How can I find the user who stopped, rebooted, or terminated my EC2 Windows instance?

3 minute read
0

My Amazon Elastic Compute Cloud (Amazon EC2) Windows instance was unexpectedly stopped, rebooted, or terminated. I want to find the user who did this.

Resolution

An EC2 Windows instance can be stopped or rebooted either through AWS or the Windows operating system (OS). An EC2 Windows instance can be terminated only through AWS.

The instance was stopped, rebooted, or terminated through AWS

You can use the following tools to stop, reboot, or terminate your instance through AWS:

  • AWS Management Console
  • AWS Command Line Interface (AWS CLI)
  • AWS Tools for PowerShell
  • AWS APIs
  • AWS SDKs
  • AWS CloudShell

If the instance event happened in the last 90 days, then use AWS CloudTrail Event history to get more information about the event.

To see your instance event in CloudTrail, complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. In the Lookup attributes dropdown list, choose Event name.
  4. For the Event name text box, enter one of the following event names, depending on your situation:
    • StopInstances when your instance was stopped.
    • RebootInstances when your instance was rebooted.
    • TerminateInstances when your instance was terminated.
  5. From the events list, select the event name.
  6. On the Details page, you can see the username of the AWS Identity and Access Management (IAM) identity that initiated the event.

The instance was stopped or rebooted in Windows

If CloudTrail doesn't show StopInstances or RebootInstances events for your instance, then the instance wasn't stopped or rebooted with AWS resources. In this case, the instance event was likely initiated in Windows.

To see more information about the instance event in Windows, connect to your instance, and then complete the following steps:

  1. On the Windows taskbar, choose Search, enter Event Viewer, and then choose Event Viewer to open the tool.
  2. In the navigation pane, expand Windows Logs, and then choose System.
  3. In the Actions pane, choose Filter Current Log.
  4. In the Filter Current Log dialog box, in the All Event IDs field, enter 1074 or 1076, and then choose OK.
  5. The event log shows the user who initiated the event.

Also, an EC2 Windows instance might stop or reboot in Windows in the following situations:

  • A user is logged in to the instance, and a Windows update reboots the OS.
  • Hardware unexpectedly fails.
  • An AWS planned maintenance event stops or restarts the instance.
  • A third-party tool issues the command.

Note: AWS sends notifications about planned instance retirements and unexpected hardware failures through email messages or your AWS Health Dashboard.

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago