How can I find who stopped, rebooted, or terminated my EC2 Windows instance?
Last updated: 2022-09-01
My Amazon Elastic Compute Cloud (Amazon EC2) Windows instance was unexpectedly stopped, rebooted, or terminated. How can I identify who stopped, restarted, or terminated the instance?
An EC2 Windows instance can be stopped or rebooted either through AWS or through the Windows operating system. An EC2 Windows instance can be terminated only through AWS.
If the instance was stopped, rebooted, or terminated through AWS
You can stop, reboot, or terminate your instance through AWS from:
- The AWS Management Console
- The AWS Command Line Interface (AWS CLI)
- AWS Tools for PowerShell
- AWS APIs
- AWS SDK
If the event occurred in the last 90 days, then you can get more information about the event using AWS CloudTrail logs. To view the event on CloudTrail, follow these steps:
- Open the CloudTrail console.
- In the navigation pane, choose Event history.
- In the Lookup attributes dropdown menu, select Event name.
- For Enter an event name, enter StopInstances if your instance was stopped. Enter RebootInstances if your instance was rebooted. Enter TerminateInstances if your instance was terminated.
- To see more information about an event, choose the event name. On the StopInstances, RebootInstances, or TerminateInstances details page, you can see the user of the AWS Identity and Access Management (IAM) that initiated the event.
If the instance was stopped or rebooted within the Windows OS
If the instance wasn't stopped or rebooted through AWS, then the event was likely initiated within the Windows OS. To find more information about this event within the Windows OS, follow these steps while logged in to the instance:
- Open Event Viewer.
- On the navigation pane, expand Windows Logs and then choose System.
- On the Actions pane, choose Filter Current Log.
- In the All Event IDs field, enter 1074 or 1076.
- The event log indicates which user initiated the event in the Source field.
Note: An EC2 Windows stop or reboot can occur at the Windows OS level when:
- A user is logged into the instance and a Windows update reboots the OS.
- An unexpected hardware failure occurs.
- An AWS planned maintenance event stops or restarts the instance.
- A third-party tool issued the command.