I'm pretty new to EC2 so apologies if this is trivial but I can't seem to find an answer from Google. I have a EC2 instance that was in a security group it should not have been in. Whilst I have fixed the groups I would like to know which user assigned the group and when it was done, Is it possible to get this info or is it not logged anywhere?
Asked
Active
Viewed 108 times
2 Answers
2
What you need is called AWS CloudTrail https://aws.amazon.com/cloudtrail/
CloudTrail will create log files with (almost) all API calls in your AWS environment, including instances/security group modifications. Going through those logs might be challenging and time-consuming, but that's the only way.
Sergey Kovalev
- 353
- 1
- 6
-
I can see the event where I removed the group but it looks to have been added more than 7 days ago. I guess there isn't a way to retroactively add a trail. Close and definitely an answer if it had been changed recently, I will mark as answer if no other options are posted that can do >7 days. – Oliver Hills Oct 23 '17 at 08:40
-
So it looks like either someone setup the tails previously or they exist by default. I'm currently syncing the S3 bucket that holds them all and will now see if I can figure out how to parse it. – Oliver Hills Oct 23 '17 at 09:26
-
CloudTrail is not enabled by default, and it can't record any events that happened before it was enabled. If you have a trail, it was enabled by someone else. – Sergey Kovalev Oct 23 '17 at 09:27
-
Good to know thanks, do you have any tips on parsing the old logs? – Oliver Hills Oct 23 '17 at 09:28
-
I usually do it in 'Big Data style' with R or Spark, so I can't give you any easy solution. – Sergey Kovalev Oct 23 '17 at 09:37
0
AWS Config is another service that could help with this. I'm not 100% sure it will go to the level of detail you need, but it's worth considering / looking at. It seems to have a better UI than CloudTrail.
There are likely services or products that will help understand CloudTrail logs. They may be commercial.
Tim
- 31,888
- 7
- 52
- 78