# AWS

### **Step 1: Create a CloudTrail Trail and a CloudTrail Lake Event Data Store**

> Note: AWS CloudTrail is enabled by default for all AWS accounts, capturing management events in the Event history. However, to [retain logs beyond 90 days](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html#event-history-limitations) and to integrate with services like P0, you will need to create a trail that delivers queryable logs to an Amazon S3 bucket.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-f7bb5ae209084a58724dee13f1a41849196e4078%2FScreenshot%202025-05-20%20at%209.40.57%E2%80%AFPM.png?alt=media" alt=""><figcaption><p>Enabling a CloudTrail trail allows more flexibility than the default logging settings.</p></figcaption></figure>

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-32296b59c42a4fab103d7d576fdc2f6a0de3291f%2FScreenshot%202025-05-20%20at%209.38.14%E2%80%AFPM.png?alt=media" alt=""><figcaption><p>CloudTrail Lake allows you to run SQL-based queries on events.</p></figcaption></figure>

1. **Sign in** to the AWS Management Console and open the [CloudTrail console](https://console.aws.amazon.com/cloudtrail/).
2. Refer to [AWS's official documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) for up-to-date instructions on creating a trail and the accompanying CloudTrail Lake event data store.
3. After creation, **copy the ARN** of the event data store for integration with P0.

### **Step 2: Integrate CloudTrail with P0** <a href="#id-6e974fe1-e164-4738-b8c2-a8c14de22e9b" id="id-6e974fe1-e164-4738-b8c2-a8c14de22e9b"></a>

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2F8jp4v6x8B1cMMNd5050e%2Fsession-recording-install-demo.mp4?alt=media&token=22f54e0f-c6b4-4081-ba2d-fcdaf5855263>" %}
Add AWS Access Logging Installation
{% endembed %}

#### **A. Adding a New AWS Account in P0** <a href="#f48495ec-2a34-482f-ada8-ca929eb8ba0a" id="f48495ec-2a34-482f-ada8-ca929eb8ba0a"></a>

1. In P0, navigate to **Integrations** > **AWS** > **Access Logging**.
2. Click **Add account**.
3. Select your AWS account identifier (the account must already have been set up with IAM Management).
4. Paste the **CloudTrail Lake Event Data Store ARN** copied earlier.
5. Click **Next**. P0 will provide setup instructions, including Shell and Terraform options.

#### **B. Apply the IAM Role Policy** <a href="#id-7583ea12-5b5a-4904-92ff-645495f0625b" id="id-7583ea12-5b5a-4904-92ff-645495f0625b"></a>

1. Use the AWS CLI or CloudShell to run the `aws iam put-role-policy` command provided by P0.
   * This command grants the P0 Service Account permissions to query the specified CloudTrail Lake event data store.
   * This feature requires the `StartQuery` and `GetQueryResults` actions on the CloudTrail Lake event data store, in addition to `GetRole` and `GetRolePolicy` from IAM.
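The following is an added example, not the command P0 generates for you: it builds an inline policy that grants exactly the four actions listed above, scopes the query actions to the one event data store and the IAM read actions to the service role, and applies it with `aws iam put-role-policy`. The role name and the event data store ARN are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example; the role name and event data store ARN below are placeholders.
ROLE_NAME="${ROLE_NAME:-P0ServiceRole}"   # hypothetical name of the P0 service role
EDS_ARN="${EDS_ARN:-arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE-EDS-ID}"

# Accept only an event data store ARN, so a trail or S3 ARN pasted by mistake is rejected.
is_eds_arn() {
  case "$1" in
    arn:aws:cloudtrail:*:*:eventdatastore/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the policy document. Query actions are limited to the given event data
# store; the IAM read actions are limited to the role the policy is attached to.
policy_document() {
  eds_arn="$1"; role_name="$2"
  account=$(printf '%s' "$eds_arn" | cut -d: -f5)   # account id is field 5 of the ARN
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "P0QueryCloudTrailLake",
      "Effect": "Allow",
      "Action": ["cloudtrail:StartQuery", "cloudtrail:GetQueryResults"],
      "Resource": "${eds_arn}"
    },
    {
      "Sid": "P0ReadOwnRolePolicy",
      "Effect": "Allow",
      "Action": ["iam:GetRole", "iam:GetRolePolicy"],
      "Resource": "arn:aws:iam::${account}:role/${role_name}"
    }
  ]
}
EOF
}

# Attach the policy, then read it back to confirm it landed on the role.
apply_policy() {
  is_eds_arn "$EDS_ARN" || { echo "not an event data store ARN: $EDS_ARN" >&2; return 1; }
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name P0AccessLogging \
    --policy-document "$(policy_document "$EDS_ARN" "$ROLE_NAME")"
  aws iam get-role-policy --role-name "$ROLE_NAME" --policy-name P0AccessLogging
}

# Print the document by default; only call AWS when run as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then apply_policy; else policy_document "$EDS_ARN" "$ROLE_NAME"; fi
```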

### **Step 3: Viewing Sessions in P0** <a href="#a443529c-e368-488e-99db-02764834784f" id="a443529c-e368-488e-99db-02764834784f"></a>

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2F2Vz9DiceJTYVcMZPjIir%2Fsession-recording-search-demo.mp4?alt=media&token=02edbc17-ce53-44ea-b179-ab404fe56e4f>" %}
Search Logs
{% endembed %}

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2FYWZ4F4pVKm4pxss2Jhjv%2Fsession-recording-usage-demo.mp4?alt=media&token=14811433-97c2-4b71-9143-722a9c69c1ab>" %}
Export Logs
{% endembed %}

After integrating CloudTrail with P0:

1. **Access Requests**: When a user requests access (e.g., to assume a role), and it’s approved, the session is initiated.
2. **Session History**:
   * Navigate to Access Management > Active or Access Management > History in P0.
   * Click ‘View’ on the request in question.
   * Click ‘View Session History’.
   * Here, you can see:
     * **Event names**: e.g., `GetCallerIdentity`, `DescribeAccessEntry`.
     * **Source**: e.g., `sts.amazonaws.com`, `eks.amazonaws.com`.
     * **User Identity**: Who performed the action.
     * **User Agent**: The tool or service used.
     * **Event Timestamps**: When the action occurred.
     * **Error Indicators**: Toggle off to only show successful events.
3. **Raw Logs**:
   * Click on individual entries to view raw CloudTrail logs.
   * Details include IP addresses, request IDs, session context, etc.
4. **Search:**
   * Search by event name, source, user agent, error, IP address, or resource ARN.
5. **Export:**
   * Export as either CSV or JSON.
6. **Pagination:**
   * Adjust the number of rows requested (10/20/50/100).
   * Navigate through pages to view older logs.

> **Note**: CloudTrail logs may take up to **5 minutes** to appear after an event occurs.
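As an added example (not part of P0 or its documentation), the following script runs the same kind of CloudTrail Lake query P0 issues on your behalf, so you can verify from the AWS side that a role session's events, with the fields listed above, are actually landing in the event data store. The event data store ARN, the role ARN and the start time are placeholders.

```shell
#!/bin/sh
# Added example; ARNs and the time window are placeholders you replace.
EDS_ARN="${EDS_ARN:-arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE-EDS-ID}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::111122223333:role/ExampleAssumedRole}"
SINCE="${SINCE:-2025-05-20 00:00:00}"

# CloudTrail Lake SQL addresses a data store by its id (the part after the last '/').
eds_id() { printf '%s' "${1##*/}"; }

# Build the query: events issued by sessions of ROLE_ARN since SINCE, newest first,
# returning the same columns P0's session history shows. Single quotes in the
# role ARN are doubled so the value cannot break out of the SQL literal.
session_query() {
  store=$(eds_id "$1"); role=$(printf '%s' "$2" | sed "s/'/''/g"); since="$3"
  printf "SELECT eventTime, eventName, eventSource, userIdentity.arn, userAgent, sourceIPAddress, errorCode, requestId FROM %s WHERE eventTime > '%s' AND userIdentity.sessionContext.sessionIssuer.arn = '%s' ORDER BY eventTime DESC LIMIT 100" \
    "$store" "$since" "$role"
}

# Start the query, wait for it to finish, then print the rows. Events can lag
# up to a few minutes behind the API call, so re-run if a recent session is missing.
run_query() {
  sql=$(session_query "$EDS_ARN" "$ROLE_ARN" "$SINCE")
  qid=$(aws cloudtrail start-query --query-statement "$sql" --query QueryId --output text)
  while :; do
    status=$(aws cloudtrail describe-query --query-id "$qid" --query QueryStatus --output text)
    case "$status" in
      FINISHED) break ;;
      FAILED|CANCELLED|TIMED_OUT) echo "query $qid ended with status $status" >&2; return 1 ;;
      *) sleep 2 ;;
    esac
  done
  aws cloudtrail get-query-results --query-id "$qid" --output json
}

# Print the SQL by default; only call AWS when run as: sh script.sh run
if [ "${1:-}" = "run" ]; then run_query; else session_query "$EDS_ARN" "$ROLE_ARN" "$SINCE"; fi
```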

### **Additional Considerations** <a href="#f00739ea-41b0-4da7-8bb8-0d20710ed35a" id="f00739ea-41b0-4da7-8bb8-0d20710ed35a"></a>

* **Data Events**: Enable only if necessary, as they can significantly increase log volume and costs.
* **Multi-Region Trails**: Recommended to capture events across all regions.
