How to find who created a AWS RDS DB instance?

Question

I want to find who created a particular AWS RDS DB instance. I tried two ways:

• Using aws rds describe-db-instances command line
• Using AWS console https://console.aws.amazon.com/rds/

Is there a way to find out this or not? If yes, Can anyone help to find out the createdBy flag?

Answer 1

You can configure Cloudtrail to send all log events to Cloudwatch by following the instructions here: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html

That allows you interrogate the logs using the rich query syntax seen here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax-examples.html

Once the CLoudtrail -> Cloudwatch is in place, use the following query to list the creators of RDS instances along with size and other useful info:

fields eventName, requestParameters.dBInstanceClass as dbsize,  requestParameters.dBInstanceIdentifier as dbname, userIdentity.userName, eventSource, @timestamp, @message
| sort dbsize, dbname desc
| filter (eventName like 'CreateDBInstance') and  eventSource='rds.amazonaws.com'

You would run the above query in Cloudwatch -❯ Logs -> Insights. A direct link for London is : https://eu-west-2.console.aws.amazon.com/cloudwatch/home?region=eu-west-2#logs-insights:

Answer 2

If it was created in the last 7 days and if you have CloudTrail enabled, you can get the information you want (who created the RDS instance) in CloudTrail dashboard.

If it was created more than 7 days ago and if have CloudTrail logs (S3 bucket) enabled, then you can download the logs (compressed json files) and look for the event that creates the DB instance which will also have the user who created it.