Sign up for FreeKnowledge Base

📦AWS

View CloudTrail activity taken within a privileged session.

Step 1: Create a CloudTrail and CloudLake Data Store

Note: AWS CloudTrail is enabled by default for all AWS accounts, capturing management events in the Event history. However, to retain logs beyond 90 days and to integrate with services like P0, you will need to create a trail that delivers queryable logs to an Amazon S3 bucket.

Enabling up a CloudTrail trail allows more flexibility than the default logging settings.
CloudTrail Lake allows you to run SQL-based queries on events.

  1. Sign in to the AWS Management Console and open the CloudTrail console.

  2. Refer to AWS's official documentation for up-to-date instructions on creating a trail and the accompanying CloudLake Data Store.

  3. After creation, copy the ARN of the event data store for integration with P0.

Step 2: Integrate CloudTrail with P0

Add AWS Access Logging Installation

A. Adding a New AWS Account in P0

  1. In P0, navigate to Integrations > AWS > Access Logging.

  2. Click Add account.

  3. Select your AWS account identifier (Account must have previously been set up with IAM Management).

  4. Paste the CloudTrail Lake Event Data Store ARN copied earlier.

  5. Click Next. P0 will provide setup instructions, including Shell and Terraform options.

B. Apply the IAM Role Policy

  1. Use the AWS CLI or CloudShell to run the aws iam put-role-policy command provided by P0.

    • This command grants the P0 Service Account permissions to query the specified CloudTrail Lake event data store.

    • This feature will require StartQuery and GetQueryResults within CloudLake, in addition to GetRole and GetRolePolicy from IAM

Step 3: Viewing Sessions in P0

Search Logs
Export Logs

After integrating CloudTrail with P0:

  1. Access Requests: When a user requests access (e.g., to assume a role), and it’s approved, the session is initiated.

  2. Session History:

    • Navigate to Just-in-time > Active or Just-in-time > History in P0.

    • Click ‘view’ for specified request

    • Click on ‘View Session History’

    • Here, you can se:

      • Event names: e.g., GetCallerIdentity, DescribeAccessEntry.

      • Source: e.g., sts.amazonaws.com, eks.amazonaws.com.

      • User Identity: Who performed the action.

      • User Agent: The tool or service used.

      • Event Timestamps: When the action occurred.

      • Error Indicators: Toggle off to only show successful events.

  3. Raw Logs:

    • Click on individual entries to view raw CloudTrail logs.

    • Details include IP addresses, request IDs, session context, etc.

  4. Search:

    • Search by event name, source, user agent, error, IP address, or resource ARN.

  5. Export:

    • Export as either CSV or JSON

  6. Pagination:

    • Adjust the number of rows requested (10/20/50/100).

    • Navigate through pages to view older logs.

Note: CloudTrail logs may take up to 5 minutes to appear after an event occurs.

Additional Considerations

  • Data Events: Enable only if necessary, as they can significantly increase log volume and costs.

  • Multi-Region Trails: Recommended to capture events across all regions.

PreviousSession RecordingNextJust-in-time API

Last updated