
Problem Statement:

I have an EC2 machine that is running, and today I found that someone removed one of the Security Groups attached to the EC2 machine.

I wanted to know how we can check who removed the security group from the EC2 machine.

Solutions tried so far (CloudTrail):

  1. Checked RevokeSecurityGroupIngress and RevokeSecurityGroupEgress, but that only shows what was edited (Add/Remove/Edit) in a particular security group.
  2. Checked ModifySecurityGroupRules.

Note: Cannot use Insights and Query due to business restrictions.

Not A Bot

1 Answer


I believe it should be under ModifyInstanceAttribute with a security-group attribute on the event that is the ARN of the security group in question.

Mark B
  • `ModifyInstanceAttribute` didn't help in getting any useful information. In CloudTrail, under *`Lookup attributes`*, I chose **Event Name** **:** **ModifyInstanceAttribute**, which returns a few changes, but **none** of them have anything related to the Security Group change. – Not A Bot Apr 20 '23 at 16:11
  • Can you not simply search for all events related to that security group ID? – Mark B Apr 20 '23 at 16:52
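Added example, not part of the thread and not AWS's own code. It shows the defender-side check that the answer and comments circle around: detaching a security group from an instance is recorded as a ModifyInstanceAttribute (or ModifyNetworkInterfaceAttribute, when the change is made on the ENI) call whose new group set simply no longer contains the group, so the removed group's ID is not in the event that removed it and a lookup keyed on the group ID finds nothing. The script below takes a list of CloudTrail records for one instance and its ENIs, orders them by time, remembers the last group set written for each target, and reports every successful write that dropped the group of interest, together with the identity and source IP that made the call. The sample records are constructed, and the `requestParameters` layout (`groupSet.items` / `groups.items` with `groupId`) is assumed from the EC2 API's query shape; verify it against your own events before relying on the field names.

```python
"""Who removed security group X from instance/ENI Y? Diff the group sets written
by successive CloudTrail ModifyInstanceAttribute / ModifyNetworkInterfaceAttribute
events (added example, not from the thread)."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample events shaped like CloudTrail records (not real data).
# Field layout of requestParameters is an assumption; check against your own logs.
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2023-04-19T09:00:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "groupSet": {"items": [{"groupId": "sg-0aaa"}, {"groupId": "sg-0bbb"}]}}},
    {"eventTime": "2023-04-20T15:00:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "groupSet": {"items": [{"groupId": "sg-0aaa"}]}}},
    # Denied attempt: logged with an errorCode, changed nothing, must be ignored.
    {"eventTime": "2023-04-20T15:05:00Z", "eventName": "ModifyInstanceAttribute",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/mallory"},
     "sourceIPAddress": "192.0.2.9",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "groupSet": {"items": []}}},
    # Same instance, different attribute: carries no group set, so it is skipped.
    {"eventTime": "2023-04-20T16:00:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceId": "i-0123456789abcdef0",
                           "instanceType": {"value": "t3.large"}}},
    # Groups can also be rewritten on the ENI directly, bypassing the instance call.
    {"eventTime": "2023-04-19T10:00:00Z", "eventName": "ModifyNetworkInterfaceAttribute",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"networkInterfaceId": "eni-0fedcba9876543210",
                           "groups": {"items": [{"groupId": "sg-0bbb"}, {"groupId": "sg-0ccc"}]}}},
    {"eventTime": "2023-04-21T08:00:00Z", "eventName": "ModifyNetworkInterfaceAttribute",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
     "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"networkInterfaceId": "eni-0fedcba9876543210",
                           "groups": {"items": [{"groupId": "sg-0ccc"}]}}},
]


def group_set_from_event(event: Dict) -> Optional[Tuple[str, Set[str]]]:
    """Return (target id, group ids written by this call), or None when the event
    did not successfully write a group set."""
    if "errorCode" in event:  # failed calls are recorded but changed nothing
        return None
    params = event.get("requestParameters") or {}
    if event.get("eventName") == "ModifyInstanceAttribute" and "groupSet" in params:
        target, items = params.get("instanceId"), params["groupSet"].get("items", [])
    elif event.get("eventName") == "ModifyNetworkInterfaceAttribute" and "groups" in params:
        target, items = params.get("networkInterfaceId"), params["groups"].get("items", [])
    else:
        return None
    return target, {item["groupId"] for item in items}


def find_group_removals(events: List[Dict], group_id: str) -> List[Dict]:
    """Walk events in time order, track the last group set written per target, and
    report each write that dropped group_id. The removed group never appears in
    the event that removed it, so a CloudTrail search on the group ID alone is empty."""
    last_seen: Dict[str, Set[str]] = {}
    removals: List[Dict] = []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        parsed = group_set_from_event(event)
        if parsed is None:
            continue
        target, groups = parsed
        previous = last_seen.get(target)
        if previous is not None and group_id in previous and group_id not in groups:
            identity = event.get("userIdentity", {})
            removals.append({
                "time": event["eventTime"],
                "event": event["eventName"],
                "target": target,
                "actor": identity.get("arn", identity.get("type")),
                "source_ip": event.get("sourceIPAddress"),
            })
        last_seen[target] = groups
    return removals


if __name__ == "__main__":
    for hit in find_group_removals(SAMPLE_EVENTS, "sg-0bbb"):
        print(f"{hit['time']} {hit['event']}: {hit['actor']} ({hit['source_ip']}) "
              f"removed sg-0bbb from {hit['target']}")
```

To feed it real data, pull the instance's (and its ENIs') events rather than the group's, for example with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=<instance id>` within the 90-day event history, or from the CloudTrail S3 archive for older changes, and pass the parsed records to `find_group_removals`. The earliest record for a target only seeds the baseline, so the window must start before the group was still attached for the removal to be visible.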