Summary Prerequisites and limitations Architecture Tools Epics Related resources

Automatically stop and start an Amazon RDS DB instance using AWS Systems Manager Maintenance Windows

Created by Ashita Dsilva (AWS)

Environment: Production

Technologies: Management & governance; Cost management; Databases

AWS services: AWS Systems Manager; Amazon RDS

Summary

This pattern demonstrates how to automatically stop and start an Amazon Relational Database Service (Amazon RDS) DB instance on a specific schedule (for example, shutting down a DB instance outside of business hours to reduce costs) by using AWS Systems Manager Maintenance Windows.

AWS Systems Manager Automation provides the AWS-StopRdsInstance and AWS-StartRdsInstance runbooks to stop and start Amazon RDS DB instances. This means that you don’t need to write custom logic with AWS Lambda functions or create an Amazon CloudWatch Events rule.

Systems Manager provides two capabilities for scheduling tasks: State Manager and Maintenance Windows. State Manager sets and maintains the required state configuration for resources in your Amazon Web Services (AWS) account one time or on a specific schedule. Maintenance Windows runs tasks on the resources in your account during a specific time window. Although you can use this pattern’s approach with State Manager or Maintenance Windows, we recommend that you use Maintenance Windows because it can run one or more tasks based on assigned priority and can also run AWS Lambda functions and AWS Step Functions tasks. For more information about State Manager and Maintenance Windows, see Choosing between State Manager and Maintenance Windows in the Systems Manager documentation.

This pattern provides detailed steps to configure two separate maintenance windows that use cron expressions to stop and then start an Amazon RDS DB instance.

Prerequisites and limitations

Prerequisites

An active AWS account.
An existing Amazon RDS DB instance that you want to stop and start on a specific schedule.
Cron expressions for your required schedule. For example, the expression cron(0 9 ? * MON-FRI *) runs the task at 09:00 on every Monday, Tuesday, Wednesday, Thursday, and Friday. For more information, see Cron and rate expressions for maintenance windows in the Systems Manager documentation.
Familiarity with Systems Manager.
Permissions to start and stop the RDS instance. For more information, see the Epics section.

Limitations

An Amazon RDS DB instance can be stopped for up to seven days at one time. After seven days, the DB instance automatically restarts to ensure that it receives any required maintenance updates.
You can’t stop a DB instance that is a read replica or that has a read replica.
You can’t stop an Amazon RDS for SQL Server DB instance in a Multi-AZ configuration.
Service quotas apply to Maintenance Windows and Systems Manager Automation. For more information about service quotas, see AWS Systems Manager endpoints and quotas in the AWS General Reference documentation.
Some AWS services aren’t available in all AWS Regions. For Region availability, see AWS services by Region. For specific endpoints, see the Service endpoints and quotas page, and choose the link for the service.

Architecture

The following diagram shows the workflow to automatically stop and start an Amazon RDS DB instance.

The workflow has the following steps:

1. Create a maintenance window and use cron expressions to define the stop and start schedule for your Amazon RDS DB instances.

2. Register a Systems Manager Automation task to the maintenance window by using the AWS-StopRdsInstance or AWS-StartRdsInstance runbook.

3. Register a target with the maintenance window by using a tag-based resource group for your Amazon RDS DB instances.

Technology stack

AWS CloudFormation
AWS Identity and Access Management (IAM)
Amazon RDS
Systems Manager

Automation and scale

You can stop and start multiple Amazon RDS DB instances at the same time by tagging the required Amazon RDS DB instances, creating a resource group that includes all the tagged DB instances, and registering this resource group as a target for the maintenance window.

Tools

AWS CloudFormation is a service that helps you model and set up your AWS resources.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud.
AWS Resource Groups helps you organize AWS resources into groups, tag resources, and manage, monitor, and automate tasks on grouped resources.
AWS Systems Manager is an AWS service that you can use to view and control your infrastructure on AWS. This pattern uses the following features of Systems Manager:
- AWS Systems Manager Automation simplifies common maintenance and deployment tasks of Amazon Elastic Compute Cloud (Amazon EC2) instances and other AWS resources.
- AWS Systems Manager Maintenance Windows helps you define a schedule for when to perform potentially disruptive actions on your instances.

Epics

Task Description Skills required

Task	Description	Skills required
Configure the IAM service role for Systems Manager Automation.	Sign in to the AWS Management Console and create a service role for Systems Manager Automation. You can use one of the following two methods to create this service role: Use AWS CloudFormation to configure a service role for Systems Manager Automation Use IAM to configure roles for Systems Manager Automation The Systems Manager Automation workflow invokes Amazon RDS by using a service role to perform start and stop actions on the Amazon RDS DB instance. The service role must be configured with the following inline policy that has permissions to start and stop the Amazon RDS DB instance: `{ "Version": "2012-10-17", "Statement": [ { "Sid": "RdsStartStop", "Effect": "Allow", "Action": [ "rds:StopDBInstance", "rds:StartDBInstance" ], "Resource": "<RDS_Instance_ARN>" }, { "Sid": "RdsDescribe", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "" } ] }` Make sure that you replace `<RDS_Instance_ARN>` with the Amazon Resource Name (ARN) of your Amazon RDS DB instance. If you are unfamiliar with using IAM policies and roles, follow the instructions in the Solution Overview* section of the Schedule Amazon RDS stop and start using AWS Systems Manager blog post. Important: Make sure that you record the ARN of the service role.	AWS administrator

Configure the IAM service role for Systems Manager Automation.

Sign in to the AWS Management Console and create a service role for Systems Manager Automation. You can use one of the following two methods to create this service role:

The Systems Manager Automation workflow invokes Amazon RDS by using a service role to perform start and stop actions on the Amazon RDS DB instance.

The service role must be configured with the following inline policy that has permissions to start and stop the Amazon RDS DB instance:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RdsStartStop",
            "Effect": "Allow",
            "Action": [
                "rds:StopDBInstance",
                "rds:StartDBInstance"
            ],
            "Resource": "<RDS_Instance_ARN>"               
        },
        {
            "Sid": "RdsDescribe",
            "Effect": "Allow",
            "Action": "rds:DescribeDBInstances",
            "Resource": "*"
        }
    ]
}

Make sure that you replace <RDS_Instance_ARN> with the Amazon Resource Name (ARN) of your Amazon RDS DB instance.

If you are unfamiliar with using IAM policies and roles, follow the instructions in the Solution Overview section of the Schedule Amazon RDS stop and start using AWS Systems Manager blog post.

Important: Make sure that you record the ARN of the service role.

AWS administrator

Task	Description	Skills required
Tag the Amazon RDS DB instances.	Open the Amazon RDS console and tag the Amazon RDS DB instances that you want to add to the resource group. A tag is metadata assigned to an AWS resource and consists of a key-value pair. We recommend that you use Action as the Tag key and StartStop as the Value. For more information about this, see Adding, listing, and removing tags in the Amazon RDS documentation.	AWS administrator
Create a resource group for your tagged Amazon RDS DB instances.	Open the AWS Resource Groups console and create a resource group based on the tag that you created for your Amazon RDS DB instances. Under Grouping Criteria, make sure that you choose AWS::RDS::DBInstance for the resource type and then provide the tag's key-value pair (for example, "Action-StartStop"). This ensures that the service only checks for Amazon RDS DB instances and not other resources that have this tag. Make sure that you record the resource group’s name. For more information and detailed steps, see Build a tag-based query and create a group in the AWS Resource Groups documentation.	AWS administrator

Task

Description

Skills required

Tag the Amazon RDS DB instances.

Open the Amazon RDS console and tag the Amazon RDS DB instances that you want to add to the resource group. A tag is metadata assigned to an AWS resource and consists of a key-value pair. We recommend that you use Action as the Tag key and StartStop as the Value.

For more information about this, see Adding, listing, and removing tags in the Amazon RDS documentation.

AWS administrator

Create a resource group for your tagged Amazon RDS DB instances.

Open the AWS Resource Groups console and create a resource group based on the tag that you created for your Amazon RDS DB instances.

Under Grouping Criteria, make sure that you choose AWS::RDS::DBInstance for the resource type and then provide the tag's key-value pair (for example, "Action-StartStop"). This ensures that the service only checks for Amazon RDS DB instances and not other resources that have this tag. Make sure that you record the resource group’s name.

For more information and detailed steps, see Build a tag-based query and create a group in the AWS Resource Groups documentation.

AWS administrator

Task Description Skills required

Task	Description	Skills required
Create a maintenance window.	Open the Systems Manager console, choose Maintenance Windows, and then choose Create a maintenance window. Provide a name for your maintenance window (for example, "StopRdsInstance"), enter a description, and then uncheck Allow unregistered targets. Choose CRON/Rate expression and provide the schedule expression to define when the Amazon RDS DB instances should be stopped. Enter 1 for the Duration and 0 for Stop initiating tasks. By default, the Time zone shows UTC. You can change the time zone to initiate the maintenance window based on the timestamp defined in your cron expression. Choose Create maintenance window. The system returns you to the maintenance window page and the state of your maintenance window is Enabled. Important: The task to stop the DB instance runs almost instantly when initiated and doesn't span the entire duration of the maintenance window. This pattern provides the minimum values for Duration and Stop initiating tasks because they are the required parameters for a maintenance window. For more information and detailed steps, see Create a maintenance window (console) in the Systems Manager documentation.	AWS administrator
Assign a target to the maintenance window.	On the Systems Manager console, choose Maintenance Windows, choose Actions, and then choose Register targets. In the Targets area, specify Choose a resource group and then choose the name of an existing resource group in your account. For Resource types, choose AWS::RDS::DBInstance and then choose Register target. For more information and detailed steps, see Assign targets to a maintenance window (console) in the Systems Manager documentation.	AWS administrator
Assign a task to the maintenance window.	On the Systems Manager console, choose Maintenance Windows, and then choose your maintenance window. Choose Actions, and then choose Register Automation task. For Document, choose AWS-StopRdsInstance. In the Targets section, choose Selecting registered target groups, and then choose the maintenance window target that you registered with the current maintenance window. For Rate control, specify 100 percent for Concurrency and Error threshold. You can change the Rate control values according to your requirements for task concurrency and error threshold. For more information about this, see About concurrency and error thresholds in the Systems Manager documentation. In the IAM service role section, for Service role, leave this box blank or create your own custom role. If you leave the box blank, Systems Manager automatically creates the service-linked role AWSServiceRoleForAmazonSSM and then associates the role with the task. To create your own custom role, see Create a custom service role for maintenance windows (console), and then associate that custom role with the task. In the Input Parameters section, specify the following parameters for the runbook: InstanceId: `{{RESOURCE_ID}}` Note: For InstanceId, a pseudo parameter is used to extract the Amazon RDS DB resource ID from the ARN. To learn more about pseudo parameters, see About pseudo parameters in the Systems Manager documentation. AutomationAssumeRole: Provide the ARN of the service role that you created for Systems Manager Automation. Choose Register Automation task. Important: The Service role option defines the service role required for the maintenance window to run tasks. However, this role is not identical to the service role that you created earlier for Systems Manager Automation. For more information and detailed steps, see Assign tasks to a maintenance window (console) in the Systems Manager documentation.	AWS administrator

Create a maintenance window.

Open the Systems Manager console, choose Maintenance Windows, and then choose Create a maintenance window. Provide a name for your maintenance window (for example, "StopRdsInstance"), enter a description, and then uncheck Allow unregistered targets.
Choose CRON/Rate expression and provide the schedule expression to define when the Amazon RDS DB instances should be stopped. Enter 1 for the Duration and 0 for Stop initiating tasks. By default, the Time zone shows UTC. You can change the time zone to initiate the maintenance window based on the timestamp defined in your cron expression.
Choose Create maintenance window. The system returns you to the maintenance window page and the state of your maintenance window is Enabled.

Important: The task to stop the DB instance runs almost instantly when initiated and doesn't span the entire duration of the maintenance window. This pattern provides the minimum values for Duration and Stop initiating tasks because they are the required parameters for a maintenance window.

For more information and detailed steps, see Create a maintenance window (console) in the Systems Manager documentation.

AWS administrator

Assign a target to the maintenance window.

On the Systems Manager console, choose Maintenance Windows, choose Actions, and then choose Register targets.
In the Targets area, specify Choose a resource group and then choose the name of an existing resource group in your account.
For Resource types, choose AWS::RDS::DBInstance and then choose Register target.

For more information and detailed steps, see Assign targets to a maintenance window (console) in the Systems Manager documentation.

AWS administrator

Assign a task to the maintenance window.

On the Systems Manager console, choose Maintenance Windows, and then choose your maintenance window. Choose Actions, and then choose Register Automation task.
For Document, choose AWS-StopRdsInstance.
In the Targets section, choose Selecting registered target groups, and then choose the maintenance window target that you registered with the current maintenance window.
For Rate control, specify 100 percent for Concurrency and Error threshold. You can change the Rate control values according to your requirements for task concurrency and error threshold. For more information about this, see About concurrency and error thresholds in the Systems Manager documentation.
In the IAM service role section, for Service role, leave this box blank or create your own custom role. If you leave the box blank, Systems Manager automatically creates the service-linked role AWSServiceRoleForAmazonSSM and then associates the role with the task. To create your own custom role, see Create a custom service role for maintenance windows (console), and then associate that custom role with the task.
In the Input Parameters section, specify the following parameters for the runbook:
- InstanceId: {{RESOURCE_ID}}
  Note: For InstanceId, a pseudo parameter is used to extract the Amazon RDS DB resource ID from the ARN. To learn more about pseudo parameters, see About pseudo parameters in the Systems Manager documentation.
- AutomationAssumeRole: Provide the ARN of the service role that you created for Systems Manager Automation.
Choose Register Automation task.

Important: The Service role option defines the service role required for the maintenance window to run tasks. However, this role is not identical to the service role that you created earlier for Systems Manager Automation.

For more information and detailed steps, see Assign tasks to a maintenance window (console) in the Systems Manager documentation.

AWS administrator

Task Description Skills required

Task	Description	Skills required
Configure a maintenance window to start the Amazon RDS DB instances.	Repeat the steps from the Configure a maintenance window to stop the Amazon RDS DB instances epic to configure another maintenance window to start the Amazon RDS DB instances at a scheduled time. Important: You must make the following changes when you configure the maintenance window to start the DB instances: Use a new name for the maintenance window (for example, "StartRdsInstance"). Replace the cron expression with the cron expression that you want to use to start the DB instances. Replace the `AWS-StopRdsInstance` runbook with `AWS-StartRdsInstance` in Task.	AWS administrator

Configure a maintenance window to start the Amazon RDS DB instances.

Repeat the steps from the Configure a maintenance window to stop the Amazon RDS DB instances epic to configure another maintenance window to start the Amazon RDS DB instances at a scheduled time.

Important: You must make the following changes when you configure the maintenance window to start the DB instances:

Use a new name for the maintenance window (for example, "StartRdsInstance").
Replace the cron expression with the cron expression that you want to use to start the DB instances.
Replace the AWS-StopRdsInstance runbook with AWS-StartRdsInstance in Task.

AWS administrator

Related resources

Use Systems Manager Automation documents to manage instances and cut costs off-hours (AWS blog post)

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Automate adding or updating Windows registry entries

Centralize software package distribution in AWS Organizations by using Terraform