For the most recent update on ongoing service disruptions affecting the AWS Middle East (UAE) Region (ME-CENTRAL-1), refer to the AWS Health Dashboard. For information on AWS Service migration, see How do I migrate my services to another region?
How do I find out which user launched an EC2 instance in my account?
I want to identify the user that launched an Amazon Elastic Compute Cloud (Amazon EC2) instance in my AWS account.
Resolution
Use AWS CloudTrail to view the last 90 days of recorded API activity and events in an AWS Region. When you view your CloudTrail event history, use attribute filters and a time range filter to narrow the results. Check the RunInstances action in the Event name column for your instance. Choose View event for event details such as the user that initiated the instance launch request.
If you don't know your instance ID, then complete the following steps to identify your ID:
- Open the Amazon EC2 console.
- In the navigation pane, choose Instances.
- Choose your instance, and then choose the Details tab.
- Note the Instance ID value.
Related information
How do I use CloudTrail to track API calls to my Amazon EC2 instances?
- Topics
- Compute
- Language
- English
Thanks for the helpful article. I have a follow-up question:
What if the EC2 instances were** launched** more than 90 days ago? Since CloudTrail’s Event History only retains logs for the last 90 days, and I did not enable CloudTrail logging to an S3 bucket, I'm unable to retrieve older events.
I also have multiple IAM users and many EC2 instances across different regions, so it's becoming difficult to trace who launched which instance.
Is there any way to recover this information, or any AWS-native alternatives to identify the user who launched older instances without historical CloudTrail logs in S3?
Relevant content
- AWS OFFICIALUpdated 3 years ago
