Monitoring Demo CloudTrail

In this walkthrough, you’ll learn how to pinpoint the IAM user who terminated an EC2 instance (ID ends with 1D91) using AWS CloudTrail’s Event History. This helps you audit critical API calls and enhance security visibility.

1. Access CloudTrail Event History

  1. Sign in to the AWS Management Console and search for CloudTrail.
  2. In the left-hand menu, select Event history.
  3. Adjust the time range and apply filters as needed to narrow down results.

By default, Event history shows all recorded API calls, such as:

  • CreateBucket
  • PutBucketEncryption
  • ConsoleLogin
  • TerminateInstances

Note

Ensure your IAM user or role has the cloudtrail:LookupEvents permission to view event history.

2. Filter for TerminateInstances Events

  1. In the Event name filter, type TerminateInstances.
  2. (Optional) Under Resource name, enter the instance ID i-02287a6b78cc71d91.

Now you should see the specific TerminateInstances event for the target instance. The summary row displays the IAM user, timestamp, and event name.

3. Inspect Event Details

Click the TerminateInstances entry to expand the details pane. You’ll find several sections:

3.1 User Identity & Metadata

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAZZBPMTHEGGK6QLMU",
    "arn": "arn:aws:iam::672261773768:user/John",
    "accountId": "672261773768",
    "accessKeyId": "ASIAZZBPMTHEGOIBHXVW",
    "userName": "John",
    "sessionContext": {
      "attributes": {
        "creationDate": "2023-10-16T17:24:53Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2023-10-16T17:25:20Z",
  "eventSource": "ec2.amazonaws.com"
}

This indicates:

  • IAM user John (principalId: AIDAZZBPMTHEGGK6QLMU) made the call
  • The session was not MFA-authenticated (mfaAuthenticated: false)
  • Event timestamp: 2023-10-16T17:25:20Z
  • API source: ec2.amazonaws.com

3.2 Instance State Transition

Scroll down to Response elements to view the state change:

{
  "responseElements": {
    "requestId": "77104859-e0f6-4465-a836-830c1cb8583e",
    "instancesSet": {
      "items": [
        {
          "instanceId": "i-02287a6b78cc71d91",
          "previousState": {
            "code": 16,
            "name": "running"
          },
          "currentState": {
            "code": 32,
            "name": "shutting-down"
          }
        }
      ]
    }
  }
}

State           Code   Meaning
previousState   16     Running
currentState    32     Shutting-down

This confirms the TerminateInstances call initiated a shutdown.

4. Summary of Event Record

At the bottom of the details pane, you’ll find additional metadata:

{
  "eventID": "0ea6b2d5-51d5-4765-ad83-4db65d506d9c",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "672261773768",
  "eventCategory": "Management"
}

Field               Sample Value                           Description
eventID             0ea6b2d5-51d5-4765-ad83-4db65d506d9c   Unique ID for the CloudTrail event
eventType           AwsApiCall                             Type of API call
managementEvent     true                                   Indicates a management-level operation
recipientAccountId  672261773768                           AWS account where the event occurred

From this audit trail, you’ve confirmed that John executed the TerminateInstances API call, changing the instance from running to shutting-down.
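The same attribution can be scripted instead of read off the console. The following is an added example, not code from the walkthrough or from AWS: it re-assembles the record shown in sections 3 and 4 into one object (adding the standard eventName field the excerpt omits), wraps it the way boto3's cloudtrail.lookup_events() returns records (a JSON string under "CloudTrailEvent"), and reduces each TerminateInstances event to who did it, whether the session was MFA-authenticated, and which instances changed state. The fetch_terminations() function is the live variant and assumes you pass a boto3 CloudTrail client; it is not exercised by the sample data.

```python
import json
from datetime import datetime, timezone

# Constructed input: the record from the walkthrough above, re-assembled as one
# object (eventName is a standard CloudTrail field the excerpt omits), then
# wrapped the way boto3's cloudtrail.lookup_events() returns it, i.e. each
# record serialised as a JSON string under "CloudTrailEvent".
SAMPLE_RECORD = {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAZZBPMTHEGGK6QLMU",
        "arn": "arn:aws:iam::672261773768:user/John",
        "accountId": "672261773768",
        "accessKeyId": "ASIAZZBPMTHEGOIBHXVW",
        "userName": "John",
        "sessionContext": {"attributes": {"creationDate": "2023-10-16T17:24:53Z",
                                          "mfaAuthenticated": "false"}},
    },
    "eventTime": "2023-10-16T17:25:20Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "TerminateInstances",
    "responseElements": {
        "requestId": "77104859-e0f6-4465-a836-830c1cb8583e",
        "instancesSet": {"items": [{
            "instanceId": "i-02287a6b78cc71d91",
            "previousState": {"code": 16, "name": "running"},
            "currentState": {"code": 32, "name": "shutting-down"},
        }]},
    },
    "eventID": "0ea6b2d5-51d5-4765-ad83-4db65d506d9c",
    "readOnly": False, "eventType": "AwsApiCall", "managementEvent": True,
    "recipientAccountId": "672261773768", "eventCategory": "Management",
}
SAMPLE_LOOKUP_RESPONSE = {"Events": [{
    "EventId": SAMPLE_RECORD["eventID"],
    "EventTime": datetime(2023, 10, 16, 17, 25, 20, tzinfo=timezone.utc),
    "CloudTrailEvent": json.dumps(SAMPLE_RECORD),
}]}


def summarize_termination(record):
    """Reduce one TerminateInstances record to the facts an auditor needs."""
    identity = record.get("userIdentity", {})
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    items = record.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return {
        "event_id": record.get("eventID"),
        "event_time": record.get("eventTime"),
        "user_name": identity.get("userName"),
        "principal_id": identity.get("principalId"),
        "account_id": record.get("recipientAccountId"),
        # CloudTrail records this flag as the string "true"/"false", not a bool.
        "mfa_authenticated": attrs.get("mfaAuthenticated") == "true",
        "instances": [{"instance_id": i["instanceId"],
                       "previous_state": i["previousState"]["name"],
                       "current_state": i["currentState"]["name"]} for i in items],
    }


def terminations_from_lookup(response, instance_suffix=None):
    """Parse one lookup_events() page; optionally keep only terminations of an
    instance whose ID ends with instance_suffix (case-insensitive, so the
    walkthrough's "ends with 1D91" finds i-02287a6b78cc71d91)."""
    hits = []
    for event in response.get("Events", []):
        record = json.loads(event["CloudTrailEvent"])
        if record.get("eventName") != "TerminateInstances":
            continue
        summary = summarize_termination(record)
        if instance_suffix is not None:
            suffix = instance_suffix.lower()
            summary["instances"] = [i for i in summary["instances"]
                                    if i["instance_id"].lower().endswith(suffix)]
            if not summary["instances"]:
                continue
        hits.append(summary)
    return hits


def fetch_terminations(cloudtrail_client, start_time, end_time, instance_suffix=None):
    """Live variant: pass boto3.client("cloudtrail") (needs cloudtrail:LookupEvents).
    Pages through Event history with the same Event name filter the console uses."""
    pages = cloudtrail_client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "TerminateInstances"}],
        StartTime=start_time, EndTime=end_time)
    return [h for page in pages for h in terminations_from_lookup(page, instance_suffix)]


if __name__ == "__main__":
    for hit in terminations_from_lookup(SAMPLE_LOOKUP_RESPONSE, instance_suffix="1D91"):
        flag = "" if hit["mfa_authenticated"] else "  [session not MFA-authenticated]"
        for inst in hit["instances"]:
            print(f'{hit["event_time"]} {hit["user_name"]} ({hit["principal_id"]}) terminated '
                  f'{inst["instance_id"]}: {inst["previous_state"]} -> {inst["current_state"]}{flag}')
```

Running the script on the sample prints one line attributing the termination to John and flagging that the session had no MFA, which is the extra check worth surfacing in any report built on Event history.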

5. Automate Alerts with EventBridge

Integrate these CloudTrail logs with Amazon EventBridge (formerly CloudWatch Events) to trigger alerts or remediation workflows when critical actions occur:

aws events put-rule \
  --name EC2TerminationRule \
  --event-pattern '{
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
      "eventName": ["TerminateInstances"]
    }
  }'

Attach a target (e.g., SNS topic, Lambda function) to notify your team or perform automated checks.
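To see exactly which events the rule above fires on, here is an added example (not from the walkthrough or from AWS) that implements the subset of EventBridge pattern matching the rule relies on: every key in the pattern must be present in the event, a list means "equal to any of these values", and a nested object recurses. The envelope fields (source, detail-type, detail) are the ones EventBridge populates for CloudTrail-delivered API calls; the sample events and the Lambda-style handler() are constructed for the demonstration, and content filters such as "prefix" or "anything-but" are intentionally left out.

```python
import json

# The same rule body passed to `aws events put-rule` above.
EC2_TERMINATION_PATTERN = json.loads('''{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventName": ["TerminateInstances"]
  }
}''')


def matches_pattern(pattern, event):
    """Simplified EventBridge matching: each pattern key must exist in the event;
    a list means "any of these values"; a nested dict recurses.  Content filters
    ("prefix", "anything-but", numeric ranges) are deliberately not implemented."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):
            if not isinstance(actual, dict) or not matches_pattern(wanted, actual):
                return False
        elif isinstance(wanted, list):
            # An event field may itself be an array; EventBridge matches if any element does.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in wanted for c in candidates):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or object")
    return True


def cloudtrail_envelope(detail):
    """Constructed EventBridge envelope for a CloudTrail-delivered API call; only the
    fields the rule inspects (plus account) are populated."""
    return {
        "version": "0",
        "source": "aws." + detail["eventSource"].split(".")[0],   # ec2.amazonaws.com -> aws.ec2
        "detail-type": "AWS API Call via CloudTrail",
        "account": detail.get("recipientAccountId"),
        "detail": detail,
    }


# Constructed sample events: the termination from the walkthrough, a stop call
# that must not alert, and an EC2 state-change notification that shares the
# aws.ec2 source but has a different detail-type.
TERMINATE_EVENT = cloudtrail_envelope({
    "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
    "recipientAccountId": "672261773768", "userIdentity": {"userName": "John"},
})
STOP_EVENT = cloudtrail_envelope({
    "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
    "recipientAccountId": "672261773768", "userIdentity": {"userName": "John"},
})
STATE_CHANGE_EVENT = {
    "version": "0", "source": "aws.ec2",
    "detail-type": "EC2 Instance State-change Notification",
    "detail": {"instance-id": "i-02287a6b78cc71d91", "state": "terminated"},
}


def handler(event, context=None):
    """Lambda-style rule target: return the alert line to hand to SNS, or None
    when the event should not have matched the rule."""
    if not matches_pattern(EC2_TERMINATION_PATTERN, event):
        return None
    d = event["detail"]
    who = d.get("userIdentity", {}).get("userName", "<unknown>")
    return f'{d["eventName"]} by {who} in account {event.get("account")}'


if __name__ == "__main__":
    for name, ev in [("terminate", TERMINATE_EVENT), ("stop", STOP_EVENT),
                     ("state-change", STATE_CHANGE_EVENT)]:
        print(f"{name}: {handler(ev)}")
```

The state-change case is the one to remember when tuning rules: "aws.ec2" alone would also match lifecycle notifications, so the detail-type and eventName constraints are what keep this rule scoped to the TerminateInstances API call.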
