Where is the history of SSH connections to EC2, or of connections made through Systems Manager Session Manager, kept?
The problem
Because of a certain requirement, we need to retain a history of connections made to EC2.
Is there a good way to do this?
How should this be handled?
SSH connection history
On a typical Linux OS, sshd reports every authentication and session through syslog. On RHEL-family distributions (Amazon Linux, RHEL, CentOS) those messages land in /var/log/secure; on Debian and Ubuntu the equivalent file is /var/log/auth.log, and on systemd hosts the same lines can be read with journalctl -u sshd (the unit is ssh on Debian/Ubuntu). Keep in mind that these files live on the instance and are writable by root, so for a retention requirement they should also be shipped off the host (for example with the CloudWatch agent) rather than relied on in place.
Oct 4 00:49:14 ip-132-132-132-132 sshd[2459]: Accepted publickey for ec2-user from 123.123.123.123 port 58080 ssh2: RSA SHA256:SAMPLEvSAMPLE4aSAMPLEMSAMPLE8SAMPLE/SAMPLE
Oct 4 00:49:14 ip-132-132-132-132 sshd[2459]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Oct 4 00:49:23 ip-132-132-132-132 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/less /var/log/secure
Oct 4 00:49:23 ip-132-132-132-132 sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Oct 4 00:51:32 ip-132-132-132-132 sudo: pam_unix(sudo:session): session closed for user root
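The excerpt above is what a human reads; for a retention requirement you usually want it reduced to one record per connection. The following is an added example (not code from the original page) that parses sshd lines of this shape, pairs each "Accepted" login with the "session closed" line of the same sshd PID, and also picks out rejected attempts. The sample log is constructed to mirror the excerpt, with a hypothetical "Failed password" line added; the syslog year is supplied by the caller because the timestamps do not carry one.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample modelled on the /var/log/secure excerpt above; host, user,
# addresses and PIDs are hypothetical. The "Failed password" line is added so the
# parser also shows a rejected attempt.
SAMPLE_SECURE_LOG = """\
Oct  4 00:49:14 ip-132-132-132-132 sshd[2459]: Accepted publickey for ec2-user from 123.123.123.123 port 58080 ssh2: RSA SHA256:SAMPLEvSAMPLE4aSAMPLEMSAMPLE8SAMPLE/SAMPLE
Oct  4 00:49:14 ip-132-132-132-132 sshd[2459]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Oct  4 00:49:23 ip-132-132-132-132 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/less /var/log/secure
Oct  4 00:50:02 ip-132-132-132-132 sshd[2531]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Oct  4 00:51:40 ip-132-132-132-132 sshd[2459]: pam_unix(sshd:session): session closed for user ec2-user
"""

# Common syslog prefix: timestamp (no year), hostname, "sshd[pid]: ".
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "

ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?"
)
FAILED_RE = re.compile(
    _PREFIX + r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)
CLOSED_RE = re.compile(_PREFIX + r"pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")


def _parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year, so the caller supplies it.
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_ssh_events(log_text: str, year: int) -> List[Dict]:
    """Extract login / failed / logout events from sshd syslog lines; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in (("login", ACCEPTED_RE), ("failed", FAILED_RE), ("logout", CLOSED_RE)):
            m = pattern.match(line)
            if m:
                ev = {"kind": kind, "time": _parse_ts(m["ts"], year)}
                ev.update({k: v for k, v in m.groupdict().items() if k != "ts" and v is not None})
                events.append(ev)
                break
    return events


def login_sessions(events: List[Dict]) -> List[Dict]:
    """Pair each accepted login with the 'session closed' line of the same sshd PID,
    giving one record per interactive session (still-open sessions have end=None)."""
    open_by_pid: Dict[str, Dict] = {}
    sessions = []
    for ev in events:
        if ev["kind"] == "login":
            s = {"user": ev["user"], "src_ip": ev["ip"], "method": ev["method"],
                 "host": ev["host"], "start": ev["time"], "end": None, "duration_s": None}
            open_by_pid[ev["pid"]] = s
            sessions.append(s)
        elif ev["kind"] == "logout" and ev["pid"] in open_by_pid:
            s = open_by_pid.pop(ev["pid"])
            s["end"] = ev["time"]
            s["duration_s"] = int((s["end"] - s["start"]).total_seconds())
    return sessions


def failed_logins(events: List[Dict]) -> List[Dict]:
    """Rejected authentication attempts, which a connection history should keep too."""
    return [e for e in events if e["kind"] == "failed"]


if __name__ == "__main__":
    evs = parse_ssh_events(SAMPLE_SECURE_LOG, year=2022)
    for s in login_sessions(evs):
        print(f"{s['start']} {s['user']}@{s['host']} from {s['src_ip']} ({s['method']}) lasted {s['duration_s']}s")
    for f in failed_logins(evs):
        print(f"{f['time']} FAILED {f['method']} for {f['user']} from {f['ip']}")
```

Pairing on the sshd PID is what makes the "session closed" line attributable to a specific login; the sudo lines in the excerpt are deliberately not matched, since they describe privilege use inside a session rather than the connection itself.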
Systems Manager Session Manager history
When you connect to EC2 through Systems Manager Session Manager, the StartSession API is called (ResumeSession and TerminateSession are likewise recorded as the session continues and ends).
These calls can be confirmed in the CloudTrail trail, which records who connected (the calling identity and whether it was MFA-authenticated), when, and to which instance. Note that CloudTrail only records the API call, not what was done inside the session; to capture the commands themselves, enable session logging to an S3 bucket or a CloudWatch Logs log group in the Session Manager preferences.
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROASAMPLESAMPLESAMPL:role-name",
    "arn": "arn:aws:sts::<AccountID>:assumed-role/user-name/role-name",
    "accountId": "<AccountID>",
    "accessKeyId": "ASIASAMPLESAMPLESAMPL",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROASAMPLESAMPLESAMPL",
        "arn": "arn:aws:iam::<AccountID>:role/role-name",
        "accountId": "<AccountID>",
        "userName": "user-name"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-10-04T00:39:32Z",
        "mfaAuthenticated": "true"
      }
    }
  },
  "eventTime": "2022-10-04T00:47:46Z",
  "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "target": "i-0123456789abcdef0"
  },
  "responseElements": {
    "sessionId": "name-samplesamplesampl",
    "tokenValue": "Value hidden due to security reasons.",
    "streamUrl": "wss://ssmmessages.ap-northeast-1.amazonaws.com/v1/data-channel/name-samplesamplesampl?role=publish_subscribe&cell-number=SAMPLE"
  },
  "requestID": "SAMPLE",
  "eventID": "SAMPLE",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "<AccountID>",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}
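A single event like the one above answers "who opened a session on which instance", but a trail file contains every API call in the account. The following is an added example (not code from the original page or from AWS) that reduces a CloudTrail log file to the Session Manager events relevant to a connection history and then follows each StartSession's sessionId through to its TerminateSession. The records are constructed to mirror the event above; the account number, role, instance IDs and session IDs are placeholders, and a denied StartSession plus an unrelated EC2 call are included to show that denied attempts are still logged (with errorCode) and that other services are filtered out.

```python
import json
from typing import Any, Dict, List

# Constructed CloudTrail log modelled on the StartSession record above. Account,
# role, instance and session IDs are placeholders; the TerminateSession, the denied
# StartSession and the unrelated EC2 call are added to demonstrate the filtering.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventTime": "2022-10-04T00:47:46Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "awsRegion": "ap-northeast-1",
        "sourceIPAddress": "AWS Internal",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/role-name/user-name",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::111122223333:role/role-name",
                                  "userName": "role-name"},
                "attributes": {"creationDate": "2022-10-04T00:39:32Z", "mfaAuthenticated": "true"},
            },
        },
        "requestParameters": {"target": "i-0123456789abcdef0"},
        "responseElements": {"sessionId": "user-name-samplesamplesampl",
                             "tokenValue": "Value hidden due to security reasons."},
    },
    {
        "eventTime": "2022-10-04T00:52:10Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "TerminateSession",
        "awsRegion": "ap-northeast-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/role-name/user-name",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/role-name"},
                               "attributes": {"mfaAuthenticated": "true"}},
        },
        "requestParameters": {"sessionId": "user-name-samplesamplesampl"},
        "responseElements": {"sessionId": "user-name-samplesamplesampl"},
    },
    {
        "eventTime": "2022-10-04T01:05:00Z",
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "awsRegion": "ap-northeast-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor",
                         "userName": "contractor"},
        "requestParameters": {"target": "i-0fedcba9876543210"},
        "responseElements": None,
        "errorCode": "AccessDeniedException",
        "errorMessage": "User is not authorized to perform: ssm:StartSession",
    },
    {
        "eventTime": "2022-10-04T01:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
    },
]})

SESSION_EVENTS = {"StartSession", "ResumeSession", "TerminateSession"}


def session_manager_history(trail_json: str) -> List[Dict[str, Any]]:
    """Reduce a CloudTrail log file to the Session Manager events that matter for a
    connection history: who, when, which instance, MFA, and whether the call was denied."""
    history = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") not in SESSION_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        ctx = ident.get("sessionContext", {})
        req = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}  # None on a denied call
        history.append({
            "time": rec["eventTime"],
            "event": rec["eventName"],
            # For an assumed role the issuer ARN names the role; the caller ARN keeps the session name.
            "caller": ident.get("arn"),
            "role": ctx.get("sessionIssuer", {}).get("arn"),
            "mfa": ctx.get("attributes", {}).get("mfaAuthenticated") == "true",
            "source_ip": rec.get("sourceIPAddress"),
            "target": req.get("target"),
            "session_id": resp.get("sessionId") or req.get("sessionId"),
            "denied": rec.get("errorCode"),
        })
    return sorted(history, key=lambda h: h["time"])


def sessions_for_instance(history: List[Dict[str, Any]], instance_id: str) -> List[Dict[str, Any]]:
    """Follow a successful StartSession's sessionId through to its TerminateSession so
    each connection to the given instance becomes one (start, end, caller) record."""
    by_id: Dict[str, Dict[str, Any]] = {}
    for h in history:
        if h["event"] == "StartSession" and h["target"] == instance_id and not h["denied"]:
            by_id[h["session_id"]] = {"session_id": h["session_id"], "caller": h["caller"],
                                      "mfa": h["mfa"], "start": h["time"], "end": None}
        elif h["event"] == "TerminateSession" and h["session_id"] in by_id:
            by_id[h["session_id"]]["end"] = h["time"]
    return list(by_id.values())


if __name__ == "__main__":
    hist = session_manager_history(SAMPLE_TRAIL)
    for h in hist:
        flag = f" DENIED ({h['denied']})" if h["denied"] else ""
        print(f"{h['time']} {h['event']:16} {h['caller']} target={h['target']} mfa={h['mfa']}{flag}")
    print(sessions_for_instance(hist, "i-0123456789abcdef0"))
```

The sessionId returned in responseElements of StartSession is the key that ties the session's later ResumeSession and TerminateSession records back to the instance, since those calls carry only the sessionId and not the target.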
References
Chapter 4. General Principles of Information Security, Red Hat Enterprise Linux 6 | Red Hat Customer Portal