Hello.
Is it possible to find the event in which that EC2 instance was created from CloudTrail's event history?
You should be able to find a "RunInstances" event in CloudTrail's event history if it was created within the last 90 days.
I think the event also includes information such as which IAM user created it.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
You can also search for EC2 deletion events using the "TerminateInstances" event.
If these operations are being performed by a user you do not know, there is a possibility that unauthorized access is being performed, so please delete the IAM user in question.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting
Or please deactivate the IAM user.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deactivating
You may be looking at a different region, so try searching for EC2 in global view from the URL below.
https://us-east-1.console.aws.amazon.com/ec2globalview/home?region=us-east-1#
If the EC2 instance has been deleted but a backup of it, such as a snapshot, remains, it is possible to restore data up to the point in time when the snapshot was created.
However, please note that you will not be able to restore if there are no snapshots left.
https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/restore.html
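Added example, not part of the original answer: a Python sketch that reads saved output of `aws cloudtrail lookup-events` and lists who launched and who terminated one instance, with source IP and region. The function names, the sample records and every ID, ARN and IP in them are constructed for illustration.

```python
import json

def instance_lifecycle(lookup_output, instance_id):
    """Successful RunInstances/TerminateInstances records for instance_id, oldest first."""
    hits = []
    for ev in lookup_output.get("Events", []):
        rec = json.loads(ev["CloudTrailEvent"])  # full record arrives as a JSON string
        if rec.get("eventName") not in ("RunInstances", "TerminateInstances"):
            continue
        if rec.get("errorCode"):  # denied or failed calls changed nothing
            continue
        ids = set()
        # RunInstances returns the new IDs in responseElements;
        # TerminateInstances names its targets in requestParameters.
        for part in ("requestParameters", "responseElements"):
            items = ((rec.get(part) or {}).get("instancesSet") or {}).get("items") or []
            ids.update(i.get("instanceId") for i in items)
        if instance_id in ids:
            hits.append({"event": rec["eventName"], "time": rec["eventTime"],
                         "region": rec.get("awsRegion"),
                         "actor": (rec.get("userIdentity") or {}).get("arn"),
                         "source_ip": rec.get("sourceIPAddress")})
    return sorted(hits, key=lambda h: h["time"])  # ISO 8601 UTC sorts as text

def _rec(name, time, user, ids, error=None):
    """Build one constructed lookup-events entry (all values are made up)."""
    part = "responseElements" if name == "RunInstances" else "requestParameters"
    rec = {"eventName": name, "eventTime": time, "awsRegion": "us-east-1",
           "sourceIPAddress": "198.51.100.7",
           "userIdentity": {"type": "IAMUser",
                            "arn": "arn:aws:iam::111122223333:user/" + user},
           part: {"instancesSet": {"items": [{"instanceId": i} for i in ids]}}}
    if error:
        rec["errorCode"] = error
    return {"EventName": name, "CloudTrailEvent": json.dumps(rec)}

SAMPLE = {"Events": [  # constructed, newest first as the CLI returns them
    _rec("TerminateInstances", "2024-05-02T03:15:00Z", "user-b", ["i-0aaa0000000000001"]),
    _rec("TerminateInstances", "2024-05-01T12:00:00Z", "user-c",
         ["i-0aaa0000000000001"], error="Client.UnauthorizedOperation"),
    _rec("RunInstances", "2024-05-01T10:00:00Z", "user-a",
         ["i-0aaa0000000000001", "i-0aaa0000000000002"]),
]}

if __name__ == "__main__":
    for hit in instance_lifecycle(SAMPLE, "i-0aaa0000000000001"):
        print(hit)
```

CloudTrail event history is per region, so the saved output has to come from the region the instance ran in.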
In general, if you determine that there is a possibility that your AWS account has been compromised, I recommend that you check the contents of the URL below. https://repost.aws/knowledge-center/potential-account-compromise