How do I use CloudTrail to search for actions on a specific resource, such as who deleted an EBS volume on an EC2 instance?


I want to use AWS CloudTrail to search a specific resource for information.

Resolution

Important:

  • The rate of lookup requests is limited to one request per second for each account. If you exceed this limit, then a throttling error occurs.
  • Confirm that CloudTrail logging is turned on before an event occurs. Otherwise, you can't look up the event during the time range that it occurred.
  • AWS services might continue to add events. CloudTrail records the events in Event history.
  • If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

The following examples are run from the AWS CLI. Most of these commands use the command-line JSON processor, jq. For more information on jq, see the jq website.

To install jq on Amazon Linux, use yum:

yum install jq

Note: There are jq installation options for other platforms. For information on jq installation options, see Download jq on the jq website.

List all event names for a specific resource

The following example uses an Amazon Elastic Block Store (Amazon EBS) volume ID to get a list of recent events for any API action on that volume. Replace the AttributeValue of vol-0f59a355c2example with your volume ID and us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=vol-0f59a355c2example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

Note: CloudTrail might take longer than expected to populate recent calls.

You can use different resource IDs, such as an EBS snapshot, to run the same example. Replace the AttributeValue of snap-0993c0d9a8example with your snapshot ID and us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=snap-0993c0d9a8example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

List events for a specific API action for a specific resource

The following example shows how to get a list of recent events for the DeleteVolume API action for an EBS volume. Replace the AttributeValue of vol-0f59a355c2example with your volume ID.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=vol-0f59a355c2example --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output json --region us-east-1 | jq -r '.[] | select(.event == "DeleteVolume")'

Example output:

{
  "username": "jdoe",
  "eventid": "e3ec4051-9999-4e87-9999-9cc72example",
  "resource": "vol-0f59a355c2example",
  "accesskey": "ASIAXUZVKEUACEXAMPLE",
  "time": 1550191014,
  "event": "DeleteVolume"
}

List a specific event name for all resources

The following example uses the DeleteVolume event name as a filter to list deleted EBS volumes. Replace us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteVolume --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

List terminated EC2 instances for all resources

The following example lists recent EC2 TerminateInstances events. Replace --region us-east-1 with your Region.

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=TerminateInstances --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1

View details for a specific event ID

After you find an event ID, you can view the details about this event. Replace the AttributeValue of 0840b15f-75b5-4082-a194-86e15example with your event ID and us-east-1 with your Region.

$ aws cloudtrail lookup-events --query "Events[0].CloudTrailEvent" --output text --lookup-attributes AttributeKey=EventId,AttributeValue=0840b15f-75b5-4082-a194-86e15example --region us-east-1 | jq -r '.'

Example output:

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAJ3THTCWDOKEXAMPLE:jdoe",
    "arn": "arn:aws:sts::52570EXAMPLE:assumed-role/Admin/jdoe",
    "accountId": "52570example",
    "accessKeyId": "ASIAXUZVKEUAKEXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2019-02-14T23:55:15Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAJ3THTCWDOKEXAMPLE",
        "arn": "arn:aws:iam::52570EXAMPLE:role/Admin",
        "accountId": "52570EXAMPLE",
        "userName": "Admin"
      }
    }
  },
  "eventTime": "2019-02-15T00:48:05Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteVolume",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "999.999.999.999",
  "userAgent": "aws-cli/1.16.999 Python/2.7.15 Darwin/17.7.0 botocore/1.12.91",
  "requestParameters": {
    "volumeId": "vol-0c50d65c6eexample"
  },
  "responseElements": {
    "_return": true
  },
  "requestID": "a8a43ccd-736d-4b09-ba75-24b9cexample",
  "eventID": "0840b15f-75b5-4082-a194-86e15example",
  "eventType": "AwsApiCall",
  "recipientAccountId": "52570EXAMPLE"
}
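The same filter as the jq pipeline above, applied to the JSON that lookup-events returns and extended to parse the nested CloudTrailEvent record so that the role, session name, MFA state, caller IP and volume come out in one row per deletion. This is an added example in Python, not part of the original article; the response dict is constructed here from the sample output above (in real use you would pass the pages returned by boto3's lookup_events paginator).

```python
import json

# Constructed sample shaped like `aws cloudtrail lookup-events --output json`
# output: each record carries the full CloudTrail event as a JSON *string*
# in the CloudTrailEvent field, so it has to be parsed a second time.
SAMPLE_RESPONSE = {"Events": [
    {"EventId": "0840b15f-75b5-4082-a194-86e15example", "EventName": "DeleteVolume",
     "Username": "jdoe",
     "CloudTrailEvent": json.dumps({
         "userIdentity": {
             "type": "AssumedRole",
             "arn": "arn:aws:sts::52570EXAMPLE:assumed-role/Admin/jdoe",
             "sessionContext": {
                 "attributes": {"mfaAuthenticated": "false"},
                 "sessionIssuer": {"type": "Role", "userName": "Admin"}}},
         "eventTime": "2019-02-15T00:48:05Z",
         "eventName": "DeleteVolume",
         "sourceIPAddress": "999.999.999.999",
         "requestParameters": {"volumeId": "vol-0c50d65c6eexample"}})},
    {"EventId": "e3ec4051-9999-4e87-9999-9cc72example", "EventName": "DescribeVolumes",
     "Username": "jdoe",
     "CloudTrailEvent": json.dumps({"eventName": "DescribeVolumes",
                                    "userIdentity": {"type": "IAMUser"}})},
]}


def summarize_events(response, event_name):
    """Return one summary dict per event whose EventName equals event_name.

    Same filter as the jq `select(.event == "DeleteVolume")` above, then the
    nested CloudTrailEvent string is parsed to pull out what an investigator
    wants: the role and session name behind an assumed-role ARN, whether the
    session was MFA-authenticated, the caller IP and the volume in the request.
    """
    summaries = []
    for ev in response["Events"]:
        if ev["EventName"] != event_name:
            continue
        detail = json.loads(ev["CloudTrailEvent"])
        ident = detail.get("userIdentity", {})
        ctx = ident.get("sessionContext", {})
        summaries.append({
            "event_id": ev["EventId"],
            "time": detail.get("eventTime"),
            "identity_type": ident.get("type"),
            "role": ctx.get("sessionIssuer", {}).get("userName"),
            "session_name": ident.get("arn", "").rsplit("/", 1)[-1] or None,
            "mfa": ctx.get("attributes", {}).get("mfaAuthenticated") == "true",
            "source_ip": detail.get("sourceIPAddress"),
            "volume_id": detail.get("requestParameters", {}).get("volumeId"),
        })
    return summaries
```

Note that Username in the lookup-events record is only the session name; the sessionIssuer block in the parsed event is what tells you which role was assumed, and mfaAuthenticated is what tells you whether that session satisfied an MFA condition.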

Specify a date range

To specify a date range of events, use the --start-time and --end-time parameters:

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteVolume --query 'Events[].{username:Username,time:EventTime,event:EventName,eventid:EventId,accesskey:AccessKeyId,resource:(Resources[0].ResourceName)}' --output table --region us-east-1 --start-time 2019-01-01T13:00Z --end-time 2019-03-01T14:00Z

Note: Choose your preferred timestamp from the list at Valid timestamp formats.

The listed events occur after the start time and up to, and including, the end time.

The default start time is the earliest date that data is available within the last 90 days. The default end time is the time of the event that occurred closest to the current time. If the specified start time is after the specified end time, then an InvalidTimeRangeException error is returned.

AWS OFFICIAL
Updated 7 months ago