3
3
Table of Contents

When working with AWS, we may want to track AWS EC2 instance launches. By default, both manual launches and Auto Scaling Group (ASG) launches generate the same RunInstances API event in CloudTrail.

But in real-world use cases, we often want alerts only for manually created (standalone) AWS EC2 instances, not for instances spawned automatically by ASGs.

We can achieve this using CloudTrail + EventBridge + SNS.

Why Do We Need This?

  • Cost control – Standalone AWS EC2s may be created for testing or troubleshooting and forgotten, leading to unnecessary spend.
  • Security – Manually launched instances may not follow standard security hardening or tagging policies.
  • Governance – Many organizations want resources to be created only via approved pipelines (Terraform, CloudFormation, ASG).
  • Visibility – Alerts help ops/FinOps teams track who created instances and why, ensuring better accountability.
  • Noise reduction – By excluding Auto Scaling Group launches, you only get notified for unexpected/manual creations.

How the Events Look in CloudTrail

Whenever an AWS EC2 instance is launched, CloudTrail records a RunInstances event.

When the instance is created by ASG, then we have the below userAgent value.

userAgent ASG event

This difference in userAgent lets us filter out ASG events.

Create an SNS Topic for Notifications

  • Go to Amazon SNS → Topics → Create topic

    a) Type: Standard 

    b) Name: EC2CreationAlerts

  • Create a subscription of Email.
  • Confirm the subscription by clicking on confirm subscription on the email you received.

EC2CreationAlerts
Create an EventBridge Rule

  • Create a rule with the name EC2CreationAlerts-rule.
    Define rule detail
     

  • Click on Custom Pattern(Json Editor) and paste the pattern below.Event pattern Json Editor

    EC2 JSON

  • While creating the EventBridge rule, set the Target to the SNS topic EC2CreationAlerts.Target 1 EC2CreationAlerts
  • Click on Next, Review, and create the rule.Review and create the rule

Test the Setup

StandAlone EC2 :

  • Launch an EC2 instance manually from the AWS Console.Launching a StandaloneEC2 instance
  • Standalone AWS EC2 gets created.Created instance
  • You should have received an email via the Amazon SNS topic.SNS confirmation mail

EC2 Created by ASG Test :

  • Create an ASG and set the desired capacity to 2.Create an ASG and set the desired capacity 2
  • 2 ASG EC2s are getting created, and we will not get any alerts for both of them via the SNS topic

Note: If you prefer a custom message format over raw event JSON via email, you can create a Lambda function and attach it to EventBridge according to your requirements. Please ensure that AWS Lambda has the required permissions to send logs to Amazon CloudWatch and publish messages to an SNS topic.

Conclusion

With this setup, we get real-time visibility into EC2 instances that are created manually, while avoiding noise from Auto Scaling events. This not only helps us enforce governance and security policies, but also ensures we can act quickly to prevent unnecessary costs from forgotten or unauthorized resources.

By combining CloudTrail, EventBridge, and Amazon SNS (or AWS Lambda for custom messages), we build a lightweight yet powerful guardrail that keeps your AWS environment clean, secure, and cost-efficient.

You may also like

Thumbnail

99% of companies saved up to 15% monthly with this plan & achieved peak performance.

Download Whitepaper
12
Let's discuss your cloud challenges and see how CloudKeeper can solve them all!
Connect with us
Meet the Author
  • rohit
    Rohit Agarwal
    Senior DevOps Engineer

    Rohit is passionate about designing and implementing scalable, secure, and efficient DevOps solutions including automation pipelines, cloud architectures, and infrastructure as code.

4 Comments
Comments Profile
West

I remember once, our team found a whole bunch of test servers someone spun up months ago and completely forgot about. The cost savings were significant when we finally killed them off. It felt like discovering money on the ground, but on the steep Slope of resource optimization. https://slopegame-online.com

Comments Profile
Phoebe Beckett

Managing AWS EC2 instances is crucial. I'm curious about the alert mechanisms. Are we talking about something that can catch manually spun-up instances before they become a whole "Cookie Clicker" chain reaction of uncontrolled resource usage? It's easy for standalone instances to slip through the cracks, so a real-time alerting system would definitely improve governance and prevent potential cost overruns. https://cookieclickers.io/

Comments Profile
bat smash

The explanation of filtering ASG events through the userAgent in CloudTrail is clear and practical. It’s a great tip for AWS monitoring and automation enthusiasts. For more tech insights and tools, check out https://www.bat-smash.com/ —your ultimate tech companion!

Comments Profile
Doraiko Russ

Managing AWS EC2 instances can feel like navigating Granny's house - full of unexpected surprises! Implementing real-time alerts for manually created, standalone instances is crucial for governance. Without it, you're wandering in the dark. Proactive monitoring prevents configuration drift and cost overruns, ensuring your EC2 environment remains secure and compliant. Think of these alerts as your escape plan - get out before Granny catches you! https://grannyfree.io/

Read More
Read Less
Leave a Comment

Speak with our advisors to learn how you can take control of your Cloud Cost

Contact Us
  • 1
  • 2
  • 3
  • 5
  • 6
  • 8
  • 9
  • 10