Can I fetch the details of the user who created an instance in AWS using the instance ID, AMI ID, tag details or anything else?
I want to contact the person who created a particular instance under a particular role. How can I achieve this?
You can query CloudTrail logs to find the user who started the instances.
Here is the Python Boto3 script I have created to list all the instances and their owners.
https://gist.github.com/sudharsans/39d5eaf8a82b7ccdf8b3230d13ba7d81
You can query the CloudTrail events, and if you need more detailed info, then you can make use of AWS Config, which will give you even more granular details.
My requirement is: my code will be deployed on an EC2 instance, and at some point it needs the username of the IAM account that is executing that code, or whose session is currently active on that EC2 instance. Is it even possible?
FYI, I read the answers here: From AWS SDK, how do I get the current logged in username (or IAM user)?, but they are not of much use.
PS: I have to authenticate which IAM account is executing the Spark job.
Edit: based on @John Rotenstein's suggestions, adding more details
Many IAM users might access the EC2 instance when provided with the IP. So based on which IAM user has logged in to the EC2 instance and is trying to run a Spark job in an EMR cluster, I want to validate whether they have permission to execute the code (there is a separate database with a list of authorized users, where I would search for the IAM username; if it is not found, throw an error). For this purpose, I need the username of that IAM account.
Is there any utility in aws-sdk or some kind of metadata which gets created after an IAM user launches an EC2 instance? And just for clarity, I know the details of the OS users and am not concerned with them. Until now, we were doing this process with OS users only, but with the new changes we need to validate users by their IAM account username instead of OS usernames.
For a while, I have used CloudFormation and a Lambda script to tag EC2 instances, their EBS volumes and network interfaces with the IAM user that created them. Is there a better way to do this automatically with AWS?
AWS does not maintain a relationship between resources and users that create them.
If a user has sufficient permissions to create resources in an account, then any resources created are associated with the AWS Account rather than the user that created them.
One way to discover such a relationship would be to use AWS CloudTrail records, since they reference both the resources involved in API calls and the IAM entity (user, role, etc) that issued the API call.
So, in theory you could:
Create an Amazon CloudWatch Events rule to trigger an AWS Lambda function as new CloudTrail events happen
The AWS Lambda function could look at the event, determine whether it's something of interest (e.g. a resource was created) and then extract the user information and add it to a tag
It could get a little complex, such as requests coming from IAM Roles associated with Amazon EC2 instances, where it is hard to associate API calls with a "user".
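The CloudTrail-parsing step that this answer and the earlier "query CloudTrail" answer describe (find who issued RunInstances, and handle the role-on-an-instance case), as an added example that is not from any of the posts: it runs on constructed CloudTrail records embedded below, and the EventBridge/Lambda wiring and the ec2.create_tags call are assumed to surround it; the account id, names and instance ids are made up.

```python
import json

# Constructed sample CloudTrail records (not real account data): an IAM user
# launching two instances, an EC2 instance role launching one, and a read-only call.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "eventTime": "2024-01-10T12:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0aaa111"}, {"instanceId": "i-0bbb222"}]}}},
    {"eventName": "RunInstances", "eventTime": "2024-01-10T12:05:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/EC2Role/i-0ccc333"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0ddd444"}]}}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]

def principal_of(identity):
    """Return (kind, name) for a CloudTrail userIdentity block."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return "user", identity["userName"]
    if kind == "Root":
        return "root", identity.get("arn", "root")
    if kind == "AssumedRole":
        # The ARN ends in role-name/session-name. For an EC2 instance profile the
        # session name is the instance id, so there is no human user to contact.
        role, session = identity["arn"].rsplit("/", 2)[-2:]
        if session.startswith("i-"):
            return "instance-role", f"{role} (from instance {session})"
        return "assumed-role", f"{role}/{session}"
    return "unknown", identity.get("arn", "?")

def creators_from_events(events):
    """Map each instance id in a RunInstances record to the principal that launched it."""
    owners = {}
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue  # only creation events matter here
        kind, name = principal_of(ev["userIdentity"])
        items = ev.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        for item in items:
            owners[item["instanceId"]] = {"kind": kind, "principal": name, "time": ev.get("eventTime")}
    return owners

def owner_tags(owner):
    """Tag list in the shape ec2.create_tags(Resources=[...], Tags=...) expects (assumed usage)."""
    return [{"Key": "CreatedBy", "Value": owner["principal"]},
            {"Key": "CreatedByType", "Value": owner["kind"]}]
```

The same `creators_from_events` output is what a Lambda would insert into a database in the later "store launch activity in MySQL" answer; `json.dumps(creators_from_events(SAMPLE_EVENTS), indent=2)` prints it for inspection.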
Unfortunately, AWS doesn't support tagging resources automatically with IAM principal tags. You have to craft your own solution as described in the previous answer. However, you can find a couple of projects on GitHub. I have been maintaining the following project, which applies IAM principal tags and session tags to newly created resources.
https://github.com/erhanux/aws-tags
I have created some IAM users in my AWS account with permission to launch instances.
Now I want to track and store their instance launch activity, like time and instance ID, in my MySQL or any other database.
Is there any way to achieve this? Any suggestion will be appreciated.
All activities of an IAM user can be monitored using AWS CloudTrail. CloudTrail logs all the events.
The CloudTrail log is stored to an S3 bucket. You can use the storage trigger option in AWS Lambda functions to watch for a particular log, in this case the log for new EC2 instance creation.
In the Lambda function you need to add the code that takes that log information and stores it into a MySQL database that you have set up.
Refer to this post: https://docs.aws.amazon.com/lambda/latest/dg/with-cloudtrail.html
Also you can try creating a CloudWatch event for EC2 instance creation, and it can trigger an AWS Lambda function which will do the data insert into the DB.
Here is a sample of a CloudWatch-based scheduler. You have to set up a specific trigger as per your need though.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
You should use AWS CloudTrail:
CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. For an ongoing record of activity and events in your AWS account, create a trail.
Is it possible to send an email from an EC2 instance, with some files attached, to the owner of the instance?
The idea is to compute some things with a Python script, store the information in a database and generate two files: a result file and a log file.
It would be great if I could automate it so that I receive these two files in an email and the instance stops after it.
Yes, you can send email from an EC2 instance using the AWS SES service.
When you launch your instance, you can assign it a role. That role should have rights to send email using SES, and if you want it to shut down when you're done then you'd add the StopInstances permission as well.
You would then use the AWS CLI tool to stop the instance. You can get the current instance ID from the instance metadata.
This is what I am trying to do:
We have IAM in place, and each user logs in to the AWS console with his/her respective email address and creates the EC2 instance. Being the Administrator, when I log in to the AWS console, I see a whole bunch of instances created, and many of them are not even utilized. However, I am not able to figure out who created those instances.
Question:
Is there a way to map EC2 instances to the email address of the user who created them? I have thoroughly explored the EC2 CLI but it was of no help. Is there a way to do this via the SDK? Or did I overlook something?
Thanks.
To keep it simple without having to use an SDK outside of the CLI, you could create the tag "Owner" and have your users tag the instances they create with their name/email. You can then click on the "Show/Hide" button in the EC2 Management Console to add your tag to the other data that is shown in the console. It allows you to filter and sort instances by the value of the tag. This isn't a fail-proof solution since it depends on your users to create the tags, but it is simple.