I want to know why Session Manager, a capability of AWS Systems Manager, isn't sending logs to Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch Logs.
Short description
The following are reasons why Session Manager isn't sending logs to Amazon S3 or CloudWatch:
- Incorrectly configured Session Manager logging
- Incorrect S3 bucket permissions and AWS Identity and Access Management (IAM) policy
- Amazon Virtual Private Cloud (Amazon VPC) endpoint reachability issues
- IAM role missing required permissions for CloudWatch logging
Resolution
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Verify Session Manager logging configuration
To log session data, confirm that you configured the Session Manager preferences (set per AWS Region) to send logs to Amazon S3, CloudWatch Logs, or both.
When you use CloudWatch Logs, check the following:
- Review the Session Manager preferences to verify that you turned on CloudWatch Logs.
- Confirm that you specified a valid log group name (the name, not the log group ARN).
- Make sure that the specified log group exists in CloudWatch Logs in the same Region as the session.
- If you turned on Enforce encryption for CloudWatch Logs, make sure that the log group is encrypted with an AWS Key Management Service (AWS KMS) key. Otherwise, sessions fail to start.
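The following script is an added example (not part of the original article or of SSM Agent) that runs the preceding checks against the Region-level preferences document, SSM-SessionManagerRunShell. The sample document content and the log group names are constructed for the example; the main() function that reads the live document and log groups through boto3 assumes boto3 is installed and credentials are configured.

```python
import json

# Constructed sample: the content of the Region-level preferences document
# SSM-SessionManagerRunShell, in the shape `aws ssm get-document --name
# SSM-SessionManagerRunShell` returns it. Values are made up for this example.
SAMPLE_PREFERENCES = json.dumps({
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "",
        "s3KeyPrefix": "",
        "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "/aws/ssm/my-log-group",
        "cloudWatchEncryptionEnabled": True,
        "cloudWatchStreamingEnabled": True,
        "kmsKeyId": "",
        "runAsEnabled": False,
        "runAsDefaultUser": "",
        "idleSessionTimeout": "20",
        "maxSessionDuration": "",
        "shellProfile": {"windows": "", "linux": ""},
    },
})


def check_preferences(document_content, existing_log_groups, encrypted_log_groups):
    """Return a list of findings; an empty list means the logging preferences look sane.

    existing_log_groups: names of the log groups that exist in the Region.
    encrypted_log_groups: the subset of those that have a KMS key associated.
    """
    inputs = json.loads(document_content).get("inputs", {})
    bucket = inputs.get("s3BucketName") or ""
    group = inputs.get("cloudWatchLogGroupName") or ""
    findings = []

    if not bucket and not group:
        findings.append("neither an S3 bucket nor a CloudWatch log group is configured; "
                        "session logging is off in this Region")
    if group.startswith("arn:"):
        findings.append(f"cloudWatchLogGroupName must be a log group name, not an ARN: {group!r}")
    elif group and group not in existing_log_groups:
        findings.append(f"log group {group!r} does not exist in this Region")
    elif group and inputs.get("cloudWatchEncryptionEnabled") and group not in encrypted_log_groups:
        # Enforce encryption requires a KMS-encrypted log group, or sessions won't start.
        findings.append(f"Enforce encryption is on but {group!r} has no KMS key; "
                        "sessions will fail to start")
    if inputs.get("s3KeyPrefix") and not bucket:
        findings.append("s3KeyPrefix is set but s3BucketName is empty")
    return findings


def main():
    """Live check with boto3 (assumed installed and credentialed); not exercised offline."""
    import boto3  # imported here so the pure checks above work without it

    ssm = boto3.client("ssm")
    logs = boto3.client("logs")
    content = ssm.get_document(Name="SSM-SessionManagerRunShell")["Content"]
    groups = []
    for page in logs.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    existing = [g["logGroupName"] for g in groups]
    encrypted = [g["logGroupName"] for g in groups if g.get("kmsKeyId")]
    for finding in check_preferences(content, existing, encrypted) or ["preferences look OK"]:
        print(finding)


if __name__ == "__main__":
    main()
```

Run it with credentials for the account and Region whose sessions aren't being logged; a session only logs to the targets named in that Region's preferences, so check the Region where the instance lives.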
Check Amazon S3 bucket permissions and IAM policy
For Session Manager to upload logs to Amazon S3, the IAM role (instance profile) that you associated with the instance must have the required permissions, and nothing in the bucket policy may deny them.
To troubleshoot missing logs in Amazon S3, take the following actions:
- Check that the Amazon Elastic Compute Cloud (Amazon EC2) instance profile role allows s3:PutObject on the bucket ARN with the configured prefix (for example, arn:aws:s3:::amzn-s3-demo-bucket/prefix/*) and s3:GetEncryptionConfiguration on the bucket ARN itself. Session Manager reads the bucket's encryption configuration before it uploads.
- Check the S3 bucket policy. A bucket in the same account needs no bucket policy unless an existing one denies the role. A bucket in another account must explicitly allow the instance profile role as Principal for the required S3 actions.
- If the bucket uses SSE-KMS, grant the instance profile role kms:GenerateDataKey on that key, and make sure that the key policy allows the role to use it.
Verify Amazon VPC endpoint reachability
If your Amazon EC2 instance doesn't have internet access (for example, through a NAT gateway), then you must create Amazon VPC endpoints for Session Manager and for its logging targets in Amazon S3 or CloudWatch Logs.
Check your end-to-end networking and confirm that the instance can reach the following endpoints over HTTPS (TCP port 443):
- https://ec2.region-code.amazonaws.com
- https://ec2messages.region-code.amazonaws.com
- https://ssm.region-code.amazonaws.com
- https://ssmmessages.region-code.amazonaws.com
- https://s3.region-code.amazonaws.com (Amazon S3 logging; uses a gateway endpoint)
- https://logs.region-code.amazonaws.com (CloudWatch Logs logging)
Note: The monitoring.region-code.amazonaws.com endpoint serves the CloudWatch metrics API, not CloudWatch Logs, and isn't required for session logs.
For interface endpoints, turn on private DNS so that the preceding names resolve to the endpoint's private IP addresses, and make sure that the endpoint's security group allows inbound TCP 443 from the instance's security group or subnet CIDR.
To create an endpoint, see Connect to an endpoint service as the service consumer.
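The following script is an added example (not part of the original article) of the end-to-end check described above. Run it on the instance: for each required endpoint it resolves the name, completes a TLS handshake on port 443, and reports whether the name resolved to a private address (an interface endpoint with private DNS) or a public one. The service list and the default Region are assumptions for the example.

```python
import ipaddress
import socket
import ssl
import sys

# Endpoints Session Manager and its logging targets use. ec2 is omitted here
# because session logging itself does not need it; add it if you rely on it.
SERVICES = ("ssm", "ssmmessages", "ec2messages", "s3", "logs")


def endpoint_hosts(region):
    """Public DNS names of the required endpoints in a Region."""
    return [f"{svc}.{region}.amazonaws.com" for svc in SERVICES]


def describe_path(service, ip):
    """Classify where the name resolved to.

    Interface endpoints with private DNS resolve to addresses inside the VPC CIDR.
    S3 gateway endpoints keep the public address and are selected by route table,
    so a public address for s3 is expected even without NAT.
    """
    if ipaddress.ip_address(ip).is_private:
        return "interface endpoint (private DNS)"
    if service == "s3":
        return "public address (gateway endpoint or NAT)"
    return "public address (NAT/internet path, or interface endpoint without private DNS)"


def probe(host, timeout=5.0):
    """Resolve host and complete a TLS handshake on 443. Returns (ok, detail)."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return False, f"DNS failure: {exc}"
    ctx = ssl.create_default_context()  # verifies the certificate against the public name
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                pass  # the handshake completes inside wrap_socket
    except OSError as exc:  # covers timeouts, refused connections and ssl.SSLError
        return False, f"{ip}: {exc}"
    return True, ip


def run(region):
    """Probe every required endpoint; returns {host: (ok, detail, path)}."""
    results = {}
    for host in endpoint_hosts(region):
        ok, detail = probe(host)
        service = host.split(".")[0]
        results[host] = (ok, detail, describe_path(service, detail) if ok else "")
    return results


if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    for host, (ok, detail, path) in run(region).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}: {detail} {path}")
```

A DNS failure points at private DNS or the VPC's DNS settings; a timeout with a private address points at the endpoint's security group or a network ACL; a timeout with a public address in a VPC without NAT means the endpoint for that service is missing.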
Configure an IAM policy for CloudWatch logging
If session logs or streamed log events are missing from the CloudWatch log group, then the instance profile role likely doesn't have the correct IAM permissions.
To create log streams and put log events in CloudWatch Logs, the instance profile role must have the following permissions in its IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:REGION:ACCOUNT-ID:log-group:LOG-GROUP-NAME:*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "logs:DescribeLogGroups",
"Resource": "*"
}
]
}
Note:
- In the preceding policy, replace REGION, ACCOUNT-ID, and LOG-GROUP-NAME with your AWS Region, AWS account ID, and log group name. For example, for the log group /aws/ssm/my-log-group in us-east-1 in account 123456789012, the Resource element is:
"Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/ssm/my-log-group:*"
- If you encrypted the CloudWatch log group with an AWS KMS customer managed key, then the key policy must allow the CloudWatch Logs service principal (logs.REGION.amazonaws.com) to use the key. If you also turned on KMS encryption of session data in the Session Manager preferences, then the instance profile role and the user who starts the session must both be allowed to use that key.
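The following script is an added example (not part of the original article or of any AWS tool) that checks an identity policy offline for the permissions both the Amazon S3 section and this CloudWatch Logs section require. It is a deliberately small IAM evaluator: explicit Deny wins, wildcards in Action (case-insensitive) and Resource are honoured, and statements with Condition, NotAction or NotResource are skipped because they need manual review. The account ID, bucket name, prefix and session ID are constructed for the example.

```python
import re

# The page's CloudWatch Logs policy with the placeholders filled in for a
# constructed account (123456789012) and Region (us-east-1).
CLOUDWATCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
            "Resource": ["arn:aws:logs:us-east-1:123456789012:log-group:/aws/ssm/my-log-group:*"],
        },
        {"Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource": "*"},
    ],
}

# Constructed S3 logging policy: objects go under the prefix, and Session Manager
# reads the bucket's encryption configuration before it uploads.
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/sessions/*"},
        {"Effect": "Allow", "Action": "s3:GetEncryptionConfiguration",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policy, action, resource):
    """Return 'allow', 'deny' or 'implicit deny' for one action on one resource.

    Statements with Condition, NotAction or NotResource are skipped; review them by hand.
    """
    decision = "implicit deny"
    for stmt in _as_list(policy["Statement"]):
        if "Condition" in stmt or "NotAction" in stmt or "NotResource" in stmt:
            continue
        if not any(_match(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # an explicit deny overrides every allow
        decision = "allow"
    return decision


def required_for_cloudwatch(region, account, log_group, session_id="session-id"):
    """(action, resource) pairs Session Manager needs to write a session's log stream."""
    group_arn = f"arn:aws:logs:{region}:{account}:log-group:{log_group}"
    stream_arn = f"{group_arn}:log-stream:{session_id}"
    return [
        ("logs:DescribeLogGroups", "*"),
        ("logs:DescribeLogStreams", f"{group_arn}:*"),  # log group ARNs end in ':*'
        ("logs:CreateLogStream", stream_arn),
        ("logs:PutLogEvents", stream_arn),
    ]


def required_for_s3(bucket, prefix="", session_id="session-id"):
    """(action, resource) pairs Session Manager needs to upload a session log object."""
    return [
        ("s3:GetEncryptionConfiguration", f"arn:aws:s3:::{bucket}"),
        ("s3:PutObject", f"arn:aws:s3:::{bucket}/{prefix}{session_id}.log"),
    ]


def missing_permissions(policy, required):
    """The (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in required if evaluate(policy, a, r) != "allow"]


if __name__ == "__main__":
    cw = required_for_cloudwatch("us-east-1", "123456789012", "/aws/ssm/my-log-group")
    print("CloudWatch Logs missing:", missing_permissions(CLOUDWATCH_POLICY, cw))
    print("S3 missing:", missing_permissions(S3_POLICY, required_for_s3("amzn-s3-demo-bucket", "sessions/")))
```

Paste the role's actual policy document into CLOUDWATCH_POLICY or S3_POLICY and the actual log group, bucket and prefix into the required_for_* calls. For a check that also evaluates conditions, permissions boundaries and every attached policy, run aws iam simulate-principal-policy with --policy-source-arn set to the role ARN and the same --action-names and --resource-arns.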
Additional troubleshooting
To troubleshoot CloudWatch Logs issues, view the AWS CloudTrail event history, filtered by event name (for example, CreateLogStream or DescribeLogGroups) and by the time of the session, and look for AccessDenied error codes recorded against the instance profile role. For more information, see Logging CloudWatch Logs API and console operations in AWS CloudTrail.
Related information
How do I troubleshoot issues with AWS Systems Manager Session Manager?