# AWS

### **Step 1: Create a CloudTrail Trail and CloudTrail Lake Event Data Store**

> Note: AWS CloudTrail is enabled by default for all AWS accounts, capturing management events in the Event history. However, to [retain logs beyond 90 days](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html#event-history-limitations) and to integrate with services like P0, you will need to create a trail that delivers queryable logs to an Amazon S3 bucket.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-f7bb5ae209084a58724dee13f1a41849196e4078%2FScreenshot%202025-05-20%20at%209.40.57%E2%80%AFPM.png?alt=media" alt=""><figcaption><p>Setting up a CloudTrail trail allows more flexibility than the default logging settings.</p></figcaption></figure>

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-32296b59c42a4fab103d7d576fdc2f6a0de3291f%2FScreenshot%202025-05-20%20at%209.38.14%E2%80%AFPM.png?alt=media" alt=""><figcaption><p>CloudTrail Lake allows you to run SQL-based queries on events.</p></figcaption></figure>

1. **Sign in** to the AWS Management Console and open the [CloudTrail console](https://console.aws.amazon.com/cloudtrail/).
2. Refer to [AWS's official documentation](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) for up-to-date instructions on creating a trail and the accompanying CloudTrail Lake event data store.
3. After creation, **copy the ARN** of the event data store for integration with P0.

### **Step 2: Integrate CloudTrail with P0** <a href="#id-6e974fe1-e164-4738-b8c2-a8c14de22e9b" id="id-6e974fe1-e164-4738-b8c2-a8c14de22e9b"></a>

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2F8jp4v6x8B1cMMNd5050e%2Fsession-recording-install-demo.mp4?alt=media&token=22f54e0f-c6b4-4081-ba2d-fcdaf5855263>" %}
Add AWS Access Logging Installation
{% endembed %}

#### **A. Adding a New AWS Account in P0** <a href="#f48495ec-2a34-482f-ada8-ca929eb8ba0a" id="f48495ec-2a34-482f-ada8-ca929eb8ba0a"></a>

1. In P0, navigate to **Integrations** > **AWS** > **Access Logging**.
2. Click **Add account**.
3. Select your AWS account identifier (the account must already have been set up with IAM Management).
4. Paste the **CloudTrail Lake Event Data Store ARN** copied earlier.
5. Click **Next**. P0 will provide setup instructions, including Shell and Terraform options.

#### **B. Apply the IAM Role Policy** <a href="#id-7583ea12-5b5a-4904-92ff-645495f0625b" id="id-7583ea12-5b5a-4904-92ff-645495f0625b"></a>

1. Use the AWS CLI or CloudShell to run the `aws iam put-role-policy` command provided by P0.
   * This command grants the P0 Service Account permissions to query the specified CloudTrail Lake event data store.
   * This feature requires the `StartQuery` and `GetQueryResults` actions on CloudTrail Lake, in addition to `GetRole` and `GetRolePolicy` from IAM.
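
As an added example (not the command P0 generates, nor P0's own code), the script below builds the inline policy Step 2B describes with the query actions scoped to the single event data store rather than `*`, and first checks that the ARN pasted in Step 2A is an event data store ARN and not the trail's ARN, since Step 1 creates both. The role name, policy name and all ARNs are placeholders you replace.

```shell
#!/usr/bin/env sh
# Added example: least-privilege inline policy for the P0 service role.
# All ARNs and names below are placeholders (assumptions), not values from P0.
set -eu

# Return 0 only for a CloudTrail Lake event data store ARN; a trail ARN
# (…:trail/<name>) is a common mix-up because Step 1 creates both resources.
is_eds_arn() {
  case "$1" in
    arn:aws*:cloudtrail:*:*:eventdatastore/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the policy document. $1 = event data store ARN, $2 = role ARN.
# Query actions are scoped to the data store; the IAM read actions are
# scoped to the role itself so the role can only describe its own policy.
p0_cloudtrail_lake_policy() {
  eds_arn="$1"; role_arn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QueryEventDataStore",
      "Effect": "Allow",
      "Action": ["cloudtrail:StartQuery", "cloudtrail:GetQueryResults"],
      "Resource": "${eds_arn}"
    },
    {
      "Sid": "ReadOwnRole",
      "Effect": "Allow",
      "Action": ["iam:GetRole", "iam:GetRolePolicy"],
      "Resource": "${role_arn}"
    }
  ]
}
EOF
}

# Attach the policy with the AWS CLI. $1 = role name, $2 = event data store ARN.
# Not invoked automatically; call it from a shell that has AWS credentials.
apply_p0_policy() {
  is_eds_arn "$2" || { echo "not an event data store ARN: $2" >&2; return 1; }
  role_arn=$(aws iam get-role --role-name "$1" --query Role.Arn --output text)
  doc=$(mktemp)
  p0_cloudtrail_lake_policy "$2" "$role_arn" > "$doc"
  aws iam put-role-policy --role-name "$1" \
    --policy-name P0CloudTrailLakeQuery --policy-document "file://$doc"
  rm -f "$doc"
}
```

Run `apply_p0_policy <P0-role-name> <event-data-store-ARN>` once the trail and data store from Step 1 exist; the role must be the one P0 created during IAM Management setup.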

### **Step 3: Viewing Sessions in P0** <a href="#a443529c-e368-488e-99db-02764834784f" id="a443529c-e368-488e-99db-02764834784f"></a>

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2F2Vz9DiceJTYVcMZPjIir%2Fsession-recording-search-demo.mp4?alt=media&token=02edbc17-ce53-44ea-b179-ab404fe56e4f>" %}
Search Logs
{% endembed %}

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2FYWZ4F4pVKm4pxss2Jhjv%2Fsession-recording-usage-demo.mp4?alt=media&token=14811433-97c2-4b71-9143-722a9c69c1ab>" %}
Export Logs
{% endembed %}

After integrating CloudTrail with P0:

1. **Access Requests**: When a user requests access (e.g., to assume a role) and the request is approved, a session is initiated.
2. **Session History**:
   * Navigate to Access Management > Active or Access Management > History in P0.
   * Click ‘view’ for the specified request.
   * Click ‘View Session History’.
   * Here, you can see:
     * **Event names**: e.g., `GetCallerIdentity`, `DescribeAccessEntry`.
     * **Source**: e.g., `sts.amazonaws.com`, `eks.amazonaws.com`.
     * **User Identity**: Who performed the action.
     * **User Agent**: The tool or service used.
     * **Event Timestamps**: When the action occurred.
     * **Error Indicators**: Toggle off to show only successful events.
3. **Raw Logs**:
   * Click on individual entries to view raw CloudTrail logs.
   * Details include IP addresses, request IDs, session context, etc.
4. **Search:**
   * Search by event name, source, user agent, error, IP address, or resource ARN.
5. **Export:**
   * Export as either CSV or JSON.
6. **Pagination:**
   * Adjust the number of rows requested (10/20/50/100).
   * Navigate through pages to view older logs.

> **Note**: CloudTrail logs may take up to **5 minutes** to appear after an event occurs.

### **Additional Considerations** <a href="#f00739ea-41b0-4da7-8bb8-0d20710ed35a" id="f00739ea-41b0-4da7-8bb8-0d20710ed35a"></a>

* **Data Events**: Enable only if necessary, as they can significantly increase log volume and costs.
* **Multi-Region Trails**: Recommended to capture events across all regions.
