![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/ec2-ssh-alarm.png\")
<\/a><\/figure>\n\n\n\nHow to Detect SSH Access?<\/strong><\/h5>\n\n\n\nThere are a few ways to detect SSH access to your Linux machine. One way is to utilize the system log. For this solution, we will use the log file \/var\/log\/secure<\/em> to detect SSH logins. <\/p>\n\n\n\nFor Linux machines that use the systemd<\/em> service, such as the AMI Linux 2<\/em>, the log file \/v<\/em><\/span>ar\/log\/secure may not exist. The reason is that this log file is generated by the rsyslog service<\/em>, which may not be installed by default. First, we need to install this service. We also need to install the CloudWatch agent, which is not installed by default in the AMI Linux 2<\/em>, and prepare its configuration file to specify<\/span> which log group and log stream to send the SSH logs to.<\/p>\n\n\n\nPrepare the EC2 Instance<\/strong><\/h5>\n\n\n\nIn summary, we have to make the following preparations for our EC2:<\/p>\n\n\n\n
\n- Install, enable and start the rsyslog<\/strong> service.<\/li>\n<\/ol>\n\n\n\n
sudo yum -y install rsyslog\n\nsudo systemctl enable rsyslog\n\nsudo systemctl start rsyslog<\/code><\/pre>\n\n\n\n\n- Install the CloudWatch agent.<\/li>\n<\/ol>\n\n\n\n
yum install amazon-cloudwatch-agent<\/code><\/pre>\n\n\n\n\n- Create the CloudWatch configuration file. You can create the configuration file manually or use the configuration wizard. Name the file as config.json<\/strong>.<\/li>\n<\/ol>\n\n\n\n
To start the configuration wizard, enter the following:<\/p>\n\n\n\n
sudo \/opt\/aws\/amazon-cloudwatch-agent\/bin\/amazon-cloudwatch-agent-config-wizard<\/code><\/pre>\n\n\n\nBelow is a snippet of the configuration file that we use in the sample EC2 resource, which we will build later using a CloudFormation template.<\/p>\n\n\n\n
{\n \"agent\": {\n \"metrics_collection_interval\": 60,\n \"run_as_user<\/strong>\": \"cwagent\"\n },\n \"logs\": {\n \"logs_collected\": {\n \"files\": {\n \"collect_list\": [\n {\n \"file_path\": \"\/var\/log\/secure\",\n \"log_group_class\": \"STANDARD\",\n \"log_group_name<\/strong>\": \"${LogGroupName}<\/strong>\",\n \"log_stream_name\": \"{instance_id}\",\n \"retention_in_days\": -1\n }\n ]\n }\n }\n },\n:\n:<\/code><\/pre>\n\n\n\nTwo of the fields that you need to decide are the (1) run_as_user<\/strong>, which specifies a user to use to run the CloudWatch agent, and (2) log_group_name<\/strong>, which specifies what to use as the log group name in CloudWatch Logs. Since the above configuration is part of a CloudFormation template, and the log_group_name<\/em> is set as a variable that will be replaced by Fn::Sub<\/code> with a parameter value.<\/p>\n\n\n\nPlease take note that it is essential to keep the value of the log_stream_name<\/strong> to {instance_id}. <\/strong>This value will be used to identify the instance ID where an SSH login took place.<\/p>\n\n\n\n\n- If you manually created the configuration file, copy it to its proper location and set its owner to root<\/em> and its access permission to 0644<\/em>. If you use the configuration wizard, the file should already be in the appropriate location with the right owner and access permission settings.<\/li>\n<\/ol>\n\n\n\n
sudo cp config.json \/opt\/aws\/amazon-cloudwatch-agent\/bin\/config.json\n\nsudo chmod 0644 \/opt\/aws\/amazon-cloudwatch-agent\/bin\/config.json\n\nsudo chown root:root \/opt\/aws\/amazon-cloudwatch-agent\/bin\/config.json<\/code><\/pre>\n\n\n\n\n- If you set the CloudWatch agent to run as a non-root user (e.g., cwagent), you need to grant access to the \/var\/log\/secure file. You can do this by modifying the file’s ACL.<\/li>\n<\/ol>\n\n\n\n
sudo setfacl -m u:cwagent:rx \/var\/log\/secure<\/code><\/pre>\n\n\n\n\n- Start the CloudWatch agent.<\/li>\n<\/ol>\n\n\n\n
sudo \/opt\/aws\/amazon-cloudwatch-agent\/bin\/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:\/opt\/aws\/amazon-cloudwatch-agent\/bin\/config.json<\/code><\/pre>\n\n\n\nThe Lambda Function<\/strong><\/h5>\n\n\n\nThe Lambda function is the service responsible for sending notifications, via SNS, and terminating the EC2 instance. The Lambda function will receive a message from the CloudWatch subscription filter in the following format: { \"awslogs\": {\"data\": \"BASE64ENCODED_GZIP_COMPRESSED_DATA\"} }<\/strong><\/code><\/p>\n\n\n\nThe Lambda function has to decompress the data<\/em> payload, which will yield the raw data formatted as JSON with the following structure:<\/p>\n\n\n\n{\n \"messageType\": \"DATA_MESSAGE\",\n \"owner\": \"123456789012\",\n \"logGroup\": \"\/aws\/ec2\/ssh-attempts\",\n \"logStream<\/strong>\": \"i-0ffe4156be759fb9e\",\n \"subscriptionFilters\": [\n \"SshAccessFilter\"\n ],\n \"logEvents\": [\n {\n \"id\": \"39081747012568859428767625513120880010897834134375366656\",\n \"timestamp\": 1752486146299,\n \"message<\/strong>\": \"Jul 14 09:42:21<\/strong> ip-172-31-34-86 <\/strong>sshd[2374]: pam_unix(sshd:session): session opened for user ec2-user<\/strong>(uid=1000) by (uid=0)\",\n \"extractedFields\": {\n \"mm\": \"Jul\",\n \"dd\": \"14\",\n \"ip\": \"ip-172-31-34-86\",\n \"text1\": \"session\",\n \"text2\": \"opened for user ec2-user(uid=1000) by (uid=0)\",\n \"time\": \"09:42:21\",\n \"cmd\": \"sshd[2374]:\",\n \"pam\": \"pam_unix(sshd:session):\"\n }\n }\n ]\n}<\/code><\/pre>\n\n\n\nThe key elements that will be used by the Lambda function in this raw data are:<\/p>\n\n\n\n
\n- logStream<\/strong>\u00a0<\/span>
This field will contain the instance ID that generates the log, and the Lambda function will use this to identify the EC2 instance that needs to be terminat<\/span>ed. This is the result of setting the log_stream_name<\/strong> field in the CloudWatch configuration file to the value of {instance_id}<\/strong>.
<\/li>\n\n\n\n- message<\/strong>
This field will provide information such as the source IP, the date and time of access, and the user who logged in.<\/li>\n<\/ul>\n\n\n\nThe CloudWatch Subscription Filter<\/strong><\/h5>\n\n\n\nThe CloudWatch subscription filter will not send the entire log to the Lambda function. Instead, only a particular log record is sent. This record is a record of a successful login and is identified by the string pattern “opened for user*<\/em><\/strong>“. The CloudWatch subscription filter will apply the following filter pattern:<\/p>\n\n\n\n[mm, dd, time, ip, cmd, pam=\"pam_unix(sshd:session):\", text1=session, text2=\"opened for user*\" ]<\/code><\/pre>\n\n\n\nThe Sample Infrastructure<\/strong><\/h5>\n\n\n\nThis CloudFormation template<\/a> creates the sample infrastructure that demonstrates the<\/span> solution described above. The template will create the following AWS services:<\/p>\n\n\n\n\n- An EC2 instance with a public IP using an AMI Linux 2. The template will automatically install the CloudWatch agent and the rsyslog service. It will also copy a CloudWatch agent configuration file. The EC2 instance profile will be configured to allow you to connect to the instance using the System Manager.
<\/li>\n\n\n\n - A Lambda function. Note that the Lambda function will not terminate the instance but only stop it. The reason is to allow you to perform multiple tests on the same instance.
<\/li>\n\n\n\n - A CloudWatch log group
<\/li>\n\n\n\n - A CloudWatch subscription filter.<\/li>\n<\/ol>\n\n\n\n
The template is written using the SAM model and must therefore be deployed accordingly. Hence, to deploy the template, use the following command:<\/p>\n\n\n\n
sam build\n\nsam deploy --parameter-overrides ParameterKey=SubnetId,ParameterValue=subnet-12345 ParameterKey=SecurityGroupId,ParameterValue=sg-12345 ParameterKey=EC2Name,ParameterValue=TestEC2 ParameterKey=SNSTopic,ParameterValue=MySNS <\/code><\/pre>\n\n\n\nThe template expects the following parameters to be supplied:<\/p>\n\n\n\n
\n- SubnetId<\/strong> – This subnet must be a public subnet. <\/li>\n\n\n\n
- SecurityGroupId<\/strong> – The security group must open port 22 for SSH access.<\/li>\n\n\n\n
- EC2Name<\/strong> – The name of the EC2 where an SSH will be performed.<\/li>\n\n\n\n
- SNSTopic<\/strong> – The SNS topic where the notification will be sent. The SNS topic is not created in the template. You have to create it separately.<\/li>\n<\/ul>\n\n\n\n
The rest of the parameters are optional and will have the following default value if not supplied:<\/p>\n\n\n\n
\n- AmiId<\/strong> – default to al2023-ami-kernel-6.1-x86_64<\/li>\n\n\n\n
- LogGroupName<\/strong> – default to \/aws\/ec2\/ssh-attempts<\/li>\n\n\n\n
- LogLevel<\/strong> – This is the Lambda log level, which defaults to INFO.<\/li>\n<\/ul>\n\n\n\n
Testing the Sample Infrastructure<\/strong><\/h5>\n\n\n\nTo test the infrastructure, connect to the EC2 using the EC2 Instance Connect.<\/strong> You cannot use an SSH client because the template will not generate any key pairs.<\/p>\n\n\n\n![\"\"](\"http:\/\/mylinuxsite.com\/wordpress\/wp-content\/uploads\/2025\/07\/Screenshot-from-2025-07-15-22-06-01-1024x354.png\")
<\/a><\/figure>\n\n\n\n
For Linux machines that use the systemd<\/em> service, such as the AMI Linux 2<\/em>, the log file \/v<\/em><\/span>ar\/log\/secure may not exist. The reason is that this log file is generated by the rsyslog service<\/em>, which may not be installed by default. First, we need to install this service. We also need to install the CloudWatch agent, which is not installed by default in the AMI Linux 2<\/em>, and prepare its configuration file to specify<\/span> which log group and log stream to send the SSH logs to.<\/p>\n\n\n\n In summary, we have to make the following preparations for our EC2:<\/p>\n\n\n\n To start the configuration wizard, enter the following:<\/p>\n\n\n\n Below is a snippet of the configuration file that we use in the sample EC2 resource, which we will build later using a CloudFormation template.<\/p>\n\n\n\n Two of the fields that you need to decide are the (1) run_as_user<\/strong>, which specifies a user to use to run the CloudWatch agent, and (2) log_group_name<\/strong>, which specifies what to use as the log group name in CloudWatch Logs. Since the above configuration is part of a CloudFormation template, and the log_group_name<\/em> is set as a variable that will be replaced by Please take note that it is essential to keep the value of the log_stream_name<\/strong> to {instance_id}. <\/strong>This value will be used to identify the instance ID where an SSH login took place.<\/p>\n\n\n\n The Lambda function is the service responsible for sending notifications, via SNS, and terminating the EC2 instance. The Lambda function will receive a message from the CloudWatch subscription filter in the following format: The Lambda function has to decompress the data<\/em> payload, which will yield the raw data formatted as JSON with the following structure:<\/p>\n\n\n\n The key elements that will be used by the Lambda function in this raw data are:<\/p>\n\n\n\n The CloudWatch subscription filter will not send the entire log to the Lambda function. Instead, only a particular log record is sent. This record is a record of a successful login and is identified by the string pattern “opened for user*<\/em><\/strong>“. The CloudWatch subscription filter will apply the following filter pattern:<\/p>\n\n\n\n This CloudFormation template<\/a> creates the sample infrastructure that demonstrates the<\/span> solution described above. The template will create the following AWS services:<\/p>\n\n\n\n The template is written using the SAM model and must therefore be deployed accordingly. Hence, to deploy the template, use the following command:<\/p>\n\n\n\n The template expects the following parameters to be supplied:<\/p>\n\n\n\n The rest of the parameters are optional and will have the following default value if not supplied:<\/p>\n\n\n\n To test the infrastructure, connect to the EC2 using the EC2 Instance Connect.<\/strong> You cannot use an SSH client because the template will not generate any key pairs.<\/p>\n\n\n\nPrepare the EC2 Instance<\/strong><\/h5>\n\n\n\n
\n
sudo yum -y install rsyslog\n\nsudo systemctl enable rsyslog\n\nsudo systemctl start rsyslog<\/code><\/pre>\n\n\n\n\n
yum install amazon-cloudwatch-agent<\/code><\/pre>\n\n\n\n\n
sudo \/opt\/aws\/amazon-cloudwatch-agent\/bin\/amazon-cloudwatch-agent-config-wizard<\/code><\/pre>\n\n\n\n{\n \"agent\": {\n \"metrics_collection_interval\": 60,\n \"run_as_user<\/strong>\": \"cwagent\"\n },\n \"logs\": {\n \"logs_collected\": {\n \"files\": {\n \"collect_list\": [\n {\n \"file_path\": \"\/var\/log\/secure\",\n \"log_group_class\": \"STANDARD\",\n \"log_group_name<\/strong>\": \"${LogGroupName}<\/strong>\",\n \"log_stream_name\": \"{instance_id}\",\n \"retention_in_days\": -1\n }\n ]\n }\n }\n },\n:\n:<\/code><\/pre>\n\n\n\nFn::Sub<\/code> with a parameter value.<\/p>\n\n\n\n\n
sudo cp config.json \/opt\/aws\/amazon-cloudwatch-agent\/bin\/config.json\n\nsudo chmod 0644 \/opt\/aws\/amazon-cloudwatch-agent\/bin\/config.json\n\nsudo chown root:root \/opt\/aws\/amazon-cloudwatch-agent\/bin\/config.json<\/code><\/pre>\n\n\n\n\n
sudo setfacl -m u:cwagent:rx \/var\/log\/secure<\/code><\/pre>\n\n\n\n\n
sudo \/opt\/aws\/amazon-cloudwatch-agent\/bin\/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:\/opt\/aws\/amazon-cloudwatch-agent\/bin\/config.json<\/code><\/pre>\n\n\n\nThe Lambda Function<\/strong><\/h5>\n\n\n\n
{ \"awslogs\": {\"data\": \"BASE64ENCODED_GZIP_COMPRESSED_DATA\"} }<\/strong><\/code><\/p>\n\n\n\n{\n \"messageType\": \"DATA_MESSAGE\",\n \"owner\": \"123456789012\",\n \"logGroup\": \"\/aws\/ec2\/ssh-attempts\",\n \"logStream<\/strong>\": \"i-0ffe4156be759fb9e\",\n \"subscriptionFilters\": [\n \"SshAccessFilter\"\n ],\n \"logEvents\": [\n {\n \"id\": \"39081747012568859428767625513120880010897834134375366656\",\n \"timestamp\": 1752486146299,\n \"message<\/strong>\": \"Jul 14 09:42:21<\/strong> ip-172-31-34-86 <\/strong>sshd[2374]: pam_unix(sshd:session): session opened for user ec2-user<\/strong>(uid=1000) by (uid=0)\",\n \"extractedFields\": {\n \"mm\": \"Jul\",\n \"dd\": \"14\",\n \"ip\": \"ip-172-31-34-86\",\n \"text1\": \"session\",\n \"text2\": \"opened for user ec2-user(uid=1000) by (uid=0)\",\n \"time\": \"09:42:21\",\n \"cmd\": \"sshd[2374]:\",\n \"pam\": \"pam_unix(sshd:session):\"\n }\n }\n ]\n}<\/code><\/pre>\n\n\n\n\n
This field will contain the instance ID that generates the log, and the Lambda function will use this to identify the EC2 instance that needs to be terminat<\/span>ed. This is the result of setting the log_stream_name<\/strong> field in the CloudWatch configuration file to the value of {instance_id}<\/strong>.
<\/li>\n\n\n\n
This field will provide information such as the source IP, the date and time of access, and the user who logged in.<\/li>\n<\/ul>\n\n\n\nThe CloudWatch Subscription Filter<\/strong><\/h5>\n\n\n\n
[mm, dd, time, ip, cmd, pam=\"pam_unix(sshd:session):\", text1=session, text2=\"opened for user*\" ]<\/code><\/pre>\n\n\n\nThe Sample Infrastructure<\/strong><\/h5>\n\n\n\n
\n
<\/li>\n\n\n\n
<\/li>\n\n\n\n
<\/li>\n\n\n\nsam build\n\nsam deploy --parameter-overrides ParameterKey=SubnetId,ParameterValue=subnet-12345 ParameterKey=SecurityGroupId,ParameterValue=sg-12345 ParameterKey=EC2Name,ParameterValue=TestEC2 ParameterKey=SNSTopic,ParameterValue=MySNS <\/code><\/pre>\n\n\n\n\n
\n
Testing the Sample Infrastructure<\/strong><\/h5>\n\n\n\n
<\/a><\/figure>\n\n\n\n