How to find terminated instances based on IP address in AWS CloudTrail

Question

I am trying to find a terminated EC2 instance in CloudTrail based on a Primary Private IP, but no luck.

I also tried looking at AWS Config resource timeline. Not savvy with AWS Config Advance queries either. Even in that case I would need to look for a parameter of CloudTrail "Event Record" corresponding to IP information.

Any help is greatly appreciated.

score 0 · Answer 1 · answered Aug 20 '21 at 00:27

0

Probably the easiest way would be to use AWS Athena to query your CloudTrail trails stored in S3 as explained in AWS docs:

Querying AWS CloudTrail Logs

answered Aug 20 '21 at 00:27

Marcin

215,873
14
235
294

score 0 · Answer 2 · answered Jun 10 '22 at 04:07

Similar problems I also face. I want to trace the ec2 instances id based on IP and from the AWS console, it's very difficult to trace. So I write a PowerShell script that helps me to find the instance id with the associated IP address.

Hope this will help you.

$instanceList = @("i-01f4da30bad3b", "i-06eaa91009872", "i-06ab536ca4e"")

foreach($eachInstance in $instanceList)
{
    $configuration_json  = aws configservice get-resource-config-history --resource-type AWS::EC2::Instance --resource-id $eachInstance --region us-west-2 | ConvertFrom-JSON
    $instanceIP = (($configuration_json.configurationItems.configuration)[1] | ConvertFrom-JSON).PrivateIPAddress
    $instanceID = (($configuration_json.configurationItems.configuration)[1] | ConvertFrom-JSON).instanceId
    Write-Host "$instanceID - $instanceIP"
    
}

How to find terminated instances based on IP address in AWS CloudTrail

2 Answers2