AWS Systems Manager Session Manager Logs
Cloud & SaaS, Execution Evidence, AWS, Systems Manager, Cloud Control Plane, SIEM / Log Aggregator
Location
Systems Manager session history with optional CloudWatch Logs or S3 transcript storage
Description
Session Manager metadata and optional session transcripts for shell access brokered through AWS Systems Manager instead of SSH or RDP. Includes session start and end times, target instance, actor identity, and transcript destinations when logging is enabled.
Forensic Value
Session Manager can become the only authoritative record of interactive access to instances when administrators disable direct SSH or RDP. Session history and transcripts reveal who opened privileged sessions, which hosts they touched, whether session logging was disabled, and what commands were executed when transcript logging was enabled.
Tools Required
AWS Console, AWS CLI, CloudWatch Logs, S3
Collection Commands
AWS CLI
aws ssm describe-sessions --state History --output json > ssm_session_history.json
AWS CLI
aws logs filter-log-events --log-group-name <session-manager-log-group> --start-time 1709251200000 --end-time 1709856000000 > ssm_session_logs.json
AWS CLI
aws s3 cp s3://<session-manager-bucket>/ ./session-manager-logs/ --recursive
Collection Constraints
- Session transcripts are available only if Session Manager logging was enabled to CloudWatch Logs or S3 before the session occurred.
- Session metadata alone may show access timing without preserving every command executed.
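A triage pass over the collected ssm_session_history.json, as an added example that is not part of the original page: it lists who opened each session, on which target and for how long, and flags sessions that left metadata only. The sample records, ARNs and URL are constructed, and treating an empty OutputUrl as "no transcript destination recorded" is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `aws ssm describe-sessions --state History` output.
# All session IDs, instance IDs, ARNs and URLs below are made up for illustration.
SAMPLE = json.loads("""
{"Sessions": [
  {"SessionId": "alice-0a1b2c3d4e5f67890", "Target": "i-0123456789abcdef0",
   "Status": "Terminated", "StartDate": "2024-03-01T10:00:00+00:00",
   "EndDate": "2024-03-01T10:12:30+00:00",
   "Owner": "arn:aws:iam::111122223333:user/alice",
   "OutputUrl": {"S3OutputUrl": "", "CloudWatchOutputUrl": "https://example.invalid/cw"}},
  {"SessionId": "bob-0f9e8d7c6b5a43210", "Target": "i-0fedcba9876543210",
   "Status": "Terminated", "StartDate": 1709290800.0, "EndDate": 1709294400.0,
   "Owner": "arn:aws:iam::111122223333:user/bob", "OutputUrl": {}}
]}
""")

def to_utc(value):
    """Accept epoch seconds or an ISO 8601 string; the CLI can emit either."""
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def triage(history):
    """Return one row per session, flagging those with no transcript destination."""
    rows = []
    for s in history.get("Sessions", []):
        out = s.get("OutputUrl") or {}
        # Assumption: an empty or missing URL means no transcript was stored there.
        dests = [k for k in ("S3OutputUrl", "CloudWatchOutputUrl") if out.get(k)]
        start, end = to_utc(s.get("StartDate")), to_utc(s.get("EndDate"))
        rows.append({
            "session": s.get("SessionId"), "owner": s.get("Owner"),
            "target": s.get("Target"),
            "start": start.isoformat() if start else None,
            "seconds": (end - start).total_seconds() if start and end else None,
            "transcript": dests,
            "metadata_only": not dests,
        })
    return sorted(rows, key=lambda r: r["start"] or "")

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

To run it on real output, replace SAMPLE with json.load(open("ssm_session_history.json")).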
MITRE ATT&CK Techniques
T1021, T1078.004, T1059