
Patch, Update and Run Maintenance on RDS with AWS Systems Manager Maintenance Windows

This pattern shows how to use AWS Systems Manager Maintenance Windows to automatically stop and start an Amazon Relational Database Service (Amazon RDS) DB instance on a schedule (for example, shutting the DB instance down overnight to reduce cost). Systems Manager Automation stops and starts the instance using AWS-managed runbooks, so no Lambda code has to be written.

AWS Systems Manager provides two capabilities for scheduling tasks: State Manager and Maintenance Windows. This pattern uses Maintenance Windows.


Prerequisites

  • An active AWS account
  • An existing Amazon RDS DB instance that you want to stop and start on a specific schedule
  • The required IAM roles and policies (created in section I below)


Step-by-Step Guide

Configure two separate maintenance windows that use cron expressions to stop and then start an Amazon RDS DB instance:

I. Create and configure the IAM service role for Systems Manager Automation

Step 1: Create a service role for Automation.

Step 2: Attach the iam:PassRole policy to your Automation role.

Step 3: Configure user access to Automation.

Step 1: Use the following steps to create the service role

  • Open the IAM console.
  • In the navigation pane choose Roles, then Create role.
  • Under Select type of trusted entity, choose AWS service.
  • Under Use case choose Systems Manager, then choose Next: Permissions.
  • On the Attach permissions policies page, search for AmazonSSMAutomationRole, select it, then choose Next: Review.
  • On the Review page, enter a name in the Role name box.
  • Choose Create role. The console returns you to the Roles page.
  • On the Roles page, choose the role you just created to open its summary page. Note the role name and role ARN: the next two steps attach an iam:PassRole policy that names this ARN.

Step 2: Attach the iam:PassRole policy to your Automation role

  • On the summary page of the role you just created, choose the Permissions tab.
  • Choose Add inline policy.
  • On the Create policy page, choose the Visual editor tab.
  • Choose Choose a service, then IAM.
  • Choose Select actions.
  • Enter PassRole in the Filter actions box, then select PassRole.
  • Choose Resources, make sure Specific is selected, then choose Add ARN.
  • In Specify ARN for role, paste the Automation role ARN you copied at the end of Step 1. The console fills in the Account and Role fields from it.
  • Choose Add.
  • Choose Review policy.
  • On the Review policy page, enter a name and choose Create policy.

Step 3: Configure user access to Automation

  • In the IAM navigation pane choose Users, then the user you want to configure.
  • On the Permissions tab, confirm that the AmazonSSMFullAccess policy, or a comparable policy that grants the user access to Systems Manager, is listed.
  • Choose Add inline policy.
  • On the Create policy page, choose the Visual editor tab, then Choose a service.
  • Enter IAM in the search box (or scroll down to it) and choose IAM.
  • Under Actions, enter PassRole in the search box and select PassRole.
  • Expand Resources, choose Add ARN, paste the Automation service role ARN you recorded at the end of Step 1, then choose Add. Keep the resource restricted to this one ARN: a PassRole grant on all roles would let the user hand any role in the account, including administrative ones, to Automation.
  • Choose Review policy, give the policy a name, and choose Create policy.

The roles required for Automation are now configured, and the Automation service role ARN can be used in your runbooks.


Fig 1: Represents the created RDS policy in the IAM console


Fig 2: Represents the RDS policy in JSON format
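The three steps above as code, added here as an example and not part of the original post. It builds the trust policy for the Automation role with an aws:SourceAccount guard, the iam:PassRole grant from Steps 2 and 3 pinned to one role ARN and to ssm.amazonaws.com, and an RDS policy corresponding to Fig 1 and Fig 2, which is what actually lets the runbooks stop and start the instance since AmazonSSMAutomationRole carries no RDS actions. The account ID, the role name RdsStartStopAutomationRole, the user name ssm-operator and the policy names are placeholders; the DB instance ARN is passed in. broad_pass_role_statements is a small check that refuses a PassRole grant on a wildcard resource, the mistake that turns this setup into a privilege-escalation path. Only create_automation_role talks to AWS (it needs boto3 and credentials); the policy builders and the check run offline.

```python
import fnmatch
import json

ACCOUNT_ID = "123456789012"                          # placeholder account ID
AUTOMATION_ROLE_NAME = "RdsStartStopAutomationRole"  # hypothetical role name
AUTOMATION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{AUTOMATION_ROLE_NAME}"
SSM_AUTOMATION_MANAGED_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"


def automation_trust_policy(account_id):
    """Trust policy for the Automation service role (Step 1). The condition is a
    confused-deputy guard: Systems Manager may assume the role only on behalf of
    this account, never while acting for some other customer's account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def pass_role_policy(role_arn):
    """Inline iam:PassRole grant used in Steps 2 and 3. Resource names exactly one
    role, and iam:PassedToService pins the receiving service, so the grant cannot
    be reused to hand the role to Lambda, EC2 or anything but Systems Manager."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}},
        }],
    }


def rds_start_stop_policy(db_instance_arn):
    """RDS policy in the spirit of Fig 1 and Fig 2. AmazonSSMAutomationRole grants
    no RDS actions, so the runbooks need these; Stop/Start are scoped to one instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["rds:StopDBInstance", "rds:StartDBInstance"],
             "Resource": db_instance_arn},
            {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def broad_pass_role_statements(policy):
    """Return Allow statements that grant iam:PassRole on a wildcard resource. A
    principal holding PassRole on "*" can hand any role in the account, including
    administrative ones, to Automation: a direct privilege-escalation path."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            continue
        if any("*" in r for r in _as_list(stmt.get("Resource"))):
            findings.append(stmt)
    return findings


def create_automation_role(iam, user_name, db_instance_arn, account_id=ACCOUNT_ID):
    """Apply Steps 1 to 3 with a boto3 IAM client; returns the role ARN."""
    role_arn = iam.create_role(
        RoleName=AUTOMATION_ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(automation_trust_policy(account_id)),
    )["Role"]["Arn"]
    iam.attach_role_policy(RoleName=AUTOMATION_ROLE_NAME, PolicyArn=SSM_AUTOMATION_MANAGED_POLICY)
    iam.put_role_policy(RoleName=AUTOMATION_ROLE_NAME, PolicyName="RdsStartStop",
                        PolicyDocument=json.dumps(rds_start_stop_policy(db_instance_arn)))
    pass_role = pass_role_policy(role_arn)
    if broad_pass_role_statements(pass_role):
        raise ValueError("refusing to create a wildcard iam:PassRole grant")
    iam.put_role_policy(RoleName=AUTOMATION_ROLE_NAME, PolicyName="PassAutomationRole",
                        PolicyDocument=json.dumps(pass_role))        # Step 2
    iam.put_user_policy(UserName=user_name, PolicyName="PassAutomationRole",
                        PolicyDocument=json.dumps(pass_role))        # Step 3
    return role_arn


if __name__ == "__main__":
    import sys
    import boto3  # only needed to apply this against a real account
    print(create_automation_role(boto3.client("iam"), "ssm-operator", sys.argv[1]))
```

Run it with the DB instance ARN as the only argument. The same check can be pointed at any existing inline or managed policy document: a PassRole statement with a wildcard resource is the thing to look for when reviewing who can drive Automation in an account.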

II. Create a Resource Group

  • Open the Amazon RDS console and tag the DB instance that you want in the resource group. A tag is a key-value pair of metadata attached to an AWS resource; this pattern uses Action as the tag key and StartStop as the value.
  • Open the AWS Resource Groups console and create a resource group based on the tag you just added to your Amazon RDS DB instance.
  • Under Grouping criteria, set the resource type to AWS::RDS::DBInstance and then enter the tag key-value pair. This restricts the group to Amazon RDS DB instances, so other resources that happen to carry the same tag are not picked up. Note the name of the resource group.


Fig 3: Represents the RDS resource group

III. Configure a maintenance window to stop the Amazon RDS DB instances

Create maintenance window:

  • In the AWS Systems Manager console choose Maintenance Windows, then Create maintenance window. Give the window a name and a short description, and clear Allow unregistered targets so that tasks can only run against targets registered with this window.
  • Choose CRON/Rate expression and enter the schedule expression for when the Amazon RDS DB instances should be stopped. Enter 1 for Duration and 0 for Stop initiating tasks. The time zone defaults to UTC; change it if the cron expression should be interpreted in a different time zone.
  • Choose Create maintenance window. Back on the Maintenance windows page, the new window shows a status of Enabled.


Fig 4: Represents the maintenance window

IV. Assign a target to the maintenance window

  • In the AWS Systems Manager console select the maintenance window, choose Actions, then Register targets.
  • In the Register targets section, choose Choose a resource group and select the resource group you created.
  • Under Resource types select AWS::RDS::DBInstance, then choose Register target.


Fig 5: Represents the target assigned to the window

V. Assign a task to the maintenance window

  • In the AWS Systems Manager console choose Maintenance Windows and select your window. Choose Actions, then Register Automation task.
  • Under Document, choose AWS-StopRdsInstance.
  • In the Target section choose Selecting registered target groups and select the target you registered with this maintenance window.
  • Under Rate control, set Concurrency and Error threshold to 100%. Adjust these values to match your requirements for task concurrency and error tolerance.
  • Under Input parameters, set InstanceId to {{RESOURCE_ID}}, the pseudo parameter that expands to the identifier of each DB instance in the target group.
  • Under IAM service role, either use a custom service role or create and use the service-linked role for Systems Manager.


Fig 6: Represents the task assigned to the window

Configure a maintenance window to start the Amazon RDS DB instance:

Repeat sections III to V to create a second maintenance window that starts the DB instances at the appointed time.

When setting up the maintenance window that starts the DB instances, make the following changes:

  • Give the maintenance window a different name.
  • Use the cron expression for the time at which the DB instances should start.
  • In the task, use the AWS-StartRdsInstance runbook instead of AWS-StopRdsInstance.
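Sections II to V and the second (start) window as one script, added here as an example and not part of the original post. The helpers build the tag-based resource group query restricted to DB instances, the window target, and the runbook input with the {{RESOURCE_ID}} pseudo parameter; create_window wires one window together with Allow unregistered targets off, Duration 1 and Cutoff 0 as described above; deploy tags the instance, creates the group and both windows. The group name rds-start-stop, the window names, the 22:00/07:00 weekday cron expressions, the Asia/Kolkata time zone, the account ID and the role ARN are assumptions. The window launches each task as the section I role (the custom service role option from section V) and passes that same role as AutomationAssumeRole, since it is the role holding the RDS permissions. Only deploy talks to AWS; the helpers run offline.

```python
import json

TAG_KEY, TAG_VALUE = "Action", "StartStop"          # tag from section II
RESOURCE_GROUP = "rds-start-stop"                    # hypothetical group name
AUTOMATION_ROLE_ARN = "arn:aws:iam::123456789012:role/RdsStartStopAutomationRole"  # placeholder
TIMEZONE = "Asia/Kolkata"                            # assumed local time zone

# window name -> (cron expression, runbook). Stop at 22:00, start at 07:00 on
# weekdays; the start window fires well inside the seven days after which RDS
# restarts a stopped instance by itself.
WINDOWS = {
    "rds-stop-nightly": ("cron(0 22 ? * MON-FRI *)", "AWS-StopRdsInstance"),
    "rds-start-morning": ("cron(0 7 ? * MON-FRI *)", "AWS-StartRdsInstance"),
}


def query_document(tag_key, tag_value):
    """Tag query restricted to DB instances, so the group never picks up other
    resources that happen to carry the same tag."""
    return {
        "ResourceTypeFilters": ["AWS::RDS::DBInstance"],
        "TagFilters": [{"Key": tag_key, "Values": [tag_value]}],
    }


def resource_group_query(tag_key, tag_value):
    """ResourceQuery argument for resource-groups CreateGroup."""
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(query_document(tag_key, tag_value))}


def window_targets(group_name):
    """Target registration for section IV: the resource group, DB instances only."""
    return [
        {"Key": "resource-groups:Name", "Values": [group_name]},
        {"Key": "resource-groups:ResourceTypeFilters", "Values": ["AWS::RDS::DBInstance"]},
    ]


def automation_task_parameters():
    """Runbook input: {{RESOURCE_ID}} expands to each targeted DB instance
    identifier; AutomationAssumeRole is the role the runbook's RDS calls run as."""
    return {"Automation": {
        "DocumentVersion": "$DEFAULT",
        "Parameters": {"InstanceId": ["{{RESOURCE_ID}}"],
                       "AutomationAssumeRole": [AUTOMATION_ROLE_ARN]},
    }}


def create_window(ssm, name, schedule, runbook):
    """Sections III to V for one window; returns the window ID."""
    window_id = ssm.create_maintenance_window(
        Name=name, Schedule=schedule, ScheduleTimezone=TIMEZONE,
        Duration=1, Cutoff=0,
        AllowUnassociatedTargets=False,   # tasks may only hit registered targets
    )["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        WindowId=window_id, ResourceType="RESOURCE_GROUP",
        Targets=window_targets(RESOURCE_GROUP),
    )["WindowTargetId"]
    ssm.register_task_with_maintenance_window(
        WindowId=window_id, TaskType="AUTOMATION", TaskArn=runbook,
        ServiceRoleArn=AUTOMATION_ROLE_ARN,   # custom service role option
        Targets=[{"Key": "WindowTargetIds", "Values": [target_id]}],
        TaskInvocationParameters=automation_task_parameters(),
        MaxConcurrency="100%", MaxErrors="100%", Priority=1,
    )
    return window_id


def deploy(db_instance_arn):
    """Tag the instance, build the group and both windows in a real account."""
    import boto3  # imported here so the helpers above run (and test) offline
    boto3.client("rds").add_tags_to_resource(
        ResourceName=db_instance_arn, Tags=[{"Key": TAG_KEY, "Value": TAG_VALUE}])
    boto3.client("resource-groups").create_group(
        Name=RESOURCE_GROUP, ResourceQuery=resource_group_query(TAG_KEY, TAG_VALUE))
    ssm = boto3.client("ssm")
    return {name: create_window(ssm, name, sched, runbook)
            for name, (sched, runbook) in WINDOWS.items()}


if __name__ == "__main__":
    import sys
    print(deploy(sys.argv[1]))   # argument: the DB instance ARN
```

Run it with the DB instance ARN as the only argument; it prints the two window IDs. Cutoff must stay below Duration or CreateMaintenanceWindow rejects the request, and each task's execution history under the window is where a failed stop (for example on an instance type that cannot be stopped) will show up.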


AWS bills DB instance hours only while the instance is running. While it is stopped you are still charged for provisioned storage, manual snapshots, and automated backup storage within your retention window, but not for instance hours. Stopping the instance overnight from one maintenance window and starting it from a second one therefore saves money without writing any Lambda code. Two caveats: RDS automatically starts a stopped DB instance again after seven days, so the start window should fire well before that, and some instances cannot be stopped at all (a Multi-AZ SQL Server deployment, or an instance that has or is a read replica), in which case the AWS-StopRdsInstance task fails and the failure shows in the maintenance window's task history.




FAQs

1. Why should we automate this?

ANS: – To reduce cost by stopping the database at night or whenever it is not in use.

2. What does the AWS Free Tier offer for Amazon RDS?

ANS: – The AWS Free Tier for Amazon RDS provides 750 hours per month of a Single-AZ micro DB instance, plus 20 GB of General Purpose (SSD) storage and 20 GB of backup storage.

WRITTEN BY Ramyashree V

Ramyashree V is working as a Research Associate in CloudThat. She is an expert in Kubernetes and works on many containerization-based solutions for clients. She is interested in learning new technologies in Cloud services.


