How do I find which user stopped, rebooted, or terminated my EC2 Windows instance?

Resolution

You can stop or reboot an EC2 Windows instance either through AWS or the Windows operating system (OS). You can terminate an EC2 Windows instance only through AWS.

The instance is stopped, rebooted, or terminated through AWS

You can use the following tools to stop, reboot, or terminate your instance through AWS:

• AWS Management Console
• AWS Command Line Interface (AWS CLI)
• AWS Tools for PowerShell
• AWS APIs
• AWS SDKs
• AWS CloudShell

If the instance event happened in the last 90 days, then use AWS CloudTrail Event history to get more information about the event.

To see your instance event in CloudTrail, complete the following steps:

1. Open the CloudTrail console.
2. In the navigation pane, choose Event history.
3. On the Lookup attributes menu, choose Event name.
4. For Event name, enter one of the following event names:
   StopInstances to check when your instance was stopped.
   RebootInstances to check when your instance was rebooted.
   TerminateInstances to check when your instance was terminated.
5. In the events list, choose the event name.
6. On the Details page, find the username of the AWS Identity and Access Management (IAM) identity that initiated the event.

The instance is stopped or rebooted in Windows

If CloudTrail doesn't show StopInstances or RebootInstances events for your instance, then the instance event is likely initiated in Windows.

To see more information about the instance event in Windows, connect to your instance, and then complete the following steps:

1. On the Windows taskbar, choose Search, enter Event Viewer, and then choose Event Viewer to open the tool.
2. In the navigation pane, expand Windows Logs, and then choose System.
3. In Actions, choose Filter Current Log.
4. In the Filter Current Log dialog box, in the All Event IDs field, enter 1074 or 1076, and then choose OK.
5. To identify the user who initiated the event, view the event log.

An EC2 Windows instance might also stop or reboot in Windows in the following situations:

• A user is logged in to the instance and a Windows update reboots the OS.
• Hardware unexpectedly fails.
• An AWS planned maintenance event stops or restarts the instance.
• A third-party tool issues the command.

Note: AWS sends notifications about planned instance retirements and unexpected hardware failures through email messages or your AWS Health Dashboard.