demand resources should not be a problem, but any other types (e.g. Reserved Instances, Savings Plans) will still be charged until the plan term ends.
The same concept applies to accounts that belong to an Organization.
Reference:
Terminate resources on account closure
Closed account billing

Give permissions to just one EC2 instance?

I have several EC2 instances in my AWS account. I have one specific EC2 instance that I want an outsourcer to use (stop, start, manage security group, resize disk space, etc.).
I tried to do it with IAM policies, but from what I see, DescribeInstances allows the user to see all instances in my account. And when I try to edit the policy for a specific resource it shows an error because DescribeInstances is not a resource-level policy, so it must have Resource '*'.
I was thinking maybe allow him access to a different region, and put the instance there. Another option is using organizations (a little complex, but looks promising, would be happy to understand if this is the way to go).
Am I missing something? What is the best solution to achieve what I need?
If you want to give the outsourcer permission to call AWS services in your account, then from a security perspective, it would be much safer to put those resources in a child account.
That way, you are guaranteed that their credentials are not able to impact any of your other resources and services.
The alternative would be way too complex to manage. For example, security groups can be associated with many instances and one instance can have many security groups. That would not be possible to code within an IAM policy.

AWS CloudWatch to start/stop EC2 instances

Just looking for a way to start/stop an AWS EC2 instance in case of a CPU utilization increase or decrease on another EC2 instance. I know there is a service available in AWS, Auto Scaling, but I have a scenario where I can't take advantage of this service.
So just looking if it is possible or anyone can help me on this.
Just detailing the concern: suppose I have 2 EC2 instances in my AWS account named EC21 and EC22. By default, the EC22 instance is stopped.
Now I need to set up CloudWatch or any other service to check if load/CPU utilization increases on the EC21 instance by 70%, then I need to start the EC22 server, and similarly if load decreases on the EC21 instance by 30%, then stop the EC22 server.
Please advise!
When your CloudWatch alarm is triggered, it will notify an SNS topic. You can have that SNS topic then invoke a Lambda function, which can then start your EC2 instance.
1. Create an AWS Lambda function that starts your EC2 instance.
2. Configure your SNS topic to invoke your Lambda function when it receives messages. You can read about that here: Invoking Lambda functions using Amazon SNS notifications
3. Finally, ensure your CloudWatch alert sends messages to the SNS topic.
Yes, this is possible for certain types of EC2 instances. Check this detailed guide, using which you can set up the triggers in your EC2 instances based on AWS CloudWatch metrics.
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingAlarmActions.html
I think your problem might fit the scenario which I'm also trying to solve now - I have some functionality which cannot be solved with Lambdas because of their low lifetime, so I need a relatively short-lived EC2 instance to accomplish the task.
The solution is similar to the one described by Matt, but without SNS, using AWS triggers to launch a lambda function to start the instance. An added benefit is that the lambda function can itself verify whether the EC2 start is really needed.
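An added example (not code from any of the answers above) of the Lambda behind the alarm -> SNS -> Lambda chain described by Matt, which also does the "is a start really needed" check from the answer just above: it reads the CloudWatch alarm notifications out of the SNS event, maps the high-CPU alarm to a start of EC22 and the low-CPU alarm to a stop, and checks the live instance state before acting so a repeated alarm is a no-op. The two alarm names, the STANDBY_INSTANCE_ID variable and the event shape (standard CloudWatch alarm JSON in the SNS Message field) are assumptions.

```python
import json
import os

# Constructed assumptions, not from the thread: two CloudWatch alarms on EC21's CPU
# (high threshold, low threshold) publish to the SNS topic, and the standby
# instance EC22 is named by an environment variable. Alarm names are hypothetical.
HIGH_ALARM = os.environ.get("HIGH_ALARM_NAME", "EC21-cpu-high")
LOW_ALARM = os.environ.get("LOW_ALARM_NAME", "EC21-cpu-low")
STANDBY_INSTANCE = os.environ.get("STANDBY_INSTANCE_ID", "i-placeholder")

def parse_sns_event(event: dict) -> list:
    """Return each CloudWatch alarm notification carried in the SNS records."""
    messages = []
    for record in event.get("Records", []):
        raw = record.get("Sns", {}).get("Message")
        if raw:
            messages.append(json.loads(raw))
    return messages

def desired_action(alarm: dict, high_alarm: str = HIGH_ALARM, low_alarm: str = LOW_ALARM):
    """'start' when the high-CPU alarm fires, 'stop' when the low-CPU alarm fires;
    OK / INSUFFICIENT_DATA transitions and unknown alarms are ignored (None)."""
    if alarm.get("NewStateValue") != "ALARM":
        return None
    name = alarm.get("AlarmName")
    if name == high_alarm:
        return "start"
    if name == low_alarm:
        return "stop"
    return None

def apply_action(ec2, instance_id: str, action: str) -> str:
    """Check the live state first so a duplicate alarm does not re-issue a start/stop."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    state = resp["Reservations"][0]["Instances"][0]["State"]["Name"]
    if action == "start" and state == "stopped":
        ec2.start_instances(InstanceIds=[instance_id])
        return "started"
    if action == "stop" and state == "running":
        ec2.stop_instances(InstanceIds=[instance_id])
        return "stopped"
    return "no-op:" + state  # e.g. already running, or mid-transition (pending/stopping)

def lambda_handler(event, context):
    """Entry point: SNS delivers the alarm notification(s) to this Lambda."""
    import boto3  # imported here so the helpers above stay importable without the SDK
    ec2 = boto3.client("ec2")
    results = []
    for alarm in parse_sns_event(event):
        action = desired_action(alarm)
        if action:
            results.append(apply_action(ec2, STANDBY_INSTANCE, action))
    return results
```

The Lambda's execution role needs only ec2:DescribeInstances, ec2:StartInstances and ec2:StopInstances, ideally scoped to the single standby instance ARN.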
How do I stop and start Amazon EC2 instances at regular intervals using AWS Lambda?
Issue
I want to reduce my Amazon Elastic Compute Cloud (Amazon EC2) usage by stopping and starting instances at predefined times or utilization thresholds. Can I configure AWS Lambda and Amazon CloudWatch to help me do that automatically?
Short Description
You can use a CloudWatch Event to trigger a Lambda function to start and stop your EC2 instances at scheduled intervals.
Source: AWS Knowledge Center

Connection between EC2 instances

I am trying to use one AWS EC2 instance to start another EC2 instance automatically, so that it could be started automatically as long as this monitoring EC2 instance keeps running. I could use SSH to connect to my instance. However, when I try to use ec2-start-instance, I fail with the following error:
The instance ID 'i-XXXXXXXX' does not exist
These two instances are in different availability zones, so I think it is a networking settings problem, but I don't know how to solve it. Could anyone help me?
I suspect your answer lies in Roles. i.e. Account A's EC2 instance needs to have a Role Right on Account B to start EC2 instances in Account B. And it needs to somehow be assigned this role. Not sure that's possible?
Check into:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
"The access policy for the role specifies what the role allows someone to do. For example, you could specify that the role allows someone to manage only your Amazon EC2 and Amazon RDS resources but not your IAM users or groups. In our sample scenario, you use the access policy to give Example Corp read-only access to all of the resources in your account."
@Mark B
I fixed it: I had used the wrong credentials. One AWS account was set up for my personal website and the other was for other uses, so I considered using this continuously running instance to do something for me.
Thank you