Skip to main content
CloudTrail provides a comprehensive audit trail of all API calls in your AWS account. In this guide, you’ll learn how to trace which IAM user issued the StopInstances command to shut down an EC2 instance.

Table of Contents

Use Case: Investigating EC2 Shutdown

When an unexpected EC2 instance stops, you need to know who performed that action. CloudTrail captures every API call, making it straightforward to identify the culprit.
The image is a diagram showing the process of investigating who shut down an EC2 instance using AWS CloudTrail. It involves an IAM user making an API call to stop the instance, which is logged by AWS CloudTrail.

How CloudTrail Works

  1. An IAM user or role issues an API request (e.g., StopInstances).
  2. CloudTrail records the request details: caller identity, API action, resource ARNs, and timestamp.
  3. Logs are delivered to an S3 bucket (or optionally to CloudWatch Logs) for storage and analysis.
Make sure you have at least one active trail in the region where your EC2 instances run.
Configure multi-region logging for global coverage.

Key Features

FeatureDescription
Audit TrailComplete history of all API calls for compliance and forensic use
Visibility & SecurityDetect unusual behavior by monitoring account activity
Centralized Log StorageStore logs in Amazon S3 for long-term retention
Real-time MonitoringIntegrate with CloudWatch Logs to trigger alerts instantly
The image explains AWS CloudTrail, highlighting its functions: creating an audit trail, enhancing security through activity monitoring, and storing logs in S3 buckets for real-time analysis.

Demo: Finding the StopInstances Event

Follow these steps in the AWS Management Console or use the AWS CLI to locate the StopInstances event.

AWS Management Console

  1. Open the CloudTrail service.
  2. Click Event history.
  3. In the filter bar, select Event name and enter StopInstances.
  4. Review each entry’s:
    • Event time
    • Username (IAM user or role)
    • Resources (affected EC2 instance ARNs)

AWS CLI

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=StopInstances \
  --max-results 10
This returns a JSON list of matching events. Inspect the Username, EventTime, and Resources fields to pinpoint who stopped the instance.
If your trail isn’t configured to deliver logs to CloudWatch Logs, you won’t get real-time alerts.
Enable CloudWatch integration in the trail settings to receive immediate notifications.

Best Practices

  • Enable multi-region trails to capture global AWS API activity.
  • Encrypt log files with SSE-KMS for data protection.
  • Implement log file validation to ensure integrity.
  • Configure lifecycle policies in S3 to archive or delete old logs.

References

Watch Video