How to check who stopped an EC2 instance? - amazon-web-services

Is there a way (for example in CLI) to check what user stopped an instance?
There is some data in the console:
State transition reason: User initiated (2017-07:24 10:15:42 GMT)
State transition reason message: Client.UserInitiatedShutdown: User initiated shutdown

Amazon CloudTrail can be used to create an Audit Trail of most API requests made to AWS. It records the time, IP address, user and request details.
However, you will need to configure CloudTrail before it captures this information because you will need to specify an Amazon S3 bucket where it can store the data. Therefore, you won't be able to see who stopped your instance this time, but if you configure CloudTrail you'll be able to do it in the future.

Related

AWS: how to see the services a particular user account has been using

I'm the administrator of an AWS account that has 4 users. One of the users is racking up higher-than-expected costs.
I checked the Cost Explorer, but could not seem to configure it to view individual users.
As an administrator in AWS, how do I see all of the services this particular user has been using during a given period of time (e.g. the last 12 months)?
Thanks!
AWS resources are associated with an AWS Account, not a specific user.
If a user has the necessary permissions to create resources (e.g. an Amazon EC2 instance), then the instance is launched in the AWS Account, but there is no link back to the user that requested the resource.
You can, however, use AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
It will show all API calls made by the user, including the Action ('launch an EC2 instance'), their IP address, timestamp, etc. Operations in the AWS management console will also be shown, since it makes API calls on behalf of the user.
CloudTrail keeps a history of the past 90 days, but you can create specific 'Trails' that retain data permanently. If you have not done this, then it will not be possible to see what they did prior to 90 days ago.
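The two answers above both come down to reading CloudTrail event records: find the StopInstances event for a given instance and read its userIdentity, or count the eventSource values for one principal. The following is an added example (not code from either post) that does both over records in the CloudTrail JSON record format; the records embedded below are constructed samples, and the loader for `aws cloudtrail lookup-events` output assumes its documented shape (an `Events` list whose `CloudTrailEvent` field is a JSON string).

```python
"""Attribute EC2 state changes and summarise API usage per principal from
CloudTrail event records. Added example; the records are constructed."""
import json
from collections import Counter

# Constructed sample records. Field names follow the CloudTrail record format.
SAMPLE_RECORDS = [
    {
        "eventTime": "2017-07-24T10:15:42Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
    },
    {
        "eventTime": "2017-07-24T09:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
    },
    {
        "eventTime": "2017-07-24T09:30:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "sourceIPAddress": "198.51.100.7",
        # Role sessions carry no userName; the session ARN ends in the session name.
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
    },
]


def records_from_lookup_output(text):
    """Unpack `aws cloudtrail lookup-events` JSON output into plain records
    (assumed shape: {"Events": [{"CloudTrailEvent": "<json string>"}, ...]})."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(text).get("Events", [])]


def actor_of(record):
    """Human-readable principal: IAM user name, else the ARN (role sessions)."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def instance_ids(record):
    """Instance IDs named on either the request or the response side of an EC2 event."""
    ids = set()
    for side in ("requestParameters", "responseElements"):
        items = ((record.get(side) or {}).get("instancesSet") or {}).get("items") or []
        ids.update(i["instanceId"] for i in items if i.get("instanceId"))
    return ids


def who_did(records, event_name, instance_id):
    """(actor, eventTime, sourceIPAddress) for every event_name event touching instance_id."""
    return [(actor_of(r), r.get("eventTime"), r.get("sourceIPAddress"))
            for r in records
            if r.get("eventName") == event_name and instance_id in instance_ids(r)]


def services_used_by(records, actor):
    """Count of API calls per AWS service (eventSource) made by one principal."""
    return Counter(r.get("eventSource") for r in records if actor_of(r) == actor)


if __name__ == "__main__":
    print(who_did(SAMPLE_RECORDS, "StopInstances", "i-0123456789abcdef0"))
    print(services_used_by(SAMPLE_RECORDS, "alice"))
```

In practice the records come from the trail's S3 objects or from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=i-0123456789abcdef0`, fed through `records_from_lookup_output`; note that role sessions show up under their session ARN, not an IAM user name, so a shared admin role blurs attribution unless session names are enforced.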

Error "You must sign up for Amazon EC2 before you can use the Amazon EC2 console." is received when accessing EC2 console, why?

This happens when accessing EC2 console for any region.
Global services like S3, IAM and account related pages can be accessed without problems.
No AWS Organization issue, no policy issue.
Just go to your email, click the AWS Management Console link, and open an AWS account.
Now you can access your EC2.
Check whether you have skipped one or more steps during registration.
You may have received an email stating you need to complete those steps.
File a support case to receive the email again if you missed it.
It takes a while for AWS to verify your card details after you register a new account with AWS. It would be great if AWS would give a more sensible message.
Wait for account activation:
After you choose a Support plan, a confirmation page indicates that your account is being activated. Accounts are usually activated within a few minutes, but the process might take up to 24 hours.
AWS create and activate account

How to Track AWS Resource created by an IAM user and store record in database?

I have created some IAM users in my AWS account with permission to launch instances.
Now I want to track and store their instance launch activity, like time and instance ID, in my MySQL or any other database.
Is there any way to achieve this? Any suggestion will be appreciated.
All activities of an IAM user can be monitored using AWS CloudTrail. CloudTrail logs all the events.
The CloudTrail log is stored in an S3 bucket. You can use the storage trigger option in AWS Lambda functions to watch for a particular log.
In this case, the log for new EC2 instance creation.
In the Lambda function you need to add the code that takes that log information and stores it into a MySQL database that you have set up.
Refer to this post: https://docs.aws.amazon.com/lambda/latest/dg/with-cloudtrail.html
Also you can try creating a CloudWatch event for EC2 instance creation, and it can trigger an AWS Lambda function which will do the data insert into the DB.
Here is a sample of a CloudWatch-based scheduler. You have to set up a specific trigger as per your need though.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html
You should use AWS CloudTrail:
CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history. For an ongoing record of activity and events in your AWS account, create a trail.
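The S3-trigger approach from the first answer, written out as an added example (not code from the answers or from the linked AWS page). It assumes a trail delivering gzipped JSON log files to S3 with an ObjectCreated notification pointed at this function; sqlite3 stands in for the MySQL target so the code runs offline, and the `/tmp/launches.db` path is a placeholder for a real database connection. Only successful RunInstances events are stored, and the CloudTrail eventID is part of the primary key so a re-delivered log file cannot double-count a launch.

```python
"""S3-triggered ingestion of EC2 launches from CloudTrail log files into a
database table. Added example; sqlite3 is a stand-in for MySQL."""
import gzip
import io
import json
import sqlite3
from urllib.parse import unquote_plus

DDL = """CREATE TABLE IF NOT EXISTS ec2_launches (
    row_key     TEXT PRIMARY KEY,   -- eventID:instanceId, makes re-delivered logs idempotent
    instance_id TEXT NOT NULL,
    actor       TEXT NOT NULL,
    event_time  TEXT NOT NULL,
    source_ip   TEXT
)"""


def launches_from_log(gz_bytes):
    """Yield one row per instance created by each successful RunInstances event
    in a gzipped CloudTrail log file of the form {"Records": [...]}."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        records = json.load(fh).get("Records", [])
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") != "RunInstances":
            continue
        if r.get("errorCode"):  # denied or failed launch: no instance was created
            continue
        ident = r.get("userIdentity") or {}
        actor = ident.get("userName") or ident.get("arn") or "unknown"
        items = ((r.get("responseElements") or {}).get("instancesSet") or {}).get("items") or []
        for item in items:
            yield (f'{r["eventID"]}:{item["instanceId"]}', item["instanceId"],
                   actor, r["eventTime"], r.get("sourceIPAddress"))


def store_launches(conn, rows):
    """Insert rows, skipping any already present; return how many were new."""
    conn.execute(DDL)
    before = conn.execute("SELECT COUNT(*) FROM ec2_launches").fetchone()[0]
    conn.executemany("INSERT OR IGNORE INTO ec2_launches VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM ec2_launches").fetchone()[0] - before


def lambda_handler(event, context):
    """Entry point for the S3 ObjectCreated notification (assumed event shape)."""
    import boto3  # imported here so the module loads without the AWS SDK installed
    s3 = boto3.client("s3")
    conn = sqlite3.connect("/tmp/launches.db")  # placeholder for the MySQL connection
    inserted = 0
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys in notifications
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        inserted += store_launches(conn, launches_from_log(body))
    return {"inserted": inserted}


def make_sample_log():
    """Constructed gzipped CloudTrail log file for local testing."""
    records = {"Records": [
        {"eventID": "e1", "eventTime": "2024-01-01T00:00:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "RunInstances", "sourceIPAddress": "203.0.113.5",
         "userIdentity": {"type": "IAMUser", "userName": "dev-1"},
         "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}, {"instanceId": "i-0bbb"}]}}},
        {"eventID": "e2", "eventTime": "2024-01-01T00:01:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation",
         "userIdentity": {"type": "IAMUser", "userName": "dev-2"}},
        {"eventID": "e3", "eventTime": "2024-01-01T00:02:00Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "dev-1"}},
    ]}
    return gzip.compress(json.dumps(records).encode())


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(store_launches(db, launches_from_log(make_sample_log())), "launches stored")
```

The Lambda's execution role needs only s3:GetObject on the trail bucket plus network access to the database; the table stores the principal as seen by CloudTrail, so launches made through an assumed role are recorded under the role session ARN rather than an IAM user name.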

AWS config questions on recording and notification

I have just started with AWS Config. I have set up AWS Config with EC2 instance as the resource and I am receiving notifications for any changes that happen to EC2 in my region.
a) My first question: can I record only the EC2 instances related to a specific VPC, or only specific EC2 instances?
Since I have quite a few VPCs and EC2 instances in my account region, I am getting a lot of change notifications.
b) Is AWS recording all the changes that happened to the EC2 instances in my region even though I turned off the recorder? I am getting notifications once I turn on the recorder with different settings, i.e. when I change the resources to EC2::EIP.
You can choose to record all resource types supported by AWS Config or specific resource types such as EC2::Instance, EC2::NetworkInterface, IAM::User etc. AWS Config does not offer a capability to only record resources that are associated with a particular VPC. For example, if you choose to record EC2::Instance, AWS Config will start recording configuration changes to all EC2 instances in your AWS account.
If you choose to record only selective resource types, AWS Config will send you notifications when resources of the specified types get created, modified or deleted. For other resources that are not specified in the recorder, AWS Config only sends notifications when they are created or deleted.
If you are using an email client to receive notifications, you can use email filters to select the notifications of your interest. Alternatively, you can write a Lambda function that subscribes to your SNS topic to filter notifications.
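The Lambda filter suggested in that answer, as an added example (not code from the answer): it subscribes to the Config SNS topic and keeps only ConfigurationItemChangeNotification messages for watched resource types whose configuration item belongs to one of the watched VPCs, which gives the per-VPC narrowing that the recorder itself cannot. The VPC is read from the item's relationships list (an AWS::EC2::VPC entry) or, failing that, from configuration.vpcId; both field locations are assumptions about the Config message format, and the `WATCHED_VPCS` value and the three sample messages are constructed.

```python
"""SNS-subscribed Lambda that filters AWS Config change notifications down
to watched resource types inside watched VPCs. Added example."""
import json

WATCHED_VPCS = {"vpc-0123abcd"}  # constructed placeholder: your VPC IDs here
WATCHED_TYPES = {"AWS::EC2::Instance", "AWS::EC2::NetworkInterface"}


def vpc_of(config_item):
    """VPC an item belongs to: relationships list first, then configuration.vpcId
    (assumed field locations). None when the item is not VPC-scoped, e.g. an EIP."""
    for rel in config_item.get("relationships") or []:
        if rel.get("resourceType") == "AWS::EC2::VPC":
            return rel.get("resourceId")
    return (config_item.get("configuration") or {}).get("vpcId")


def is_interesting(message):
    """True for a per-item change notification of a watched type in a watched VPC."""
    if message.get("messageType") != "ConfigurationItemChangeNotification":
        return False  # snapshots, compliance and oversized messages carry no item to filter on
    item = message.get("configurationItem") or {}
    return item.get("resourceType") in WATCHED_TYPES and vpc_of(item) in WATCHED_VPCS


def filter_sns_event(event):
    """Return the notifications in an SNS-triggered Lambda event that pass the filter."""
    kept = []
    for rec in event.get("Records", []):
        msg = json.loads(rec["Sns"]["Message"])  # SNS delivers the Config JSON as a string
        if is_interesting(msg):
            item = msg["configurationItem"]
            kept.append({"resourceType": item["resourceType"],
                         "resourceId": item["resourceId"],
                         "vpcId": vpc_of(item),
                         "status": item.get("configurationItemStatus"),
                         "time": msg.get("notificationCreationTime")})
    return kept


def lambda_handler(event, context):
    kept = filter_sns_event(event)
    for n in kept:
        print(json.dumps(n))  # replace with a publish to a second, filtered SNS topic
    return {"kept": len(kept)}


def _sns_record(message):
    return {"Sns": {"Message": json.dumps(message)}}


def sample_event():
    """Constructed SNS event with three Config messages: one inside the watched VPC,
    one in another VPC, and one EIP change that is not VPC-scoped."""
    inside = {"messageType": "ConfigurationItemChangeNotification",
              "notificationCreationTime": "2024-01-01T00:00:00.000Z",
              "configurationItem": {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0inside",
                                    "configurationItemStatus": "OK",
                                    "relationships": [{"resourceType": "AWS::EC2::VPC",
                                                       "resourceId": "vpc-0123abcd",
                                                       "name": "Is contained in Vpc"}]}}
    outside = {"messageType": "ConfigurationItemChangeNotification",
               "configurationItem": {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0outside",
                                     "configuration": {"vpcId": "vpc-ffff9999"}}}
    eip = {"messageType": "ConfigurationItemChangeNotification",
           "configurationItem": {"resourceType": "AWS::EC2::EIP", "resourceId": "eipalloc-0abc"}}
    return {"Records": [_sns_record(inside), _sns_record(outside), _sns_record(eip)]}


if __name__ == "__main__":
    print(lambda_handler(sample_event(), None))
```

Because the filter runs after delivery, AWS Config still records and bills for every tracked item; the Lambda only reduces the notification noise reaching people. Items whose VPC cannot be determined are dropped rather than forwarded, so a `WATCHED_TYPES` entry for a non-VPC type such as AWS::EC2::EIP would need its own rule.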

Is there a way to know who made a change in my AWS account?

I have setup event subscriptions for every action in RDS so I can be notified each time there is a change in the RDS infrastructure.
However, when the email arrives there is no info on which AWS user made the change, so that I can talk directly with him.
Is there such an option in AWS?
CloudTrail should have the required features you are looking for -
https://aws.amazon.com/cloudtrail/