amazon-ssm-agent

No s3 log when ssh ubuntu@i-xxxxxxxxxx

Open MilanDasek opened this issue 5 years ago • 7 comments

Hi,

when I start a session via the browser: https://eu-west-1.console.aws.amazon.com/systems-manager/session-manager/start-session?region=eu-west-1

I get S3 output when the session ends. The same happens when I start a session using aws ssm start-session --target i-xxxxxxxxx

But when I start a session using ssh ubuntu@i-xxxxxxxxxx, the session starts, but there is no audit log in S3. The session stops with

[ubuntu@xxxxxxx ~]$ exit
logout
Connection to i-xxxxxxx closed.
Command '['session-manager-plugin', '{"SessionId": "xxxxxxxx", "TokenValue": "token", "StreamUrl": "wss://ssmmessages.eu-west-1.amazonaws.com/v1/data-channel/xxxxx?role=publish_subscribe", "ResponseMetadata": {"RequestId": "xxxxx", "HTTPStatusCode": 200, "HTTPHeaders": {"x-amzn-requestid": "xxxxxx", "content-type": "application/x-amz-json-1.1", "content-length": "690", "date": "Fri, 12 Jul 2019 10:05:40 GMT"}, "RetryAttempts": 0}}', 'eu-west-1', 'StartSession', '', '{"Target": "i-xxxxxx", "DocumentName": "AWS-StartSSHSession", "Parameters": {"portNumber": ["22"]}}', 'https://ssm.eu-west-1.amazonaws.com']' died with <Signals.SIGPIPE: 13>.

Can you please advise?

MilanDasek avatar Jul 12 '19 10:07 MilanDasek

Thanks for reaching out. Logging is not enabled for SSH/SCP over Session Manager, as SSH encrypts all data and Session Manager merely acts as a tunnel; we will explore this in the future.

sruthi-maddineni avatar Jul 15 '19 20:07 sruthi-maddineni

Hi @sruthi-maddineni,

Thanks for acknowledging. Can we expect this feature any time soon? Is there any timeline associated with this issue?

subramaniams avatar Aug 19 '19 00:08 subramaniams

@sruthi-maddineni Any update on this?

Also, Hey @MilanDasek from CM! :)

Klohto avatar Jan 15 '20 13:01 Klohto

Any update on when this request would be considered in the future? This would really be an important addition. Has anyone found any alternative approach to get the audit log for a port forwarding session or an SSH session?

SuchismitaGoswami avatar Jun 15 '20 13:06 SuchismitaGoswami

Do we have an update on this? This is really a showstopper when it comes to audit logs for SSM with port forwarding or SSH documents. Do you suggest any alternatives?

aryak007 avatar Jun 17 '20 07:06 aryak007
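A defender-side check for the gap described above (added example, not code from the amazon-ssm-agent project or from anyone in this thread): it scans CloudTrail StartSession records and flags sessions started with a tunnel document, since those are the ones that will never have an S3 transcript and must be audited from CloudTrail plus host-side sshd/auditd logs instead. It assumes CloudTrail records target, documentName and sessionId for ssm:StartSession, and that an omitted documentName means the default shell document.

```python
# Flag Session Manager sessions that cannot have an S3 transcript (added example,
# not amazon-ssm-agent code). Assumed: CloudTrail records ssm:StartSession with
# requestParameters.target/documentName and responseElements.sessionId.

# Documents that only tunnel already-encrypted traffic; Session Manager writes no
# S3 transcript for them (see the maintainer reply above).
TUNNEL_DOCUMENTS = {"AWS-StartSSHSession", "AWS-StartPortForwardingSession",
                    "AWS-StartPortForwardingSessionToRemoteHost"}
# Assumption: StartSession without documentName uses the default shell document.
DEFAULT_DOCUMENT = "SSM-SessionManagerRunShell"


def classify_sessions(records):
    """One finding per StartSession event, marking whether a transcript is expected."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "StartSession":
            continue
        params = rec.get("requestParameters") or {}
        doc = params.get("documentName") or DEFAULT_DOCUMENT
        findings.append({
            "sessionId": (rec.get("responseElements") or {}).get("sessionId"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "target": params.get("target"),
            "documentName": doc,
            "transcript_expected": doc not in TUNNEL_DOCUMENTS,
        })
    return findings


def unlogged_sessions(records):
    """Sessions that must be audited by other means (CloudTrail, host-side sshd/auditd logs)."""
    return [f for f in classify_sessions(records) if not f["transcript_expected"]]


# Constructed sample records in CloudTrail's record shape (not real event data).
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"target": "i-0123456789abcdef0", "documentName": "AWS-StartSSHSession",
                           "parameters": {"portNumber": ["22"]}},
     "responseElements": {"sessionId": "alice-0123456789abcdef0"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"target": "i-0123456789abcdef0"},
     "responseElements": {"sessionId": "bob-0fedcba9876543210"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "TerminateSession",
     "requestParameters": {"sessionId": "alice-0123456789abcdef0"}},
]
```

Running `unlogged_sessions(SAMPLE_RECORDS)` on the constructed data returns only alice's SSH session; bob's default shell session is the one that will have an S3 transcript.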

We ended up switching over to SSM sessions.

Here is my helper bash script that allows you to connect to a machine by specifying its name, so its usage is closer to SSH.

#!/bin/bash
# Look up a running EC2 instance by its Name tag and open a Session Manager shell on it.

if [ -z "$1" ]; then
  echo "You need to specify instance name."
  exit 1
fi

# First running instance whose Name tag matches (text output prints one ID per line).
instance_id=$(aws ec2 describe-instances \
  --filters "Name=tag:Name,Values=$1" "Name=instance-state-name,Values=running" \
  --query "Reservations[*].Instances[*].{Instance:InstanceId}" \
  --output text | head -n1)

if [ -z "$instance_id" ]; then
  echo "No running instance named '$1' found."
  exit 1
fi
aws ssm start-session --target "$instance_id"

Usage: ./ssm-session.sh os-web01.staging.us

kamilbednarz avatar Jun 17 '20 07:06 kamilbednarz

Any updates on this or workarounds?

jbrewer3 avatar Apr 25 '24 17:04 jbrewer3