Why can't I find the user name that created an EBS volume by searching CloudTrail events logs?

Last updated: 2022-08-02

I want to find out who created an Amazon Elastic Block Store (Amazon EBS) volume so that I can safely delete it.

Short description

AWS CloudTrail event logs CreateVolume aren't available for EBS volumes created during an Amazon Elastic Compute Cloud (Amazon EC2) launch.

To determine the user name that created the EBS volume:

  • EBS volumes created manually can use the volume ID to view CloudTrail event logs for CreateVolume.
  • EBS volumes created during EC2 launch can use the EC2 instance ID to view CloudTrail event logs for RunInstances.

For more information, see Viewing CloudTrail events in the CloudTrail console.

Note: This only applies to EBS volumes that were created after activating AWS Config and CloudTrail.

Resolution

Determine if the EBS volume was created during EC2 launch or manually created

  1. Open the Amazon EC2 console, expand Elastic Block Store, and then choose Volumes.
  2. Copy the Volume ID of your EBS volume.
  3. Open the AWS Config console, and then choose Resources.
  4. In the Resource type dropdown list, choose AWS EC2 Volume.
  5. In Resource identifier, paste the Volume ID from step 2. Then, select the radio button and choose Resource Timeline to open the timeline of the resource as captured by AWS Config.
  6. In Events, expand the Configuration Change. Then, choose View full record.
  7. Expand Relationships.
  8. If you don't see an EC2 instance ID, this means that your EBS volume was created manually.
  9. If you see an EC2 instance ID, this means that your EBS volume was created during EC2 launch or attached afterwards. Copy the EC2 Instance ID.

Find the user name that created the EBS volume

If the EBS volume was created manually, then follow these steps:

  1. Open the CloudTrail console, and then choose Event history.
  2. In Filter, choose Resource name.
  3. In Enter resource name, paste the volume ID of your EBS volume, and then press Enter from your device.
  4. Choose the Event to expand and show the full event record. Note the arn and userName to identify the user who manually created the EBS volume.

If the EBS volume was created during EC2 launch, then follow these steps:

  1. Open the CloudTrail console, and then choose Event history.
  2. In Filter, choose Resource name.
  3. In Enter resource name, paste the EC2 instance ID that you copied from the AWS Config console. Then, press Enter from your device.
  4. Choose the Event to expand and show the full event record. Note the arn and userName to identify the user who launched the EC2 Instance.

Note: You can't delete an EBS volume if the DeleteonTermination attribute is set to false. For more information, see Preserve Amazon EBS volumes on instance termination.


Did this article help? 


Do you need billing or technical support?