
Enable S3 Logging to log session activity of SSM sessions


This runbook configures AWS Systems Manager Session Manager to write a transcript of each session on your instances to an S3 bucket. With S3 logging enabled, the commands typed in a session and their output are recorded, and Session Manager uploads the transcript to the bucket when the session ends (continuous streaming while a session is open is only available with the CloudWatch Logs option). The result is an auditable record of what was done in every interactive session, which supports incident investigation and accountability for privileged access to instances.

  1. Prerequisites of using an SSM session

    Before starting Session Manager sessions, each target EC2 instance needs the SSM Agent installed and running, an instance profile (IAM role) that grants the Systems Manager permissions, and network reachability from the instance to the Systems Manager endpoints (ssm, ssmmessages and ec2messages), either over the internet or through VPC interface endpoints. Because the agent on the instance is what uploads the session log, the instance must also be able to reach S3 and its role must be allowed to write to the log bucket. The two checks below cover the agent and the IAM role.

    1.1 Verify the target EC2 instances have the SSM Agent installed and running

      The SSM Agent is the component on the instance that talks to Systems Manager; without it no session can be opened. Check that the agent service is active. On Ubuntu, where the agent ships as a snap, the unit has the name used below; on Amazon Linux, RHEL and other distributions that install the agent as a package, the unit is simply amazon-ssm-agent, so substitute that name in the same command. From the operator side, a correctly registered instance is listed as a managed node with PingStatus Online (aws ssm describe-instance-information or Fleet Manager in the console).

      sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service
    1.2 Verify the IAM role has the correct permissions

      An instance can only register with Systems Manager and accept sessions if its instance profile grants the Systems Manager permissions; the AWS managed policy AmazonSSMManagedInstanceCore covers the agent's own calls. For S3 logging the same role must additionally be allowed to write to the log bucket: s3:PutObject on the bucket (or on the key prefix you configure) and, when s3EncryptionEnabled is true, s3:GetEncryptionConfiguration on the bucket. Scope these to the one log bucket rather than attaching AmazonS3FullAccess: a blanket S3 policy would let anyone who gains code execution on the instance read, overwrite or delete objects in every bucket in the account, including the session logs themselves. The bucket policy (and, for a KMS-encrypted bucket, the key policy) must also permit the role to write, and the users who open sessions need ssm:StartSession, not S3 access; only auditors should be able to read the logs.
  2. Enable S3 logging by updating the Session Manager preferences document

    Session Manager preferences are stored per region in a Systems Manager document named SSM-SessionManagerRunShell. Enabling S3 logging means writing a version of this document whose inputs name the log bucket and then publishing it. The document only exists once preferences have been set in that region; if aws ssm describe-document reports that it does not exist, create it with aws ssm create-document (document type Session) instead of updating it.
    2.1 Store the content of the SSM-SessionManagerRunShell.json file

      Write the preferences document to a local file, replacing <bucket_name> with the name of the log bucket. The bucket name must be a JSON string, so keep the quotes around it (the unquoted form is invalid JSON and the update will be rejected). An optional s3KeyPrefix places the logs under a folder in the bucket, and s3EncryptionEnabled: true requires the bucket to have encryption configured. The shellProfile commands run at the start of every session; keep them minimal or empty.

      cat > SessionManagerRunShell.json <<'EOF'
      {
        "schemaVersion": "1.0",
        "description": "Document to hold regional settings for Session Manager",
        "sessionType": "Standard_Stream",
        "inputs": {
          "s3BucketName": "<bucket_name>", "s3KeyPrefix": "", "s3EncryptionEnabled": true,
          "cloudWatchLogGroupName": "", "cloudWatchEncryptionEnabled": true, "cloudWatchStreamingEnabled": false,
          "kmsKeyId": "", "runAsEnabled": false, "runAsDefaultUser": "",
          "idleSessionTimeout": "", "maxSessionDuration": "",
          "shellProfile": { "windows": "date", "linux": "pwd;ls" }
        }
      }
      EOF
    2.2 Update the SSM document to enable S3 logging

      Publish the file as a new version of the preferences document. Read the file into a variable on its own line; writing the assignment and the aws call on one line (file_content=$(...) aws ssm ...) passes an empty --content, because the shell expands "$file_content" before the temporary assignment takes effect.

      file_content=$(cat SessionManagerRunShell.json)
      aws ssm update-document --name "SSM-SessionManagerRunShell" --content "$file_content" --document-version "\$LATEST"

      update-document rejects content identical to the latest version (DuplicateDocumentContent), so an unchanged file shows up as an error rather than being silently ignored. To confirm the change, read the document back with aws ssm get-document and check that s3BucketName is set to your bucket, then open a session, exit it, and verify that an object named <session-id>.log appears in the bucket (under the prefix, if one was configured). If no object appears, check the instance role's s3:PutObject permission and the instance's network path to S3 first.
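The procedure from steps 2.1 and 2.2, together with the scoped instance-role policy described in step 1.2, as one script. This is an added example and not part of the original runbook: the bucket name my-ssm-logs, the prefix sessions/, the output file name and the function names are placeholders assumed here, and the shell profile is left empty rather than using the page's pwd;ls. The two build_ functions run offline; apply_session_prefs needs the AWS CLI with credentials for the target region, creates the preferences document when it is missing and otherwise publishes a new version, then reads it back to confirm the bucket name landed.

```shell
#!/usr/bin/env bash
# Added example (not from the original runbook). Bucket, prefix, file and
# function names are placeholders assumed for illustration.
set -eu

# Print the SSM-SessionManagerRunShell content for a bucket and optional key
# prefix. The bucket name is emitted as a quoted JSON string; the shell profile
# is empty because anything placed there runs at the start of every session.
build_session_prefs() {
  local bucket="$1" prefix="${2:-}"
  cat <<EOF
{
  "schemaVersion": "1.0",
  "description": "Document to hold regional settings for Session Manager",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "${bucket}",
    "s3KeyPrefix": "${prefix}",
    "s3EncryptionEnabled": true,
    "cloudWatchLogGroupName": "",
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": false,
    "kmsKeyId": "",
    "runAsEnabled": false,
    "runAsDefaultUser": "",
    "idleSessionTimeout": "",
    "maxSessionDuration": "",
    "shellProfile": { "windows": "", "linux": "" }
  }
}
EOF
}

# Print an IAM policy for the instance profile that allows only what S3 logging
# needs: writing objects under the prefix and reading the bucket's encryption
# configuration (required because s3EncryptionEnabled is true). Attach this
# instead of AmazonS3FullAccess.
build_instance_log_policy() {
  local bucket="$1" prefix="${2:-}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/${prefix}*" },
    { "Effect": "Allow", "Action": "s3:GetEncryptionConfiguration",
      "Resource": "arn:aws:s3:::${bucket}" }
  ]
}
EOF
}

# Create the preferences document if it does not exist yet, otherwise publish a
# new version; then read it back and confirm the bucket name is present.
# Needs the AWS CLI and credentials for the target region.
apply_session_prefs() {
  local bucket="$1" prefix="${2:-}" file="SessionManagerRunShell.json" content
  build_session_prefs "$bucket" "$prefix" > "$file"
  if aws ssm describe-document --name SSM-SessionManagerRunShell >/dev/null 2>&1; then
    aws ssm update-document --name SSM-SessionManagerRunShell \
      --content "file://${file}" --document-version '$LATEST' >/dev/null
  else
    aws ssm create-document --name SSM-SessionManagerRunShell \
      --content "file://${file}" --document-type Session --document-format JSON >/dev/null
  fi
  content=$(aws ssm get-document --name SSM-SessionManagerRunShell \
    --query Content --output text)
  printf '%s\n' "$content" | grep -q "\"s3BucketName\": *\"${bucket}\"" \
    || { echo "published document does not name bucket ${bucket}" >&2; return 1; }
}

# Usage: ./enable_s3_logging.sh apply my-ssm-logs sessions/
if [ "${1:-}" = "apply" ]; then
  apply_session_prefs "$2" "${3:-}"
fi
```

The describe-document check is what decides between create-document and update-document, so the same script works in a region where preferences have never been set. Save the output of build_instance_log_policy to a file and attach it to the instance role as an inline or customer-managed policy; the resource ARNs pin it to the one log bucket.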