AWS

View CloudTrail activity taken within a privileged session.

PreviousSession Recording NextJust-in-time API

Last updated 7 days ago

AWS

View CloudTrail activity taken within a privileged session.

Step 1: Create a CloudTrail and CloudLake Data Store

Note: AWS CloudTrail is enabled by default for all AWS accounts, capturing management events in the Event history. However, to and to integrate with services like P0, you will need to create a trail that delivers queryable logs to an Amazon S3 bucket.

After creation, copy the ARN of the event data store for integration with P0.

Step 2: Integrate CloudTrail with P0

A. Adding a New AWS Account in P0

In P0, navigate to Integrations > AWS > Access Logging.
Click Add account.
Select your AWS account identifier (Account must have previously been set up with IAM Management).
Paste the CloudTrail Lake Event Data Store ARN copied earlier.
Click Next. P0 will provide setup instructions, including Shell and Terraform options.

B. Apply the IAM Role Policy

Use the AWS CLI or CloudShell to run the aws iam put-role-policy command provided by P0.
- This command grants the P0 Service Account permissions to query the specified CloudTrail Lake event data store.
- This feature will require StartQuery and GetQueryResults within CloudLake, in addition to GetRole and GetRolePolicy from IAM

Step 3: Viewing Sessions in P0

After integrating CloudTrail with P0:

Access Requests: When a user requests access (e.g., to assume a role), and it’s approved, the session is initiated.
Session History:
- Navigate to Just-in-time > Active or Just-in-time > History in P0.
- Click ‘view’ for specified request
- Click on ‘View Session History’
- Here, you can se:
  - Event names: e.g., GetCallerIdentity, DescribeAccessEntry.
  - Source: e.g., sts.amazonaws.com, eks.amazonaws.com.
  - User Identity: Who performed the action.
  - User Agent: The tool or service used.
  - Event Timestamps: When the action occurred.
  - Error Indicators: Toggle off to only show successful events.
Raw Logs:
- Click on individual entries to view raw CloudTrail logs.
- Details include IP addresses, request IDs, session context, etc.
Search:
- Search by event name, source, user agent, error, IP address, or resource ARN.
Export:
- Export as either CSV or JSON
Pagination:
- Adjust the number of rows requested (10/20/50/100).
- Navigate through pages to view older logs.

Note: CloudTrail logs may take up to 5 minutes to appear after an event occurs.

Additional Considerations

Data Events: Enable only if necessary, as they can significantly increase log volume and costs.
Multi-Region Trails: Recommended to capture events across all regions.

PreviousSession Recording NextJust-in-time API

Last updated 7 days ago

Step 1: Create a CloudTrail and CloudLake Data Store

Note: AWS CloudTrail is enabled by default for all AWS accounts, capturing management events in the Event history. However, to and to integrate with services like P0, you will need to create a trail that delivers queryable logs to an Amazon S3 bucket.

Sign in to the AWS Management Console and open the .
Refer to for up-to-date instructions on creating a trail and the accompanying CloudLake Data Store.
After creation, copy the ARN of the event data store for integration with P0.

Step 2: Integrate CloudTrail with P0

A. Adding a New AWS Account in P0

In P0, navigate to Integrations > AWS > Access Logging.
Click Add account.
Select your AWS account identifier (Account must have previously been set up with IAM Management).
Paste the CloudTrail Lake Event Data Store ARN copied earlier.
Click Next. P0 will provide setup instructions, including Shell and Terraform options.

B. Apply the IAM Role Policy

Use the AWS CLI or CloudShell to run the aws iam put-role-policy command provided by P0.
- This command grants the P0 Service Account permissions to query the specified CloudTrail Lake event data store.
- This feature will require StartQuery and GetQueryResults within CloudLake, in addition to GetRole and GetRolePolicy from IAM

Step 3: Viewing Sessions in P0

After integrating CloudTrail with P0:

Access Requests: When a user requests access (e.g., to assume a role), and it’s approved, the session is initiated.
Session History:
- Navigate to Just-in-time > Active or Just-in-time > History in P0.
- Click ‘view’ for specified request
- Click on ‘View Session History’
- Here, you can se:
  - Event names: e.g., GetCallerIdentity, DescribeAccessEntry.
  - Source: e.g., sts.amazonaws.com, eks.amazonaws.com.
  - User Identity: Who performed the action.
  - User Agent: The tool or service used.
  - Event Timestamps: When the action occurred.
  - Error Indicators: Toggle off to only show successful events.
Raw Logs:
- Click on individual entries to view raw CloudTrail logs.
- Details include IP addresses, request IDs, session context, etc.
Search:
- Search by event name, source, user agent, error, IP address, or resource ARN.
Export:
- Export as either CSV or JSON
Pagination:
- Adjust the number of rows requested (10/20/50/100).
- Navigate through pages to view older logs.

Note: CloudTrail logs may take up to 5 minutes to appear after an event occurs.

Additional Considerations

Data Events: Enable only if necessary, as they can significantly increase log volume and costs.
Multi-Region Trails: Recommended to capture events across all regions.