Enable CloudWatch Logging for AWS SSM Session Manager


Introduction
AWS Systems Manager (SSM) Session Manager provides shell access to EC2 instances without opening inbound ports or managing SSH keys, but logging session activity is crucial for auditing and compliance. By streaming session logs to CloudWatch Logs, you get a transcript of each session (who opened it, what was typed and what came back) stored off the instance in a central place.
Step 1: Create a CloudWatch Log Group
- Navigate to AWS CloudWatch Console → Click Logs → Log groups.
- Click Create log group.
- Enter a Log Group Name (e.g., /aws/ssm/session-logs).
- Choose an appropriate Retention period. The default is Never expire; session transcripts are audit evidence, so pick a value that matches your retention requirement rather than leaving it unset by accident.
- Click Create.
Step 2: Update IAM Role to Allow Logging
The transcript is written by the SSM Agent running on the instance, using the credentials of the instance profile, so the IAM role attached to the EC2 instances must have permission to write to CloudWatch Logs.
- Go to AWS IAM Console → Roles.
- Find and select the EC2SSMRole role used for SSM.
- Click Attach Policies → Search for CloudWatchLogsFullAccess (or create a custom policy if needed).
- Click Attach policy.
CloudWatchLogsFullAccess works, but it grants far more than this needs, including deleting log groups and changing retention, and anyone who gets root on the instance can use the instance role's credentials. Prefer a custom policy that allows only logs:DescribeLogGroups, plus logs:CreateLogStream, logs:DescribeLogStreams and logs:PutLogEvents scoped to the ARN of the log group from Step 1.
Step 3: Enable Session Logging in SSM
- Go to AWS Systems Manager Console → Session Manager.
- Click Preferences.
- Click Edit and enable Session logging.
- Select CloudWatch Logs.
- Choose the Log group created in Step 1 (/aws/ssm/session-logs).
- Click Save.
Session Manager preferences are stored per region, so repeat this in every region where you run sessions. If you also turn on the option that requires the log group to be encrypted, the group must have a KMS key attached, otherwise sessions will fail to start.
Step 4: Start a Session and Verify Logging
- Open a new SSM session (this needs the Session Manager plugin installed alongside the AWS CLI):
```bash
aws ssm start-session --target <INSTANCE_ID>
```
- Run some commands inside the session, then exit it.
- Check the CloudWatch Logs Console → Navigate to /aws/ssm/session-logs to see logs. Each session gets its own log stream, named after the session ID, containing the terminal input and output of that session.
Only interactive shell sessions produce a transcript; port-forwarding sessions are not logged this way, although the StartSession API call for every session is still recorded in CloudTrail.
Conclusion
- Enhanced security and auditing with detailed session logs.
- Easy tracking of user actions for compliance and troubleshooting.
- Seamless integration with CloudWatch for centralized logging.
Now your interactive SSM sessions are logged and auditable! 🚀
Written by Joshua Welbeck