Which user launched these EC2 instances? (instances, users)

2023-09-11 09:14:30 Author: 小熊花宴


I have some EC2 instances and I don't really know who launched them.

Is there a way to know who launched a specific instance?

Solution

Unfortunately this information is not directly available via an API call - you currently have two options:

1. Depending on your needs, you could approximate your goal by using the DescribeInstances API action to look at the key-name used for starting that instance (if any; it's optional, though usually in place). Assuming you have followed security best practices and are using a dedicated EC2 key pair per IAM user (rather than sharing keys), the key should usually denote the user who started the instance ;) That's most easily tested via the AWS Command Line Interface, specifically describe-instances.

2. Nowadays you could activate AWS CloudTrail, which records AWS API calls for your account and delivers log files to you, and provides exactly the information you are after:

The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.

AWS CloudTrail is a long overdue and invaluable tool and provides unprecedented insight into your AWS usage; it is easy to get started and only has a few remaining caveats currently:

- Most importantly, it isn't available in all regions yet, but AWS has just extended it to 3 more for a total of 5 (see AWS CloudTrail Expands Again - More Locations and Services), thus quickly approaching coverage of their entire Global Infrastructure.
- Not all services are covered yet, but AWS has just extended it to 7 more for a total of 15 (see AWS CloudTrail Update - Seven New Services).
- Depending on your needs, you most likely want to have a Logging as a Service (LaaS) solution in place to ease digging through the vast amount of logs, and provide alerts etc. Several providers already offer dedicated CloudTrail integration (and usually a free tier sufficient for that as well).
- Events are delivered within 15 minutes of the API call and the resulting logs to your S3 bucket approximately every 5 minutes, resulting in a maximum delay of 20 minutes, which is enough for post hoc and batch analysis, but not sufficient for near real-time alerting of course (see the AWS CloudTrail FAQ).
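An added example (not part of the original answer): a Python script showing both options from the answer above, the DescribeInstances key-name approximation and the CloudTrail approach of joining RunInstances events to the instance IDs they created. The describe-instances output and the CloudTrail records are constructed; the account ID, ARNs, IP addresses and instance IDs are made up, and the function names are my own. The CloudTrail field layout (userIdentity, eventSource, eventName, responseElements.instancesSet.items, errorCode) follows the real record format, as does the S3 delivery of gzipped JSON files with a top-level "Records" array.

```python
"""Attribute EC2 instances to the principal that launched them.

key_pair_hint():            the DescribeInstances approximation (InstanceId -> KeyName)
launchers_from_cloudtrail(): the CloudTrail answer, joining RunInstances events
                            to the instance IDs returned in responseElements
All sample data below is constructed for this example, not real AWS output.
"""
import gzip
import json
from pathlib import Path
from typing import Dict, Iterable, List, Optional


def key_pair_hint(describe_response: dict) -> Dict[str, Optional[str]]:
    """Map InstanceId -> KeyName from a describe-instances response.

    Only a hint: KeyName is optional, and a shared or role-owned key pair
    does not identify a person.
    """
    hints = {}
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            hints[inst["InstanceId"]] = inst.get("KeyName")  # None if no key pair
    return hints


def principal_of(user_identity: dict) -> str:
    """Render a CloudTrail userIdentity block as a readable launcher."""
    kind = user_identity.get("type")
    if kind == "IAMUser":
        return user_identity.get("userName") or user_identity["arn"]
    if kind == "AssumedRole":
        # ARN carries role and session name (role/session); the human is one hop away.
        return user_identity["arn"]
    if kind == "Root":
        return f"root ({user_identity.get('accountId')})"
    return user_identity.get("arn", kind or "unknown")


def launchers_from_cloudtrail(records: Iterable[dict]) -> Dict[str, dict]:
    """Join RunInstances events to the instance IDs they created.

    Returns InstanceId -> {launched_by, event_time, source_ip, region}.
    Failed calls carry errorCode and a null responseElements: they created
    nothing and are skipped rather than attributed.
    """
    launched = {}
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        if rec.get("errorCode") or not rec.get("responseElements"):
            continue
        for item in rec["responseElements"].get("instancesSet", {}).get("items", []):
            launched[item["instanceId"]] = {
                "launched_by": principal_of(rec["userIdentity"]),
                "event_time": rec["eventTime"],
                "source_ip": rec.get("sourceIPAddress"),
                "region": rec.get("awsRegion"),
            }
    return launched


def load_cloudtrail_dir(path: Path) -> List[dict]:
    """Read every CloudTrail *.json.gz file under path (the S3 delivery format)."""
    records: List[dict] = []
    for f in sorted(path.rglob("*.json.gz")):
        with gzip.open(f, "rt") as fh:
            records.extend(json.load(fh)["Records"])
    return records


# Constructed sample input (made-up IDs, ARNs and addresses).
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "KeyName": "alice-key"},
    {"InstanceId": "i-0bbb222"},  # launched without a key pair: no hint at all
]}]}

SAMPLE_RECORDS = [
    {   # successful launch by an IAM user
        "eventTime": "2013-11-14T10:02:17Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}},
    },
    {   # launch through an assumed role (e.g. CI); KeyName would name no person
        "eventTime": "2013-11-14T11:30:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci-session"},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"}]}},
    },
    {   # denied call: errorCode set, responseElements null, must not be attributed
        "eventTime": "2013-11-14T12:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.5",
        "userIdentity": {"type": "IAMUser", "userName": "mallory",
                         "arn": "arn:aws:iam::123456789012:user/mallory"},
        "errorCode": "Client.UnauthorizedOperation", "responseElements": None,
    },
]

if __name__ == "__main__":
    print("key-pair hints:", key_pair_hint(SAMPLE_DESCRIBE))
    for iid, who in launchers_from_cloudtrail(SAMPLE_RECORDS).items():
        print(iid, who)
```

Two things the records make visible that the prose only implies: a denied RunInstances call still produces a CloudTrail event (with errorCode and no responseElements), so attribution has to key on the instance IDs actually returned, and a launch through an assumed role names a role and session rather than a person, which is exactly the case where the key-pair heuristic gives nothing and you need the sts:AssumeRole event for that session to finish the trail.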
