How do I search CloudTrail logs for API calls to run, stop, start, and terminate EC2 instances?

Last updated: 2019-09-03

I want to track API calls that run, stop, start, and terminate my Amazon Elastic Compute Cloud (Amazon EC2) instances.

Short Description

AWS CloudTrail enables you to view and track API calls made to your account. For security and compliance, you can track the following API calls: RunInstances, StopInstances, StartInstances, and TerminateInstances.

Resolution

Use CloudTrail event history, Amazon Athena queries, or download the CloudTrail logs from Amazon Simple Storage Service (Amazon S3) buckets.

CloudTrail event history

1.    Open the CloudTrail console, and then choose Event history.

2.    In Filter, select the drop-down menu, and then choose Event name.

3.    In the Enter event name text box, enter the event name that you want to search for (RunInstances, StopInstances, StartInstances, or TerminateInstances), and then choose the event name.

4.    In Time range, enter the desired time range, and then choose Apply.

Note: You can view event history for the last 90 days.

For more information, see Viewing Events with CloudTrail Event History.

Athena query

1.    Follow the instructions for Querying AWS CloudTrail Logs.

2.    Open the Athena console, and then choose Query Editor.

3.    Enter the following example query to return all available event information for the RunInstances API call, and then choose Run Query.

Note: Replace "cloudtrail-logs" with the name of the Athena table that you created in step 1. A table name that contains a hyphen must be enclosed in double quotes in Athena; a name that uses only letters, digits, and underscores needs no quotes.

SELECT *
FROM "cloudtrail-logs"
WHERE eventName = 'RunInstances'

4.    Enter the following example query to return filtered event information for the RunInstances API call, and then choose Run Query.

SELECT userIdentity.username, eventTime, eventName
FROM "cloudtrail-logs"
WHERE eventName = 'RunInstances'

5.    Enter the following example query to return event information for all API calls whose names end with the string Instances, from April 1, 2019 to the current date, and then choose Run Query.

SELECT userIdentity.username, eventTime, eventName
FROM "cloudtrail-logs"
WHERE (eventName LIKE '%Instances') AND eventTime > '2019-04-01T00:00:01Z'

Download CloudTrail logs from Amazon S3

Use jq or your favorite JSON command-line processor to parse the downloaded logs.

Note: You must have a trail enabled to log to an S3 bucket.

1.    Follow the instructions for Finding Your CloudTrail Log Files.

2.    Follow the instructions for Downloading Your CloudTrail Log Files.

3.    Open a Bash terminal, and then create this directory to store the log files:

$ mkdir cloudtrail-logs

4.    Go to the new directory, and then download the CloudTrail logs:

$ cd cloudtrail-logs

$ aws s3 cp s3://my_cloudtrail_bucket/AWSLogs/012345678901/CloudTrail/eu-west-1/2019/08/07 ./ --recursive

5.    Decompress the log files:

$ gzip -d *

The following example query returns each event in full for the API RunInstances:

cat * | jq '.Records[] | select(.eventName=="RunInstances")'

The following example query returns each event in full for the APIs StopInstances and TerminateInstances:

cat * | jq '.Records[] | select(.eventName=="StopInstances" or .eventName=="TerminateInstances")'
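As an added example that is not part of the original article, the following Python script performs the same filtering as the jq commands above over downloaded log files, and additionally handles files that are still gzipped, denied calls (where responseElements is null), and the fact that RunInstances reports the new instance IDs only in responseElements. The SAMPLE_RECORDS are constructed in the Records[] shape of a CloudTrail log file and are not real log data.

```python
import gzip
import json

# The four EC2 lifecycle API calls the article tracks.
LIFECYCLE_EVENTS = {"RunInstances", "StopInstances", "StartInstances", "TerminateInstances"}

def load_records(path):
    """Read one downloaded CloudTrail log file, gzipped or already decompressed."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as f:
        return json.load(f).get("Records", [])

def instance_ids(record):
    """Instance IDs from requestParameters (Stop/Start/Terminate) and responseElements
    (RunInstances). Either section is null on a denied or failed call, hence `or {}`."""
    ids = set()
    for section in ("requestParameters", "responseElements"):
        items = ((record.get(section) or {}).get("instancesSet") or {}).get("items") or []
        ids.update(i["instanceId"] for i in items if "instanceId" in i)
    return sorted(ids)

def lifecycle_events(records):
    """Keep only lifecycle calls and flatten the fields an analyst looks at first."""
    rows = []
    for r in records:
        if r.get("eventName") not in LIFECYCLE_EVENTS:
            continue
        ident = r.get("userIdentity", {})
        rows.append({
            "time": r.get("eventTime"),
            "event": r["eventName"],
            "who": ident.get("userName") or ident.get("arn"),  # IAM user, else role/session ARN
            "ip": r.get("sourceIPAddress"),
            "error": r.get("errorCode"),  # present when the call was denied or failed
            "instances": instance_ids(r),
        })
    return sorted(rows, key=lambda e: e["time"] or "")

# Constructed sample records (not real log data); the account ID is the article's placeholder.
SAMPLE_RECORDS = [
    {"eventTime": "2019-08-07T10:02:11Z", "eventName": "RunInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {"instanceType": "t3.micro"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}}},
    {"eventTime": "2019-08-07T10:05:42Z", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2019-08-07T11:30:00Z", "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::012345678901:assumed-role/Ops/bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}},
     "responseElements": None, "errorCode": "Client.UnauthorizedOperation"},
]
```

To run it against the files downloaded in step 4, pass each file to load_records and feed the combined records to lifecycle_events; the errorCode field distinguishes an attempted termination that was denied from one that succeeded.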