
Deploy lambda functions in an AWS Organization


I have created an AWS lambda function to shut down an EC2 instance in my account. The function is called from CloudWatch at a certain time.

Suppose you have to accomplish the same task in an AWS Organization. You have full control over the master account and you are the owner of the Organization. If you want to shut down all the EC2 instances in the organization at a certain time, first of all, is it possible to control that from your master account? If it is, then what would be the approach?

  1. Master CloudWatch --calls--> Master Lambda --> shuts down EC2 instances in the organization

  2. Member CloudWatch --> Member Lambda --> shuts down EC2 in their organization.

If 2. is the only option, is it possible to push CloudWatch rules and Lambda functions from the Master account into each member account?

  3. Any other approach to address this problem?

Many thanks!


Solution

  • Option one is probably the better of the two, as it's a bit simpler (no cross-account events to deal with).

    To do this you'll need to understand AWS Security Token Service's Assume Role.

    This would allow your lambda to systematically:

    • Assume a role in Account 1 that can list and shutdown EC2 instances
    • Shutdown EC2 instances
    • Assume a role in Account 2 ... etc.

    To do this you'll have to make an IAM role to be assumed in each 'slave' account, and an IAM role that is allowed to use sts:AssumeRole in the master account to invoke that lambda with.

    I would challenge you to make sure this is what you need. Typically life is much easier in AWS if you can keep your accounts with only very loose dependencies on each other; instead, consider an approach where each account is responsible for shutting down its own EC2 instances based on a trigger.
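As an added example (not code from the question or the answer), here is a master-account Lambda that implements option one: assume a role in each member account, stop the running instances there, and carry on if one account's AssumeRole fails. The account IDs, role name and region are placeholders I made up; the real ones come from your Organization.

```python
import logging
from typing import Callable, Dict, List

# Constructed placeholders (not from the question): member accounts, role name, region.
MEMBER_ACCOUNTS = ["111111111111", "222222222222"]
ROLE_NAME = "ec2-shutdown-role"
REGION = "us-east-1"

def assume_member_role(sts_client, account_id: str, role_name: str) -> Dict[str, str]:
    """sts:AssumeRole into one member account; returns temporary credentials."""
    resp = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="scheduled-ec2-shutdown",
        DurationSeconds=900,  # shortest allowed; the sweep is short-lived
    )
    return resp["Credentials"]

def stop_running_instances(ec2_client) -> List[str]:
    """Page through running instances, stop them, and return the stopped IDs."""
    ids: List[str] = []
    pages = ec2_client.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    for page in pages:
        for reservation in page["Reservations"]:
            ids.extend(i["InstanceId"] for i in reservation["Instances"])
    if ids:
        ec2_client.stop_instances(InstanceIds=ids)
    return ids

def shutdown_organization(sts_client, ec2_factory: Callable, accounts, role_name) -> Dict[str, List[str]]:
    """Sweep every member account; one account failing must not abort the rest."""
    results: Dict[str, List[str]] = {}
    for account_id in accounts:
        try:
            creds = assume_member_role(sts_client, account_id, role_name)
            results[account_id] = stop_running_instances(ec2_factory(creds))
        except Exception as exc:  # AccessDenied, throttling, etc.: record and continue
            logging.error("account %s skipped: %s", account_id, exc)
            results[account_id] = []
    return results

def lambda_handler(event, context):
    """Entry point for the master-account CloudWatch scheduled rule."""
    import boto3  # imported here so the module also loads without boto3 installed
    sts = boto3.client("sts")
    def ec2_for(creds):  # EC2 client bound to the member account's temporary credentials
        return boto3.client("ec2", region_name=REGION, aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
    return shutdown_organization(sts, ec2_for, MEMBER_ACCOUNTS, ROLE_NAME)
```

For this to work, each member account's role needs a trust policy naming the master-account Lambda execution role as principal and only `ec2:DescribeInstances` and `ec2:StopInstances` in its permissions, and the execution role needs `sts:AssumeRole` restricted to those member role ARNs.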