Introduction
Audit logging is one of the most critical components of any secure infrastructure. Whether your workloads run in production or lower environments, understanding who did what, when, and how is essential for troubleshooting, compliance, and incident response. In Amazon EC2 environments, particularly those accessed by multiple engineers or automated tools, maintaining reliable audit logs becomes even more crucial.
This article explains what audit logs are, why they matter, and how to implement a comprehensive logging strategy on Ubuntu-based EC2 instances using AWS Systems Manager Session Manager and Linux auditd. You will also learn how to safely rotate your audit logs and push them to Amazon CloudWatch for centralized visibility.
What are Audit Logs and why are they important?
Audit logs are detailed records that capture system activities performed by users, services, or processes. These logs typically include:
- Commands executed
- File modifications
- Authentication attempts
- Privilege escalations
- Configuration changes
- User or group updates
Audit logs matter because they:
- Detect Security Breaches
Unauthorized actions such as file deletions, permission changes, or root escalations become immediately visible.
- Support Compliance
Auditors often require detailed system activity logs (ISO 27001, SOC2, PCI DSS).
- Help with Troubleshooting
Audit logs can explain why system configurations changed or who executed a specific command.
- Provide Forensics
During incidents, security teams rely heavily on audit logs to reconstruct events.
How Audit Logs Work on Amazon EC2?
In AWS, Amazon EC2 instances can be accessed in several ways: SSH, Amazon EC2 Instance Connect, or AWS Systems Manager Session Manager. Because of this, AWS offers two powerful mechanisms for capturing audit data:
- AWS SSM Session Manager Logs
AWS Session Manager allows users to access instances without SSH keys, and every action can be logged to:
- Amazon CloudWatch Logs, or
- Amazon S3
SSM logs automatically include:
- The AWS IAM username
- All terminal input and output
- Session start/stop times
- Transcript of commands typed by users
This is ideal for tracking who did what, especially in cloud-native environments.
- auditd Logs (Linux Audit Framework)
auditd is the user-space daemon of the Linux kernel audit framework. It records the events the kernel reports, such as:
- File deletions
- Permission and ownership changes
- Access to sensitive files
- Sudo / privilege escalations
- System configuration updates
- Cron/job modifications
Unlike SSM logs, auditd records system calls at the OS level, including actions performed by scripts, cron jobs, or root users.
How to Enable SSM Session Logging
Step 1: Ensure the Instance Has SSM Agent and AWS IAM Role
Attach an AWS IAM role with the AmazonSSMManagedInstanceCore managed policy.
To enable Amazon CloudWatch streaming, also add the CloudWatchAgentServerPolicy managed policy.
Step 2: Enable Logging in SSM Preferences
Navigate to:
AWS Console → Systems Manager → Session Manager → Preferences
Enable:
- Amazon CloudWatch Logs
- Select Log Group (e.g., /ec2/session-logs)
- Choose to stream the entire session data
Click Save.
Session logs will now automatically appear in Amazon CloudWatch or Amazon S3.
How to Enable auditd Logs?
Step 1: Install auditd
```bash
sudo apt update
sudo apt install auditd audispd-plugins -y
```
Step 2: Add the Recommended auditd Rules
Open the rules file:

```bash
sudo nano /etc/audit/rules.d/audit.rules
```

Add rules such as:

```text
# watch configuration and log directories for writes and attribute changes
-w /etc/ -p wa -k etc_changes
-w /var/log/ -p wa -k log_changes
# record permission, ownership, deletion and rename syscalls on the 64-bit ABI
# (32-bit callers, arch=b32, are not covered by this line)
-a always,exit -F arch=b64 -S chmod,chown,unlink,rename -k file_changes
-w /etc/sudoers -p wa -k sudo_changes
```

Restart auditd to load the new rules:

```bash
sudo service auditd restart
```
Step 3: Verify Logs
```bash
sudo ausearch -k file_changes
```
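The raw records take some joining up: the SYSCALL record of an event names the process and its login UID (auid), and the PATH records of the same event id name the files. This added example (not part of the original article) parses constructed sample records that match the rules above and summarizes each event as who did what to which file; the sample lines and the x86_64 syscall numbers are the only assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real host): two events,
# each a SYSCALL record followed by the PATH record(s) that share its event id.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1733820000.101:2001): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=1200 pid=1234 auid=1001 uid=0 gid=0 euid=0 ses=7 comm="rm" exe="/usr/bin/rm" key="file_changes"
type=PATH msg=audit(1733820000.101:2001): item=0 name="/etc/cron.d/" inode=40 dev=ca:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1733820000.101:2001): item=1 name="/etc/cron.d/backup" inode=41 dev=ca:01 mode=0100644 ouid=0 ogid=0 nametype=DELETE
type=SYSCALL msg=audit(1733820050.222:2002): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="chmod" exe="/usr/bin/chmod" key="file_changes"
type=PATH msg=audit(1733820050.222:2002): item=0 name="/etc/sudoers" inode=42 dev=ca:01 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
"""

# x86_64 (arch=c000003e) numbers of the syscalls named in the article's -S rule.
SYSCALL_NAMES = {82: "rename", 87: "unlink", 90: "chmod", 92: "chown"}
UNSET_UID = 4294967295  # auid is -1 when there is no login session (cron, daemons)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ID_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

def parse_record(line):
    """Split one raw auditd line into its key=value fields plus the event id."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_id"] = ID_RE.search(line).group(1)
    return fields

def summarize_events(raw_log):
    """Join each event's SYSCALL and PATH records into one who-did-what summary."""
    events = defaultdict(list)
    for line in filter(None, raw_log.splitlines()):
        rec = parse_record(line)
        events[rec["_id"]].append(rec)
    summaries = []
    for eid, records in sorted(events.items()):
        sysc = next((r for r in records if r["type"] == "SYSCALL"), None)
        if sysc is None:  # e.g. a lone CWD or PROCTITLE record
            continue
        auid = int(sysc["auid"])
        summaries.append({
            "id": eid,
            "key": sysc.get("key"),
            "syscall": SYSCALL_NAMES.get(int(sysc["syscall"]), sysc["syscall"]),
            "login_uid": "unset (daemon/cron)" if auid == UNSET_UID else auid,
            "exe": sysc.get("exe"),
            "success": sysc.get("success") == "yes",
            # PATH records name the files; nametype=DELETE marks the unlinked entry
            "paths": [(r["name"], r["nametype"]) for r in records if r["type"] == "PATH"],
        })
    return summaries
```

The second sample event has no login UID, which is how cron jobs and daemons show up; the first carries auid=1001, the user who logged in before escalating to root.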
How to Rotate auditd Logs and Push to Amazon CloudWatch?
auditd logs can quickly grow, so rotation is important.
Step 1: Install Amazon CloudWatch Agent
```bash
# download the agent package for Ubuntu on x86_64 (URL from the AWS documentation), then install it
wget https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
sudo dpkg -i amazon-cloudwatch-agent.deb
```
Step 2: Configure Amazon CloudWatch Agent
Create /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json with the following content:

```json
{
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "/var/log/audit/audit.log",
            "log_group_name": "/ec2/auditd",
            "log_stream_name": "{instance_id}"
          }
        ]
      }
    }
  }
}
```
Restart the agent:

```bash
sudo systemctl restart amazon-cloudwatch-agent
```
Step 3: Configure Log Rotation
```bash
sudo nano /etc/logrotate.d/audit
```
Add:

```text
/var/log/audit/audit.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    # auditd keeps its open file descriptor across a reload, so a plain rename
    # would leave it writing to audit.log.1 while the CloudWatch agent tails an
    # empty audit.log; copy the file and truncate it in place instead
    copytruncate
}
```
Now logs rotate every day without losing any entries.
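After the first rotation it is worth confirming that auditd is still writing to the live file the CloudWatch agent tails, because a daemon left holding a renamed file produces a silent gap in the audit trail. The following check (an added example, not from the article) reads the daemon's open files from /proc and reproduces the failure mode on a temporary file; the log path and the process name auditd are the assumptions.

```python
import os
import tempfile

AUDIT_LOG = "/var/log/audit/audit.log"

def open_file_paths(pid):
    """Paths of every file the process has open, read from /proc/<pid>/fd (Linux only)."""
    fd_dir = f"/proc/{pid}/fd"
    paths = set()
    for fd in os.listdir(fd_dir):
        try:
            paths.add(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue  # descriptor closed between listdir and readlink
    return paths

def writes_to_live_log(pid, log_path=AUDIT_LOG):
    """True if the process holds open the file that currently sits at log_path."""
    # After a rename-style rotation the descriptor stays on the old inode, so
    # /proc reports the rotated name (audit.log.1) and this returns False.
    return os.path.realpath(log_path) in open_file_paths(pid)

def auditd_pid():
    """Find auditd by scanning /proc/<pid>/comm; None if it is not running."""
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/comm") as f:
                if f.read().strip() == "auditd":
                    return int(entry)
        except OSError:
            continue  # process exited while we were scanning
    return None

def demo_rotation_gap():
    """Reproduce the gap with this process and a temp file; returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "audit.log")
        with open(path, "a"):  # hold the file open like a logging daemon does
            before = writes_to_live_log(os.getpid(), path)
            os.rename(path, path + ".1")  # what a rename-style rotation does
            after = writes_to_live_log(os.getpid(), path)
    return before, after

if __name__ == "__main__":
    print("self-test (before, after rename):", demo_rotation_gap())
    pid = auditd_pid()
    if pid is not None:
        print("auditd still writes to the live audit.log:", writes_to_live_log(pid))
```

Run it as root on the instance after the first logrotate pass; a False for the live audit.log means new events are no longer reaching CloudWatch.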
Conclusion
Audit logging is essential for maintaining system security, ensuring compliance, and enabling effective incident response. While AWS provides native logging features through Systems Manager, combining SSM Session Manager logs with Linux auditd provides the most comprehensive and reliable audit coverage.
- SSM logs help you track who executed commands.
- auditd logs help you track what happened on the system.
Together, they provide a robust, cloud-ready audit solution for any organization using Amazon EC2.
FAQs
1. Why do I need both SSM logs and auditd?
ANS: SSM logs provide AWS IAM identity and commands; auditd provides system-level events. Neither alone gives complete visibility.
2. Will auditd slow down my Amazon EC2 instance?
ANS: With optimized rules (as shown above), the performance impact is minimal.
3. Can I track file deletions and permission changes using SSM logs?
ANS: No, only auditd can track kernel-level file operations.
WRITTEN BY Deepak S
Deepak S is a Senior Research Associate at CloudThat, specializing in AWS services. He is passionate about exploring new technologies in cloud and is also an automobile enthusiast.
December 10, 2025