27

One of our EC2 instances went missing from the running instance list; it probably got terminated accidentally by someone.

In CloudTrail events, I can see some terminate instance events along with the event time, user and instance IDs which got terminated.

The problem is, as the instances are already terminated, I am not able to find more details of those instances using the instance ID.

I am interested in more details such as AMI, key pair, tags.

Is there a way to get these details for a terminated instance?

helloV
prashant
  • 3
    Check this [AWS link](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_InstanceStraightToTerminated.html). Look for state transition reason under description. From CLI, do `ec2-describe-instances instance_id -v`; – Sunil Bojanapally Jan 28 '16 at 06:48

1 Answer

32

If the instance was started in the last 90 days, you can get the information you want from the CloudTrail dashboard.

If the instance was started more than 90 days ago: if you have CloudTrail enabled and configured it to write to S3, then you can go through the CloudTrail log and look for events related to the instance ID. If you are able to find the RunInstances event for that instance ID, then you can get all information about that instance from that event.

The logs are compressed JSON files generated many times a day. It takes a few lines of Python code to read the log files and find the events tied to that instance.

I have done the exact same thing and was able to get the information from CloudTrail logs.

helloV
  • 1
    You can get the event details in JSON format, like event source IP, date, user name etc., but can you get instance info, like AMI-ID, storage etc.? I couldn't. If there is a way, let me know please – Narek Hambardzumyan Feb 07 '23 at 09:46
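The log search the answer describes, as an added example that is not the answerer's code: it scans CloudTrail `*.json.gz` files already downloaded from S3, pulls the AMI, key pair and instance type from the `RunInstances` record for one instance ID, and goes slightly further by merging tags from later `CreateTags` events. The field paths (`responseElements.instancesSet.items`, `tagSet`, `resourcesSet`) are the record layout this sketch assumes, and the records in `demo()` are constructed sample data.

```python
import gzip, json, tempfile
from pathlib import Path

def iter_records(log_dir):
    """Yield every event from the *.json.gz CloudTrail files under log_dir."""
    for path in sorted(Path(log_dir).rglob("*.json.gz")):
        with gzip.open(path, "rt", encoding="utf-8") as fh:
            yield from json.load(fh).get("Records", [])

def items(obj, key):
    """obj[key]['items'], or [] when a level is missing or null (failed calls)."""
    return ((obj or {}).get(key) or {}).get("items") or []

def instance_details(log_dir, instance_id):
    """AMI, key pair, type and tags logged for instance_id, or None."""
    found, tags = {}, {}
    for ev in iter_records(log_dir):
        req, resp = ev.get("requestParameters"), ev.get("responseElements")
        if ev.get("eventName") == "RunInstances":
            for inst in items(resp, "instancesSet"):  # one entry per launched instance
                if inst.get("instanceId") == instance_id:
                    found = {"ami": inst.get("imageId"), "key_pair": inst.get("keyName"),
                             "instance_type": inst.get("instanceType"),
                             "launched_at": ev.get("eventTime")}
                    # tags supplied at launch time
                    tags.update((t["key"], t["value"]) for t in items(inst, "tagSet"))
        elif ev.get("eventName") == "CreateTags":  # tags added after launch
            if any(r.get("resourceId") == instance_id for r in items(req, "resourcesSet")):
                tags.update((t["key"], t["value"]) for t in items(req, "tagSet"))
    return {**found, "tags": tags} if found else None

def demo():
    """Run the search over one constructed log file; every value is made up."""
    iid = "i-0123456789abcdef0"
    records = [
        {"eventName": "RunInstances", "eventTime": "2016-01-20T10:00:00Z",
         "responseElements": {"instancesSet": {"items": [
             {"instanceId": iid, "imageId": "ami-0example", "keyName": "example-key",
              "instanceType": "t2.micro", "tagSet": {"items": [{"key": "Name", "value": "web-1"}]}}]}}},
        {"eventName": "CreateTags", "requestParameters": {
            "resourcesSet": {"items": [{"resourceId": iid}]},
            "tagSet": {"items": [{"key": "env", "value": "prod"}]}}},
        {"eventName": "RunInstances", "responseElements": None},  # failed launch
    ]
    with tempfile.TemporaryDirectory() as d:
        with gzip.open(Path(d) / "constructed.json.gz", "wt", encoding="utf-8") as fh:
            json.dump({"Records": records}, fh)
        return instance_details(d, iid)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `instance_details()` at a local copy of the trail's S3 prefix; a `None` result means no `RunInstances` record for that ID exists in the files scanned.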