tleyden

Reputation: 1980

How do I find out which AWS ACCESS KEY ID was used to launch an instance?

I would like to create a tool that will monitor AWS for unused instances and then send an email to the user that launched the instance asking them to shut it down if they aren't using it.

Assuming I have a database with a mapping between Access Key IDs and the email addresses of the users at our company that launch EC2 instances, how can I find the Access Key ID of a running EC2 instance?

Are there any existing software or services that already do this?

Upvotes: 0

Views: 1046

Answers (2)

helloV

Reputation: 52443

All instances will have an IAM user associated with them. You can get this information from CloudTrail, but it will show the trail for the last 2 weeks, so you need to periodically collect the data and store it.

The way I do it is: I use a combination of CloudTrail + Lambda and tag the instance when the instance is started. The tag can be a name or email. When I see unused instance(s), I query the tag and send an email to the address identified by the tag. It works flawlessly. I posted it as a question: Mandatory tagging when launching EC2 instance

Check the accepted answer posted by me. It was fun learning about AWS Lambda. The Lambda usage falls below free tier limit and I pay nothing for using AWS Lambda.

Upvotes: 1
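The CloudTrail + Lambda tagging flow described in the answer above, written out as an added example (not the answerer's own code). It parses the EventBridge "AWS API Call via CloudTrail" event that a Lambda receives for a `RunInstances` call, reads the principal from the record's `userIdentity` element (which carries `accessKeyId`, `userName` or the assumed role's ARN), looks the key up in the question's key-to-email mapping, and builds the `Owner` tag to apply. The sample events, account id, key ids, instance ids and the `KEY_TO_EMAIL` mapping are all constructed placeholders; `boto3` is only imported inside the handler so the parsing logic runs offline.

```python
"""Derive an Owner tag for newly launched EC2 instances from a CloudTrail RunInstances record."""
from typing import Dict, List, Optional, Tuple

# Assumed: the organisation's own key-id -> email mapping (the question's database).
KEY_TO_EMAIL: Dict[str, str] = {"AKIAEXAMPLEKEY00001": "alice@example.com"}

# Constructed sample: an IAM user launching an instance with a long-term access key.
SAMPLE_USER_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::123456789012:user/alice",
            "accountId": "123456789012",
            "accessKeyId": "AKIAEXAMPLEKEY00001",
            "userName": "alice",
        },
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0exampleaaaa0001"}]}},
    },
}

# Constructed sample: an assumed role (temporary ASIA... key) launching two instances.
SAMPLE_ROLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session",
            "accessKeyId": "ASIAEXAMPLETEMP0001",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/DeployRole"}},
        },
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0exampleaaaa0002"},
                                                        {"instanceId": "i-0exampleaaaa0003"}]}},
    },
}


def principal_from_record(record: dict) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (identity type, human-readable principal, access key id) from userIdentity."""
    ident = record.get("userIdentity", {})
    ptype = ident.get("type")
    key = ident.get("accessKeyId")
    if ptype == "IAMUser":
        who = ident.get("userName") or ident.get("arn")
    elif ptype == "AssumedRole":
        # Attribute to the role, not the short-lived session ARN.
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        who = issuer.get("arn") or ident.get("arn")
    else:
        # AWSService (e.g. autoscaling) records carry invokedBy instead of a user.
        who = ident.get("invokedBy") or ident.get("arn") or ptype
    return ptype, who, key


def instance_ids_from_record(record: dict) -> List[str]:
    """Instance ids appear in responseElements.instancesSet.items for RunInstances."""
    items = record.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items if "instanceId" in item]


def build_owner_tags(event: dict, key_to_email: Dict[str, str]) -> Optional[dict]:
    """Plan the tags for the instances in the event; None if it is not a RunInstances call."""
    record = event.get("detail", {})
    if record.get("eventName") != "RunInstances":
        return None
    _ptype, who, key = principal_from_record(record)
    owner = key_to_email.get(key or "", who)  # fall back to the principal when the key is unmapped
    return {
        "instance_ids": instance_ids_from_record(record),
        "tags": [{"Key": "Owner", "Value": owner}, {"Key": "LaunchedBy", "Value": who}],
    }


def lambda_handler(event: dict, context) -> Optional[dict]:
    """Lambda entry point: tag the launched instances with the planned Owner/LaunchedBy tags."""
    import boto3  # imported here so the parsing functions above stay testable offline

    plan = build_owner_tags(event, KEY_TO_EMAIL)
    if plan and plan["instance_ids"]:
        boto3.client("ec2").create_tags(Resources=plan["instance_ids"], Tags=plan["tags"])
    return plan


if __name__ == "__main__":
    print(build_owner_tags(SAMPLE_USER_EVENT, KEY_TO_EMAIL))
    print(build_owner_tags(SAMPLE_ROLE_EVENT, KEY_TO_EMAIL))
```

The unused-instance sweep then only has to read the `Owner` tag back, which avoids re-querying CloudTrail after its retention window has passed. Wiring the Lambda to an EventBridge rule that matches `source: aws.ec2` and `detail.eventName: RunInstances` is assumed, as is an IAM role for the function that permits `ec2:CreateTags`.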

chris

Reputation: 37480

You can't do this - there is not always a relationship between a user and a running instance.

Think about autoscaling: an instance can come online in response to an event, run for a few hours, and then go away. No human intervention needed.

You may be able to pull some information about the user that created it by turning on CloudTrail, but it won't identify which key was used. Remember that users can have multiple keys.

If you really want to ensure that you can track who is launching instances, put in a policy to require a specific tag (say, "Owner") with an email address, and terminate any instances that don't have the tag set. (You should be able to do this with AWS Config rules)

Upvotes: 1
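An added example (not the answerer's code) of the tag-enforcement policy described above: it audits the dict shape returned by boto3's EC2 `describe_instances()` for a required `Owner` tag and returns the non-compliant instance ids for termination. It also handles the autoscaling case the answer raises: instances launched by an Auto Scaling group carry the AWS-managed `aws:autoscaling:groupName` tag, so they are attributed to the group rather than reported as unowned. The `describe_instances` output, instance ids and tag values below are constructed for this example.

```python
"""Audit running EC2 instances for a required Owner tag and plan terminations."""
from typing import Dict, List

REQUIRED_TAG = "Owner"
ASG_TAG = "aws:autoscaling:groupName"  # set by EC2 Auto Scaling on every instance it launches

# Constructed sample in the shape of boto3 ec2.describe_instances() output.
SAMPLE_DESCRIBE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0exampleaaaa0001", "State": {"Name": "running"},
             "Tags": [{"Key": "Owner", "Value": "alice@example.com"}]},
            {"InstanceId": "i-0exampleaaaa0002", "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "scratch-box"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0exampleaaaa0003", "State": {"Name": "running"},
             "Tags": [{"Key": ASG_TAG, "Value": "web-asg"}]},
            {"InstanceId": "i-0exampleaaaa0004", "State": {"Name": "terminated"},
             "Tags": []},
        ]},
    ]
}


def tags_as_dict(instance: dict) -> Dict[str, str]:
    """Flatten the [{Key, Value}, ...] tag list into a plain dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def classify_instances(describe_output: dict, required_tag: str = REQUIRED_TAG) -> dict:
    """Split live instances into owned, autoscaled (attributed to the group) and unowned."""
    result = {"owned": {}, "autoscaled": {}, "unowned": []}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # nothing left to enforce on
            tags = tags_as_dict(inst)
            iid = inst["InstanceId"]
            if tags.get(required_tag):
                result["owned"][iid] = tags[required_tag]
            elif tags.get(ASG_TAG):
                result["autoscaled"][iid] = tags[ASG_TAG]
            else:
                result["unowned"].append(iid)
    return result


def untagged_instance_ids(describe_output: dict) -> List[str]:
    """Instance ids that violate the mandatory-Owner-tag policy."""
    return classify_instances(describe_output)["unowned"]


def terminate_unowned(describe_output: dict, ec2_client, dry_run: bool = True) -> List[str]:
    """Terminate policy violators; DryRun=True lets you verify permissions without acting."""
    ids = untagged_instance_ids(describe_output)
    if ids:
        ec2_client.terminate_instances(InstanceIds=ids, DryRun=dry_run)
    return ids


if __name__ == "__main__":
    print(classify_instances(SAMPLE_DESCRIBE))
```

In production the same check is available without custom code as the AWS Config managed rule `required-tags` (tag key `Owner`, resource type `AWS::EC2::Instance`), with a remediation action to stop or terminate non-compliant instances; the Python above is useful when you want the autoscaling exemption or a dry run before enforcing.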
