
Store AWS SSM Session Logs in S3 for Long-Term Retention


Introduction

By default, AWS SSM Session Manager does not retain session logs. CloudWatch Logs is well suited to real-time monitoring, but S3 provides the long-term, low-cost storage that security audits and compliance reviews need.

This guide covers:
✅ Creating an S3 bucket for SSM logs
✅ Enabling SSM session logging to S3
✅ Verifying logs are saved in S3

Step 1: Create an S3 Bucket for Logging

  1. Navigate to AWS S3 Console → Click Create bucket.
  2. Enter a unique bucket name (e.g., ssm-session-logs-123).
  3. Choose the AWS region where your EC2 instances run.
  4. Under Block Public Access settings, ensure public access is blocked.
  5. Click Create bucket.

Step 2: Attach IAM Permissions for S3 Logging

The SSM Agent on the instance, acting through the instance's IAM role, needs permission to write session logs to the S3 bucket.

  1. Go to the AWS IAM Console → Click Roles.
  2. Select the IAM role attached to your EC2 instance (e.g., SSMLoggingRole).
  3. Click Attach Policies → Choose AmazonS3FullAccess.
  4. Click Save.

Step 3: Enable SSM Logging to S3

  1. Navigate to AWS Systems Manager Console → Click Session Manager.
  2. In the left panel, click Preferences.
  3. Click Edit and configure:
    • Enable S3 Logging → Select your S3 bucket from Step 1.
  4. Click Save.
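Step 2 attaches the broad AmazonS3FullAccess managed policy and Step 3 edits the session preferences in the console. The following is an added example, not part of the original guide: it builds the bucket-scoped policy that AWS documents for Session Manager S3 logging (s3:PutObject on the log prefix and s3:GetEncryptionConfiguration on the bucket), the content of the SSM-SessionManagerRunShell preferences document that the console edits behind the scenes, and a review check that flags wildcard S3 grants such as the one AmazonS3FullAccess carries. The bucket name and prefix are constructed sample values.

```python
import json

# Constructed sample values: replace with the bucket from Step 1 and a prefix of your choice.
BUCKET = "ssm-session-logs-123"
PREFIX = "sessions"


def least_privilege_s3_policy(bucket: str, prefix: str) -> dict:
    """IAM policy for the instance role: write session logs to one prefix only.
    These are the two actions AWS documents for Session Manager S3 logging
    (PutObject on the prefix, GetEncryptionConfiguration on the bucket)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
            {"Effect": "Allow", "Action": "s3:GetEncryptionConfiguration",
             "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def session_preferences(bucket: str, prefix: str) -> dict:
    """Content of the SSM-SessionManagerRunShell document that Step 3 edits
    through the console; the same JSON can be uploaded with `aws ssm update-document`."""
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager preferences: log sessions to S3",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": bucket,
            "s3KeyPrefix": prefix,
            "s3EncryptionEnabled": True,   # require SSE on the bucket before uploading
            "runAsEnabled": False,
        },
    }


def overly_broad_statements(policy: dict) -> list:
    """Return Allow statements that grant wildcard S3 access on every resource
    (what AmazonS3FullAccess does: s3:* on *). Run it over a role's policies
    before attaching them, to keep the logging role to the bucket above."""
    hits = []
    for st in policy.get("Statement", []):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st.get("Effect") == "Allow" and any(a in ("s3:*", "*") for a in actions) \
                and "*" in resources:
            hits.append(st)
    return hits
```

Print `json.dumps(least_privilege_s3_policy(BUCKET, PREFIX), indent=2)` to get a document you can paste into an inline policy on the role from Step 2.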

Step 4: Verify Logs in S3

  1. Start an SSM session:
    aws ssm start-session --target <INSTANCE_ID>