First of all, the right syntax for the command is as below:
aws ec2 modify-instance-attribute --instance-id <instance_id> --block-device-mappings "[{\"DeviceName\": \"/dev/xvda\",\"Ebs\":{\"DeleteOnTermination\":false}}]" --profile <cli_profile_name> --region <region_name>
Refer to the modify-instance-attribute CLI command for more details.
Since you mentioned that you don't want to use Athena or CloudWatch, here is how you can see it directly from the CloudTrail console:
- Go to the CloudTrail console
- Click Event History in the left pane
- Lookup attribute: Event Name
- Lookup value: ModifyInstanceAttribute
This will give you all the succeeded and failed attempts at modifying instance attributes. I'm attaching a couple of snapshots for your reference to show how it would appear in CloudTrail:
In the second snapshot, you can see that my attempt to modify the instance attribute failed, but it is still logged with the event name "ModifyInstanceAttribute"; I knowingly let it fail. Note that a successful event will also have the same event name; you just need to check the event detail to see whether it succeeded or not. Also note the error code, just for additional context.
Sorry for the small font in the snapshot, but to fit it into a single screen I had to take the snapshot this way. You can zoom your browser window to see the snapshot more clearly.
Hope you find this information useful.
Comment here if you have additional questions.
Happy to help.
Abhishek
In fact you can see that error in CloudTrail without using Athena.
Command:
aws ec2 modify-instance-attribute --instance-id i-1234 --block-device-mappings '[{"DeviceName": "/dev/sda1","Ebs":{"DeleteOnTermination":false}}]'
In CloudTrail you can find it with the filter Event Source = ec2.amazonaws.com. You will see it with the error code Client.InvalidInstanceID.NotFound
Following this page, you can search the CloudTrail logs: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html Search for the error message using SQL to match AccessDenied:
SELECT
useridentity.arn,
eventname,
sourceipaddress,
eventtime
FROM cloudtrail_logs
WHERE errorcode = 'AccessDenied'
LIMIT 100;
To do this without Athena, you can turn on the Error Code column and manually search for the error, or download the CSV/JSON and search.
You can use the CLI to search; be sure to adjust max-items or specify a time range, and ensure you are in the CORRECT region.
aws cloudtrail lookup-events --max-items 500 | jq '.Events[] | select(.ErrorCode=="AccessDenied")'
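As an added example (not from any of the answers above), the same check done in Python over the shape that `aws cloudtrail lookup-events` returns: each CloudTrailEvent record is parsed and only entries carrying an errorCode are kept, which is the "same event name, look at the detail" point from the first answer and the jq filter from this one. The sample events are constructed, and fetch_events() is a hypothetical live helper built on boto3.

```python
import json

# Constructed sample in the shape `aws cloudtrail lookup-events` returns: each
# Events[] entry carries the full record as a JSON string in CloudTrailEvent.
# Account ids, ARNs and addresses are made up.
SAMPLE_EVENTS = [
    {"EventName": "ModifyInstanceAttribute", "CloudTrailEvent": json.dumps({
        "eventTime": "2024-01-01T10:00:00Z", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}})},
    {"EventName": "ModifyInstanceAttribute", "CloudTrailEvent": json.dumps({
        "eventTime": "2024-01-01T10:05:00Z", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "errorCode": "AccessDenied"})},
    {"EventName": "ModifyInstanceAttribute", "CloudTrailEvent": json.dumps({
        "eventTime": "2024-01-01T10:07:00Z", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "errorCode": "Client.InvalidInstanceID.NotFound"})},
    {"EventName": "DescribeInstances", "CloudTrailEvent": json.dumps({
        "eventTime": "2024-01-01T10:08:00Z", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "errorCode": "AccessDenied"})},
]

def failed_attempts(events, event_name="ModifyInstanceAttribute"):
    """Return (arn, source ip, error code, time) for each failed call.

    Success and failure share the same eventName; a failed record is told
    apart only by the errorCode field inside the CloudTrailEvent JSON.
    """
    rows = []
    for ev in events:
        if ev.get("EventName") != event_name:
            continue
        detail = json.loads(ev["CloudTrailEvent"])
        code = detail.get("errorCode")
        if code is None:  # no errorCode means the call succeeded
            continue
        rows.append((detail["userIdentity"]["arn"], detail.get("sourceIPAddress"),
                     code, detail["eventTime"]))
    return rows

def fetch_events(region, event_name="ModifyInstanceAttribute", max_items=500):
    """Live variant (needs boto3 and credentials): page through lookup-events
    in one region, then hand the result to failed_attempts()."""
    import boto3  # imported here so the offline part runs without it
    client = boto3.client("cloudtrail", region_name=region)
    pages = client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": event_name}],
        PaginationConfig={"MaxItems": max_items})
    return [ev for page in pages for ev in page["Events"]]
```

Event History only covers the region you query and the last 90 days, so run fetch_events() per region and with a wide enough window when a failed attempt seems to be missing.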
Do you have additional questions? Happy to help.
Is there a bug or something? Because yesterday, after posting this question, I was able to see the failed attempts. Today I am trying again but couldn't see the failed attempts for ModifyInstanceAttribute.
No, to the best of my knowledge there is no bug. I still see yesterday's failed attempt in the CloudTrail console. Can you make sure that you are checking the correct time window in which you attempted this action and it failed?
Do you have any further questions? Happy to help.