Compliance Medium severity

AWS Security Hub · SSM

SSM.6: SSM Automation runs are not logged

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub SSM.6 check?

SSM.6 fails when Systems Manager Automation is not configured to send the output of its script steps to CloudWatch Logs. Without that preference, Automation keeps only its execution history (per-step status, inputs and outputs, retrievable with get-automation-execution); the stdout/stderr produced by aws:executeScript steps is not retained anywhere. The preference is set per account and per Region, so an account can be compliant in one Region and failing in another.

Why does SSM.6 matter?

A single Automation document can patch a thousand instances, rotate keys, or modify infrastructure across the fleet. When a run misfires, because of wrong targets, a bad parameter, or a stale role, the question "what did it actually do?" needs an answer in minutes, and the execution summary in the console will not provide it. Audit-logging requirements such as SOC 2 CC7.2, ISO 27001 A.12.4, HIPAA 164.312(b), and PCI DSS 10.2 all expect changes to production systems to be logged and reviewable, and unlogged Automation script output is a gap an auditor will flag.

How do I fix SSM.6?

  1. Create or choose a CloudWatch Logs group for Automation output. Do this in every Region where Automation runs, because the preference is Region-scoped.
  2. In Systems Manager, open Automation > Preferences, enable sending output to CloudWatch Logs, and select that log group.
  3. Give the Automation assume role (the role your runbooks execute under) logs:CreateLogStream and logs:PutLogEvents on that log group, scoped to the group rather than to "*".
  4. Set a retention period on the log group and forward it to your SIEM. Then verify: run a runbook that contains an aws:executeScript step and confirm a log stream appears in the group; a saved preference with no log streams usually means the role lacks write permission.
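The four steps above as one script. This is an added example, not the page's own remediation script: the log group name, the role name and the retention period are placeholders supplied through environment variables, and the script only calls the AWS APIs when SSM6_APPLY=1 is set so the helper functions can be exercised without credentials. It uses the two Automation service settings (customer-script-log-destination and customer-script-log-group-name) that back the console preference.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): make Systems Manager Automation
# send script-step output to CloudWatch Logs, the setting SSM.6 checks.
# Placeholders (assumptions, override via environment):
#   LOG_GROUP  - CloudWatch Logs group that receives Automation output
#   ROLE_NAME  - the Automation assume role your runbooks execute under
#   RETENTION  - retention in days for the log group
# The service settings are per account and per Region; run once per Region.
set -eu

LOG_GROUP="${LOG_GROUP:-/aws/ssm/automation}"
ROLE_NAME="${ROLE_NAME:-AutomationAssumeRole}"
RETENTION="${RETENTION:-90}"

# Service-setting IDs behind "Automation > Preferences > Send output to CloudWatch Logs".
DEST_SETTING="/ssm/automation/customer-script-log-destination"
GROUP_SETTING="/ssm/automation/customer-script-log-group-name"

# Least-privilege inline policy for the Automation role: write access to
# this one log group and its streams only, not logs:* on "*".
logs_policy_doc() {
  account="$1"; region="$2"; group="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:${region}:${account}:log-group:${group}:*"
  }]
}
EOF
}

# Compliance decision from the two setting values: destination must be
# CloudWatch AND a real log group name must be set (the default is None).
is_compliant() {
  dest="$1"; group="$2"
  [ "$dest" = "CloudWatch" ] && [ -n "$group" ] && [ "$group" != "None" ]
}

current_setting() {
  aws ssm get-service-setting --setting-id "$1" \
    --query 'ServiceSetting.SettingValue' --output text
}

remediate() {
  account="$(aws sts get-caller-identity --query Account --output text)"
  region="${AWS_REGION:-$(aws configure get region)}"

  # 1. Log group with bounded retention (create only if it does not exist).
  if ! aws logs describe-log-groups --log-group-name-prefix "$LOG_GROUP" \
        --query "logGroups[?logGroupName=='$LOG_GROUP'] | length(@)" \
        --output text | grep -qx '[1-9][0-9]*'; then
    aws logs create-log-group --log-group-name "$LOG_GROUP"
  fi
  aws logs put-retention-policy --log-group-name "$LOG_GROUP" \
    --retention-in-days "$RETENTION"

  # 2. Automation preferences: destination and target group.
  aws ssm update-service-setting --setting-id "$DEST_SETTING" --setting-value CloudWatch
  aws ssm update-service-setting --setting-id "$GROUP_SETTING" --setting-value "$LOG_GROUP"

  # 3. Let the Automation role write into the group.
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name ssm-automation-cloudwatch-logs \
    --policy-document "$(logs_policy_doc "$account" "$region" "$LOG_GROUP")"

  # 4. Verify the settings took effect before calling the control fixed.
  if is_compliant "$(current_setting "$DEST_SETTING")" "$(current_setting "$GROUP_SETTING")"; then
    echo "SSM.6: Automation script output now logged to $LOG_GROUP in $region"
  else
    echo "SSM.6: preference did not take effect; check ssm:UpdateServiceSetting permissions" >&2
    return 1
  fi
}

# Only touch AWS when explicitly asked; otherwise the functions above are
# available for inspection or testing.
if [ "${SSM6_APPLY:-0}" = "1" ]; then
  remediate
fi
```

After running it, forward the log group to the SIEM with a subscription filter or the same export path you use for other CloudWatch log groups; that step is deliberately left out because it depends on the destination. Run a runbook containing an aws:executeScript step afterwards and confirm a stream appears in the group, since a saved preference with no streams normally points at the role policy.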


Full walkthrough (console steps, edge cases and verification) in the lesson Enable application and API logging.

Part of the learning path See what's happening
  • SSM.1 Instances are not managed by Systems Manager, so no patching or audit
  • SSM.2 Instances are missing security patches
  • SSM.3 SSM associations are non-compliant
  • SSM.4 SSM documents can be shared publicly
  • SSM.7 SSM documents can be shared publicly