By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

powershell cloudtrail trying to get instance id from requestparameters

0

I am trying to pull instance Id and other parameters from cloudtrail using ps like so

$results = Find-CTEvent -StartTime (Get-Date).AddMinutes(-30) | ? {$_.EventName -eq "TerminateInstances"}

{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"xx","arn":"arn:aws:iam::462518063128:user/awslab1","accountId":"xxx","acces sKeyId":"xx","userName":"awslab1","sessionContext":{"sessionIssuer":{ },"webIdFederationData":{},"attributes":{"creationDate":"2022-05-27T14:28:44Z","mfaAuth enticated":"false"}}},"eventTime":"2022-05-27T17:04:12Z","eventSource":"ec2.amazonaws.c om","eventName":"TerminateInstances","awsRegion":"us-west-1","sourceIPAddress":"AWS Internal","userAgent":"AWS Internal","requestParameters":{"instancesSet":{"items":[{"in stanceId":"i-07efe3d31ef2cef02"}]}},"responseElements":{"requestId":"dde64a51-2fd6-40ef -b9d6-06fde8a2abd9","instancesSet":{"items":[{"instanceId":"i-07efe3d31ef2cef02","curre ntState":{"code":32,"name":"shutting-down"},"previousState":{"code":16,"name":"running" }}]}},"requestID":"dde64a51-2fd6-40ef-b9d6-06fde8a2abd9","eventID":"dfc1fa38-c5db-401d- 9ac9-11cd5ab41dd8","readOnly":false,"eventType":"AwsApiCall","managementEvent":true,"re cipientAccountId":"462518063038","eventCategory":"Management","sessionCredentialFromCon sole":"true"}

then convertfrom json

$results.CloudTrailEvent | ConvertFrom-Json

eventVersion : 1.08 userIdentity : @{type=IAMUser; principalId=xxxx; arn=arn:aws:iam::462518063128user/awslab1; accountId=xx; accessKeyId=xxxx; userName=awslab1; sessionContext=} eventTime : 5/27/2022 5:04:12 PM eventSource : ec2.amazonaws.com eventName : TerminateInstances awsRegion : us-west-1 sourceIPAddress : AWS Internal userAgent : AWS Internal requestParameters : @{instancesSet=} responseElements : @{requestId=dde64a51-2fd6-40ef-b9d6-06fde8a2abd9; instancesSet=} requestID : dde64a51-2fd6-40ef-b9d6-06fde8a2abd9 eventID : dfc1fa38-c5db-401d-9ac9-11cd5ab41dd8 readOnly : False eventType : AwsApiCall managementEvent : True recipientAccountId : 462518061234 eventCategory : Management sessionCredentialFromConsole : true

But the requestParameters : @{instancesSet=} is missing instance id and other values

any idea?

Topics
ComputeManagement & Governance
Tags
Amazon EC2AWS CloudTrailAWS Tools for Windows PowerShell
Language
English
rePost-User-0085875
asked 2 years ago286 views
1 Answer
0

When you describe the object, you don't see the value but the instance ID exists under the requestParameters. Please see below for how to describe the instance IDs.

$results = Find-CTEvent -StartTime (Get-Date).AddMinutes(-30) | ? {$_.EventName -eq "TerminateInstances"}
($results.CloudTrailEvent |convertfrom-json).requestParameters.instancesSet.items
AWS
Taka_M
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content