AdvLab1: Session Manager with Logging

Author: Dean Suzuki (Last Updated: 4/1/20)

Abstract

In an earlier step, you experienced how AWS Systems Manager Session Manager can provide secure interactive access to your managed instances without the need to expose inbound ports, manage bastion hosts, or manage SSH keys. In this lab, we will enable Session Manager logging so that you can record every session to an S3 bucket. This capability may be required for compliance purposes or for your security requirements.

Step 1: Create S3 bucket to hold session manager logs

To store the Session Manager logs, you will first create an S3 bucket to hold the audit logs from the Session Manager interactive shell usage.

  1. Go to the S3 section of the AWS Management Console.
  2. Press the Create bucket button
  3. Enter a DNS compliant bucket name (e.g. session-manager-logs-<yourname>). Note, the name needs to be unique across all of AWS, so you may need to add additional characters to make it unique (e.g. today's date). Make sure that it is created in the US East (N. Virginia) region.
  4. Scroll to the bottom and press Create bucket button.
  5. You will need the bucket Amazon Resource Name (ARN) for the next step. Click the checkbox next to the new bucket and select the Copy ARN button. Paste it into a notepad.

Step 2: Create an IAM Policy to allow access to your S3 bucket

Now, you create an IAM policy to grant write access to your S3 bucket.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Policies, and then choose Create policy.
  3. Click the JSON tab.
  4. Remove the existing JSON and paste the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::session-manager-logs-deansuzuki",
                    "arn:aws:s3:::session-manager-logs-deansuzuki/*"
                ]
            }
        ]
    }

  5. In the JSON, replace my bucket ARN in the Resource section with your bucket ARN that you copied earlier. Note, you have to do this twice, and on the second line add /* to the end to allow access to the objects inside the bucket. Make sure to include your bucket ARN in double quotes.

    • Click Review Policy

  6. For Name, enter AccessTo-S3-SSM-Bucket

    • Enter a description

    • Press Create policy button
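As an added example (not part of the lab), the following script generates the Step 2 policy document from a bucket name and checks a hand-edited policy for the two Resource entries the step asks for: the bucket ARN and the same ARN with /* appended. The bucket name rule follows the DNS compliant requirement from Step 1; the function names are my own.

```python
import json
import re

# DNS compliant bucket name (Step 1): 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit, no "..".
BUCKET_NAME_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")

def is_dns_compliant(bucket_name: str) -> bool:
    return bool(BUCKET_NAME_RE.match(bucket_name)) and ".." not in bucket_name

def bucket_arn(bucket_name: str) -> str:
    """Return the bucket ARN the console's Copy ARN button would give you."""
    if not is_dns_compliant(bucket_name):
        raise ValueError(f"not a DNS compliant bucket name: {bucket_name!r}")
    return f"arn:aws:s3:::{bucket_name}"

def policy_json(bucket_name: str) -> str:
    """Build the Step 2 policy: the bucket ARN plus the ARN with /* for objects."""
    arn = bucket_arn(bucket_name)
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [arn, arn + "/*"],
        }],
    }
    return json.dumps(policy, indent=4)

def check_policy(policy_text: str, bucket_name: str) -> list:
    """Report the usual hand-editing mistakes: bad JSON, missing bucket or /* entry."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (ARN not in double quotes?): {exc.msg}"]
    arn = bucket_arn(bucket_name)
    resources = []
    for stmt in policy.get("Statement", []):
        res = stmt.get("Resource", [])
        resources.extend([res] if isinstance(res, str) else res)
    problems = []
    if arn not in resources:
        problems.append(f"missing bucket ARN {arn}")
    if arn + "/*" not in resources:
        problems.append(f"missing object ARN {arn}/*")
    return problems
```

Paste the output of policy_json into the JSON tab, or run check_policy over the text you edited by hand before pressing Review Policy.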

Step 3: Add the new Policy to the IAM Role

Next, we need to add the policy to the IAM role that our EC2 instances use so that they can get the rights that our new policy defines.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Roles, and then in the search box, type managed
  3. Click the link for ManagedInstanceProfile.
  4. Click Attach policies button.
  5. Check the box next to the AccessTo-S3-SSM-Bucket policy that you just created. Then, press the Attach Policy button. This action gives the IAM role, ManagedInstanceProfile, the rights that are in the policy that we created (i.e. to write objects to the S3 bucket that you just created). The role is attached to the web servers in the environment.

Step 4: Enable Logging in Session Manager

Now, we will enable logging in Session Manager.

  1. Go to the Systems Manager console (https://console.aws.amazon.com/systems-manager/)
  2. Select Session Manager in the left-hand navigation
  3. Select Configure Preference and press the Edit button
  4. Under Write session output to an Amazon S3 bucket,

    • Select the checkbox next to S3 bucket.

    • Uncheck Encrypt log data.

    • In the S3 bucket name field, select the bucket that you created in the prior step.

    • Press Save
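As an added example (not part of the lab), the script below renders the Step 4 settings as the Session Manager preferences document and audits a copy pulled from an account, flagging logging that is switched off and, as this lab does for simplicity, S3 encryption left unchecked. The input field names are my assumption about the SSM-SessionManagerRunShell document's schema; the sample CLI output is constructed, not captured from a real account.

```python
import json

# Field names follow the SSM-SessionManagerRunShell preferences document as I
# understand it (assumption; confirm with: aws ssm get-document --name SSM-SessionManagerRunShell).
def build_preferences(bucket_name: str, encrypt: bool = True, key_prefix: str = "") -> dict:
    """Preferences document for the Step 4 settings; the lab sets encrypt=False."""
    return {
        "schemaVersion": "1.0",
        "description": "Document to hold regional settings for Session Manager",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": bucket_name,
            "s3KeyPrefix": key_prefix,
            "s3EncryptionEnabled": encrypt,
            "cloudWatchLogGroupName": "",
            "cloudWatchEncryptionEnabled": True,
        },
    }

def parse_get_document(cli_output: str) -> dict:
    """aws ssm get-document returns the document body as a JSON string in 'Content'."""
    return json.loads(json.loads(cli_output)["Content"])

def audit_preferences(doc: dict) -> list:
    """Findings a reviewer would raise about the session logging settings."""
    inputs = doc.get("inputs", {})
    findings = []
    if not inputs.get("s3BucketName") and not inputs.get("cloudWatchLogGroupName"):
        findings.append("session logging is disabled: no S3 bucket or CloudWatch log group")
    if inputs.get("s3BucketName") and not inputs.get("s3EncryptionEnabled", False):
        findings.append("S3 session logs are written without server-side encryption")
    return findings

# Constructed sample of get-document output (not captured from a real account).
SAMPLE_CLI_OUTPUT = json.dumps({
    "Name": "SSM-SessionManagerRunShell",
    "DocumentVersion": "2",
    "Content": json.dumps(build_preferences("session-manager-logs-deansuzuki", encrypt=False)),
})

if __name__ == "__main__":
    for finding in audit_preferences(parse_get_document(SAMPLE_CLI_OUTPUT)):
        print("FINDING:", finding)
```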

Step 5: Test Session Manager Logging

Now, let’s test logging with Session Manager.

  1. Go to the Systems Manager console (https://console.aws.amazon.com/systems-manager/)

  2. Select Session Manager in the left-hand navigation

  3. Select Start session.

  4. Select the WEB01 web server and press Start Session button.

  5. You should be presented with a terminal session on the server.

    • Type hostname to see the hostname of the server

    • Type Get-WindowsFeature to see the features running on the server. Confirm that Web Server (IIS) is installed.

  6. Press Terminate when done.

Step 6: Review the Session Manager audit logs

Now, let’s review what was captured in the audit logs for the interactive session.

  1. Browse to the Session History tab and locate your last session. Wait for the session Status to move from Terminating to Terminated. Press the refresh button, since the status sometimes doesn't update immediately.
  2. In the Output location column, click Amazon S3 to view the session log.
  3. On the S3 page, select the Download button to download the log file.
  4. Open the downloaded log file. Note the data captured in the session log includes all input and output of the commands we entered.

Congratulations!

In this lab, you learned how to enable logging in Session Manager so that anyone who uses Session Manager will have their session logged to an S3 bucket.