How do I push Systems Manager SSM Agent logs to CloudWatch?

Last updated: 2021-05-26

I want to send AWS Systems Manager SSM Agent logs to Amazon CloudWatch Logs. How can I do that?

Resolution

Create a log group in CloudWatch Logs

To create a log group in CloudWatch Logs, follow these steps:

  1. Open the CloudWatch console, and then choose Log groups from the navigation pane.
  2. Choose Create log group.
  3. For Log group name, enter a name.
  4. Choose Create.

Attach permissions

The Amazon Elastic Compute Cloud (Amazon EC2) instance must have AWS Identity and Access Management (IAM) permissions to send the logs. You must attach an IAM role that includes the CloudWatchLogsFullAccess managed policy to the instance. For instructions, see Attach an IAM role to an instance.

Note: You can combine these permissions with the permissions that the instance role already has. You can also narrow the permissions further based on your requirements.
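
One way to narrow the permissions, shown as an added example that is not part of the original article: an identity policy for the instance role that allows writing only to the log group created in the first step. REGION, ACCOUNT_ID and LOG_GROUP_NAME are placeholders, and the action list is an assumption about what SSM Agent calls when the log group already exists; confirm it against the linked SSM Agent documentation before using it in place of CloudWatchLogsFullAccess.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FindLogGroup",
      "Effect": "Allow",
      "Action": "logs:DescribeLogGroups",
      "Resource": "*"
    },
    {
      "Sid": "WriteSsmAgentLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME",
        "arn:aws:logs:REGION:ACCOUNT_ID:log-group:LOG_GROUP_NAME:*"
      ]
    }
  ]
}
```

logs:CreateLogGroup is left out because the log group already exists from the first step, so the instance cannot create additional log groups.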

Configure SSM Agent to send logs to CloudWatch Logs

For instructions to configure SSM Agent to send logs to CloudWatch Logs, see Sending SSM Agent logs to CloudWatch Logs.