Exercise: Automating tasks using AWS Lambda with Amazon EventBridge

Natasha Ong
This is some text inside of a div block.
4 min read

Exercise overview:

In this hands-on exercise, you will create an AWS Lambda function*. You will also set up an Amazon EventBridge** that activates the function every minute. The function operates under an IAM role, granting it permission to stop an active EC2 instance within the AWS account.

*Recap: A Lambda function is a small program or code that AWS runs for you without needing a server. You just give it the code and tell it when to run, and AWS takes care of the rest.
*Amazon EventBridge: Ooo, a new service - what's this?!
Amazon EventBridge is like a messenger that tells your AWS Lambda function when to do its job. EventBridge important to learn because it helps us automate tasks.
In this exercise, it makes sure our Lambda function runs every minute to turn off an active EC2 instance.
Think of it as a regular alarm clock that wakes up your Lambda function to do its work.

We'll dive into Amazon EventBridge later in the course. This is just the beginning. 😉


In this exercise, you should be able to do the following:

  • Create a Lambda function
  • Configure an EventBridge rule.
  • Use a Lambda function with EventBridge to stop the EC2 instance

Task 0: Accessing the AWS Management Console

  1. Sign in to your IAM user and open the AWS Management Console.
  2. Select your preferred region for doing this exercise. We recommend picking the region that's closest to you.

Task 1: Create an EC2 instance

In this task, you will create a simple EC2 instance which you will use in the later task. You will use this EC2 instance as your test instance for your Lambda function.

  1. In the search box next to the right of Services, search for and choose EC2 to open the Amazon EC2 console.
  2. Choose Launch instance.
  3. Configure the following settings in your EC2 instance:
  4. Name: My Test Instance
  5. AMI: Amazon Linux
  6. Instance type: t2.micro (Free tier eligible)
  7. Key pair: Proceed without a key pair (Not recommended) (we don't have to access the EC2 instance later, so we don't need to create a key pair)
  8. Network settings: Choose Edit, under Inbound Security Group Rules, choose Remove

9. Choose Launch Instance

10. You should see your running EC2 instance.

In the next task, you will create an IAM role that allows the function to stop an EC2 instance.

Task 2: Create an IAM role

In this task, you will create an IAM role that we'll use in the next task. This IAM role allows the Lambda function to stop an EC2 instance (that you've created from the previous task).

  1. In the search box at the top of the page, search for and choose IAM to open the AWS IAM console.
  2. On the left side, choose Roles
  3. Choose Create role
  4. Select AWS service, and under the Use case drop-down, find Lambda. You'll spot Lambda at the top, under 'Common used services'. Choose Next.
  5. Let's skip the 'Add permissions' step for now. Choose Next.
  6. Enter myStopRoleforEC2Instance for the role name. Choose Create role.
  7. Click into the role that you've created i.e. myStopRoleforEC2Instance. Under the Permissions tab, choose Add permissions, and choose Create Inline policy.
  8. Under the Policy editor header, select JSON

9. Copy the JSON policy* and paste it into the Policy editor.

*A JSON policy gives permission to the user, group, or role it's connected to. In this case, the role it's attached to will get permission to:
Creating and managing CloudWatch Logs.
Starting or stopping EC2 instances.
Oo, what's CloudWatch? In this exercise, CloudWatch lets us keep a close eye on AWS resources and, if needed, trigger actions like starting or stopping EC2 instances. Think of logs as CloudWatch's diary - detailed records of the events and activities in your AWS environment. We'll see much more of CloudWatch when we learn about AWS' monitoring services.

Curious what this JSON policy is saying? Let's break it down:

  1. "Version": "2012-10-17", - This means  2012-10-17 is the date of the latest policy version. This tells you whether the policy is up to date with the latest standards and practises.
  2. The "Statement" is a main part of the policy structure and includes an array of individual permissions.
  3. Within the "Statement", there are two blocks (i.e. the curly braces {}). Each block grants permissions for specific actions.
  4. The first statement relates to permissions for CloudWatch. This policy allows users to perform specific tasks like creating logs and adding events within AWS CloudWatch Logs for all resources in all regions of the account. Let's break it down further:
  5. "Action" refers to a specific task that users can do. In this case, "logs:CreateLogGroup", "logs:CreateLogStream", and "logs:PutLogEvents" means actions like creating logs and adding events to them within AWS CloudWatch Logs.
  6. "Resource": "arn:aws:logs:::*". This means that the policy applies to all CloudWatch Logs resources in all regions in the account.
  7. "Effect": "Allow". This emphasises that the actions in this policy are permitted, not denied.
  8. The second statement relates to permissions for EC2 instances:
  9. "Action" refers to a specific task that users can do. In this case, "ec2:Start*" and "ec2:Stop*" mean all actions related to starting starting and stopping EC2 instances.
  10. "Resource": "*". This means this policy applies to all EC2 resources within the scope of the policy. Note that * is a wildcard, meaning "all."
  11. "Effect": "Allow". This emphasises that the actions in this policy are allowed, not denied.

10. Choose Next

11. Enter the Policy name AllowStopEC2 and choose Create Policy.

Nice! First Policy done.

Create another inline policy - let's repeat Steps 7 to 8. Copy the below JSON policy for your new policy, and paste it into the Policy editor. The following policy grants permissions exclusively for AWS CloudWatch Logs. It does not include permissions for starting and stopping EC2 instances.

  • This following policy allows the user, group, or role to create and manage AWS CloudWatch Logs for all AWS resources, helping them track and access log files from various AWS services.
  • "Action": Here, the policy specifies what activities are allowed within the AWS services. The actions "logs:CreateLogGroup", "logs:CreateLogStream", and "logs:PutLogEvents" are permissions related to AWS CloudWatch Logs. They mean the user can create logging groups, logging streams, and send data to those streams, respectively. These are essential activities for monitoring AWS resources.
  • "Resource": "*", - This part specifies which AWS resources the policy applies to. The asterisk * is a wildcard, meaning that these permissions are granted regardless of the specific AWS resource. In the context of this policy, it means the user can perform the allowed "Actions" on any CloudWatch Logs resources.
  • "Effect": "Allow" - This is the outcome of the policy. "Allow" means the specified "Actions" are permitted. It's what makes the activities listed under "Action" possible for the user.
  1. Choose Next
  2. Enter the Policy name AWSLambdaBasicExecutionRole and choose Create Policy

Create another inline policy (last one!) - let's repeat Steps 7 to 8. Copy the below JSON policy and paste it into the Policy editor.

  • This policy grants permissions to manage specific aspects of CloudWatch Logs (like creating log groups and streams) and to handle network interfaces in EC2 (create, describe, delete) for any resource in the AWS account.

  1. Choose Next
  2. Enter the Policy name AWSLambdaVPCAccessExecutionRole and choose Create Policy

Ay nice! That's three policies done.

Check: you should have three IAM policies in your IAM role.

Task 3: Create a Lambda function

In this task, you will create a Lambda function.

  1. In the search box at the top of the page, search for and choose Lambda to open the AWS Lambda console.
  2. Choose Create function
  3. In the Create function screen, configure these settings:
  4. Choose Author from scratch
  5. Function name: myEC2Stopinator
  6. Runtime: Python 3.8

Runtime = the specific version of the programming language (in this case, Python) you'll be using to run your code. It's like choosing a particular model of a toy (Python 3.8) to play with. This version of Python comes with its own set of rules and capabilities, just like different toy models have their unique features.

  1. Expand Change default execution role
  2. Choose Use an existing role
  3. Existing role: From the dropdown list, choose myStopRoleforEC2Instance. Remember that all three of the policies we've created are in this role.
  4. Choose Create function.

Task 4: Configure the trigger

In this task, you will configure a scheduled event to trigger the Lambda function. EventBridge will be the event source (or trigger).

  1. Let's stay on the page we finished on in the previous step. To set up the trigger, choose Add trigger.
  1. Choose the Select a trigger dropdown menu, and select EventBridge (CloudWatch Events).
  2. For the rule, choose Create a new rule and configure these settings:
  3. Rule name: everyMinute
  4. Rule type: Schedule expression
  • A scheduled expression is like setting a timer for your function to run at specific times or intervals, just like setting an alarm or a reminder on your phone.
  1. Schedule expression: rate(1 minute)

Note: A more realistic, schedule-based myStopRoleforEC2Instance Lambda function would probably be triggered by using a cron expression instead of a rate expression. However, for the purposes of this activity, using a rate expression is enough to see the a Lambda function in action. Cron is about specific calendar dates, while rate is about regular intervals:

  • A cron expression in Lambda is a format that lets you specify the exact times, days, months, or even years you want your function to run. For example, "at 12:00 pm on the 15th day of every month."
  • On the other hand, a rate expression is simpler and specifies a function to run at regular intervals. For example, "every 5 minutes" or "once a day," without concern for specific times or dates.
  1. Choose Add.

Task 5: Configure the Lambda function

In this task, you will paste a few lines of code to update two values in the function code. You do not need to write code to complete this task.

  1. Below the Function overview pane, choose Code tab, and then double-click lambda_function.py to display and edit the Lambda function code.
  2. In the Code source pane, delete the existing code (this is just placeholder code that we won't need). Copy the following code, and paste it into the box:
  • This script is written in Python and is designed for a Lambda function to automate the process of stopping specific EC2 instances. Here's a breakdown of the script:
  • import boto3: This line imports the Boto3 library into the script. Boto3 is what lets us interact with AWS services.
  • region = '<REPLACE_WITH_REGION>': Here, you're expected to replace <REPLACE_WITH_REGION> with the actual AWS region code (e.g., 'us-west-1') where the EC2 instances are located.
  • instances = ['<REPLACE_WITH_INSTANCE_ID>']: This line requires you to input the specific IDs of the EC2 instances you intend to stop. These IDs are unique identifiers assigned by AWS to every instance upon creation.
  • ec2 = boto3.client('ec2', region_name=region): This creates a client object representing the EC2 service. It is initialized with the region you've specified, indicating that any actions performed by this client will apply to that region.
  • def lambda_handler(event, context): This line defines a function named lambda_handler that will be invoked by AWS Lambda when the function is triggered. The event parameter contains information about the trigger event and context provides information about the runtime the function is operating within.
  • Within the lambda_handler function, the script calls ec2.stop_instances(InstanceIds=instances), instructing AWS to stop the EC2 instances specified by the instances list.
  • print('stopped your instances: ' + str(instances)): This line is a debugging statement that logs the IDs of the instances that have been stopped. It helps to confirm that the function has performed its intended task.

Note: After pasting the code into the Code source box, review lines 5, 7, and 8. If a period (.) was added to any of those lines, delete them.

  1. Replace the <REPLACE_WITH_REGION> placeholder with the actual Region that you are using. To do this, choose the region in the top right corner and use the region code. For example, the region code for US East Asia Pacific (Sydney) is ap-southeast-2
  • Important: Keep the single quotation marks (' ') around the Region in your code.
  1. Verify that an EC2 instance named My Test Instance is running in your account, and copy the My Test Instance instance ID. You are encouraged to figure out how to do this task without specific step-by-step guidance.
  2. Return to the AWS Lambda console browser tab, and replace <REPLACE_WITH_INSTANCE_ID> with the actual instance ID that you just copied. The formatting should be similar to something like this: i-04289bad0356a36b8.
  • Important: Keep the single quotation marks (' ') around the instance ID in your code.
  • Your code should now look similar to the following example. You might have a different value for the Region, and you will have a different value for the instance ID:
  1. Choose the File menu and Save the changes. Then, in the top-right corner of the Code source box, choose Deploy.

Your Lambda function is now fully configured. It should attempt to stop your instance every minute.

  1. Choose Monitor (the tab near the top of the page).
  • Note that one of the charts shows you how many times your function has been invoked. There is also a chart that shows the error count and the success rate as a percentage. Developers use these graphs to monitor usage, check for problems, and ensure their function is relialbe.

Task 6: Verify that the Lambda function worked

  1. Return to the Amazon EC2 console browser tab and see if your instance was stopped.

2. Try starting the instance again. What do you think will happen? Select your EC2 instance that has been stopped. On the Instance state drop-down, choose Start instance.

  • Try clicking the refresh button to refresh the state of your EC2 instance. What do you notice? Is your EC2 instance stopped? If yes, the reason for that is you set the Schedule expression for rate(1 minute) from Task 4. Every time you start your EC2 instance, it will trigger the Lambda function that you've created and after one minute your EC2 instance will stop.

You can modify this rate by navigating to the Configuration tab, under Triggers, and expanding the details of your EventBridge. You will see the summary settings that you've set up from the previous task.

Choose the name of your EventBridge

Under Event schedule tab, click Edit.

You can modify the Rate expression.

Once you're finished modifying the Rate expression, choose Next 3 times, and choose Updated rule.

Task 7: Delete the resources

In this task, you will delete the Lambda function and the EC2 instance.

  1. Head back to the page with you Lambda function, and choose Actions. From the drop-down, choose Delete function.

Choose Delete to confirm.

2. Next, go back to the Amazon EC2, select your instance, and from the Instance state drop-down, choose Terminate instance.

3. Next, look for Amazon EventBridge in your Console's search bar.

2. On the left hand pane, click Rules

3. Select the rules that you've created (everyMinute), and choose Delete.

4. Type delete to confirm the deletion, and choose Delete.

5. You can also delete the IAM role that you've created.

6. Note that it's not always best practice to delete an IAM role in AWS. Imagine if a role was actually still being used by other resources/services!

7. But, it's totally okay to delete roles that were made for short exercises like this. 😉 Removing completely unused roles is good for security.

Congratulations! You have completed the hands-on exercise. You have successfully:

  • Created a Lambda function
  • Configured an EventBridge rule.
  • Used a Lambda function with EventBridge to stop the EC2 instance.