Now customize the idle session timeout value and stream session logs to Amazon CloudWatch Logs for Session Manager

Posted on: Nov 18, 2020

Session Manager, a capability of AWS Systems Manager, now offers customers greater control over how long sessions remain idle before being terminated automatically. This feature can help you meet compliance requirements, such as PCI Requirement 8.1.8, which requires that users reauthenticate if a session is idle for more than 15 minutes.

Additionally, customers can now stream session logs continuously to CloudWatch for the duration of a session, instead of waiting until the session is terminated. The logs are structured as JSON messages, and identify the user initiating the session, the instance and session IDs, and the commands and output from the session. The ability to receive and process structured logs continuously throughout the duration of the session provides you with improved visibility into user activity. Using the structured logs, you can easily search for conditions such as session initiation or the use of a specific command, to help analyze and troubleshoot session activity.

To get started, in the navigation pane of the Session Manager console, choose Preferences. You can customize the idle session timeout value under General Preferences. You can enable streaming logs by enabling logs in the CloudWatch logging section, and then choosing Stream session logs as the logging option.
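The console preferences described above are stored in the regional SSM-SessionManagerRunShell document, which can also be read and written with the AWS CLI (`aws ssm get-document` / `aws ssm update-document`). The following script is an added example, not AWS code: it builds such a preferences document with a chosen idle timeout and streaming enabled, and checks an existing document against a policy (idle timeout at or below a limit, CloudWatch streaming on). The sample documents and the log group name `/ssm/session-logs` are constructed for the example; the `inputs` field names follow the document's schema.

```python
"""Build and audit Session Manager preferences (SSM-SessionManagerRunShell).

Added example, not AWS code. Field names in "inputs" follow the preferences
document schema; the sample values below are constructed.
"""
import json

# Assumed log group name used in the constructed documents.
LOG_GROUP = "/ssm/session-logs"


def build_preferences(log_group: str, idle_minutes: int, encrypt: bool = True) -> str:
    """Return the JSON content of a preferences document that streams session
    logs to CloudWatch and terminates idle sessions after idle_minutes."""
    # Session Manager accepts idle timeouts between 1 and 60 minutes.
    if not 1 <= idle_minutes <= 60:
        raise ValueError("idle_minutes must be between 1 and 60")
    doc = {
        "schemaVersion": "1.0",
        "description": "Document to hold regional settings for Session Manager",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": "",
            "s3KeyPrefix": "",
            "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": encrypt,
            "cloudWatchStreamingEnabled": True,
            "idleSessionTimeout": str(idle_minutes),
            "kmsKeyId": "",
            "runAsEnabled": False,
            "runAsDefaultUser": "",
            "shellProfile": {"windows": "", "linux": ""},
        },
    }
    return json.dumps(doc, indent=2)


def check_preferences(content: str, max_idle_minutes: int = 15) -> list[str]:
    """Audit a preferences document (as returned by `aws ssm get-document`).

    Returns a list of findings; an empty list means the document meets the
    policy: idle timeout set and <= max_idle_minutes (15 matches the PCI
    requirement quoted in the announcement), and logs streamed to CloudWatch.
    """
    inputs = json.loads(content).get("inputs", {})
    findings = []

    timeout = inputs.get("idleSessionTimeout")
    if timeout in (None, ""):
        findings.append("idleSessionTimeout is not set")
    else:
        try:
            minutes = int(timeout)
        except ValueError:
            findings.append(f"idleSessionTimeout is not an integer: {timeout!r}")
        else:
            if minutes > max_idle_minutes:
                findings.append(
                    f"idleSessionTimeout {minutes} min exceeds {max_idle_minutes} min"
                )

    if not inputs.get("cloudWatchLogGroupName"):
        findings.append("CloudWatch logging is disabled (cloudWatchLogGroupName is empty)")
    elif not inputs.get("cloudWatchStreamingEnabled"):
        findings.append(
            "cloudWatchStreamingEnabled is false (logs written only at session end)"
        )
    return findings


# Constructed sample documents: one that meets the policy, one that does not.
COMPLIANT_DOC = build_preferences(LOG_GROUP, 15)
NONCOMPLIANT_DOC = json.dumps(
    {
        "schemaVersion": "1.0",
        "sessionType": "Standard_Stream",
        "inputs": {
            "cloudWatchLogGroupName": LOG_GROUP,
            "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": False,  # logs only on termination
            "idleSessionTimeout": "20",            # above the 15-minute limit
        },
    }
)


if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_DOC), ("noncompliant", NONCOMPLIANT_DOC)):
        findings = check_preferences(doc)
        print(f"{name}: {'OK' if not findings else findings}")
```

To apply the generated document, write it to a file and run `aws ssm update-document --name SSM-SessionManagerRunShell --content file://prefs.json --document-version '$LATEST'` in each Region where sessions are used; to audit, feed the `Content` field of `aws ssm get-document --name SSM-SessionManagerRunShell` to `check_preferences`.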

Session Manager is available in all AWS Regions where AWS Systems Manager is available. To learn more about Session Manager, see the Session Manager documentation. For information about AWS Systems Manager, see our product detail page.