is it even possible to see who in your org created an ec2 instance
@sara I think there's some kind of audit log in IAM but I haven't looked for a long time
@sara If you have cloud trail monitoring enabled, you can trace it back to the STS assumtion role or credential id that created the instance which should narrow if not identify the source.
@chuck What am I looking at here? I've got the sts.amazonaws.com events pulled up but there's not really any human-readable info
@sara You'll need to trace it back to the instance id, there will be a creation event and the credential used to initiate that creation event.
@chuck only 90 days history :C
Everything is connected.