How do I troubleshoot Session Manager logging to Amazon S3 or CloudWatch?

2 minute read
0

I want to know why I don't see logs in Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch when working with Session Manager, a capability of AWS Systems Manager.

Short description

The following are the most common reasons that Session Manager isn't sending logs to Amazon S3 or CloudWatch:

  • Misconfigured Session Manager logging
  • Incorrect Amazon S3 bucket permissions and AWS Identity and Access Management (IAM) policy
  • Amazon Virtual Private Cloud (Amazon VPC) endpoint reachability issues

Prerequisites: 

Resolution

Misconfigured Session Manager logging

To activate logging session data, confirm that you configured Session Manager for Amazon S3 logging or CloudWatch logging.

Note: When you configure logging to CloudWatch, review the Session Manager preferences to verify that the CloudWatch option is selected and a log group is defined. Also, verify that the provided log group name is for an existing log group.

Incorrect Amazon S3 bucket permissions and IAM policy

For Systems Manager to perform actions on your instances, you must grant access through an IAM role. For more information, see Verify or create an IAM role with Session Manager permissions. To troubleshoot missing logs in Amazon S3, complete the following steps:

  • Check that the IAM policy is set for the correct Amazon S3 bucket ARN.
  • Check that the Amazon S3 bucket policy has access permissions to the resource.

Amazon VPC endpoint reachability issues

To see Session Manager logs, you must create an endpoint to Amazon S3 or CloudWatch.

Review the end-to-end networking, and check that the HTTPS permission is open for the following endpoints:

  • HTTPS://ec2.region-code.amazonaws.com
  • HTTPS://ec2messages.region-code.amazonaws.com
  • HTTPS://ssm.region-code.amazonaws.com
  • HTTPS://ssmmessages.region-code.amazonaws.com
  • HTTPS://s3.region-code.amazonaws.com
  • HTTPS://monitoring.region-code.amazonaws.com

For more information, see Connect to an endpoint service as the service consumer.

Additional troubleshooting

To perform additional troubleshooting for CloudWatch logs, view the AWS CloudTrail Event history based on action and timestamps. For more information, see CloudWatch Logs information in CloudTrail.

Related information

How do I troubleshoot issues with AWS Systems Manager Session Manager?

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago