
How can I get logs of commands executed on an EC2 instance when connecting through SSM?

0

I use SSM with the "StartSSHSession" document to ssh to servers (with something like `ssh -o ProxyCommand="sh -c 'aws ssm start-session --document-name AWS-StartSSHSession'"`). Is there a way for SSM to intercept all the commands once connected to the EC2 instance and log them (to CloudWatch, S3 or anywhere else)? I have set up CloudWatch & S3 logging in SSM preferences, but it only logs commands when starting a session from the AWS console. I've seen https://repost.aws/en/questions/QUcqSin_nsRKiQOy-A_2sRLQ/where-is-ssm-session-command-line-logging and read the mentioned documentation, but I didn't find anything for this.

If this is not possible, what alternatives do I have to know what commands have been run? I know that the CloudWatch agent can track a file, but I fear that it's too easy to tamper with (once on the instance, someone can simply stop the agent, change its config or change the PROMPT_COMMAND, and we will not be able to know which commands were run after that).

2 Answers
2

Session logging records information about current and completed sessions in the Systems Manager console. You can also log details about commands run during sessions in your AWS account.

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging.html



You can send a continual stream of session data logs to Amazon CloudWatch Logs. Essential details, such as the commands a user has run in a session, the ID of the user who ran the commands, and timestamps for when the session data is streamed to CloudWatch Logs, are included when streaming session data.


EXPERT
answered 9 months ago
EXPERT
reviewed 9 months ago
  • Thanks for the quick answer, however I've already set up "Stream session logs" on that page and, like I said, it only logs commands when starting a session from the AWS console. It doesn't log anything when I'm using ssh with an SSM ProxyCommand with document "AWS-StartSSHSession".

0

To help other people with the same issue:

  • I found no "AWS built-in" way to use ssh and have logs of all commands
  • to keep using ssh and still have logs, the option I found was to use Teleport (https://github.com/gravitational/teleport)
  • if you don't need to use the ssh protocol, you can use the SSM command line directly (`aws ssm start-session --document-name SSM-SessionManagerRunShell`; you can omit the document-name as it is the default) and it will log the commands like when opening a session from the console (but the person performing it will always have command-line access to the user ssm-user). NB: I didn't find an equivalent for scp in that case; my best lead is to build one yourself using S3.
answered 9 months ago
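Since the thread establishes that sessions started with the AWS-StartSSHSession document leave no command log while SSM-SessionManagerRunShell sessions do, an auditor's first step is to find out how many sessions in the account history fall into the unlogged category. The script below is an added example, not code from the thread or from AWS: it classifies ssm:DescribeSessions history entries by DocumentName, flags SSH-tunnel sessions as unlogged, and also flags shell sessions that report no S3 or CloudWatch output location (the OutputUrl keys S3OutputUrl and CloudWatchOutputUrl are taken from the DescribeSessions API shape; the sample data is constructed, and the live fetch_history helper is only called when you have AWS credentials).

```python
"""Audit Session Manager history for sessions whose commands were not logged.

The thread above notes that AWS-StartSSHSession (ssh over SSM) carries an opaque
SSH stream that Session Manager cannot log, while SSM-SessionManagerRunShell
sessions are logged to S3/CloudWatch when preferences are configured.
SAMPLE below is constructed data in the shape of ssm:DescribeSessions output."""

# Documents whose interactive commands Session Manager can stream/log.
LOGGED_DOCS = {"SSM-SessionManagerRunShell"}
# SSH/port-forwarding tunnels: Session Manager only relays the SSH stream.
UNLOGGED_DOCS = {"AWS-StartSSHSession"}


def classify_sessions(sessions):
    """Return (session_id, owner, target, document, reason) for every session
    whose commands were not captured by Session Manager logging."""
    findings = []
    for s in sessions:
        doc = s.get("DocumentName", "")
        out = s.get("OutputUrl") or {}
        has_output = bool(out.get("S3OutputUrl") or out.get("CloudWatchOutputUrl"))
        if doc in UNLOGGED_DOCS:
            reason = "ssh tunnel via SSM: command stream not logged"
        elif doc in LOGGED_DOCS and not has_output:
            reason = "shell session with no S3/CloudWatch output location"
        else:
            continue  # logged shell session (or unknown document): nothing to flag
        findings.append((s["SessionId"], s.get("Owner", "?"), s.get("Target", "?"), doc, reason))
    return findings


def fetch_history(region_name=None):
    """Live variant: page through ssm:DescribeSessions(State='History').
    boto3 is imported here so the offline demo below needs no AWS SDK."""
    import boto3
    ssm = boto3.client("ssm", region_name=region_name)
    sessions, kwargs = [], {"State": "History"}
    while True:
        page = ssm.describe_sessions(**kwargs)
        sessions.extend(page.get("Sessions", []))
        if not page.get("NextToken"):
            return sessions
        kwargs["NextToken"] = page["NextToken"]


# Constructed sample, not real account data (IDs and ARNs are placeholders).
SAMPLE = [
    {"SessionId": "alice-0000000000000001", "Owner": "arn:aws:iam::123456789012:user/alice",
     "Target": "i-0123456789abcdef0", "DocumentName": "SSM-SessionManagerRunShell",
     "OutputUrl": {"CloudWatchOutputUrl": "https://console.aws.amazon.com/cloudwatch/PLACEHOLDER"}},
    {"SessionId": "bob-0000000000000002", "Owner": "arn:aws:iam::123456789012:user/bob",
     "Target": "i-0123456789abcdef0", "DocumentName": "AWS-StartSSHSession", "OutputUrl": {}},
    {"SessionId": "carol-0000000000000003", "Owner": "arn:aws:iam::123456789012:user/carol",
     "Target": "i-0fedcba9876543210", "DocumentName": "SSM-SessionManagerRunShell", "OutputUrl": {}},
]

if __name__ == "__main__":
    for finding in classify_sessions(SAMPLE):
        print(*finding)
```

Run against `fetch_history()` instead of `SAMPLE` to review a real account; a non-empty result for AWS-StartSSHSession is the gap the thread describes, and the answer above points to Teleport or plain `aws ssm start-session` as the ways to close it.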
