How do I troubleshoot Session Manager logging to Amazon S3 or CloudWatch?


I want to know why I don't see logs in Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch when working with Session Manager, a capability of AWS Systems Manager.

Short description

The following are the most common reasons that Session Manager isn't sending logs to Amazon S3 or CloudWatch:

  • Misconfigured Session Manager logging
  • Incorrect Amazon S3 bucket permissions and AWS Identity and Access Management (IAM) policy
  • Amazon Virtual Private Cloud (Amazon VPC) endpoint reachability issues

Prerequisites: 

Resolution

Misconfigured Session Manager logging

To log session data, confirm that you configured Session Manager for Amazon S3 logging or CloudWatch logging.

Note: When you configure logging to CloudWatch, review the Session Manager preferences to verify that the CloudWatch option is selected and a log group is defined. Also, verify that the provided log group name is for an existing log group.

Incorrect Amazon S3 bucket permissions and IAM policy

For Systems Manager to perform actions on your instances, you must grant access through an IAM role. For more information, see Verify or create an IAM role with Session Manager permissions. To troubleshoot missing logs in Amazon S3, complete the following steps:

  • Check that the IAM policy is set for the correct Amazon S3 bucket ARN.
  • Check that the Amazon S3 bucket policy has access permissions to the resource.
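The preference and permission checks above can be applied to the exported Session Manager preferences document and the instance profile's IAM policy before touching the live account. The following checker is an added example, not code from AWS or this article; the preferences JSON, the policy JSON, and the region and account ID in the log-group ARN are constructed placeholders, and the IAM evaluation is a simplified Allow-only match that ignores Deny statements and conditions.

```python
import fnmatch
import json

# Constructed sample: Session Manager preferences (the content of the
# SSM-SessionManagerRunShell document) with both log destinations set.
PREFERENCES = json.loads("""{
  "schemaVersion": "1.0",
  "sessionType": "Standard_Stream",
  "inputs": {
    "s3BucketName": "example-session-logs",
    "s3KeyPrefix": "ssm/",
    "cloudWatchLogGroupName": "/ssm/session-logs",
    "cloudWatchStreamingEnabled": true
  }
}""")

# Constructed sample: an instance-profile policy that names the wrong bucket
# ARN and omits logs:PutLogEvents, so neither destination receives logs.
INSTANCE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::other-bucket/*"},
    {"Effect": "Allow", "Action": "logs:CreateLogStream",
     "Resource": "arn:aws:logs:*:*:log-group:/ssm/session-logs:*"}
  ]
}""")

def _allows(policy, action, resource):
    """True if some Allow statement grants `action` on `resource` (IAM '*' and '?'
    wildcards approximated with fnmatch; Deny statements and conditions ignored)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False

def check_session_logging(prefs, policy, region="us-east-1", account="123456789012"):
    """Return findings that explain why session logs might not arrive (placeholder region/account)."""
    findings = []
    inputs = prefs.get("inputs", {})
    bucket = inputs.get("s3BucketName", "")
    group = inputs.get("cloudWatchLogGroupName", "")
    if not bucket and not group:
        findings.append("no log destination configured in Session Manager preferences")
    if bucket:
        obj_arn = f"arn:aws:s3:::{bucket}/*"
        if not _allows(policy, "s3:PutObject", obj_arn):
            findings.append(f"instance role lacks s3:PutObject on {obj_arn}")
    if group:
        grp_arn = f"arn:aws:logs:{region}:{account}:log-group:{group}:*"
        for action in ("logs:CreateLogStream", "logs:PutLogEvents"):
            if not _allows(policy, action, grp_arn):
                findings.append(f"instance role lacks {action} on {grp_arn}")
    return findings
```

Running `check_session_logging(PREFERENCES, INSTANCE_POLICY)` on the constructed input reports the bucket ARN mismatch and the missing `logs:PutLogEvents` grant; an empty result means the preferences and the instance role agree, and the remaining suspects are the bucket policy and VPC endpoint reachability covered below.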

Amazon VPC endpoint reachability issues

To see Session Manager logs, you must create an endpoint to Amazon S3 or CloudWatch.

Review the end-to-end networking, and check that outbound HTTPS traffic is allowed to the following endpoints:

  • HTTPS://ec2.region-code.amazonaws.com
  • HTTPS://ec2messages.region-code.amazonaws.com
  • HTTPS://ssm.region-code.amazonaws.com
  • HTTPS://ssmmessages.region-code.amazonaws.com
  • HTTPS://s3.region-code.amazonaws.com
  • HTTPS://monitoring.region-code.amazonaws.com

For more information, see Connect to an endpoint service as the service consumer.

Additional troubleshooting

To perform additional troubleshooting for CloudWatch logs, view the AWS CloudTrail Event history based on action and timestamps. For more information, see CloudWatch Logs information in CloudTrail.

Related information

How do I troubleshoot issues with AWS Systems Manager Session Manager?

AWS OFFICIAL. Updated a year ago.