hands-on lab

Monitor Amazon CloudWatch Security Logs for failed SSH attempts

Up to 1h 30m
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


Security is a significant issue for the technical sector, and the public cloud is no exception to that. If you Google "top cloud security concerns" one of the top articles is from Information Week titled 9 Worst Cloud Security Threats. The section on Account or Service Traffic Hijacking states:

An intruder with control over a user account can eavesdrop on transactions, manipulate data, provide false and business-damaging responses to customers, and redirect customers to a competitor's site or inappropriate sites.

This lab is germane to the quote above. In this lab, you will configure an EC2 instance to use the CloudWatch agent so it can deliver the security log file to Amazon CloudWatch. A CloudWatch Log Group and Log Stream will be automatically created for you. By monitoring the security log file for a specific type of potential breach (based on a pattern), CloudWatch will proactively send an email notification to your email. You will also configure Amazon Simple Notification Service (SNS) as the communication channel for the notification.

Although this lab focuses on failed SSH attempts, there is a broader application that should be recognized, including how CloudWatch can be utilized in many different ways for many different logs or infrastructure metrics. 

Learning objectives

Upon completion of this lab, you will be able to:

  • Configure an EC2 instance to use the CloudWatch log agent
  • Verify the log agent status
  • Locate key security-related log files and view them on the EC2 instance
  • Create a Simple Notification Service (SNS) topic and subscribe to it
  • Use CloudWatch to monitor a log stream for a specific pattern (invalid SSH users) and send a notification via SNS


You should be familiar with:

  • Basic security, log file, and SSH concepts
  • Using the Linux command line is not required but helpful

Lab environment

Before completing the lab instructions the environment will look as follows:

  • An EC2 instance with the CloudWatch Log Agent configured and running 
  • A custom IAM Role with a Policy that allows the EC2 instance to communicate with Amazon CloudWatch

After completing the lab instructions the environment should look similar to:



June 27th, 2023 - Resolved an issue that caused the lab to fail to provision on rare occasions

April 12th, 2023 - Updated the lab instructions to match the latest user interface changes

June 1st, 2022 - Migrated to EC2 instance connect and updated the instructions and screenshots to reflect the latest UI

July 29th, 2020 - Updated lab instructions for more consistent formatting and resolved an issue causing the lag agent to fail to start

July 18th, 2019 - Improved the validation Lab Step to further check the work you perform in the Lab

January 10th, 2019 - Added a validation Lab Step to check the work you perform in the Lab

About the author

Logan Rakai, opens in a new tab
Lead Content Developer - Labs
Learning paths

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

LinkedIn, Twitter, GitHub

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Connecting to the Virtual Machine Using EC2 Instance Connect
Confirming CloudWatch Agent Setup, CloudWatch Log Group and Log Stream creation
Creating an SNS Topic for SSH failures
Creating a Subscription and subscribing to the SSH failure Topic
Creating an Alarm for SSH failures