
When working with AWS, we may want to track AWS EC2 instance launches. By default, both manual launches and Auto Scaling Group (ASG) launches generate the same RunInstances API event in CloudTrail.

But in real-world use cases, we often want alerts only for manually created (standalone) AWS EC2 instances, not for instances spawned automatically by ASGs.

We can achieve this with CloudTrail, EventBridge and SNS: CloudTrail records the API call, an EventBridge rule matches the RunInstances event and excludes ASG launches, and SNS delivers the alert. EventBridge only receives "AWS API Call via CloudTrail" events in a region where a trail is logging management events, so make sure one exists there.

Why Do We Need This?

  • Cost control – Standalone AWS EC2s may be created for testing or troubleshooting and forgotten, leading to unnecessary spend.
  • Security – Manually launched instances may not follow standard security hardening or tagging policies.
  • Governance – Many organizations want resources to be created only via approved pipelines (Terraform, CloudFormation, ASG).
  • Visibility – Alerts help ops/FinOps teams track who created instances and why, ensuring better accountability.
  • Noise reduction – By excluding Auto Scaling Group launches, you only get notified for unexpected/manual creations.

How the Events Look in CloudTrail

Whenever an AWS EC2 instance is launched, CloudTrail records a RunInstances event.

When the instance is launched by an ASG, the RunInstances record identifies the Auto Scaling service as the caller: its userAgent is autoscaling.amazonaws.com, and userIdentity carries an invokedBy field that is also autoscaling.amazonaws.com. A manual launch records the console's or SDK's own user agent string instead, and has no invokedBy field.

This difference in userAgent lets us filter out ASG events. One caveat: userAgent is a header chosen by the client, so an SDK caller can set it to any string, whereas invokedBy is written by CloudTrail when an AWS service acts on a principal's behalf. Matching on userAgent, as the rule below does, is enough for noise reduction; if the alert is meant to catch someone deliberately hiding a launch, check invokedBy as well.

Create an SNS Topic for Notifications

  • Go to Amazon SNS → Topics → Create topic

    a) Type: Standard 

    b) Name: EC2CreationAlerts

  • Create an Email subscription to the topic.
  • Confirm the subscription by clicking "Confirm subscription" in the email you receive.

Create an EventBridge Rule

  • Go to Amazon EventBridge → Rules → Create rule, name it EC2CreationAlerts-rule, and keep the default event bus with the rule type "Rule with an event pattern".
  • Under Event pattern, choose Custom pattern (JSON editor) and paste the pattern: it matches "AWS API Call via CloudTrail" events from ec2.amazonaws.com with eventName RunInstances, excluding those whose userAgent is autoscaling.amazonaws.com.
  • Set the target to the SNS topic EC2CreationAlerts.
  • Click Next, review, and create the rule. EventBridge rules are regional, so repeat this in every region where instances may be launched.
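The rule pattern and its effect, as an added example that is not the page's screenshot or code: the pattern below reproduces the filter described in the two sections above (RunInstances from ec2.amazonaws.com with a userAgent other than autoscaling.amazonaws.com), and the small matcher implements the subset of EventBridge matching it relies on, so you can check offline which CloudTrail events would reach the SNS topic. The sample events and their user agent strings are constructed, not captured.

```python
"""EventBridge rule pattern for manual RunInstances alerts plus an offline matcher."""
import json

# Pattern for the rule (assumed; it reproduces the filter described in the text,
# not the page's screenshot). Matches CloudTrail RunInstances calls except those
# made by the Auto Scaling service.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["RunInstances"],
        "userAgent": [{"anything-but": ["autoscaling.amazonaws.com"]}],
    },
}


def matcher_hits(matcher, value):
    """One element of a pattern array: a literal (exact match) or an
    anything-but content filter. Other EventBridge filters are out of scope."""
    if isinstance(matcher, dict):
        if "anything-but" in matcher:
            excluded = matcher["anything-but"]
            if not isinstance(excluded, list):
                excluded = [excluded]
            return value not in excluded
        raise ValueError(f"unsupported content filter: {matcher}")
    return matcher == value


def pattern_matches(pattern, event):
    """Subset of EventBridge semantics: every key in the pattern must exist in
    the event, an array of matchers is an OR, nested objects recurse, and a
    missing field never matches (not even against anything-but)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif not any(matcher_hits(m, actual) for m in expected):
            return False
    return True


def envelope(event_name, user_agent):
    """Constructed sample of what EventBridge delivers for a CloudTrail call."""
    return {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com",
                       "eventName": event_name, "userAgent": user_agent}}


# Constructed samples: a console launch, an ASG launch, and an unrelated call.
MANUAL_LAUNCH = envelope("RunInstances", "console.ec2.amazonaws.com")
ASG_LAUNCH = envelope("RunInstances", "autoscaling.amazonaws.com")
TERMINATE = envelope("TerminateInstances", "console.ec2.amazonaws.com")

if __name__ == "__main__":
    print(json.dumps(EVENT_PATTERN, indent=2))  # this is what goes into the JSON editor
    for name, evt in [("manual", MANUAL_LAUNCH), ("asg", ASG_LAUNCH), ("terminate", TERMINATE)]:
        print(f"{name:9s} -> {'alert' if pattern_matches(EVENT_PATTERN, evt) else 'ignored'}")
```

Running the module prints the pattern to paste into the rule and shows that only the manual launch would be forwarded to the topic. Because every key in a pattern must be present in the event, an anything-but filter cannot be used directly on userIdentity.invokedBy (absent for manual launches); that check is better done in a Lambda target.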

Test the Setup

Standalone EC2:

  • Launch an EC2 instance manually from the AWS Console.
  • Once the standalone instance is created, you should receive an email via the Amazon SNS topic containing the RunInstances event.

EC2 created by ASG:

  • Create an ASG with a desired capacity of 2.
  • The ASG launches two instances, and no alert is sent for either of them via the SNS topic.

Note: If you prefer a custom message format over raw event JSON via email, you can create a Lambda function and attach it to EventBridge according to your requirements. Please ensure that AWS Lambda has the required permissions to send logs to Amazon CloudWatch and publish messages to an SNS topic.
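As an added example of the Lambda alternative described in the note above (this is not the page's own function), the handler below turns the EventBridge envelope into a short subject and body and publishes them to the topic. It decides whether a launch was service-initiated from userIdentity.invokedBy rather than userAgent, since the caller cannot set invokedBy, and flags a mismatch between the two. The topic ARN, account ID, principal ARN, source IP and instance ID are placeholders, the sample events are constructed, and RecordingSns stands in for the boto3 client so the module runs offline.

```python
"""Lambda target for the rule: readable alert instead of raw event JSON."""
import os

# Placeholder; in Lambda set SNS_TOPIC_ARN in the function's environment.
TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:EC2CreationAlerts")
SERVICE_LAUNCHERS = {"autoscaling.amazonaws.com"}


def launched_by_service(detail):
    """True when an AWS service made the call on a principal's behalf. Keyed on
    userIdentity.invokedBy, which CloudTrail sets itself; userAgent is a header
    the caller chooses and is only used as a cross-check in the message."""
    return detail.get("userIdentity", {}).get("invokedBy") in SERVICE_LAUNCHERS


def build_message(event):
    """Return (subject, body) for a manual RunInstances call, or None to skip it."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances" or launched_by_service(detail):
        return None
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    instance_ids = ", ".join(i.get("instanceId", "?") for i in items) or "none in response"
    identity = detail.get("userIdentity", {})
    actor = identity.get("arn") or identity.get("principalId") or "unknown"
    lines = [
        f"Account:   {event.get('account', '?')}",
        f"Region:    {event.get('region', '?')}",
        f"Actor:     {actor}",
        f"Source IP: {detail.get('sourceIPAddress', '?')}",
        f"UserAgent: {detail.get('userAgent', '?')}",
        f"Time:      {detail.get('eventTime', '?')}",
        f"Instances: {instance_ids}",
    ]
    # A caller can set any userAgent; if it names a service but invokedBy is absent, say so.
    if detail.get("userAgent") in SERVICE_LAUNCHERS:
        lines.append("Warning:   userAgent claims a service caller but invokedBy is not set")
    subject = f"Manual EC2 launch in {event.get('region', '?')}: {instance_ids}"
    return subject[:100], "\n".join(lines)  # SNS subjects are capped at 100 characters


def lambda_handler(event, context=None, sns_client=None):
    """Entry point. The execution role needs sns:Publish on TOPIC_ARN plus
    logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents."""
    result = build_message(event)
    if result is None:
        return {"published": False}
    subject, body = result
    if sns_client is None:
        import boto3  # imported lazily so the module runs without boto3 installed
        sns_client = boto3.client("sns")
    sns_client.publish(TopicArn=TOPIC_ARN, Subject=subject, Message=body)
    return {"published": True, "subject": subject}


def sample_event(user_agent, invoked_by=None, event_name="RunInstances"):
    """Constructed CloudTrail-via-EventBridge event; not a real capture."""
    identity = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
    if invoked_by:
        identity["invokedBy"] = invoked_by
    return {
        "account": "123456789012", "region": "us-east-1",
        "detail": {
            "eventTime": "2024-01-15T10:22:31Z", "eventName": event_name,
            "userAgent": user_agent, "sourceIPAddress": "203.0.113.10",
            "userIdentity": identity,
            "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
        },
    }


class RecordingSns:
    """Stand-in for boto3's SNS client so the example runs without AWS access."""
    def __init__(self):
        self.calls = []

    def publish(self, **kwargs):
        self.calls.append(kwargs)
        print(f"SNS publish -> {kwargs['TopicArn']}\n{kwargs['Subject']}\n{kwargs['Message']}\n")


if __name__ == "__main__":
    client = RecordingSns()
    print(lambda_handler(sample_event("console.ec2.amazonaws.com"), sns_client=client))
    print(lambda_handler(sample_event("autoscaling.amazonaws.com", "autoscaling.amazonaws.com"), sns_client=client))
```

If the Lambda makes the ASG decision, the rule pattern can match every RunInstances call and leave the exclusion to the function; the warning line then surfaces launches that set a service user agent without actually coming from that service.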

Conclusion

With this setup, we get real-time visibility into EC2 instances that are created manually, while avoiding noise from Auto Scaling events. This not only helps us enforce governance and security policies, but also ensures we can act quickly to prevent unnecessary costs from forgotten or unauthorized resources.

By combining CloudTrail, EventBridge, and Amazon SNS (or AWS Lambda for custom messages), we build a lightweight yet powerful guardrail that keeps your AWS environment clean, secure, and cost-efficient.

Meet the Author
  • rohit
    Senior DevOps Engineer

    Rohit is passionate about designing and implementing scalable, secure, and efficient DevOps solutions including automation pipelines, cloud architectures, and infrastructure as code.
