What I was stuck on
For a certain requirement, I need to keep a history of connections to EC2.
Is there a good way to do this?
How should I handle it?
SSH connection history
On a typical Linux OS, the history of SSH connections is recorded in /var/log/secure.
Oct 4 00:49:14 ip-132-132-132-132 sshd[2459]: Accepted publickey for ec2-user from 123.123.123.123 port 58080 ssh2: RSA SHA256:SAMPLEvSAMPLE4aSAMPLEMSAMPLE8SAMPLE/SAMPLE
Oct 4 00:49:14 ip-132-132-132-132 sshd[2459]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Oct 4 00:49:23 ip-132-132-132-132 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/less /var/log/secure
Oct 4 00:49:23 ip-132-132-132-132 sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Oct 4 00:51:32 ip-132-132-132-132 sudo: pam_unix(sudo:session): session closed for user root
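Those lines can be searched with grep, but for a retention requirement it is more useful to turn them into structured connection events. The following Python is an added example, not code from the original post: it parses the /var/log/secure lines quoted above (plus one constructed failed-login line, using a documentation address) into events and counts successful logins per user and source address. The regular expressions assume the traditional RHEL/Amazon Linux syslog layout shown above; the line samples and field names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: the /var/log/secure lines quoted above, plus one
# constructed failed-login line (198.51.100.7 is a documentation address).
SAMPLE_SECURE_LOG = """\
Oct 4 00:49:14 ip-132-132-132-132 sshd[2459]: Accepted publickey for ec2-user from 123.123.123.123 port 58080 ssh2: RSA SHA256:SAMPLEvSAMPLE4aSAMPLEMSAMPLE8SAMPLE/SAMPLE
Oct 4 00:49:14 ip-132-132-132-132 sshd[2459]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Oct 4 00:49:23 ip-132-132-132-132 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/less /var/log/secure
Oct 4 00:49:23 ip-132-132-132-132 sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Oct 4 00:51:32 ip-132-132-132-132 sudo: pam_unix(sudo:session): session closed for user root
Oct 4 01:02:10 ip-132-132-132-132 sshd[2601]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
"""

# Traditional syslog prefix: "Mon  D HH:MM:SS hostname " (the day may be padded with a second space).
_PREFIX = r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "

_ACCEPTED = re.compile(
    _PREFIX + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
_FAILED = re.compile(
    _PREFIX + r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
_SUDO = re.compile(
    _PREFIX + r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_secure_log(text: str) -> List[Dict[str, str]]:
    """Turn raw /var/log/secure text into a list of login and sudo events.

    The pam_unix session open/close lines are skipped on purpose: the sshd
    "Accepted" line already carries the user, source address and auth method.
    """
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _ACCEPTED.match(line)
        if m:
            events.append({"kind": "ssh_login", **m.groupdict()})
            continue
        m = _FAILED.match(line)
        if m:
            events.append({"kind": "ssh_failed", **m.groupdict()})
            continue
        m = _SUDO.match(line)
        if m:
            events.append({"kind": "sudo", **m.groupdict()})
    return events


def login_summary(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count successful SSH logins per (user, source IP): the connection history the question asks for."""
    counter: Counter = Counter(
        (e["user"], e["ip"]) for e in events if e["kind"] == "ssh_login"
    )
    return dict(counter)


if __name__ == "__main__":
    parsed = parse_secure_log(SAMPLE_SECURE_LOG)
    for event in parsed:
        print(event)
    print(login_summary(parsed))
```

Note that /var/log/secure lives on the instance itself and is rotated by logrotate, so on its own it is not a retention mechanism; to satisfy a retention requirement the file (or the parsed events) has to be shipped off the host, for example with the CloudWatch agent.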
Systems Manager Session Manager history
When you connect to an EC2 instance through Systems Manager Session Manager, the StartSession API is called.
This history can be checked in your CloudTrail trail; the record identifies the caller (userIdentity) and the target instance (requestParameters.target).
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROASAMPLESAMPLESAMPL:role-name",
    "arn": "arn:aws:sts::<AccountID>:assumed-role/user-name/role-name",
    "accountId": "<AccountID>",
    "accessKeyId": "ASIASAMPLESAMPLESAMPL",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROASAMPLESAMPLESAMPL",
        "arn": "arn:aws:iam::<AccountID>:role/role-name",
        "accountId": "<AccountID>",
        "userName": "user-name"
      },
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-10-04T00:39:32Z",
        "mfaAuthenticated": "true"
      }
    }
  },
  "eventTime": "2022-10-04T00:47:46Z",
  "eventSource": "ssm.amazonaws.com",
  "eventName": "StartSession",
  "awsRegion": "ap-northeast-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "target": "i-0123456789abcdef0"
  },
  "responseElements": {
    "sessionId": "name-samplesamplesampl",
    "tokenValue": "Value hidden due to security reasons.",
    "streamUrl": "wss://ssmmessages.ap-northeast-1.amazonaws.com/v1/data-channel/name-samplesamplesampl?role=publish_subscribe&cell-number=SAMPLE"
  },
  "requestID": "SAMPLE",
  "eventID": "SAMPLE",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "<AccountID>",
  "eventCategory": "Management",
  "sessionCredentialFromConsole": "true"
}
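To turn a trail into a connection history, the records have to be filtered down to ssm.amazonaws.com / StartSession and reduced to who connected to which instance, when, and whether MFA was present. The following Python is an added example, not code from the original post or from AWS: it runs that filter over the StartSession record quoted above (with the page's placeholder values) plus one constructed, unrelated DescribeInstances record so the filter has something to reject. It assumes the {"Records": [...]} shape in which CloudTrail delivers log files to S3; the function names are this example's own.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample: the StartSession record quoted above (page placeholders
# such as <AccountID> kept as-is) plus one constructed unrelated record.
# CloudTrail log files delivered to S3 use this {"Records": [...]} layout.
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {
    "eventVersion": "1.08",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROASAMPLESAMPLESAMPL:role-name",
      "arn": "arn:aws:sts::<AccountID>:assumed-role/user-name/role-name",
      "accountId": "<AccountID>",
      "sessionContext": {
        "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::<AccountID>:role/role-name", "userName": "user-name"},
        "attributes": {"creationDate": "2022-10-04T00:39:32Z", "mfaAuthenticated": "true"}
      }
    },
    "eventTime": "2022-10-04T00:47:46Z",
    "eventSource": "ssm.amazonaws.com",
    "eventName": "StartSession",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "AWS Internal",
    "requestParameters": {"target": "i-0123456789abcdef0"},
    "responseElements": {"sessionId": "name-samplesamplesampl", "tokenValue": "Value hidden due to security reasons."},
    "eventType": "AwsApiCall",
    "recipientAccountId": "<AccountID>",
    "sessionCredentialFromConsole": "true"
  },
  {
    "eventVersion": "1.08",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::<AccountID>:user/other-user"},
    "eventTime": "2022-10-04T01:00:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeInstances",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "203.0.113.5",
    "requestParameters": {},
    "responseElements": null
  }
]}
""")


def session_manager_connections(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Reduce CloudTrail records to one row per Session Manager connection.

    Only ssm.amazonaws.com StartSession calls are kept; everything else in the
    trail is ignored. Missing sub-objects are tolerated because responseElements
    can be null on failed calls.
    """
    rows: List[Dict[str, Any]] = []
    for r in records:
        if r.get("eventSource") != "ssm.amazonaws.com" or r.get("eventName") != "StartSession":
            continue
        ident = r.get("userIdentity") or {}
        attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
        rows.append({
            "time": r.get("eventTime"),
            "principal": ident.get("arn"),
            "target": (r.get("requestParameters") or {}).get("target"),
            "session_id": (r.get("responseElements") or {}).get("sessionId"),
            "mfa_authenticated": attrs.get("mfaAuthenticated") == "true",
            "from_console": r.get("sessionCredentialFromConsole") == "true",
            # The record on the page shows "AWS Internal" here for a console-started
            # session, so this field is not a client address in that case.
            "source_ip": r.get("sourceIPAddress"),
        })
    return rows


def connections_to_instance(records: Iterable[Dict[str, Any]], instance_id: str) -> List[Dict[str, Any]]:
    """Connection history for a single EC2 instance, by instance ID."""
    return [row for row in session_manager_connections(records) if row["target"] == instance_id]


if __name__ == "__main__":
    for row in connections_to_instance(SAMPLE_TRAIL["Records"], "i-0123456789abcdef0"):
        print(row)
```

The CloudTrail console's event history only goes back 90 days, so for an actual retention requirement the trail delivering these records to S3 is what keeps the history; the same function can be run over those delivered log files.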
References
Chapter 4. General Principles of Information Security, Red Hat Enterprise Linux 6 | Red Hat Customer Portal