powershell cloudtrail trying to get instance id from requestparameters

Question

I am trying to pull instance Id and other parameters from cloudtrail using ps like so

$results = Find-CTEvent -StartTime (Get-Date).AddMinutes(-30) | ? {$_.EventName -eq "TerminateInstances"}

`
{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"xx","arn":"arn:aws:iam::462518063128:user/awslab1","accountId":"xxx","acces
                  sKeyId":"xx","userName":"awslab1","sessionContext":{"sessionIssuer":{
                  },"webIdFederationData":{},"attributes":{"creationDate":"2022-05-27T14:28:44Z","mfaAuth
                  enticated":"false"}}},"eventTime":"2022-05-27T17:04:12Z","eventSource":"ec2.amazonaws.c
                  om","eventName":"TerminateInstances","awsRegion":"us-west-1","sourceIPAddress":"AWS 
                  Internal","userAgent":"AWS Internal","requestParameters":{"instancesSet":{"items":[{"in
                  stanceId":"i-07efe3d31ef2cef02"}]}},"responseElements":{"requestId":"dde64a51-2fd6-40ef
                  -b9d6-06fde8a2abd9","instancesSet":{"items":[{"instanceId":"i-07efe3d31ef2cef02","curre
                  ntState":{"code":32,"name":"shutting-down"},"previousState":{"code":16,"name":"running"
                  }}]}},"requestID":"dde64a51-2fd6-40ef-b9d6-06fde8a2abd9","eventID":"dfc1fa38-c5db-401d-
                  9ac9-11cd5ab41dd8","readOnly":false,"eventType":"AwsApiCall","managementEvent":true,"re
                  cipientAccountId":"462518063038","eventCategory":"Management","sessionCredentialFromCon
                  sole":"true"}
`

then convertfrom json

$results.CloudTrailEvent | ConvertFrom-Json

eventVersion                 : 1.08
userIdentity                 : @{type=IAMUser; principalId=xxxx; 
                               arn=arn:aws:iam::462518063128user/awslab1; accountId=xx; 
                               accessKeyId=xxxx; userName=awslab1; sessionContext=}
eventTime                    : 5/27/2022 5:04:12 PM
eventSource                  : ec2.amazonaws.com
eventName                    : TerminateInstances
awsRegion                    : us-west-1
sourceIPAddress              : AWS Internal
userAgent                    : AWS Internal
requestParameters            : @{instancesSet=}
responseElements             : @{requestId=dde64a51-2fd6-40ef-b9d6-06fde8a2abd9; instancesSet=}
requestID                    : dde64a51-2fd6-40ef-b9d6-06fde8a2abd9
eventID                      : dfc1fa38-c5db-401d-9ac9-11cd5ab41dd8
readOnly                     : False
eventType                    : AwsApiCall
managementEvent              : True
recipientAccountId           : 462518061234
eventCategory                : Management
sessionCredentialFromConsole : true

But the requestParameters            : @{instancesSet=} is missing instance id and other values

any idea?

Answer

When you describe the object, you don't see the value but the instance ID exists under the requestParameters. Please see below for how to describe the instance IDs.

```
$results = Find-CTEvent -StartTime (Get-Date).AddMinutes(-30) | ? {$_.EventName -eq "TerminateInstances"}
($results.CloudTrailEvent |convertfrom-json).requestParameters.instancesSet.items
```

powershell cloudtrail trying to get instance id from requestparameters

相关内容