SSM Automation should have CloudWatch logging enabled
Description
This control verifies whether Amazon CloudWatch logging is enabled for AWS Systems Manager (SSM) Automation. The control will fail if CloudWatch logging is not enabled for SSM Automation. SSM Automation is an AWS Systems Manager tool designed to help users build automated solutions for deploying, configuring, and managing AWS resources at scale using predefined or custom runbooks. To meet operational or security requirements, it's often necessary to have a record of the scripts that SSM Automation runs. Users can configure SSM Automation to send the output from aws:executeScript actions within their runbooks to a specified Amazon CloudWatch Logs log group. CloudWatch Logs allows for monitoring, storing, and accessing log files from various AWS services.
Remediation
To enable CloudWatch logging for SSM Automation, configure the service setting to send automation script output to CloudWatch Logs.
Steps
- Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
- In the navigation pane, choose Automation.
- Choose the Preferences tab, and then choose Edit.
- Select the check box next to Send output to CloudWatch Logs.
- (Recommended) Select the check box next to Encrypt log data. With this option turned on, log data is encrypted using the server-side encryption key specified for the log group. Clear the check box if you don't want to encrypt the log data sent to CloudWatch Logs, or if encryption isn't allowed on the log group.
- For CloudWatch Logs log group, to specify the existing CloudWatch Logs log group in your AWS account that you want to send action output to, select one of the following:
  - Send output to the default log group – If the default log group (/aws/ssm/automation/executeScript) doesn't exist, Automation creates it for you.
  - Choose from a list of log groups – Select a log group that has already been created in your account to store action output.
  - Enter a log group name – Enter the name of a log group that has already been created in your account to store action output.
- Choose Save.
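The console preferences above are stored as SSM service settings, so the control can also be verified programmatically. The following is an added example (not part of the original control page) that evaluates those settings; it assumes the setting IDs /ssm/automation/customer-script-log-destination and /ssm/automation/customer-script-log-group-name and that an unconfigured account reports a destination of "None". The evaluation is pure, so it runs offline against the constructed stand-in client; pass boto3.client("ssm") to audit_account for a live account.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed service setting IDs behind the Automation preferences page.
LOG_DESTINATION_SETTING = "/ssm/automation/customer-script-log-destination"
LOG_GROUP_SETTING = "/ssm/automation/customer-script-log-group-name"
DEFAULT_LOG_GROUP = "/aws/ssm/automation/executeScript"  # from the control page


@dataclass
class Finding:
    status: str               # "PASSED" or "FAILED"
    log_group: Optional[str]  # effective log group when logging is on
    reason: str


def evaluate(destination: Optional[str], log_group: Optional[str]) -> Finding:
    """Apply the control logic to the two raw setting values."""
    if destination != "CloudWatchLogs":
        return Finding("FAILED", None,
                       f"{LOG_DESTINATION_SETTING} is {destination!r}; "
                       "aws:executeScript output is not sent to CloudWatch Logs")
    # Empty group name means "send output to the default log group".
    group = log_group or DEFAULT_LOG_GROUP
    return Finding("PASSED", group, f"script output is sent to {group}")


def get_setting(ssm, setting_id: str) -> Optional[str]:
    """Read one service setting via GetServiceSetting; '' is treated as unset."""
    resp = ssm.get_service_setting(SettingId=setting_id)
    value = resp.get("ServiceSetting", {}).get("SettingValue")
    return value or None


def audit_account(ssm) -> Finding:
    """Run the control against an SSM client (boto3 or a stand-in)."""
    return evaluate(get_setting(ssm, LOG_DESTINATION_SETTING),
                    get_setting(ssm, LOG_GROUP_SETTING))


class FakeSsm:
    """Constructed stand-in for boto3's SSM client so the check runs offline."""
    def __init__(self, values):
        self.values = values

    def get_service_setting(self, SettingId):
        return {"ServiceSetting": {"SettingId": SettingId,
                                   "SettingValue": self.values.get(SettingId, "")}}


if __name__ == "__main__":
    unconfigured = FakeSsm({LOG_DESTINATION_SETTING: "None"})
    remediated = FakeSsm({LOG_DESTINATION_SETTING: "CloudWatchLogs",
                          LOG_GROUP_SETTING: "/aws/ssm/automation/executeScript"})
    for label, client in (("unconfigured", unconfigured), ("remediated", remediated)):
        print(label, audit_account(client))
```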