Which user launched EC2 instance?

amazon-web-services amazon-ec2 amazon-iam
Vame picture Vame · May 6, 2014 · Viewed 17.6k times · Source

I have some EC2 instances that I don't really know who launched them.

Is there a way to know who launched a specific instance?

Answer

Steffen Opel picture Steffen Opel · May 6, 2014

Unfortunately this information is not directly available via an API call - you currently have two options:

  1. depending on your needs, you could approximate your goal by using the DescribeInstances API action to look at the key-name used for starting that instance (if any, it's optional, though usually in place) - assuming you have followed security best practices and are using a dedicated EC2 key pair per IAM user (rather than sharing keys), the key should usually denote the user who started the instance ;)
  2. nowadays you could activate AWS CloudTrail, which records AWS API calls for your account and delivers log files to you and provides exactly the information you are after:

The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. AWS CloudTrail is a long overdue and invaluable tool and provides unprecedented insight into your AWS usage; it is easy to get started and only has a few remaining caveats currently:

  • most importantly, it isn't available in all regions yet, but AWS has just extended it to 3 more for a total of 5, see AWS CloudTrail Expands Again - More Locations and Services, thus quickly approaching coverage of their entire Global Infrastructure
  • not all services are covered yet, but AWS hast just extended it to 7 more for a total of 15, see AWS CloudTrail Update - Seven New Services
  • depending on your needs, you most likely want to have a Logging as a Service (LaaS) solution in place to ease digging through the vast amount of logs, and provide alerts etc. - several providers already offer dedicated CloudTrail integration (and usually a free tier sufficient for that as well)
  • events are delivered within 15 minutes of the API call and the resulting logs to your S3 bucket approximately every 5 minutes, resulting in a maximum delay of 20 minutes, which is enough for post hoc and batch analysis, but not sufficient for near real-time alerting of course (see the AWS CloudTrail FAQ)

Related questions

Proper access policy for Amazon Elastic Search Cluster

I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned …

Read More
Log in to AWS using Access Key ID and Secret Access Key ID

In AWS, how do I use my Access Key ID and Secret Access Key? I can't use them in IAM users sign-in link.

Read More
AWS Amazon IAM user Policy to access ONLY one EC2 instance on EU-WEST-1 region

I have read the AWS documentation and it wasn't helpful... at least not for me. I have read about IAM and the user policy on the EC2. I want to make users have full access/(or just some actions allowed) …

Read More