Enable CloudWatch Logging for AWS SSM Session Manager

Joshua Welbeck
2 min read

Introduction

AWS Systems Manager (SSM) Session Manager provides secure access to EC2 instances, but logging session activity is crucial for auditing and compliance. By enabling CloudWatch logging, you can track who accessed instances, what commands were run, and store logs securely.

Step 1: Create a CloudWatch Log Group

  1. Navigate to AWS CloudWatch Console → Logs → Log groups.
  2. Click Create log group.
  3. Enter a Log Group Name (e.g., /aws/ssm/session-logs).
  4. Choose an appropriate Retention period.
  5. Click Create.

Step 2: Update IAM Role to Allow Logging

The IAM role attached to EC2 instances must have permission to write to CloudWatch Logs.

  1. Go to AWS IAM Console → Roles.
  2. Find and select the EC2SSMRole role used for SSM.
  3. Click Attach Policies → Search for CloudWatchLogsFullAccess (or create a custom policy if needed).
  4. Click Attach policy.

Step 3: Enable Session Logging in SSM

  1. Go to AWS Systems Manager Console → Session Manager.
  2. Click Preferences.
  3. Click Edit and enable Session logging.
  4. Select CloudWatch Logs.
  5. Choose the Log group created in Step 1 (/aws/ssm/session-logs).
  6. Click Save.

Step 4: Start a Session and Verify Logging

  1. Open a new SSM session:
    aws ssm start-session --target <INSTANCE_ID>
  2. Run some commands inside the session.
  3. Check the CloudWatch Logs Console → Navigate to /aws/ssm/session-logs to see logs.
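The same four steps as a script, added here as an example and not part of the original post: it creates the log group, attaches a scoped-down inline policy (used instead of the CloudWatchLogsFullAccess managed policy from Step 2, limited to what the SSM agent needs for streaming), writes the Session Manager preferences document, and lists the newest log streams for the Step 4 check. The retention period, region and the placeholder account id are assumptions; the log group and role names are the ones from the post.

```shell
# Added example, not from the post: Steps 1-3 via the AWS CLI, then the Step 4 check.
# Pass "apply" to make changes; with no argument only the JSON documents are generated.
set -eu

LOG_GROUP="${LOG_GROUP:-/aws/ssm/session-logs}"   # name from the post
ROLE_NAME="${ROLE_NAME:-EC2SSMRole}"               # role name from the post
RETENTION_DAYS="${RETENTION_DAYS:-90}"             # assumed value; pick per your policy
REGION="${AWS_REGION:-us-east-1}"                  # assumed region
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"           # placeholder, replaced in apply()

# Scoped-down inline policy used here instead of CloudWatchLogsFullAccess: only what
# the SSM agent needs to stream session output into this one log group.
logging_policy_json() {
  cat <<EOF
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:${REGION}:${ACCOUNT_ID}:log-group:${LOG_GROUP}:*" },
  { "Effect": "Allow", "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams"],
    "Resource": "*" } ] }
EOF
}

# Session Manager preferences live in the SSM-SessionManagerRunShell document.
# cloudWatchEncryptionEnabled=true requires a KMS-encrypted log group; the post's is not.
session_prefs_json() {
  cat <<EOF
{ "schemaVersion": "1.0", "sessionType": "Standard_Stream",
  "description": "Stream Session Manager sessions to CloudWatch Logs",
  "inputs": { "cloudWatchLogGroupName": "${LOG_GROUP}",
              "cloudWatchEncryptionEnabled": false, "cloudWatchStreamingEnabled": true } }
EOF
}

apply() {
  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  aws logs create-log-group --log-group-name "$LOG_GROUP"   # Step 1
  aws logs put-retention-policy --log-group-name "$LOG_GROUP" --retention-in-days "$RETENTION_DAYS"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name SSMSessionCloudWatchLogs \
    --policy-document "$(logging_policy_json)"   # Step 2
  # Step 3: the preferences document must be created once, then updated in place
  if aws ssm describe-document --name SSM-SessionManagerRunShell >/dev/null 2>&1; then
    aws ssm update-document --name SSM-SessionManagerRunShell --document-version '$LATEST' \
      --content "$(session_prefs_json)"
  else
    aws ssm create-document --name SSM-SessionManagerRunShell --document-type Session \
      --content "$(session_prefs_json)"
  fi
  # Step 4 check: each session writes one stream, named after its session id
  aws logs describe-log-streams --log-group-name "$LOG_GROUP" --order-by LastEventTime --descending
}
if [ "${1:-}" = "apply" ]; then apply; fi
```

After `apply`, open a session as in Step 4 and rerun the final `describe-log-streams` call to confirm a new stream appears for that session id.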

Conclusion

  • Enhanced security and auditing with detailed session logs.
  • Easy tracking of user actions for compliance and troubleshooting.
  • Seamless integration with CloudWatch for centralized logging.

Now your SSM sessions are fully logged and auditable! 🚀
