Reputation: 3958
I have full access to an AWS account, can see all the keys that were created and used, and need to know the person who owns the private keys. But the AWS UI does not provide any information about Key Pairs except ID, Name, Type, Fingerprint.
Is it possible to identify who created a certain key pair in AWS EC2?
Upvotes: 2
Views: 496
Reputation: 3624
If CloudTrail is set up, it would have recorded the event, which includes the user. The following is lifted from the AWS CloudTrail docs:
{"Records": [{
    "eventVersion": "1.0",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice",
        "sessionContext": {"attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2014-03-06T15:15:06Z"
        }}
    },
    "eventTime": "2014-03-06T17:10:34Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateKeyPair",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "72.21.198.64",
    "userAgent": "EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
    "requestParameters": {"keyName": "mykeypair"},
    "responseElements": {
        "keyName": "mykeypair",
        "keyFingerprint": "30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21",
        "keyMaterial": "\u003csensitiveDataRemoved\u003e"
    }
}]}
If CloudTrail was not enabled when the key pair was created, I think you might be out of luck. If you have paid support you could ask the question to AWS or otherwise use the AWS forums - they may know more than me.
Upvotes: 1
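The lookup the answer describes, as an added example that is not part of the original posts and not AWS code: it reads a CloudTrail log file in the layout quoted above and matches the fingerprint shown in the EC2 console against successful CreateKeyPair events, and goes one step further by also covering ImportKeyPair and role sessions. The sample records (apart from the values copied from the quoted record), the function names and the output field names are constructed for illustration.

```python
import json
# Constructed sample in the CloudTrail log-file layout quoted above (not real data).
FP_CREATED = "30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21"
FP_IMPORTED = "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"  # constructed
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-03-06T17:10:34Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateKeyPair", "awsRegion": "us-east-2",
     "sourceIPAddress": "72.21.198.64",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
     "requestParameters": {"keyName": "mykeypair"},
     "responseElements": {"keyName": "mykeypair", "keyFingerprint": FP_CREATED}},
    {"eventTime": "2014-03-07T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ImportKeyPair", "awsRegion": "us-east-2",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/bob",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/DeployRole"}}},
     "requestParameters": {"keyName": "imported-key"},
     "responseElements": {"keyName": "imported-key", "keyFingerprint": FP_IMPORTED}},
    {"eventTime": "2014-03-08T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateKeyPair", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Carol"},
     "requestParameters": {"keyName": "mykeypair"}, "responseElements": None},
]})

def key_pair_events(log_text):
    """Return one dict per successful CreateKeyPair/ImportKeyPair record."""
    found = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("errorCode"):
            continue  # other service, or a denied/failed call that created nothing
        if rec.get("eventName") not in ("CreateKeyPair", "ImportKeyPair"):
            continue
        ident = rec.get("userIdentity") or {}
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        resp = rec.get("responseElements") or {}
        found.append({"key_name": resp.get("keyName"), "event": rec["eventName"],
                      "fingerprint": resp.get("keyFingerprint"),
                      "principal": ident.get("arn"), "role": issuer.get("arn"),
                      "time": rec.get("eventTime"), "source_ip": rec.get("sourceIPAddress")})
    return found

def who_created(log_text, fingerprint):
    """Match the fingerprint shown in the EC2 console against logged events."""
    return [e for e in key_pair_events(log_text) if e["fingerprint"] == fingerprint]

if __name__ == "__main__":
    for e in who_created(SAMPLE_LOG, FP_CREATED):
        print(e["key_name"], e["principal"], e["time"], e["source_ip"])
```

CloudTrail delivers log files to S3 as gzip-compressed JSON, so decompress each file before passing its text to `key_pair_events`.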