Why can't I find the user name that created an EBS volume by searching CloudTrail events logs?

Last updated: 2019-07-29

I want to find out who created an Amazon Elastic Block Store (Amazon EBS) volume so that I can safely delete it.

Short Description

AWS CloudTrail event logs CreateVolume aren't available for EBS volumes created during an Amazon Elastic Compute Cloud (Amazon EC2) launch.

To determine the user name that created the EBS volume:

  • EBS volumes created manually can use the volume ID to view CloudTrail event logs for CreateVolume.
  • EBS volumes created during EC2 launch can use the EC2 instance ID to view CloudTrail event logs for RunInstances.

For more information, see Viewing CloudTrail Events in the CloudTrail Console.

Note: This only applies to EBS volumes that were created after activating AWS Config and CloudTrail.

Resolution

Verify that the EBS volume was created during EC2 launch or manually created

  1. Open the Amazon EC2 console, expand Elastic Block Store, and then choose Volumes.
  2. Copy the Volume ID of your EBS volume.
  3. Open the AWS Config console, and then choose Resources.
  4. In Resource type, under EC2, choose Volume.
  5. In Resource identifier, paste the Volume ID from step 2, and then choose Look up.
  6. In Resource identifier, choose your volume ID.
  7. Choose Configure timeline.
  8. Expand Relationships.
  9. If you don't see an EC2 instance ID, this means that your EBS volume was created manually.
  10. If you see an EC2 instance ID, this means that your EBS volume was created during EC2 launch or attached afterwards. Copy the EC2 Instance ID.

Find the user name that created the EBS volume

If the EBS volume was created manually, do this:

  1. Open the CloudTrail console, and then choose Event history.
  2. In Filter, choose Resource name.
  3. In Enter resource name, paste the volume ID of your EBS volume, and then press Enter from your device.
  4. Expand the Event, and take note of the User name.

If the EBS volume was created during EC2 launch, do this:

  1. Open the CloudTrail console, and then choose Event history.
  2. In Filter, choose Resource name.
  3. In Enter resource name, paste the EC2 instance ID, and then press Enter from your device.
  4. Expand the Event, and note the User name.

Note: You can't delete an EBS volume if the DeleteonTermination attribute is set to false. For more information, see Preserving Amazon EBS Volumes on Instance Termination.


Did this article help you?

Anything we could improve?


Need more help?