We have a customer who has predictable load volatility between 9 am to 6 pm and uses specific large EC2 instances during office hours for analysis, they use “c4.8xlarge” for that purpose. Their IT wanted to control launch of such large instance class post office hours and during nights to control costs, currently there is no way to restrict or control this action using Amazon IAM. In short we cannot create complex IAM policy with conditions that user A belonging to group A cannot launch instance type C every day between X and Y.
Some stop gap followed is to have a job running which removes the policy from an IAM user when certain time conditions are met. So basically what we would do is, to have a job that calls an API that removes the policy which restricts an IAM user or group from launching instances. This will make the IAM policy management complex and tough to assess/govern drifts between versions.
After the introduction of the CloudWatch events our Cloud operations started controlling it with lambda functions. Whenever a Instance type is launched it will trigger a lambda function, the function will filter whether it is a specific “C” type and check for the current time, if the time falls after office hours, it will terminate the EC2 instance launched immediately.
As a first step, we will be creating a rule in Amazon CloudWatch Events dashboard. We have chosen AWS API Call as an Event to be processed by an AWSCloudTrail Lambda function as a target.
The next step would be configuring rule details with Rule definition
Finally we will review the Rules Summary
Amazon Lambda Function Code Snippet (Python)
def lambda_handler(event, context):
#print ("Received event: " + json.dumps(event, indent=2))
ec2_client = boto3.client("ec2")
print "Event Region :", event['region']
event_time = event['detail']['eventTime']
print "Event Time :", event_time
time = event_time.split('T')
t = time
t = t.split(':')
hour = t
instance_type = event['detail']['requestParameters']['instanceType']
print "Instance Type:", instance_type
instance_id = event['detail']['responseElements']['instancesSet']['items']['instanceId']
print "Instance Id:",instance_id
if( instance_type.startswith( 't' ) and hour > 18 or hour < 8 ):
print ec2_client.terminate_instances( InstanceIds = [ instance_id ] )
GitHub Gist URL: https://github.com/cloud-automaton/automaton/blob/master/aws/events/TerminateAWSEC2.py
This post was co authored with Priya and Ramprasad of 8KMiles
Sunday, January 31, 2016
All posts, comments, views expressed in this blog are my own and does not represent the positions or views of my past, present or future employers. The intention of this blog is to share my experience and views. Content is subject to change without any notice. While I would do my best to quote the original author or copyright owners wherever I reference them, if you find any of the content / images violating copyright, please let me know and I will act upon it immediately. Lastly, I encourage you to share the content of this blog in general with other online communities for non-commercial and educational purposes.