
Monitor EC2 SSH Logins in Real Time Using CloudWatch Agent

This guide shows how to use AWS CLI and CloudWatch Agent to automatically collect, centralize, and alert on EC2 SSH login events, providing a reproducible security‑audit solution that turns invisible system activity into searchable, actionable cloud data.

Ops Development & AI Practice

Introduction

In cloud environments, an EC2 instance hosts many services, but knowing who accessed the instance and when is crucial for security auditing. SSH login events are key indicators of both legitimate and malicious activity, yet by default CloudWatch only collects performance metrics, not OS logs.

Core Idea

The solution is to deploy the CloudWatch Agent on the EC2 instance so that it forwards OS‑level logs (e.g., /var/log/secure or /var/log/auth.log) to CloudWatch Logs, where they can be searched and used to trigger alarms.

Step 1 – Create an IAM Role (Authorization)

Create a trust policy

# Create a trust policy file trust-policy.json
echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}' > trust-policy.json

Create the role

aws iam create-role --role-name EC2-CloudWatch-Agent-Role --assume-role-policy-document file://trust-policy.json

Attach the required policy

aws iam attach-role-policy --role-name EC2-CloudWatch-Agent-Role --policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy

Create an instance profile and bind the role

# Create instance profile
aws iam create-instance-profile --instance-profile-name EC2-CloudWatch-Agent-Profile
# Add role to profile
aws iam add-role-to-instance-profile --instance-profile-name EC2-CloudWatch-Agent-Profile --role-name EC2-CloudWatch-Agent-Role
# Associate profile with the EC2 instance (replace i-xxxxxxxxxxxx)
aws ec2 associate-iam-instance-profile --instance-id i-xxxxxxxxxxxx --iam-instance-profile Name=EC2-CloudWatch-Agent-Profile

Tip: When launching a new instance, you can select the IAM instance profile in the “Advanced Details” section of the launch wizard.

Step 2 – Install and Configure the Agent

Install the CloudWatch Agent

sudo yum install amazon-cloudwatch-agent -y

Create the agent configuration file

Create cw-agent-config.json on the instance. The JSON tells the agent which log file to collect and where to send it. For SSH logs, use /var/log/secure on Amazon Linux/CentOS/RHEL or /var/log/auth.log on Debian/Ubuntu, and send them to a log group such as /ec2/ssh-login-logs.

Tip: Use log_stream_name: {instance_id} so each instance gets its own log stream.
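The article describes cw-agent-config.json but does not print it; the following is an added example (not from the article) that emits a collect_list entry for the SSH log, picking /var/log/secure or /var/log/auth.log by what the host has. The log group name is the article's; the 90-day retention_in_days value is an assumption.

```shell
# Added example (not from the article): generate the CloudWatch Agent config
# the article describes. Log group name taken from the article.
LOG_GROUP=/ec2/ssh-login-logs

# ssh_log_path: print the sshd auth log for this host, or fail if none is readable
# (the log is root-only, so run this as root like the agent itself).
ssh_log_path() {
  if [ -r /var/log/secure ]; then
    echo /var/log/secure          # Amazon Linux, CentOS, RHEL
  elif [ -r /var/log/auth.log ]; then
    echo /var/log/auth.log        # Debian, Ubuntu
  else
    echo "no readable sshd auth log found (run as root?)" >&2
    return 1
  fi
}

# write_cw_agent_config LOG_PATH LOG_GROUP: print the agent config for that file.
# {instance_id} is expanded by the agent itself, so each instance gets its own stream.
# timestamp_format matches the syslog prefix ("Oct  5 12:01:02"); retention_in_days
# stops CloudWatch from keeping the group forever (90 is an assumed value).
write_cw_agent_config() {
  cat <<EOF
{
  "logs": {
    "logs_collected": {
      "files": {
        "collect_list": [
          {
            "file_path": "$1",
            "log_group_name": "$2",
            "log_stream_name": "{instance_id}",
            "timestamp_format": "%b %d %H:%M:%S",
            "retention_in_days": 90
          }
        ]
      }
    }
  }
}
EOF
}

# Usage on the instance:
#   write_cw_agent_config "$(ssh_log_path)" "$LOG_GROUP" > cw-agent-config.json
```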

Step 3 – Start the Agent and Verify

Start the agent with the configuration

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
  -a fetch-config -m ec2 -c file:./cw-agent-config.json -s

Successful output includes “Successfully fetched config” and “amazon-cloudwatch-agent has been started”.

Validate the logs

SSH into the instance from another machine.

Open the AWS console, go to CloudWatch → Log Groups, and open the /ec2/ssh-login-logs group.

Select the log stream named after your instance ID; you should see entries containing “Accepted password” or “Accepted publickey”.

Advanced – Create an Alarm for Successful Logins

In the /ec2/ssh-login-logs log group, choose “Actions → Create metric filter”.

Filter pattern: "Accepted publickey" OR "Accepted password" to match successful SSH logins.

Test the pattern against a recent log stream.

Assign a metric: name it SuccessfulSSHLogins.

Create an alarm: trigger when SuccessfulSSHLogins ≥ 1 within 1 minute, and attach an SNS topic to send email or SMS notifications.

With this alarm in place, you receive an email within minutes every time someone logs into the EC2 instance.
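To see what the metric filter will count before wiring the alarm, here is an added example (not from the article) that runs the article's two phrases over constructed sshd log lines in /var/log/secure format, pulls out the user, source address and auth method for each accepted login, and adds a per-source failed-login counter as the usual companion metric. Note that CloudWatch's own filter syntax writes alternation with a leading ? on each quoted term, i.e. ?"Accepted publickey" ?"Accepted password"; the sample addresses are documentation ranges, not real hosts.

```shell
# Added example (not from the article). SAMPLE_LOG is constructed test data in
# /var/log/secure (sshd) format.
SAMPLE_LOG='Oct  5 12:01:02 ip-10-0-0-5 sshd[2201]: Accepted publickey for ec2-user from 203.0.113.10 port 51234 ssh2: RSA SHA256:EXAMPLEKEY
Oct  5 12:01:09 ip-10-0-0-5 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Oct  5 12:01:11 ip-10-0-0-5 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Oct  5 12:02:30 ip-10-0-0-5 sshd[2222]: Accepted password for deploy from 192.0.2.44 port 50120 ssh2
Oct  5 12:02:30 ip-10-0-0-5 sshd[2222]: pam_unix(sshd:session): session opened for user deploy by (uid=0)'

# successful_logins LOG: one "user source-ip method" line per log line the metric
# filter would match (the same two phrases the article uses).
successful_logins() {
  printf '%s\n' "$1" | grep -E 'Accepted (publickey|password) for ' |
    sed -E 's/.*Accepted (publickey|password) for ([^ ]+) from ([^ ]+).*/\2 \3 \1/'
}

# count_successful_logins LOG: the value the SuccessfulSSHLogins metric would carry
# for this batch of lines.
count_successful_logins() {
  successful_logins "$1" | wc -l | tr -d ' '
}

# failed_logins_by_source LOG: "count source-ip" per address, the usual next metric
# (a burst of failures from one address is a password-guessing signal).
failed_logins_by_source() {
  printf '%s\n' "$1" | grep -E 'Failed password for ' |
    sed -E 's/.* from ([^ ]+) port .*/\1/' | sort | uniq -c | tr -s ' ' | sed 's/^ //'
}
```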

Conclusion

By combining AWS CLI commands with CloudWatch Agent, you can build an automated, repeatable monitoring pipeline for EC2 SSH login events, turning otherwise invisible system activity into searchable, alertable cloud data. The setup can be extended to archive logs to S3 or feed them into OpenSearch, Splunk, or other analytics tools for deeper investigation.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: CLI, AWS, security monitoring, SSH, EC2, CloudWatch, CloudWatch Agent

Written by

Ops Development & AI Practice

DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.
