How do I find which user stopped, rebooted, or terminated my Amazon EC2 Windows instance?

I want to identify the user that stopped, rebooted, or terminated my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance.

Resolution

Note: To troubleshoot unexpected EC2 instance stops or reboots, see Why did my Amazon EC2 Linux instance reboot or restart itself? The process to check unexpected instance reboots is the same for Windows and Linux instances.

Check the CloudTrail Event history

If the instance event occurred in the previous 90 days, then check the AWS CloudTrail Event history for the instance for the following event names:

  • StopInstances
  • RebootInstances
  • TerminateInstances

On the Details page, you can see the username of the AWS Identity and Access Management (IAM) identity that initiated the event.

If CloudTrail doesn't show StopInstances or RebootInstances events that occurred for your instance, then the user initiated the instance event in Windows. To find the user who initiated the event, check the Windows logs.

Note: You can use CloudTrail only for events that occurred in the last 90 days. To keep events for longer, configure CloudTrail to send events to an Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Working with CloudTrail trails.
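For events older than 90 days, the same lookup can be run over CloudTrail log files delivered to the S3 bucket. The following Python script is an added example, not AWS code: it reads one decompressed log file and lists who stopped, rebooted, or terminated a given instance. The sample records, account ID, instance IDs, and function names are constructed for illustration.

```python
import json

LIFECYCLE_EVENTS = {"StopInstances", "RebootInstances", "TerminateInstances"}
INSTANCE = "i-0123456789abcdef0"  # constructed instance ID

def _rec(time, name, identity, instance=INSTANCE, ip="203.0.113.10"):
    """Build one constructed record in the CloudTrail log-file layout."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": identity,
            "requestParameters": {"instancesSet": {"items": [{"instanceId": instance}]}}}

# Constructed sample: a log file is a JSON object with a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-02T10:15:00Z", "StopInstances",
         {"type": "IAMUser", "userName": "alice"}),
    _rec("2024-05-03T08:00:00Z", "RebootInstances",
         {"type": "AssumedRole",
          "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob"}),
    _rec("2024-05-03T09:00:00Z", "StartInstances",
         {"type": "IAMUser", "userName": "alice"}),
    _rec("2024-05-04T09:00:00Z", "TerminateInstances",
         {"type": "IAMUser", "userName": "carol"}, instance="i-0fedcba9876543210"),
]})

def actor(identity):
    """Name the caller; assumed-role sessions carry no top-level userName."""
    if identity.get("userName"):
        return identity["userName"]
    if identity.get("type") == "AssumedRole":
        # ARN ends in assumed-role/<role name>/<session name>
        return "/".join(identity.get("arn", "").split("/")[-2:])
    return identity.get("arn") or identity.get("principalId", "unknown")

def who_changed_instance(log_text, instance_id):
    """Return (time, event, actor, source IP) for lifecycle calls on instance_id."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventName") not in LIFECYCLE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}  # can be null on failed calls
        items = (params.get("instancesSet") or {}).get("items", [])
        if any(i.get("instanceId") == instance_id for i in items):
            hits.append((rec["eventTime"], rec["eventName"],
                         actor(rec.get("userIdentity") or {}),
                         rec.get("sourceIPAddress")))
    return sorted(hits)

if __name__ == "__main__":
    for hit in who_changed_instance(SAMPLE_LOG, INSTANCE):
        print(*hit)
```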

Check the Windows logs

Note: Users can't terminate instances from within the Windows operating system (OS). They can use the Windows OS only to stop or reboot instances.

Complete the following steps:

  1. Connect to your instance.
  2. Choose Start, and then enter Event Viewer. Then, choose Event Viewer.
  3. In the navigation pane, expand Windows Logs, and then choose System.
  4. For Actions, choose Filter Current Log.
  5. In the Filter Current Log dialog box, for All Event IDs, enter 1074 or 1076, and then choose OK.
  6. To identify the user who initiated the event, check the event log.

AWS OFFICIAL | Updated 3 months ago