Who created an Amazon EC2 instance using Boto and Python?

Question

I want to know who created a particular instance. I am using Cloud Trail to find out the statistics, but I am not able to get a particular statistics of who created that instance. I am using Python and Boto3 for finding out the details. I am using this code- Lookup events() from Cloud trail in boto3, to extract the information about an instance.

ct_conn = sess.client(service_name='cloudtrail',region_name='us-east-1')


events=ct_conn.lookup_events()

Can you download the CloudTrail logs, filter for RunInstances, locate the specific instance ID and then retrieve the user identity from that log? — jarmod, Jun 02 '15 at 13:56
Can you provide a code snippet?? or how to approach this using Boto? — upaang saxena, Jun 02 '15 at 16:11
please show the code you are attempting to use, @upaangsaxena. — tedder42, Jun 02 '15 at 18:33
@upaangsaxena Sorry, I have not used the boto CloudTrail API. The documentation is minimal and I see no good examples of how to use it. — jarmod, Jun 02 '15 at 18:39
You don't need a code to find out that from CloudTrail. Please navigate to CloudTrail in the AWS Console and filter using date — Naveen Vijay, Jun 03 '15 at 02:22
If you had AWS Config setup - then those details are directly out of the box — Naveen Vijay, Jun 03 '15 at 02:22

score 2 · Accepted Answer · edited Jul 31 '18 at 11:55

2

I found out the solution to the above problem using lookup_events() function.

ct_conn = boto3.client(service_name='cloudtrail',region_name='us-east-1')

events_dict= ct_conn.lookup_events(LookupAttributes=[{'AttributeKey':'ResourceName', 'AttributeValue':'i-xxxxxx'}])
for data in events_dict['Events']:
    json_file= json.loads(data['CloudTrailEvent'])
    print json_file['userIdentity']['userName']

edited Jul 31 '18 at 11:55

Rajarshi Das

11,778
6
46
74

answered Jun 03 '15 at 10:49

upaang saxena

779
1
6
18

Can you provide the entire code if possible or can you also mention the line where you defined "sess" before using it in the line "ct_conn = sess.client(service_name='cloudtrail',region_name='us-east-1')" – karthik v Mar 22 '17 at 11:05
You can define the session object just above the ct_conn line. – upaang saxena Apr 10 '17 at 10:32

score 0 · Answer 2 · edited Nov 11 '17 at 17:47

@Karthik - Here is the sample of creating session

import boto3
import json
import os

session = boto3.Session(region_name='us-east-1',aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'],aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'])

ct_conn = session.client(service_name='cloudtrail',region_name='us-east-1')

events_dict= ct_conn.lookup_events(LookupAttributes=[{'AttributeKey':'ResourceName', 'AttributeValue':'i-xxx'}])

for data in events_dict['Events']:
    json_file= json.loads(data['CloudTrailEvent'])
    print (json_file['userIdentity']['userName'])

Who created an Amazon EC2 instance using Boto and Python?

2 Answers2

Linked