Amazon AWS: How to get details of terminated EC2 instance from instance id
One of our EC2 instance went missing from running instance list, probably it got terminated accidentally by someone.
In cloudtrail events, I can see some terminate instance events along with event time, user and instance id's which got terminated.
Problems is, as instances are already terminated I am not able to find more details of those instances using instance id.
I am interested in more details such as ami, key pair, tags.
Is there a way to get these details for terminated instance?
Answer
If the instance was started in the last 90 days, you can get the information you want from Cloudtrail dashboard.
If the instance was started more than 90 days ago: If you have Cloudtrail enabled and configured it to write to S3, then you can go through the Cloudtrail log and look for events related the instance id. If you are able to find the RunInstances event for that instance id, then you can get all information about that instance from that event.
The logs are compressed json files generated many times a day. It takes few lines of Python code to read the log files and find the events tied to that instance.
I have done the exact same thing and was able to get the information from cloudtrail logs.