How do I use AWS CLI commands to list the attachments or detachments history of a specific Amazon EBS volume?

4 minute read
0

I want to use AWS Command Line Interface (AWS CLI) to list the attachments or detachments history of an Amazon Elastic Block Storage (Amazon EBS) volume.

Short description

Amazon Elastic Compute Cloud (Amazon EC2) and Amazon EBS resources don't store attachment or detachment histories. To get an attachment or detachment history, use AWS CloudTrail. CloudTrail is a service that records AWS API calls and events for AWS accounts. You can use the AWS CloudTrail API through the AWS CLI to get the attachment and detachment logs.

If you use RunInstances and TerminateInstances API calls to attach and detach Amazon EBS volumes, then the volumes don't have individual CloudTrail events. These events don't appear in the CloudTrail lookup-events API output.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

Run the CloudTrail lookup-events API. This command uses the AWS CLI JSON processor, JMESPath, to search for Attach and Detach events.

You can use either of the following methods to get the data:

  • Print Unix Epoch timestamp
  • Print human-readable timestamp in UTC time zone

Print Unix Epoch timestamp

1. Run the following command:

$ aws cloudtrail lookup-events \--lookup-attributes AttributeKey=ResourceName,AttributeValue=VOLUME_ID \
--max-results 3 \
--region REGION_ID \
--query 'Events[?EventName == `DetachVolume` || EventName == `AttachVolume`].{EventTime:EventTime,EventName:EventName,InstanceID:(Resources[1].ResourceName)}'

Note: Replace VOLUME_ID with your Amazon EBS volume ID and REGION_ID with your AWS Region. Use the max-results variable to set the number of Amazon EBS volume events to return. 50 is the the default and maximum number of results that are returned.

2. CloudTrail displays the timestamps in Unix Epoch time. To convert the timestamp into UTC, use one of the following methods:

macOS

Remove the decimal point from the timestamp, and then run the following command:

$ date -r 1571065747 -uMon Oct 14 15:09:07 UTC 2019

Linux

Run the following command:

$ date -d @1571065747.0 -uMon Oct 14 15:09:07 UTC 2019

Windows

Use a converter. To choose a converter, see Epoch and Unix timestamp conversion tools on the EpochConverter website.

Print human-readable timestamp in UTC time zone

Note: This method uses the sed utility and the jq processor. Use jq only for Linux.

The sed utility can transform the CloudTrail Event value into a JSON-compatible layout. Most Linux distributions come with the sed utility already installed. If it's not installed, then download the utility from the GNU Operating System website.

The jq processor can search for and return the values for EventName, InstanceID, and EventTime. If it's not installed, then download the processor from the jq website. 

Run the following command:

$ aws cloudtrail lookup-events \--lookup-attributes AttributeKey=ResourceName,AttributeValue=VOLUME_ID \
--max-results 3 \
--region REGION_ID \
--query 'Events[?EventName == `DetachVolume` || EventName == `AttachVolume`].CloudTrailEvent' | \sed 's/\\//g' | sed 's/"}"/"}/g' | 
sed 's/"{"/{"/g' | \
jq '.[] | {EventName:.eventName, InstanceID:.requestParameters.instanceId, EventTime:.eventTime}'

Note: Replace VOLUME_ID with your Amazon EBS volume ID and REGION_ID with your AWS Region. Use the max-results variable to set the number of Amazon EBS volume events to return. 50 is the default and maximum number of results that are returned.

Example output:

{  "EventName": "AttachVolume",
  "InstanceID": "i-00a49ef5dd45af31b",
  "Time": "2019-10-02T15:36:18Z"
}
{
  "EventName": "DetachVolume",
  "InstanceID": "i-0554d4452aa4cf91b",
  "Time": "2019-10-02T14:26:04Z"
}
{
  "EventName": "AttachVolume",
  "InstanceID": "i-0554d4452aa4cf91b",
  "Time": "2019-10-02T14:25:42Z"
}

Note: The default search history length of CloudTrail is 90 days. Any event older than 90 days doesn't appear. To retain your event logs longer than 90 days, complete the following steps:

  1. Create your own trail in CloudTrail.
  2. Store the logs in an Amazon Simple Storage Service (Amazon S3) bucket.
  3. Use Amazon Athena to query the logs in your Amazon S3 bucket.

Related information

Lookup-events

Viewing CloudTrail events with the AWS CLI

AWS OFFICIAL
AWS OFFICIALUpdated 6 months ago