# Session Audit

During an audit, an admin is asked to provide evidence of activity performed during privileged access. She can show who requested access and who approved it, but demonstrating what actually occurred during that access requires pulling data from multiple systems.

To answer this request, she gathers access requests, approval records, and infrastructure logs from multiple systems, then reconstructs events manually. This takes time and is difficult to validate. It can leave gaps in audit evidence. As a result, responding quickly and accurately to compliance requirements such as SOC 2, PCI-DSS, or HIPAA becomes more difficult.

Session Audit records activity performed during privileged access sessions. When enabled, it captures text-based session activity:

* Actions performed by a user
* When those actions occurred
* Who approved the user's access to the affected resource
* Which access flow allowed access

Apono delivers that data into your customer-owned storage for compliance evidence and reporting. Sensitive session data remains under your control and is not persisted in Apono systems.

{% hint style="info" %} <mark style="color:$primary;">**Scope and limitations**</mark>

**Scope**

Session Audit captures SSH session activity through an Apono connector in AWS environments. It supports SSH integrations.

**Limitations**

Session Audit does not support the following:

* Session replay or video
* Real-time monitoring or alerts
* Command blocking or enforcement
* Non-AWS cloud providers (GCP, Azure)
* Full-text search across session content
* Terminal environments with limited or no compatibility (for example, Warp)
* Interactive terminal sessions or commands that obscure input/output streams (for example, `screen`, `tmux`, `vi`)
{% endhint %}

***

### How Session Audit works

When Session Audit is enabled, user connections are routed through the Apono connector instead of connecting directly to the target resource.

The sequence is:

1. A user is granted access to a resource.
2. Apono generates connection details that point to the connector.
3. The user connects to the connector.
4. The connector routes the session to the target resource.
5. The connector captures session activity as the session passes through it.
6. The connector sends the captured data to two destinations: raw session data goes to customer-managed storage, and session metadata goes to Apono.

#### Data storage model

<table><thead><tr><th width="241.717041015625">Data Type</th><th>Details</th></tr></thead><tbody><tr><td><strong>Raw session data</strong></td><td><p>Includes session activity such as commands, outputs, and session lifecycle events</p><p><strong>Storage</strong>: customer-managed S3 bucket</p></td></tr><tr><td><strong>Session metadata</strong></td><td><p>Includes identifying and operational context such as session ID, user, resource, protocol, timestamps, and request ID</p><p><strong>Storage</strong>: Apono</p></td></tr></tbody></table>

This data separation allows Apono to provide fast filtering and reporting using metadata, while keeping full session content in customer-controlled storage.

***

### Prerequisites

<table><thead><tr><th width="248.99130249023438">Item</th><th>Description</th></tr></thead><tbody><tr><td><a href="https://docs.apono.io/docs/additional-integrations/network-management/ssh-servers"><strong>SSH Servers</strong></a> integration</td><td>SSH Apono integration within an AWS environment</td></tr><tr><td><strong>Apono connector</strong></td><td><p>On-prem connection serving as a bridge between an SSH server and Apono</p><p><strong>Minimum Required Version</strong>: 1.7.6</p><p>Learn how to update an existing <a href="../aws-environment/apono-connector-for-aws/updating-a-connector-in-aws">AWS connector</a>.</p></td></tr><tr><td><strong>S3 bucket ARN</strong></td><td><p>ARN of the customer-managed S3 bucket, without the path prefix</p><p>The Apono Connector must have write permissions to this bucket.</p><p><strong>Example</strong>: <code>arn:aws:s3:::your-bucket-name</code></p></td></tr><tr><td><strong>Connector endpoint</strong></td><td>DNS name or IP address of the connector host that clients connect to (see <strong>Network routing</strong> for the port)</td></tr><tr><td><strong>Network routing</strong></td><td>Users must be able to reach the Apono connector on port <code>10022</code></td></tr></tbody></table>
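The table above asks for three things that are easy to get subtly wrong: a bare bucket ARN with no path prefix, write permission for the connector on that bucket, and reachability of the connector on port `10022`. The following Python preflight script is an added example, not part of Apono's product or documentation; it validates the ARN form, derives a minimal bucket-write IAM policy document from it, and probes the connector port. The specific S3 actions listed in the policy are an assumption (the page only states that write permission is required), so confirm them against Apono's guidance before applying the policy.

```python
import json
import re
import socket

# Bare S3 bucket ARN: "arn:<partition>:s3:::<bucket>" with no "/<path>" suffix.
# The partition group accepts aws, aws-cn and aws-us-gov. Bucket naming limits
# (3-63 chars, lowercase letters, digits, dots, hyphens) follow AWS's published rules;
# the "no path prefix" requirement comes from the Session Audit prerequisites.
_BUCKET_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:s3:::(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])$"
)


def parse_bucket_arn(arn: str) -> str:
    """Return the bucket name if `arn` is a bare bucket ARN, otherwise raise ValueError."""
    candidate = arn.strip()
    match = _BUCKET_ARN.match(candidate)
    if match is None:
        if "/" in candidate:
            raise ValueError(f"bucket ARN must not include a path prefix: {arn!r}")
        raise ValueError(f"not a valid S3 bucket ARN: {arn!r}")
    return match.group("bucket")


def connector_write_policy(arn: str) -> dict:
    """Build an IAM policy document that lets the connector write objects into the bucket.

    Assumption: s3:PutObject on every object key in the bucket is the minimal write
    grant. The page does not list the exact actions the connector uses, so treat this
    as a starting point and verify it against Apono's guidance.
    """
    bucket = parse_bucket_arn(arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SessionAuditWrite",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                # Object-level resource: the bucket ARN plus "/*".
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def connector_reachable(host: str, port: int = 10022, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, unresolved host, or no network available.
        return False


if __name__ == "__main__":
    # Constructed sample values; replace with your bucket ARN and connector endpoint.
    sample_arn = "arn:aws:s3:::your-bucket-name"
    sample_endpoint = "connector.example.internal"

    print("bucket:", parse_bucket_arn(sample_arn))
    print(json.dumps(connector_write_policy(sample_arn), indent=2))
    print("connector reachable on 10022:", connector_reachable(sample_endpoint))
```

Run it from a host on the same network path your users will take, so the port probe reflects what they will actually see; a `False` result there points at security groups or routing rather than at the connector configuration.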

***

### Enable Session Audit

You must enable Session Audit on both the Apono connector and the SSH integration; enabling it on only one of them is not sufficient.

{% hint style="info" %}
After Session Audit has been enabled, you can review and download session information from the [**Session History**](https://docs.apono.io/docs/audits-and-reports/session-audit/session-history) tab.
{% endhint %}

#### Connector enablement

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-fa382789e27b2311332b1af95329ffd8e9d37948%2Fsession-audit-connector-enablement%20(1).png?alt=media" alt="" width="563"><figcaption><p>Edit the connector page</p></figcaption></figure>

Follow these steps to enable Session Audit for the connector:

1. On the [**Connectors**](https://app.apono.io/connectors) tab, in the row of the Apono connector associated with the integration, click **︙ > Edit**. The **Edit Connector** page appears.
2. Toggle **Audit sessions** to **ON**. The toggle will appear green when enabled.
3. Under **Session History Bucket ARN**, enter your S3 bucket ARN.
4. Enter the **Connector Endpoint**.
5. Click **Update Connector**.

#### Integration enablement

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-02c5bb037a95c282996bc18202d11b939a718fc9%2Fsession-audit-integration-enablement.png?alt=media" alt="" width="563"><figcaption><p>Audit sessions toggle</p></figcaption></figure>

Follow these steps to enable Session Audit for the integration:

1. On the [**Connected**](https://app.apono.io/catalog/connected) tab, in the row of your SSH integration, click **︙ > Edit**. The **Edit Integration** page appears.
2. Under **Get more with Apono**, toggle **Audit sessions** to **ON**. The toggle will appear green when enabled.
