EBS volume detatch notification

Posted: 02.11.2021 11:00 | Updated: 06.01.2024 18:55 | Tags: aws cloud til storage

EBS sends events to CloudWatch when creating, deleting or attaching a volume, but not on detachment. However, CloudTrail is able to list detachments, the command below lists the last 25 detachments.

aws cloudtrail lookup-events \
--max-results 25 \
--lookup-attributes AttributeKey=EventName,AttributeValue=DetachVolume

Setting up noticiations is then possible with CloudWatch alarms for CloudTrail. The steps are summarized below:

Ensure that a trail is created with a log group.
Create a metric filter with the Filter pattern { $.eventName = "DetachVolume" } in CloudWatch.
Create an alarm in CloudWatch with threshold 1 and the appropriate Action.

Related ramblings

Using S3 Metadata to list recently uploaded objects
Delete versioned S3 buckets
Querying an object's access tier
Identifying your AWS account when using multiple sessions
Get default AWS network resources using Terraform