我正在使用AWS,最近我的帐户详细信息(访问密钥/密钥)已被盗用。他们开始了21个Ec2实例。有没有办法检查AWS EC2实例从哪个IP地址启动?
答案 0 :(得分:2)
如果您已启用CloudTrail,则可以查看此信息。该事件应该有“sourceIPAddress”。
{
"Records": [{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accessKeyId": "EXAMPLE_KEY_ID",
"accountId": "123456789012",
"userName": "Alice"
},
"eventTime": "2014-03-06T21:22:54Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StartInstances",
"awsRegion": "us-west-2",
"sourceIPAddress": "205.251.233.176",
"userAgent": "ec2-api-tools 1.6.12.2",