Enable S3 Logging to log session activity of SSM sessions
This runbook configures AWS Systems Manager (SSM) Session Manager to capture the session activity of instances and store it directly in an S3 bucket. With S3 logging enabled, every command executed during an SSM session, together with its output, is recorded. This improves security and auditability by providing a complete record of the operations performed through SSM sessions, so that system management tasks remain transparent and traceable.
1. Prerequisites of using an SSM session

Before using AWS Systems Manager (SSM) sessions, certain prerequisites must be met: the target EC2 instances must have the SSM Agent installed and running, and must be associated with an IAM role that grants session permissions. It is also necessary to verify that the required AWS services, such as Amazon EC2 and Systems Manager, are reachable and correctly configured. Meeting these prerequisites ensures that sessions can be started and managed through SSM for secure and efficient remote instance management.
1.1 Verify the target EC2 instances have the SSM Agent installed and running

The SSM Agent is the software component that lets an instance communicate with AWS Systems Manager services. Confirm it is installed on the target EC2 instances by checking whether the amazon-ssm-agent service is running. The unit name below is the one used when the agent is installed as a snap package (as on Ubuntu images):

sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service
1.2 Verify the IAM role has the correct permissions

For an EC2 instance to interact with AWS Systems Manager and establish an SSM session, it must be associated with an IAM role that has the required Systems Manager permissions: the AmazonSSMManagedInstanceCore policy, plus any other policy needed by the features in use, such as the S3FullAccess policy used here to enable S3 logging. For the logging step itself, only write access to the logging bucket is required, so a policy scoped to that bucket is preferable to full S3 access. With the role correctly configured, the instance integrates with Systems Manager for tasks such as patch management, state management, and remote session operations.
2. Enable S3 logging by updating the SSM document

Session Manager keeps its regional preferences, including S3 logging, in the SSM document SSM-SessionManagerRunShell. The following steps write the desired settings to a local JSON file and then update the document with that content.
2.1 Store the content of the SSM-SessionManagerRunShell.json file

Write the document content to SessionManagerRunShell.json. Replace <bucket_name> with the name of the S3 bucket that will receive the session logs; the value must be a quoted JSON string, otherwise the document is rejected as invalid JSON.

cat > SessionManagerRunShell.json <<'EOF'
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "<bucket_name>",
    "s3KeyPrefix": "",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": false,
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "idleSessionTimeout": "",
    "maxSessionDuration": "",
    "shellProfile": {
      "windows": "date",
      "linux": "pwd;ls"
    }
  }
}
EOF
2.2 Update the SSM document to enable S3 logging

Read the file into a shell variable and update the SSM-SessionManagerRunShell document with it. The two commands must be run as separate statements: if the assignment is placed on the same line as the aws command, "$file_content" is expanded before the assignment takes effect and an empty --content value is sent. Passing $LATEST as the document version updates the current latest version of the document.

file_content=$(cat SessionManagerRunShell.json)
aws ssm update-document --name "SSM-SessionManagerRunShell" --content "$file_content" --document-version "\$LATEST"
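As an added example that is not part of the runbook, the Python helper below builds the same preferences document, audits the Content field returned by aws ssm get-document to confirm S3 logging is actually enabled and encrypted, and can push the document with boto3 (the same operation as the aws ssm update-document call above). The bucket name and the UNLOGGED_CONTENT sample are constructed values.

```python
"""Build, audit and push the Session Manager preferences document (SSM-SessionManagerRunShell)."""
import json

DOC_NAME = "SSM-SessionManagerRunShell"

def build_session_preferences(bucket_name, key_prefix="", kms_key_id=""):
    """Return the document content as a dict, mirroring the runbook's JSON."""
    if not bucket_name:
        raise ValueError("s3BucketName must be a non-empty bucket name")
    return {
        "schemaVersion": "1.0",
        "description": "Document to hold regional settings for Session Manager",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": bucket_name,
            "s3KeyPrefix": key_prefix,
            "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": "",
            "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": False,
            "kmsKeyId": kms_key_id,
            "runAsEnabled": False,
            "runAsDefaultUser": "",
            "idleSessionTimeout": "",
            "maxSessionDuration": "",
            "shellProfile": {"windows": "date", "linux": "pwd;ls"},
        },
    }

def audit_s3_logging(content):
    """Audit document content (JSON string from `aws ssm get-document`, or a dict); empty list = OK."""
    doc = json.loads(content) if isinstance(content, str) else content
    inputs = doc.get("inputs", {})
    findings = []
    if not inputs.get("s3BucketName"):
        findings.append("s3BucketName is empty: sessions are not logged to S3")
    if not inputs.get("s3EncryptionEnabled", False):
        findings.append("s3EncryptionEnabled is false: logs are written unencrypted")
    return findings

def update_session_preferences(doc, region_name=None):
    """Push the document; needs boto3 and AWS credentials, so the import stays local."""
    import boto3
    ssm = boto3.client("ssm", region_name=region_name)
    return ssm.update_document(Name=DOC_NAME, Content=json.dumps(doc), DocumentVersion="$LATEST")

# Constructed sample: a preferences document with S3 logging switched off.
UNLOGGED_CONTENT = '{"schemaVersion": "1.0", "inputs": {"s3BucketName": "", "s3EncryptionEnabled": false}}'
```

Running audit_s3_logging on the live document's Content is a quick post-change check that the update took effect in the intended region.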