How do I use CloudTrail to search for actions on a specific resource, such as who deleted an EBS volume on an EC2 instance?

4 minute read

How do I use AWS CloudTrail to search a given resource for information, such as all event names for a resource, or who deleted an Amazon Elastic Block Store (Amazon EBS) volume or snapshot on an Amazon Elastic Compute Cloud (Amazon EC2) instance?

Short description

You can use AWS CloudTrail to log and monitor account activity across your AWS infrastructure. To do so, you must have CloudTrail turned on, and enable logging in the AWS Region where the EC2 resource you want to query resides.

Important

The rate of lookup requests is limited to one request per second per account. If this limit is exceeded, a throttling error occurs.
Events that occurred during a selected time range aren't available for lookup if CloudTrail logging wasn't enabled when the events occurred.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

The following examples are run from the AWS CLI. Note that most of these commands use jq.

Use yum to install jq in Amazon Linux.

yum install jq

Note: There are jq install options for other platforms.

List all event names for a given resource

The following example uses an EBS volume ID to get a list of recent events for any API action. Replace the AttributeValue of vol-0f59a355c2example and the --region of us-east-1 with your own values.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=vol-0f59a355c2example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

Note: CloudTrail might take longer than expected to populate recent calls.

The same example can be run using different resource IDs, such as an EBS snapshot. Replace the AttributeValue of snap-0993c0d9a8example and the --region of us-east-1 with your values.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=snap-0993c0d9a8example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

List events for a specific API action for a given resource

The following example shows how to get a list of recent events for the DeleteVolume API action for an EBS volume. Replace the AttributeValue of vol-0f59a355c2example with your volume ID.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=vol-0f59a355c2example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output json --region us-east-1 | jq -r '.[] | select(.event == "DeleteVolume")'

The following is an example of the resulting output:

{
  "username": "jdoe",
  "eventid": "e3ec4051-9999-4e87-9999-9cc72example",
  "resource": "vol-0f59a355c2example",
  "accesskey": "ASIAXUZVKEUACEXAMPLE",
  "time": 1550191014,
  "event": "DeleteVolume"
}

List a specific event name for all resources

The following example lists deleted EBS volumes by using the DeleteVolume event name as a filter. Replace --region us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteVolume --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

List terminated EC2 instances for all resources

The following example lists recent EC2 TerminateInstances. Replace –region us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TerminateInstances --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

View details for a specific event id

After you find an event ID, you can view the details about this event. Replace the AttributeValue of 0840b15f-75b5-4082-a194-86e15example with your event ID and replace --region us-east-1 with your Region.

$ aws cloudtrail lookup-events --query "Events[0].CloudTrailEvent" --output text --lookup-attribute AttributeKey=EventId,AttributeValue=0840b15f-75b5-4082-a194-86e15example --region us-east-1 | jq -r '.'

The following is the example output:

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAJ3THTCWDOKEXAMPLE:jdoe",
    "arn": "arn:aws:sts::52570EXAMPLE:assumed-role/Admin/jdoe",
    "accountId": "52570example",
    "accessKeyId": "ASIAXUZVKEUAKEXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2019-02-14T23:55:15Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAJ3THTCWDOKEXAMPLE",
        "arn": "arn:aws:iam::52570EXAMPLE:role/Admin",
        "accountId": "52570EXAMPLE",
        "userName": "Admin"
      }
    }
  },
  "eventTime": "2019-02-15T00:48:05Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteVolume",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "999.999.999.999",
  "userAgent": "aws-cli/1.16.999 Python/2.7.15 Darwin/17.7.0 botocore/1.12.91",
  "requestParameters": {
    "volumeId": "vol-0c50d65c6eexample"
  },
  "responseElements": {
    "_return": true
  },
  "requestID": "a8a43ccd-736d-4b09-ba75-24b9cexample",
  "eventID": "0840b15f-75b5-4082-a194-86e15example",
  "eventType": "AwsApiCall",
  "recipientAccountId": "52570EXAMPLE"
}

Specify a date range

You can use the --start-time and --end-time parameters to specify a date range of events. The listed events occurred after the start-time, as well as up to, and including, the end-time.

The default start time is the earliest date that data is available within the last 90 days. The default end time is the time of the event that occurred closest to the current time.

If the specified start time is after the specified end time, an InvalidTimeRangeException error is returned.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteVolume --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1 --start-time 2019-01-01T13:00Z --end-time 2019-03-01T14:00Z

Note: Choose your preferred timestamp from the list at Valid timestamp formats.

Related information

AWS CLI command reference

Amazon EC2 API reference

Topics

Storage

Relevant content

Finding Specific Actions in CloudTrail
rePost-User-4475545
asked 6 months ago
Need information about who and from where my instances deleted.
rePost-User-3309721
asked a year ago
AWS Backup - two ec2 instances are assigned as the protected services - but I see an EBS snapshot in the vault?
AWS-User-4761960
asked a year ago
How do you find the EBS Volume IDS for a Volume that was created and attached at EC2 Instance Launch Time ?
jamestr
asked a year ago
Partitioning the EBS Root Volume of an AWS EC2 Instance
rePost-User-7835478
asked 3 months ago
How do I back up an instance store volume on my Amazon EC2 instance to Amazon EBS?
AWS OFFICIALUpdated 3 years ago
How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?
AWS OFFICIALUpdated 8 months ago
Why can't I find the user name that created an EBS volume by searching CloudTrail events logs?
AWS OFFICIALUpdated 10 months ago
How do I use CloudTrail to review what API calls and actions have occurred in my AWS account?
AWS OFFICIALUpdated a year ago
How to use re:Post to help you harness generative AI on AWS
EXPERT
Stuart Myles
published 12 days ago