In this walkthrough, you’ll learn how to pinpoint the IAM user who terminated an EC2 instance (ID ends with 1D91) using AWS CloudTrail’s Event History. This helps you audit critical API calls and enhance security visibility.
1. Access CloudTrail Event History
Sign in to the AWS Management Console and search for CloudTrail.
In the left-hand menu, select Event history.
Adjust the time range and apply filters as needed to narrow down results.
By default, Event history shows all recorded API calls, such as:
CreateBucket
PutBucketEncryption
ConsoleLogin
TerminateInstances
Ensure your IAM user or role has the cloudtrail:LookupEvents permission to view event history.
2. Filter for TerminateInstances Events
In the Event name filter, type TerminateInstances.
(Optional) Under Resource name, enter the instance ID (i-02287a6b78cc71d91 in this example) to restrict the results to that instance.
Now you should see the specific TerminateInstances event for the target instance. The summary row displays the IAM user, timestamp, and event name.
3. Inspect Event Details
Click the TerminateInstances entry to expand the details pane. You'll find several sections.
3.1 User Identity
The userIdentity block shows who made the call:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAZZBPMTHEGGK6QLMU",
    "arn": "arn:aws:iam::672261773768:user/John",
    "accountId": "672261773768",
    "accessKeyId": "ASIAZZBPMTHEGOIBHXVW",
    "userName": "John",
    "sessionContext": {
      "attributes": {
        "creationDate": "2023-10-16T17:24:53Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2023-10-16T17:25:20Z",
  "eventSource": "ec2.amazonaws.com"
}
This indicates:
IAM user John (principalId: AIDAZZBPMTHEGGK6QLMU) made the call
Event timestamp: 2023-10-16T17:25:20Z
API source: ec2.amazonaws.com
The session was not MFA-authenticated (mfaAuthenticated: "false"), which is worth recording in the audit finding for a destructive action like this
3.2 Instance State Transition
Scroll down to Response elements to view the state change:
{
  "responseElements": {
    "requestId": "77104859-e0f6-4465-a836-830c1cb8583e",
    "instancesSet": {
      "items": [
        {
          "instanceId": "i-02287a6b78cc71d91",
          "previousState": {
            "code": 16,
            "name": "running"
          },
          "currentState": {
            "code": 32,
            "name": "shutting-down"
          }
        }
      ]
    }
  }
}
State           Code   Meaning
previousState   16     running
currentState    32     shutting-down
This confirms the TerminateInstances call initiated a shutdown.
4. Summary of Event Record
At the bottom of the details pane, you'll find additional metadata:
{
  "eventID": "0ea6b2d5-51d5-4765-ad83-4db65d506d9c",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "672261773768",
  "eventCategory": "Management"
}
Field                Sample Value                            Description
eventID              0ea6b2d5-51d5-4765-ad83-4db65d506d9c    Unique ID for the CloudTrail event
eventType            AwsApiCall                              Type of API call
managementEvent      true                                    Indicates a management-level operation
recipientAccountId   672261773768                            AWS account where the event occurred
From this audit trail, you've confirmed that John executed the TerminateInstances API call, changing the instance from running to shutting-down.
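The same check can be run programmatically over records returned by the CloudTrail LookupEvents API, whose CloudTrailEvent field is a JSON string shaped like the records above. The following Python is an added example, not part of the original walkthrough: the sample record is constructed for illustration from the values on this page, and the who_terminated function is a hypothetical helper that attributes a TerminateInstances call for one instance and flags whether the session was MFA-authenticated.

```python
import json
from datetime import datetime, timezone
from typing import Optional, Union

# Constructed sample record (values taken from this page), as a dict and as the
# JSON string form that LookupEvents returns in the CloudTrailEvent field.
SAMPLE_EVENT = {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAZZBPMTHEGGK6QLMU",
        "arn": "arn:aws:iam::672261773768:user/John",
        "accountId": "672261773768",
        "userName": "John",
        "sessionContext": {"attributes": {"creationDate": "2023-10-16T17:24:53Z",
                                          "mfaAuthenticated": "false"}},
    },
    "eventTime": "2023-10-16T17:25:20Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "TerminateInstances",
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-02287a6b78cc71d91",
         "previousState": {"code": 16, "name": "running"},
         "currentState": {"code": 32, "name": "shutting-down"}}]}},
}
SAMPLE_EVENT_JSON = json.dumps(SAMPLE_EVENT)


def who_terminated(record: Union[str, dict], instance_id: str) -> Optional[dict]:
    """Return actor, time, MFA status and state transition for instance_id, or
    None when the record is not a TerminateInstances call touching it."""
    if isinstance(record, str):          # CloudTrailEvent arrives as a JSON string
        record = json.loads(record)
    if record.get("eventName") != "TerminateInstances":
        return None
    items = record.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    hit = next((i for i in items if i.get("instanceId") == instance_id), None)
    if hit is None:
        return None
    ident = record.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    # IAM users carry userName; assumed-role sessions only carry the session ARN.
    actor = ident.get("userName") or ident.get("arn", "unknown")
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "actor": actor,
        "principal_type": ident.get("type"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "event_time": when.replace(tzinfo=timezone.utc),
        "transition": (hit["previousState"]["name"], hit["currentState"]["name"]),
    }
```

For the record above this yields actor John, mfa False and the transition ("running", "shutting-down"); a record for a different instance or a different event name returns None.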
5. Automate Alerts with EventBridge
Integrate these CloudTrail logs with Amazon EventBridge (formerly CloudWatch Events) to trigger alerts or remediation workflows when critical actions occur:
aws events put-rule \
  --name EC2TerminationRule \
  --event-pattern '{
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
      "eventName": ["TerminateInstances"]
    }
  }'
Attach a target (e.g., SNS topic, Lambda function) to notify your team or perform automated checks.