2

Is there a way to find the number of EC2 instances that were launched in the last 1/2/3/4/5 or 6 months in all regions (running and terminated)? From a similar question, linked below, I can only get the current status (running|stopped|terminated) but not anything from past months: How to see all running Amazon EC2 instances across all regions?

Please advise. This is purely for audit purposes. Thanks in advance.

John Rotenstein
helloworld9
  • If you have [turned on AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/gs-cli-subscribe.html) then you can obtain historical information. Or, perhaps from your historical billing data. – John Rotenstein Aug 31 '21 at 06:44

2 Answers

1

I would recommend a combination of CloudTrail logs stored in S3 and Athena to do the query. The problem with CloudTrail alone is that you have a three-month window before logs roll off. Your requirements include as far out as six months.

To deliver log files to an S3 bucket, CloudTrail must have the required permissions, and it cannot be configured as a Requester Pays bucket. CloudTrail automatically attaches the required permissions to a bucket when you create an Amazon S3 bucket as part of creating or updating a trail in the CloudTrail console.

To set up Athena, you can configure it through the CloudTrail console:

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
  2. In the navigation pane, choose Event history.
  3. Choose Create Athena table.
  4. For Storage location, use the down arrow to select the Amazon S3 bucket where log files are stored for the trail to query.
  5. Choose Create table. The table is created with a default name that includes the name of the Amazon S3 bucket.

Then you can run a query similar to this in Athena:

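```sql
-- Replace cloudtrail_logs with the name of the table created in the steps above
-- (the default name includes the S3 bucket name).
SELECT eventname,
       useridentity.principalid,
       awsregion,
       eventtime
FROM cloudtrail_logs
-- eventtime is an ISO 8601 string, so string comparison orders correctly
WHERE eventtime >= '2021-02-01T00:00:00Z'
    AND eventtime < '2021-08-30T00:00:00Z'
    AND eventname = 'RunInstances'
```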

References

Create S3 Bucket Policy for CloudTrail
Query CloudTrail logs with Athena
Athena Search CloudTrail Logs

kenlukas
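The query in the answer above lists `RunInstances` calls; for the audit count asked about in the question, the following added example (not part of the original answer) aggregates them per month and region. It assumes the table is named `cloudtrail_logs` as in the answer, that it has the `eventsource`, `errorcode` and `responseelements` columns of the table the CloudTrail console creates (with `responseelements` stored as a JSON string), and it reuses the answer's date range.

```sql
-- Added example: launches per month and region from CloudTrail logs in Athena.
-- Assumption: table name cloudtrail_logs; replace with your own table name.
SELECT substr(eventtime, 1, 7) AS launch_month,   -- 'YYYY-MM' prefix of the ISO 8601 timestamp
       awsregion,
       count(*) AS runinstances_calls,
       -- One RunInstances call can launch several instances, so count the
       -- entries returned in responseElements.instancesSet.items.
       sum(json_array_length(
             json_extract(responseelements, '$.instancesSet.items')
           )) AS instances_launched
FROM cloudtrail_logs
WHERE eventsource = 'ec2.amazonaws.com'
    AND eventname = 'RunInstances'
    -- Skip denied, failed and dry-run calls, which launch nothing.
    AND errorcode IS NULL
    AND eventtime >= '2021-02-01T00:00:00Z'
    AND eventtime < '2021-08-30T00:00:00Z'
GROUP BY 1, 2
ORDER BY 1, 2
```

The result only covers regions and dates for which the trail actually delivered logs to the S3 bucket, so a multi-region trail is needed for a count across all regions.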
0

AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards by providing a history of activity in your AWS account.

AWS have an option to view Event History if you have CloudTrail enabled. Please go through this AWS page to view clear instructions.

If you would like to use the AWS CLI, then this documentation provides all the details.

Subhashis Pandey