
Why can't I search CloudTrail event logs to find the username that created an EBS volume?

I want to search AWS CloudTrail event logs to find out who created an Amazon Elastic Block Store (Amazon EBS) volume.

Short description

CloudTrail event logs don't contain a CreateVolume event for Amazon EBS volumes that you create during an Amazon Elastic Compute Cloud (Amazon EC2) launch.

To find the username that created the EBS volume, first determine how the EBS volume was created. Then, complete one of the following tasks:

  • For manually created EBS volumes, use the volume ID to view CloudTrail event logs for CreateVolume.
  • For EBS volumes created during an Amazon EC2 launch, use the EC2 instance ID to view CloudTrail event logs for RunInstances.

For more information, see Viewing recent management events with the console.

Note: This resolution applies only to EBS volumes that you create after you activate AWS Config and CloudTrail.

Resolution

Determine how the EBS volume was created

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Elastic Block Store, choose Volumes.
  3. Copy the Volume ID of your EBS volume.
  4. Open the AWS Config console, and then choose Resources.
  5. Under Resource type, choose AWS EC2 Volume.
  6. Under Resource identifier, enter the Volume ID.
  7. Select Resource Timeline.
  8. Under Events, expand the Configuration Change. Then, choose View full record.
  9. Expand Relationships, and then copy the EC2 Instance ID.
    Note: If you don't see an EC2 instance ID, then you manually created the EBS volume.

Find the username that created the EBS volume

Manually created EBS volumes

Complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. Under Filter, choose Resource name.
  4. Under Enter resource name, enter the volume ID of your EBS volume, and then press Enter.
  5. Choose the Event to expand and show the full event record. Note the Amazon Resource Name (ARN) and userName to identify the user that created the EBS volume.

EBS volumes created during an Amazon EC2 launch

Complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. Under Filter, choose Resource name.
  4. Under Enter resource name, enter the EC2 instance ID, and then press Enter.
  5. Choose the Event to expand and show the full event record. Note the ARN and userName to identify the user that launched the EC2 instance.
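
The two lookups above can also be scripted. The following Python is an added example, not part of the original article: it applies both cases to output in the shape returned by `aws cloudtrail lookup-events`, and it goes one step beyond the article by falling back to the role name for assumed-role sessions, whose records carry no userName. The helper names `principal` and `find_creator` are hypothetical, and the sample events, IDs, account number and names are constructed.

```python
import json

def principal(record):
    """Return (arn, name) from a CloudTrail record's userIdentity block."""
    ident = record.get("userIdentity") or {}
    # IAM users carry userName directly. Assumed-role sessions do not, so
    # fall back to the role name under sessionContext.sessionIssuer.
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return ident.get("arn"), ident.get("userName") or issuer.get("userName")

def find_creator(lookup_output, volume_id, instance_id=None):
    """Return (eventName, arn, name) for the call that created the volume."""
    records = [json.loads(e["CloudTrailEvent"])  # each record is a JSON string
               for e in lookup_output.get("Events", [])]
    # Case 1: manually created volume, CreateVolume returns the volume ID.
    for rec in records:
        resp = rec.get("responseElements") or {}  # null when the call failed
        if rec.get("eventName") == "CreateVolume" and resp.get("volumeId") == volume_id:
            return (rec["eventName"],) + principal(rec)
    # Case 2: volume created at launch, match RunInstances on the instance ID.
    for rec in records:
        resp = rec.get("responseElements") or {}
        items = (resp.get("instancesSet") or {}).get("items") or []
        if rec.get("eventName") == "RunInstances" and instance_id and any(
                i.get("instanceId") == instance_id for i in items):
            return (rec["eventName"],) + principal(rec)
    return None

# Constructed sample data: IDs, account number and names are placeholders.
def _wrap(*records):
    return {"Events": [{"CloudTrailEvent": json.dumps(r)} for r in records]}

SAMPLE = _wrap(
    {"eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "bob-example",
                      "arn": "arn:aws:iam::111122223333:user/bob-example"},
     "responseElements": None},  # failed launch attempt, must be skipped
    {"eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole",
         "arn": "arn:aws:sts::111122223333:assumed-role/deploy-example/session1",
         "sessionContext": {"sessionIssuer": {"userName": "deploy-example"}}},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaaaaaaaaaaaaaaa"}]}}},
    {"eventName": "CreateVolume",
     "userIdentity": {"type": "IAMUser", "userName": "alice-example",
                      "arn": "arn:aws:iam::111122223333:user/alice-example"},
     "responseElements": {"volumeId": "vol-0bbbbbbbbbbbbbbbb"}},
)

if __name__ == "__main__":
    print(find_creator(SAMPLE, "vol-0bbbbbbbbbbbbbbbb"))
    print(find_creator(SAMPLE, "vol-0cccccccccccccccc", "i-0aaaaaaaaaaaaaaaa"))
```

For an assumed-role result, the session name at the end of the ARN is the part that distinguishes individual callers who share the same role.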

Note: If the DeleteOnTermination attribute is set to false, then you can't delete an EBS volume. For more information, see Preserve data when an instance is terminated.