Unable to output Session Manager logs to CloudWatch Logs using a CloudWatch Logs resource policy


I am trying to output Session Manager logs to CloudWatch Logs using a resource policy (not using IAM). However, I am unable to see any session logs in my log group's streams. Below are the configurations I have made.

Session Manager:

  1. CloudWatch logging is enabled for sending session logs to CloudWatch.
  2. The logging option is set to stream session logs.
  3. The CloudWatch log group is set to 'session-manager'.
  4. Enforce CloudWatch log encryption is set to 'No'.

CloudWatch Logs:

  1. In the log group details for 'session-manager', I have not set any KMS key ID or data protection, and the retention is set to 'Never expire'.

EC2 instance:

  1. My instance has the 'AmazonSSMRoleForInstancesQuickStep' role with the 'AmazonSSMManagedInstanceCore' policy.

Steps I have taken:

  1. I used CloudShell and executed the following commands.

     To put the resource policy:

     ```
     aws logs put-resource-policy --policy-name AllowSessionManagerLogsToCloudWatch --policy-document file://ssmpolicy.json
     ```

     To confirm that the policy has been created (only the 'AllowSessionManagerLogsToCloudWatch' policy exists):

     ```
     aws logs describe-resource-policies --region ap-northeast-1
     ```

  2. I connected to the EC2 instance using Session Manager, executed a few commands, and terminated the session. Since I have also enabled S3 logging, the logs are successfully delivered to the specified S3 bucket. However, there are no output logs in the CloudWatch log group.

The policy I am using is as follows (the contents of the Service, Action and Resource lists did not survive in the post and are shown as `...`). In the policy, I also tried including "ec2.amazonaws.com" and "delivery.logs.amazonaws.com".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite20150319",
      "Effect": "Allow",
      "Principal": {
        "Service": [ ... ]
      },
      "Action": [ ... ],
      "Resource": [ ... ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:ap-northeast-1:0123456789:*"]
        }
      }
    }
  ]
}
```

If I set the following IAM policy on the EC2 IAM role, will I be able to output? (The Action and Resource lists did not survive in the post and are shown as `...`.)

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ ... ],
            "Resource": [ ... ]
        }
    ]
}
```

Resource-based policies define who is allowed to perform which actions, so wouldn't it be necessary to allow the ARN of the EC2 IAM role in "Principal"?

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::AWS-account-ID:role/ec2-role-name"
            },
            "Action": [ ... ],
            "Resource": [ ... ],
            "Condition": {
              "StringEquals": {
                "aws:SourceAccount": ["0123456789"]
              },
              "ArnLike": {
                "aws:SourceArn": ["arn:aws:ap-northeast-1:0123456789:*"]
              }
            }
        }
    ]
}
```
Answered 6 months ago
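To make the point in the answer concrete (who a resource-based policy actually authorizes), here is a small Python matcher written for this page; it is example code, not AWS's policy evaluation engine and not anything posted in the thread. It models only the Principal, Action and Resource elements of Allow statements and deliberately ignores Condition blocks, Deny statements and NotPrincipal/NotAction. The account ID, role name, log group ARN and both sample policies are constructed values; the `logs:` action names are the real CloudWatch Logs API actions. Run against a write signed with the instance role's credentials (which is how SSM Agent on the instance calls CloudWatch Logs), a statement whose Principal is only a service such as delivery.logs.amazonaws.com does not match, while a statement naming the role ARN does.

```python
"""Simplified resource-policy matcher, added as an illustration for this thread.

It models only the Principal, Action and Resource elements of Allow statements
and deliberately ignores Condition, NotPrincipal/NotAction and Deny handling,
so it is not a substitute for the IAM policy simulator or AWS's own evaluator.
All account IDs, role names and ARNs below are constructed sample values.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a single string or a list in most elements; normalize to a list."""
    return value if isinstance(value, list) else [value]


def principal_matches(principal, request):
    """Return True if the statement's Principal names the caller in `request`.

    request["principal_type"] is "AWS" (an IAM principal such as a role ARN)
    or "Service" (a service principal such as delivery.logs.amazonaws.com).
    """
    if principal == "*":
        return True
    candidates = _as_list(principal.get(request["principal_type"], []))
    return any(c == "*" or c == request["principal"] for c in candidates)


def _matches_any(patterns, value, case_insensitive=False):
    """IAM-style wildcard match ('*' and '?') of `value` against any pattern."""
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_allows(statement, request):
    """True if one Allow statement matches the caller, the action and the resource."""
    if statement.get("Effect") != "Allow":
        return False
    if not principal_matches(statement.get("Principal", {}), request):
        return False
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    if not _matches_any(_as_list(statement["Action"]), request["action"], case_insensitive=True):
        return False
    return _matches_any(_as_list(statement["Resource"]), request["resource"])


def policy_allows(policy, request):
    """True if any statement in the policy allows the request."""
    return any(statement_allows(s, request) for s in policy["Statement"])


# Constructed sample values (not real account IDs or ARNs).
ACCOUNT = "123456789012"
LOG_GROUP_ARN = f"arn:aws:logs:ap-northeast-1:{ACCOUNT}:log-group:session-manager:*"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AmazonSSMRoleForInstancesQuickStep"

# A resource policy whose Principal is a service, shaped like the one in the question.
SERVICE_PRINCIPAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSLogDeliveryWrite20150319",
        "Effect": "Allow",
        "Principal": {"Service": ["delivery.logs.amazonaws.com"]},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [LOG_GROUP_ARN],
    }],
}

# The same statement with the instance role ARN as Principal, as the answer suggests.
ROLE_PRINCIPAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": INSTANCE_ROLE_ARN},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [LOG_GROUP_ARN],
    }],
}

# A write from the instance: SSM Agent signs with the instance profile, so the
# caller the resource policy sees is the IAM role, not a service principal.
INSTANCE_ROLE_REQUEST = {
    "principal_type": "AWS",
    "principal": INSTANCE_ROLE_ARN,
    "action": "logs:PutLogEvents",
    "resource": f"arn:aws:logs:ap-northeast-1:{ACCOUNT}:log-group:session-manager:log-stream:i-0123456789abcdef0",
}

# A write by the log-delivery service principal, which the first policy is shaped for.
DELIVERY_SERVICE_REQUEST = {**INSTANCE_ROLE_REQUEST,
                            "principal_type": "Service",
                            "principal": "delivery.logs.amazonaws.com"}


def main():
    for name, policy in [("service principal", SERVICE_PRINCIPAL_POLICY),
                         ("role principal", ROLE_PRINCIPAL_POLICY)]:
        print(f"{name:17}: instance-role write allowed = {policy_allows(policy, INSTANCE_ROLE_REQUEST)}, "
              f"delivery-service write allowed = {policy_allows(policy, DELIVERY_SERVICE_REQUEST)}")


if __name__ == "__main__":
    main()
```

The matcher is only meant to show which principal each statement is addressed to. The check a practitioner would make on the real account is to confirm what identity the writer actually uses (for Session Manager streaming that is the instance profile role on the EC2 instance) and to read SSM Agent's own log on the instance (on Linux, by default `/var/log/amazon/ssm/amazon-ssm-agent.log`) for the error CloudWatch Logs returned on `CreateLogStream` or `PutLogEvents`, which tells you whether the deny comes from the role's identity policy or from the resource side.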
Hi,

Yes, you will be able to output the logs if you attach that policy to the EC2 IAM role. However, in my case, I am trying to output Session Manager logs by enabling logging from SSM directly, without using an IAM policy.

I assume the policy you are referring to is an IAM policy and not a CloudWatch Logs resource policy.
