Issues we faced with setting up AWS Session Manager

Sharath AV
2 min read · Nov 16, 2021

We wanted to make use of AWS Session manager to address the following things:

  1. Allow access to the EC2 shell without dealing with key pairs.
  2. Disallow downloading files to the user's local system (e.g. via scp).
  3. Capture a log of all commands executed, for auditing purposes.

While the AWS documentation is good, there were some small challenges we faced, which I wanted to share here.

a. The logs were not being captured in the CloudWatch log group.

Since we wanted to capture the commands executed for auditing, we created the necessary log group and updated the Session Manager preferences in SSM to use the new log group. Still, no logs arrived in the log group, and no errors were shown when starting or terminating a session. Later we figured out that the EC2 instance role itself needs access to CloudWatch Logs, so we added a policy to allow this. This part is not clear from the official documentation. Below is the policy statement we added:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:logs:us-west-2:1234567890:log-group:aws-ssm-session-manager:*"
        }
    ]
}
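Because a missing instance-role permission fails silently (the session starts, nothing is logged), it helps to check the role's policy against the configured log group before opening a session. The script below is an added example, not code from the post or from AWS: it evaluates a parsed IAM policy document (for instance the output of `aws iam get-role-policy`) against the log group ARN, using the post's policy as sample input. It is a simplification that only looks at Action, Resource and Effect (no Condition, NotAction or NotResource), so an empty result means "looks right", while the IAM policy simulator remains the authority.

```python
# Added example: offline check that an EC2 instance-role policy grants the
# CloudWatch Logs actions Session Manager needs for a given log group.
# Simplification (assumption): only Action/Resource/Effect are evaluated.
import fnmatch

# Actions the SSM agent needs to create streams and write session logs.
REQUIRED_ACTIONS = (
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogGroups", "logs:DescribeLogStreams",
)

# The policy from the post (the account id is the post's own placeholder).
POST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": list(REQUIRED_ACTIONS),
        "Effect": "Allow",
        "Resource": "arn:aws:logs:us-west-2:1234567890:log-group:aws-ssm-session-manager:*",
    }],
}
# Log group ARN as configured in the Session Manager preferences (constructed).
LOG_GROUP_ARN = "arn:aws:logs:us-west-2:1234567890:log-group:aws-ssm-session-manager"


def _as_list(value):
    """IAM allows either a string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _any_match(patterns, target):
    """IAM-style matching: '*' and '?' are wildcards, everything else literal."""
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def missing_log_permissions(policy, log_group_arn):
    """Return the required actions that are not allowed, or are explicitly
    denied, on the log group's streams (the group ARN suffixed with ':*')."""
    target = log_group_arn + ":*"
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        # Action names are case-insensitive in IAM; ARNs are compared as written.
        acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
        res = _as_list(stmt.get("Resource", []))
        for action in REQUIRED_ACTIONS:
            if _any_match(acts, action.lower()) and _any_match(res, target):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return sorted(a for a in REQUIRED_ACTIONS if a in denied or a not in allowed)
```

Run `missing_log_permissions(POST_POLICY, LOG_GROUP_ARN)` and expect an empty list; pointing it at a different log group ARN returns all five actions, which is exactly the silent failure described above.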

Next, with the logs flowing, we tried some basic Linux commands after logging into the session. Then we came across one more problem:

b. The arrow keys (up and down) for accessing command history were not working. Instead, they printed the escape sequences "^[[A", "^[[B", "^[[C" and "^[[D".

To address this, we had to change the shell Session Manager provides by default. By default it uses the Bourne shell (/bin/sh). To change it to the Bourne Again SHell (/bin/bash), we followed the steps described in this support article:

How can I change the Session Manager shell to bash on EC2 Linux instances?
