
This process describes how to find out who caused an alarm email sent to the owner of an AWS account. It is appropriate for investigating emails with the subject: ALARM: "Name" in US East (N. Virginia). (Note that the process for investigating emails with the subject "AWS Notification Message" is slightly different.)

  • From the alarm email, note the “Name” and “TimeStamp” of the alarm.

  • Log in to the console of the AWS account that received the alarm. ReadOnly privileges are sufficient.

  • Select the “CloudWatch” service.

  • From the panel on the left, select “Log groups” and select the “CloudTrail/YaleLogGroup” log group.

  • From the tabs in the center of the page, select “Metric filters”. Copy the “Filter pattern” for the alarm “Name” in the email. 

  • From the tabs in the center of the page, select “Log streams” and select the log stream that includes the “TimeStamp” of the alarm in the email.

  • Paste the “Filter pattern” for the alarm in the search box, and select a date range to limit the output. 

  • Select an event and expand it. In the “userIdentity” block at the top, look at the “principalId” to see who caused the alarm.
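The same lookup can be scripted. The following is an added example, not part of the original procedure: it reads the alarm's filter pattern, searches the log group around the alarm “TimeStamp”, and lists the “principalId” of each matching event. It assumes the metric filter has the same name as the alarm and that the TimeStamp is supplied as a UTC datetime; `who_caused_alarm`, the 15-minute window, the sample time and `ExampleAlarmName` are illustrative. It searches every stream in the log group rather than one selected stream.

```python
import json
from datetime import datetime, timedelta, timezone

LOG_GROUP = "CloudTrail/YaleLogGroup"  # log group named in the procedure above


def who_caused_alarm(logs, alarm_name, alarm_time, window_minutes=15):
    """Return (eventTime, eventName, principalId) for events matching the alarm's filter."""
    # Assumption: the metric filter is named after the alarm "Name" in the email.
    filters = logs.describe_metric_filters(
        logGroupName=LOG_GROUP, filterNamePrefix=alarm_name
    )["metricFilters"]
    pattern = next(
        (f["filterPattern"] for f in filters if f["filterName"] == alarm_name), None
    )
    if pattern is None:
        raise LookupError(f"no metric filter named {alarm_name!r} in {LOG_GROUP}")
    # Limit the search to a window around the alarm TimeStamp (epoch milliseconds).
    span = timedelta(minutes=window_minutes)
    kwargs = {
        "logGroupName": LOG_GROUP,
        "filterPattern": pattern,
        "startTime": int((alarm_time - span).timestamp() * 1000),
        "endTime": int((alarm_time + span).timestamp() * 1000),
    }
    found = []
    while True:
        page = logs.filter_log_events(**kwargs)
        for event in page["events"]:
            record = json.loads(event["message"])  # one CloudTrail record per log event
            identity = record.get("userIdentity", {})
            found.append((record.get("eventTime"), record.get("eventName"),
                          identity.get("principalId", "<no principalId>")))
        if not page.get("nextToken"):
            return found
        kwargs["nextToken"] = page["nextToken"]  # fetch the next page of results


if __name__ == "__main__":
    import boto3  # needs read-only credentials for the account that received the alarm

    alarm_time = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed TimeStamp
    client = boto3.client("logs", region_name="us-east-1")  # US East (N. Virginia)
    for row in who_caused_alarm(client, "ExampleAlarmName", alarm_time):  # placeholder name
        print(*row, sep="\t")
```

Events that carry no “principalId” in their “userIdentity” block are listed with a placeholder so they still show up for review.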
