Menu
One of our EC2 instance went missing from running instance list, probably it got terminated accidentally by someone.
In cloudtrail events, I can see some terminate instance events along with event time, user and instance id's which got terminated.
Problems is, as instances are already terminated I am not able to find more details of those instances using instance id.
I am interested in more details such as ami, key pair, tags.
Is there a way to get these details for terminated instance?
698
Open the CloudTrail console. Choose Event history. Select Event Name in the Filter dropdown list, and then enter TerminateInstances to view all instance termination API calls.
It's not possible to recover either the original Amazon EC2 instance or any volumes that were deleted as part of the termination process.
If the instance was started in the last 90 days, you can get the information you want from Cloudtrail dashboard.
If the instance was started more than 90 days ago: If you have Cloudtrail enabled and configured it to write to S3, then you can go through the Cloudtrail log and look for events related the instance id. If you are able to find the RunInstances event for that instance id, then you can get all information about that instance from that event.
The logs are compressed json files generated many times a day. It takes few lines of Python code to read the log files and find the events tied to that instance.
I have done the exact same thing and was able to get the information from cloudtrail logs.
156
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
