Store AWS SSM Session Logs in S3 for Long-Term Retention

Joshua Welbeck

Introduction

By default, AWS SSM Session Manager does not record the contents of a session at all: once a session ends, the commands that were typed and their output are gone, and only the fact that a session took place (who connected to which instance, and when) shows up in the session history. Session Manager can send session data to CloudWatch Logs, which is the right destination for real-time monitoring and alerting, or to S3, which is the cheaper choice for long-term retention and gives you a bucket you can lock down for security audits and compliance.

This guide covers:
✅ Creating an S3 bucket for SSM logs
✅ Enabling SSM session logging to S3
✅ Verifying logs are saved in S3

Step 1: Create an S3 Bucket for Logging

  1. Navigate to AWS S3 Console → Click Create bucket.
  2. Enter a unique bucket name (e.g., ssm-session-logs-123).
  3. Choose the AWS region where your EC2 instances run.
  4. Under Block Public Access settings, leave all four settings enabled. Session logs contain everything that was typed and printed in the shell, which frequently includes credentials and other secrets.
  5. Under Default encryption, keep server-side encryption enabled (SSE-S3, or SSE-KMS with a key you control). Session Manager can be told to refuse unencrypted buckets, and SSM Agent checks this setting before it uploads a log.
  6. Click Create bucket.

Step 2: Attach IAM Permissions for S3 Logging

The log is uploaded by SSM Agent running on the instance, so it is the EC2 instance profile (not the Systems Manager service) that needs permission to write to the bucket. Grant only what the agent needs.

  1. Go to the AWS IAM Console → Click Roles.
  2. Select the IAM role attached to your EC2 instance (e.g., SSMLoggingRole).
  3. Click Add permissions → Create inline policy, and allow exactly two actions: s3:PutObject on arn:aws:s3:::<your-bucket>/<prefix>/* and s3:GetEncryptionConfiguration on arn:aws:s3:::<your-bucket>. If the bucket uses SSE-KMS, also allow kms:GenerateDataKey on that key.
  4. Name the policy and click Create policy.

Do not attach AmazonS3FullAccess here. That managed policy grants s3:* on every bucket in the account, so anyone who gets a shell on the instance (including through Session Manager itself) could read, overwrite or delete the session logs and any other data in S3, which defeats the point of keeping an audit trail.

Step 3: Enable SSM Logging to S3

  1. Navigate to AWS Systems Manager Console → Click Session Manager.
  2. In the left panel, click Preferences.
  3. Click Edit and configure:
    • Enable S3 Logging → Select your S3 bucket from Step 1 and give it a key prefix (e.g., sessions) so session logs do not mix with other objects in the bucket.
    • Leave the option that allows only encrypted S3 buckets enabled; the agent then refuses to write to a bucket whose default encryption has been switched off.
  4. Click Save.

Preferences are per region and are stored as a Session document named SSM-SessionManagerRunShell, so repeat this (or update that document from the CLI) in every region where you run instances.

Step 4: Verify Logs in S3

  1. Start an SSM session:
    aws ssm start-session --target <INSTANCE_ID>
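The following Python script is an added example, not code from the original post: it turns Steps 1 to 4 into reviewable artifacts. It builds the least-privilege inline policy for the instance role, a bucket policy that forces TLS and stops anyone but one admin role from deleting logs, and the regional SSM-SessionManagerRunShell preferences document; it lints policies for the wildcard shape of AmazonS3FullAccess; and it checks that a finished session's log object (`<prefix>/<session-id>.log`, written when the session ends, not while it runs) has arrived in the bucket. The bucket name and role name are the post's examples; the `sessions` prefix, the account ID and the SecurityAdmin role ARN are placeholders chosen for this example. Applying the artifacts needs boto3 and credentials; everything else runs offline.

```python
import json

BUCKET = "ssm-session-logs-123"   # the post's example bucket name
PREFIX = "sessions"               # assumed key prefix for this example
ROLE_NAME = "SSMLoggingRole"      # the post's example instance role
# Constructed placeholder for the only principal allowed to delete logs.
ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/SecurityAdmin"


def instance_role_policy(bucket, prefix):
    """Inline policy for the instance profile. SSM Agent does the upload, so
    it needs PutObject on the log prefix plus GetEncryptionConfiguration on
    the bucket (checked before upload when only encrypted buckets are allowed).
    No Get/List/Delete: a shell on the instance must not be able to read or
    erase the audit trail. With SSE-KMS, also allow kms:GenerateDataKey."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "WriteSessionLogs", "Effect": "Allow",
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
            {"Sid": "CheckBucketEncryption", "Effect": "Allow",
             "Action": "s3:GetEncryptionConfiguration",
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def bucket_policy(bucket, admin_role_arn):
    """Bucket policy: refuse plaintext HTTP, and deny object deletion to every
    principal except the (assumed) admin role, so log writers cannot remove logs."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RequireTLS", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "NoDeleteExceptAdmin", "Effect": "Deny", "Principal": "*",
             "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
             "Resource": objects,
             "Condition": {"ArnNotEquals": {"aws:PrincipalArn": admin_role_arn}}},
        ],
    }


def session_preferences(bucket, prefix):
    """Content of the regional SSM-SessionManagerRunShell Session document,
    which is what the console's Preferences page edits."""
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager preferences: log sessions to S3",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": bucket, "s3KeyPrefix": prefix,
            "s3EncryptionEnabled": True,   # refuse unencrypted buckets
            "cloudWatchLogGroupName": "", "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": False, "kmsKeyId": "",
            "runAsEnabled": False, "runAsDefaultUser": "",
            "idleSessionTimeout": "20",
            "shellProfile": {"windows": "", "linux": ""},
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Flag Allow statements with wildcard actions or resources, i.e. the
    AmazonS3FullAccess shape (s3:* on *). Returns a list of findings."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", []))):
            findings.append(f"{sid}: wildcard action")
        if any(r == "*" for r in _as_list(st.get("Resource", []))):
            findings.append(f"{sid}: wildcard resource")
    return findings


def log_key(prefix, session_id):
    """One object per finished session: <prefix>/<session-id>.log"""
    return f"{prefix}/{session_id}.log"


def session_log_exists(s3, bucket, prefix, session_id):
    """True once the session's log object is present. Takes a boto3 S3 client
    or anything exposing list_objects_v2(Bucket=, Prefix=)."""
    key = log_key(prefix, session_id)
    resp = s3.list_objects_v2(Bucket=bucket, Prefix=key)
    return any(obj["Key"] == key for obj in resp.get("Contents", []))


class StubS3:
    """Constructed offline stand-in for an S3 client holding a set of keys."""
    def __init__(self, keys):
        self.keys = set(keys)

    def list_objects_v2(self, Bucket, Prefix):
        hits = [{"Key": k} for k in self.keys if k.startswith(Prefix)]
        return {"Contents": hits} if hits else {}


if __name__ == "__main__":
    import boto3  # needed only to apply the artifacts to a real account
    iam, s3, ssm = boto3.client("iam"), boto3.client("s3"), boto3.client("ssm")
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="SSMSessionLogsToS3",
                        PolicyDocument=json.dumps(instance_role_policy(BUCKET, PREFIX)))
    s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(bucket_policy(BUCKET, ADMIN_ROLE_ARN)))
    ssm.update_document(Name="SSM-SessionManagerRunShell", DocumentVersion="$LATEST",
                        Content=json.dumps(session_preferences(BUCKET, PREFIX)))
```

If preferences have never been saved in a region, the SSM-SessionManagerRunShell document does not exist yet and `update_document` fails; use `create_document` with `DocumentType="Session"` in that case. To verify a session, end it, take the session ID printed by `aws ssm start-session`, and call `session_log_exists` with a real `boto3.client("s3")`; the `StubS3` class exists only so the check can be exercised without AWS access.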
    