Cyber Defense Advisors

Automatically Stop VMs on AWS

ACM.117 Avoid unnecessary charges by stopping AWS EC2 instances when not in use

In the last post we considered how someone might bypass the controls we created for user-specific VMs.

User-Specific EC2 Instance

Now what if we wanted to automatically stop the VM after it has been created? It doesn’t need to be running until the user actually logs in to use it. There are a couple of ways to go about doing this.

Triggering Shut Down of VMs after a period of inactivity

Here’s a great post on automatically shutting down an EC2 instance and sending an email after an hour of inactivity.

How to Automatically Turn Off your EC2 Instance in 2021

Funny thing happened when someone at a company I worked at tried to use that approach. When the auto-shut off rule got implemented, one developer had an EC2 instance running that would perform backups once per day. He couldn’t figure out why his EC2 instance kept randomly stopping and the backup jobs didn’t run…if you’re going to implement a policy or rule like this in your account, make sure you understand how each host is used. You may require an exception for some.

In today’s cloud environment, you can schedule those backup jobs so this shouldn’t be an issue— possibly with AWS Batch as we are trying to get to in this series — or even a Lambda function. The developer probably could have scheduled the instance to run at a certain time back then as well to resolve this problem, but we were just getting started with all things cloud.

Of course we would want to automate the above rather than manually clicking buttons on the console. Maybe we’ll save that option for another post because right now I just want to stop the instance after it is created. I don’t want to pay for an hour before it stops.

Stopping an instance after creation

In order to immediately stop our EC2 instance, we can use the AWS CLI stop-instances command.

stop-instances – AWS CLI 2.8.12 Command Reference

We can do a lot of different things with the stop-instances command but for our purposes all we need is the instance ID to stop the instance we just created.

We may also want to check to see if the instance should be stopped in case the person running the script doesn’t want to stop a particular instance.

We can add a function to stop an instance to our shared functions file.

Next we can call our new function after creating our VM in the function for that purpose.

That code uses the generic function we wrote in a prior post to get an output from a CloudFormation stack.

Run the deploy scritp again and we can see that the stop command gets issued if we indicate y to stop the instance.

As always, verify it worked. Head over the the EC2 instances screen. Check to make sure the instance that was running after creation is now stopped.

One less thing to worry about and cost us money!

In the next post we’ll think through some user-specific IAM Policies for EC2 instances and cloud VMs in general.

Follow for updates.

Teri Radichel

If you liked this story please clap and follow:

******************************************************************

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research

******************************************************************

© 2nd Sight Lab 2022

All the posts in this series:

Automating Cybersecurity Metrics (ACM)GitHub – tradichel/SecurityMetricsAutomation

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts

Automatically Stop VMs on AWS was originally published in Cloud Security on Medium, where people are continuing the conversation by highlighting and responding to this story.