{
	"id": "61087ff4-8979-46ea-b2b4-1adb74a14f12",
	"created_at": "2026-04-06T03:36:54.421732Z",
	"updated_at": "2026-04-10T03:20:45.903055Z",
	"deleted_at": null,
	"sha1_hash": "4ba09b05bcb95f80cf56ca473d983f28b9971bdf",
	"title": "How do I use CloudTrail to track API calls to my Amazon EC2 instances?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63296,
	"plain_text": "How do I use CloudTrail to track API calls to my Amazon EC2\r\ninstances?\r\nBy AWS Official\r\nPublished: 2019-09-04 · Archived: 2026-04-06 03:33:13 UTC\r\nI want to track API calls that run, stop, start, and terminate my Amazon Elastic Compute Cloud (Amazon EC2)\r\ninstances.\r\nResolution\r\nYou can use AWS CloudTrail to track API calls to your AWS account. These API calls, also known as event types,\r\ninclude RunInstances, StopInstances, StartInstances, and TerminateInstances.\r\nNote: You can use CloudTrail to search event history for the last 90 days.\r\nTrack API calls with CloudTrail event history\r\n1. Open the CloudTrail console.\r\n2. Choose Event history.\r\n3. For Filter, select the dropdown list. Then, choose Event name.\r\n4. For Enter event name, enter the event type. Then, choose the event type.\r\n5. For Time range, specify the search period.\r\n6. Choose Apply.\r\nFor more information, see Working with CloudTrail event history and Viewing recent management events with the\r\nconsole.\r\nTrack API calls with Athena queries\r\nYou can use the following example queries for the RunInstances API call and adapt them for other supported\r\nevent types. For more information, see How do I automatically create tables in Athena to search through\r\nCloudTrail logs?\r\nImportant: Replace cloudtrail-logs with your Amazon Athena table name in the following example queries.\r\nExample query to return all available event information for the RunInstances API call:\r\nSELECT *\r\nFROM cloudtrail-logs\r\nhttps://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/\r\nPage 1 of 3\n\nWHERE eventName = 'RunInstances'\r\nExample query to return filtered event information for the RunInstances API call:\r\nSELECT userIdentity.username, eventTime, eventName\r\nFROM cloudtrail-logs\r\nWHERE eventName = 'RunInstances'\r\nExample query to find event information for API calls that end with \"Instances\" during a specific time period:\r\nImportant: Replace 2021-07-01T00:00:01Z with the start date.\r\nSELECT userIdentity.username, eventTime, eventName\r\nFROM cloudtrail-logs\r\nWHERE (eventName LIKE '%Instances') AND eventTime \u003e '2021-07-01T00:00:01Z'\r\nTrack API calls with archived CloudWatch logs in Amazon S3\r\nPrerequisite: To log events to an Amazon Simple Storage Service (Amazon S3) bucket, you must create a\r\nCloudTrail trail.\r\n1. To access your CloudTrail log files, follow the instructions in Getting and viewing your CloudTrail log\r\nfiles.\r\n2. Download your log files. For instructions, see Downloading your CloudTrail log files.\r\n3. Search the logs with jq or another JSON command line processor to find event types.\r\nExample jq procedure to search Amazon CloudWatch logs from Amazon S3 for event types:\r\nOpen a Bash terminal, and then run the following command to create a storage directory.\r\n$ mkdir cloudtrail-logs\r\nNavigate to the new directory. Then, run the following command to download the CloudTrail logs:\r\nImportant: Replace the example my_cloudtrail_bucket with your S3 bucket.\r\nhttps://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/\r\nPage 2 of 3\n\n$ cd cloudtrail-logs\r\n$ aws s3 cp s3://my_cloudtrail_bucket/AWSLogs/012345678901/CloudTrail/eu-west-1/2019/08/07 ./ --recursive\r\nRun the following gzip command to decompress the log files:\r\nImportant: Replace * with the file name that you want to decompress.\r\n$ gzip -d *\r\nExample jq query to return all available event information for the RunInstances API call:\r\nRun the following jq query to find specific event types.\r\ncat * | jq '.Records[] | select(.eventName==\"RunInstances\")'\r\nExample jq query to return all available event information for the StopInstances and TerminateInstances API calls:\r\ncat * | jq '.Records[] | select(.eventName==\"StopInstances\" or .eventName==\"TerminateInstances\" )'\r\nRelated information\r\nHow do I use CloudTrail to review what API calls and actions have occurred in my AWS account?\r\nCreating metrics from log events using filters\r\nAWS Config console now displays API events associated with configuration changes\r\nSource: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/\r\nhttps://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/"
	],
	"report_names": [
		"cloudtrail-search-api-calls"
	],
	"threat_actors": [],
	"ts_created_at": 1775446614,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ba09b05bcb95f80cf56ca473d983f28b9971bdf.pdf",
		"text": "https://archive.orkl.eu/4ba09b05bcb95f80cf56ca473d983f28b9971bdf.txt",
		"img": "https://archive.orkl.eu/4ba09b05bcb95f80cf56ca473d983f28b9971bdf.jpg"
	}
}