How can I find who stopped, rebooted, or terminated my EC2 Windows instance?
Last updated: 2021-03-17
My Amazon Elastic Compute Cloud (Amazon EC2) Windows instance was unexpectedly stopped, rebooted, or terminated. How can I identify who stopped, restarted, or terminated the instance?
An EC2 Windows instance can be stopped or rebooted through AWS or through the Windows operating system. An EC2 Windows instance can be terminated only through AWS.
If the instance was stopped, rebooted, or terminated through AWS
An instance can be stopped, rebooted, or terminated through AWS using the AWS Management Console, the AWS Command Line Interface (AWS CLI), AWS PowerShell, AWS APIs or an AWS SDK. If the event occurred in the last 90 days, then you can get more information about the event using AWS CloudTrail logs. To view the event on CloudTrail, follow these steps:
- Open the CloudTrail console.
- In the navigation pane, choose Event history.
- In the Lookup attributes dropdown menu, select Event name.
- For Enter an event name, enter StopInstances if your instance was stopped. Enter RebootInstances if your instance was rebooted. Enter TerminateInstances if your instance was terminated.
- To see more information about an event, choose the event name. On the StopInstances, RebootInstances, or TerminateInstances event details page, you can see the user name of the AWS Identity and Access Management (IAM) user that initiated the event.
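The same lookup can be done over exported CloudTrail records. The following is an added example, not part of the original article or AWS's own code: it filters records for the three event names above and reports who made each call against one instance. It goes beyond the console steps by also naming assumed-role and root callers and flagging calls that failed (records with an `errorCode`). The function names, the helper `_rec`, and all sample records are constructed for illustration.

```python
LIFECYCLE_EVENTS = {"StopInstances", "RebootInstances", "TerminateInstances"}

def _rec(name, time, identity, ids, error=None):
    """Build a constructed record in CloudTrail record layout (sample data only)."""
    rec = {"eventName": name, "eventTime": time, "userIdentity": identity,
           "sourceIPAddress": "203.0.113.10",
           "requestParameters": {"instancesSet": {"items": [{"instanceId": i} for i in ids]}}}
    if error:
        rec["errorCode"] = error  # present only when the API call failed
    return rec

ROLE = {"type": "AssumedRole",
        "arn": "arn:aws:sts::111122223333:assumed-role/ops-role/bob-session",
        "sessionContext": {"sessionIssuer": {"userName": "ops-role"}}}
A, B = "i-0123456789abcdef0", "i-0fedcba9876543210"  # placeholder instance IDs
SAMPLE_RECORDS = [
    _rec("StopInstances", "2021-03-10T08:15:00Z", {"type": "IAMUser", "userName": "alice"}, [A]),
    _rec("RebootInstances", "2021-03-09T22:40:12Z", ROLE, [A, B]),
    _rec("TerminateInstances", "2021-03-11T01:02:03Z", {"type": "IAMUser", "userName": "carol"},
         [A], error="Client.UnauthorizedOperation"),
    _rec("StopInstances", "2021-03-08T10:00:00Z", {"type": "Root"}, [B]),
    _rec("DescribeInstances", "2021-03-10T08:14:00Z", {"type": "IAMUser", "userName": "alice"}, [A]),
]

def actor(identity):
    """Return a readable caller name from a record's userIdentity block."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName") or identity.get("arn", "unknown")
    if kind == "AssumedRole":  # no userName here: use role name plus session name
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        session = identity.get("arn", "").rsplit("/", 1)[-1]
        return f"{issuer.get('userName', 'unknown-role')}/{session}"
    if kind == "Root":
        return "root"
    return identity.get("arn") or identity.get("invokedBy") or "unknown"

def who_changed_state(records, instance_id):
    """List stop/reboot/terminate calls that targeted instance_id, oldest first."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in LIFECYCLE_EVENTS:
            continue
        items = (rec.get("requestParameters") or {}).get("instancesSet", {}).get("items", [])
        if instance_id not in [i.get("instanceId") for i in items]:
            continue
        hits.append({"time": rec["eventTime"], "event": rec["eventName"],
                     "actor": actor(rec.get("userIdentity", {})),
                     "source_ip": rec.get("sourceIPAddress"),
                     "succeeded": "errorCode" not in rec})
    return sorted(hits, key=lambda h: h["time"])
```

A hit with `succeeded` set to false is an attempt that AWS rejected, so it did not change the instance state but is still worth reviewing.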
If the instance was stopped or rebooted within the Windows OS
If the instance wasn't stopped or rebooted through AWS, then the event was likely initiated within the Windows OS. To find more information about this event within the Windows OS, follow these steps while logged in to the instance:
- Open Event Viewer.
- On the navigation pane, expand Windows Logs and then choose System.
- On the Actions pane, choose Filter Current Log.
- In the All Event IDs field, enter 1074 or 1076.
- The event log indicates which user initiated the event in the Source field.
Note: An EC2 Windows stop or reboot can occur at the Windows OS level if a user is logged into the instance and a Windows update, an unexpected hardware failure, an AWS planned maintenance event, or a third-party tool issued the command. AWS sends notifications about planned instance retirements and unexpected hardware failure over email or on your Personal Health Dashboard.