📦AWS
View CloudTrail activity taken within a privileged session.
Step 1: Create a CloudTrail Lake Event Data Store
Note: AWS CloudTrail is enabled by default for every AWS account and records management events in the Event history, but Event history only covers the last 90 days. To retain events longer and to let P0 query them, create a CloudTrail Lake event data store; P0 queries this event data store directly (it is the resource whose ARN you hand to P0 in Step 2), so a plain trail delivering to an S3 bucket is not sufficient on its own.

Sign in to the AWS Management Console and open the CloudTrail console.
Refer to AWS's official documentation for up-to-date instructions on creating a CloudTrail Lake event data store.
After creation, copy the ARN of the event data store for integration with P0.
Step 2: Integrate CloudTrail with P0
A. Adding a New AWS Account in P0
In P0, navigate to Integrations > AWS > Access Logging.
Click Add account.
Select your AWS account identifier (the account must already have been set up with IAM Management).
Paste the CloudTrail Lake Event Data Store ARN copied earlier.
Click Next. P0 will provide setup instructions, including Shell and Terraform options.
B. Apply the IAM Role Policy
Use the AWS CLI or CloudShell to run the aws iam put-role-policy command provided by P0. This command attaches an inline policy to the P0 service-account role that lets it query the specified CloudTrail Lake event data store.
The policy needs cloudtrail:StartQuery and cloudtrail:GetQueryResults on the event data store, in addition to iam:GetRole and iam:GetRolePolicy from IAM. Nothing broader is required, so the Resource for the CloudTrail actions should be the event data store ARN from Step 1 rather than a wildcard.
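The following is an added example, not P0's generated command or code: it builds the least-privilege inline policy the step above describes, scoped to one event data store ARN and one role, lints it for wildcard resources or extra actions, and renders the matching aws iam put-role-policy invocation. The role name, account ID, event data store ARN and policy name are placeholders (assumptions, not values from P0).

```python
import json
import shlex

# Assumed placeholders, not values from the P0 docs.
P0_ROLE_NAME = "P0ServiceAccount"
ROLE_ARN = f"arn:aws:iam::123456789012:role/{P0_ROLE_NAME}"
EDS_ARN = ("arn:aws:cloudtrail:us-east-1:123456789012:"
           "eventdatastore/00000000-0000-0000-0000-000000000000")

# The only four actions the integration needs (from the step above).
REQUIRED_ACTIONS = {
    "cloudtrail:StartQuery",
    "cloudtrail:GetQueryResults",
    "iam:GetRole",
    "iam:GetRolePolicy",
}


def build_policy(eds_arn: str, role_arn: str) -> dict:
    """Inline policy: query exactly one event data store, read exactly one role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "QueryCloudTrailLake",
                "Effect": "Allow",
                "Action": ["cloudtrail:StartQuery", "cloudtrail:GetQueryResults"],
                "Resource": eds_arn,
            },
            {
                "Sid": "ReadOwnRole",
                "Effect": "Allow",
                "Action": ["iam:GetRole", "iam:GetRolePolicy"],
                "Resource": role_arn,
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_policy(policy: dict, eds_arn: str) -> list:
    """Return a list of problems (empty means the policy is as tight as the
    integration allows): unexpected actions, wildcard resources, or CloudTrail
    actions not pinned to the expected event data store ARN."""
    problems = []
    for st in policy["Statement"]:
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        sid = st.get("Sid", "<no Sid>")
        for a in actions:
            if a not in REQUIRED_ACTIONS:
                problems.append(f"{sid}: action {a} is not needed by P0")
        for r in resources:
            if r == "*" or r.endswith(":*") or r.endswith("/*"):
                problems.append(f"{sid}: wildcard resource {r}")
        if any(a.startswith("cloudtrail:") for a in actions) and eds_arn not in resources:
            problems.append(f"{sid}: CloudTrail actions not scoped to {eds_arn}")
    return problems


def put_role_policy_command(role_name: str, policy_name: str, policy: dict) -> str:
    """Render the CLI command; shlex.quote keeps the JSON intact in a shell."""
    return " ".join([
        "aws iam put-role-policy",
        "--role-name", shlex.quote(role_name),
        "--policy-name", shlex.quote(policy_name),
        "--policy-document", shlex.quote(json.dumps(policy)),
    ])


if __name__ == "__main__":
    policy = build_policy(EDS_ARN, ROLE_ARN)
    print("problems:", check_policy(policy, EDS_ARN))
    print(put_role_policy_command(P0_ROLE_NAME, "P0CloudTrailLakeAccess", policy))
```

Run check_policy against the command P0 hands you before applying it: the only acceptable output is an empty list. A non-empty list (for example a Resource of "*" on the CloudTrail statement) means the grant is wider than the integration requires.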
Step 3: Viewing Sessions in P0
After integrating CloudTrail with P0:
Access Requests: When a user requests access (for example, to assume a role) and the request is approved, a session is initiated.
Session History:
Navigate to Just-in-time > Active or Just-in-time > History in P0.
Click ‘View’ for the request in question.
Click ‘View Session History’.
Here, you can see:
Event names: e.g., GetCallerIdentity, DescribeAccessEntry.
Source: e.g., sts.amazonaws.com, eks.amazonaws.com.
User Identity: who performed the action.
User Agent: the tool or service used.
Event Timestamps: when the action occurred.
Error Indicators: toggle off to show only successful events.
Raw Logs:
Click on individual entries to view raw CloudTrail logs.
Details include IP addresses, request IDs, session context, etc.
Search:
Search by event name, source, user agent, error, IP address, or resource ARN.
Export:
Export as either CSV or JSON
Pagination:
Adjust the number of rows requested (10/20/50/100).
Navigate through pages to view older logs.
Note: CloudTrail logs may take up to 5 minutes to appear after an event occurs.
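As an added example (not P0's own code or the query it runs), the block below shows what attributing CloudTrail events to a single privileged session involves: the shape of a CloudTrail Lake SQL query keyed on the assumed-role session ARN and the session's time window, the same filter applied locally to constructed sample records, the error-indicator toggle, a per-source/event summary, and CSV or JSON export. The account ID, role name, session name, event data store ID and all records are constructed for illustration.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed session (assumed values). An assumed-role session is identified
# in CloudTrail by userIdentity.arn of the form
# arn:aws:sts::<account>:assumed-role/<role>/<session-name>.
SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/P0-EksAdmin/alice@example.com"
SESSION_START = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SESSION_END = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)
OTHER_SESSION = "arn:aws:sts::123456789012:assumed-role/P0-EksAdmin/bob@example.com"


def _rec(t, name, source, ua, ip, rid, arn, err=None):
    r = {"eventTime": t, "eventName": name, "eventSource": source, "userAgent": ua,
         "sourceIPAddress": ip, "requestID": rid, "userIdentity": {"arn": arn}}
    if err:
        r["errorCode"] = err
    return r


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    _rec("2024-05-01T10:02:11Z", "GetCallerIdentity", "sts.amazonaws.com",
         "aws-cli/2.15.0", "203.0.113.10", "r-001", SESSION_ARN),
    _rec("2024-05-01T10:03:40Z", "DescribeAccessEntry", "eks.amazonaws.com",
         "aws-cli/2.15.0", "203.0.113.10", "r-002", SESSION_ARN),
    _rec("2024-05-01T10:05:02Z", "DeleteCluster", "eks.amazonaws.com",
         "aws-cli/2.15.0", "203.0.113.10", "r-003", SESSION_ARN, err="AccessDenied"),
    # Same role, different session: must not be attributed to alice's session.
    _rec("2024-05-01T10:06:00Z", "ListClusters", "eks.amazonaws.com",
         "Boto3/1.34", "198.51.100.7", "r-004", OTHER_SESSION),
    # Alice's session ARN but after the session window closed.
    _rec("2024-05-01T12:30:00Z", "GetCallerIdentity", "sts.amazonaws.com",
         "aws-cli/2.15.0", "203.0.113.10", "r-005", SESSION_ARN),
]


def lake_query(eds_id: str, session_arn: str, start: datetime, end: datetime) -> str:
    """CloudTrail Lake SQL for one session. Lake queries select FROM the event
    data store ID; quotes in the ARN are doubled so it cannot break the literal."""
    fmt = "%Y-%m-%d %H:%M:%S"
    arn = session_arn.replace("'", "''")
    return (
        "SELECT eventTime, eventName, eventSource, userAgent, sourceIPAddress, "
        "errorCode, requestId\n"
        f"FROM {eds_id}\n"
        f"WHERE userIdentity.arn = '{arn}'\n"
        f"  AND eventTime BETWEEN '{start.strftime(fmt)}' AND '{end.strftime(fmt)}'\n"
        "ORDER BY eventTime"
    )


def session_events(records, session_arn, start, end, include_errors=True):
    """Keep only records from this exact session ARN inside the window.
    include_errors=False mirrors toggling the error indicator off."""
    out = []
    for r in records:
        t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if r["userIdentity"].get("arn") != session_arn or not (start <= t <= end):
            continue
        if not include_errors and r.get("errorCode"):
            continue
        out.append(r)
    return out


def summarize(events):
    """Counts per (eventSource, eventName), plus how many calls failed."""
    counts, errors = {}, 0
    for e in events:
        key = (e["eventSource"], e["eventName"])
        counts[key] = counts.get(key, 0) + 1
        errors += 1 if e.get("errorCode") else 0
    return counts, errors


def export(events, fmt: str) -> str:
    """Export as 'csv' or 'json', the two formats the session view offers."""
    fields = ["eventTime", "eventName", "eventSource", "userAgent",
              "sourceIPAddress", "errorCode", "requestID"]
    if fmt == "json":
        return json.dumps(events, indent=2)
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    w.writeheader()
    for e in events:
        w.writerow({f: e.get(f, "") for f in fields})
    return buf.getvalue()


if __name__ == "__main__":
    print(lake_query("00000000-0000-0000-0000-000000000000", SESSION_ARN, SESSION_START, SESSION_END))
    ev = session_events(SAMPLE_EVENTS, SESSION_ARN, SESSION_START, SESSION_END)
    print(summarize(ev))
    print(export(ev, "csv"))
```

Two things in the sample data matter when reviewing a session: a record from the same role but a different session name (r-004) is excluded because attribution is by the full session ARN, not the role, and a record carrying the right session ARN outside the approved window (r-005) is excluded because it belongs to a later session using the same name.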
Additional Considerations
Data Events: Enable only if necessary, as they can significantly increase log volume and costs.
Multi-Region: Recommended so that events from all Regions are captured; for a CloudTrail Lake event data store this is the option to include events from all Regions, chosen at creation time.