How do I use CloudTrail to search for actions on a specific resource, such as who deleted an EBS volume on an EC2 instance?

4 minute read

I want to use AWS CloudTrail to search a specific resource for information.

Resolution

Important:

The rate of lookup requests is limited to one request per second for each account. If you exceed this limit, then a throttling error occurs.
Confirm that CloudTrail logging is turned on before an event occurs. Otherwise, you can't look up the event during the time range that it occurred.
AWS services might continue to add events. CloudTrail records the events in Event history.
If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

The following examples are run from the AWS CLI. Most of these commands use the command-line JSON processor, jq. For more information on jq, see the jq website.

To install jq on Amazon Linux, use yum:

yum install jq

Note: There are jq installation options for other platforms. For information on jq installation options, see Download jq on the jq website.

List all event names for a specific resource

The following example uses an Amazon Elastic Block Store (Amazon EBS) volume ID to get a list of recent events for any API action. Replace the AttributeValue of vol-0f59a355c2example with your volume ID and the us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=vol-0f59a355c2example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

Note: CloudTrail might take longer than expected to populate recent calls.

You can use different resource IDs, such as an EBS snapshot, to run the same example. Replace the AttributeValue of snap-0993c0d9a8example with your snapshot ID and us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=snap-0993c0d9a8example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

List events for a specific API action for a specific resource

The following example shows how to get a list of recent events for the DeleteVolume API action for an EBS volume. Replace the AttributeValue of vol-0f59a355c2example with your volume ID.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=vol-0f59a355c2example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output json --region us-east-1 | jq -r '.[] | select(.event == "DeleteVolume")'

Example output:

{  "username": "jdoe",
  "eventid": "e3ec4051-9999-4e87-9999-9cc72example",
  "resource": "vol-0f59a355c2example",
  "accesskey": "ASIAXUZVKEUACEXAMPLE",
  "time": 1550191014,
  "event": "DeleteVolume"
}

List a specific event name for all resources

The following example uses the DeleteVolume event name as a filter to list deleted EBS volumes. Replace us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteVolume --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

List terminated EC2 instances for all resources

The following example lists recent EC2 TerminateInstances. Replace -region us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TerminateInstances --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

View details for a specific event ID

After you find an event ID, you can view the details about this event. Replace the AttributeValue of 0840b15f-75b5-4082-a194-86e15example with your event ID and us-east-1 with your Region.

$ aws cloudtrail lookup-events --query "Events[0].CloudTrailEvent" --output text --lookup-attribute AttributeKey=EventId,AttributeValue=0840b15f-75b5-4082-a194-86e15example --region us-east-1 | jq -r '.'

Example output:

{  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAJ3THTCWDOKEXAMPLE:jdoe",
    "arn": "arn:aws:sts::52570EXAMPLE:assumed-role/Admin/jdoe",
    "accountId": "52570example",
    "accessKeyId": "ASIAXUZVKEUAKEXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2019-02-14T23:55:15Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAJ3THTCWDOKEXAMPLE",
        "arn": "arn:aws:iam::52570EXAMPLE:role/Admin",
        "accountId": "52570EXAMPLE",
        "userName": "Admin"
      }
    }
  },
  "eventTime": "2019-02-15T00:48:05Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteVolume",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "999.999.999.999",
  "userAgent": "aws-cli/1.16.999 Python/2.7.15 Darwin/17.7.0 botocore/1.12.91",
  "requestParameters": {
    "volumeId": "vol-0c50d65c6eexample"
  },
  "responseElements": {
    "_return": true
  },
  "requestID": "a8a43ccd-736d-4b09-ba75-24b9cexample",
  "eventID": "0840b15f-75b5-4082-a194-86e15example",
  "eventType": "AwsApiCall",
  "recipientAccountId": "52570EXAMPLE"
}

Specify a date range

To specify a date range of events, use the --start-time and --end-time parameters:

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteVolume --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1 --start-time 2019-01-01T13:00Z --end-time 2019-03-01T14:00Z

Note: Choose your preferred timestamp from the list at Valid timestamp formats.

The listed events occur after the start time and up to, and including, the end time.

The default start time is the earliest date that data is available within the last 90 days. The default end time is the time of the event that occurred closest to the current time. If the specified start time is after the specified end time, then an InvalidTimeRangeException error is returned.

Topics

Storage

Relevant content

Partitioning the EBS Root Volume of an AWS EC2 Instance
rePost-User-7835478
asked 9 months ago
How do you find the EBS Volume IDS for a Volume that was created and attached at EC2 Instance Launch Time ?
jamestr
asked 2 years ago
How to identify when an EBS volume is detached from the Instance ?
Bhargav Kommineni
asked 2 months ago
How to attach an S3 bucket as a VOLUME to an EC2 instance
rePost-User-9130985
asked 6 months ago
Finding Specific Actions in CloudTrail
rePost-User-4475545
asked a year ago
How do I use AWS CLI commands to list the attachments or detachments history of a specific Amazon EBS volume?
AWS OFFICIALUpdated 4 months ago
How do I create an LVM logical volume on a partition created on an EBS volume?
AWS OFFICIALUpdated a year ago
How can I expand an existing EBS volume on my Amazon EC2 Windows instance?
AWS OFFICIALUpdated a year ago
How do I restore an EBS volume that's attached to an EC2 instance from an EBS snapshot?
AWS OFFICIALUpdated a month ago
How do you run the Petrel software on AWS?
EXPERT
Alberto-AWS
published 2 months ago