search
Ctrlk

Session Audit

Capture and trace privileged session activity with full access context

During an audit, an admin is asked to provide evidence of activity performed during privileged access. She can show who requested access and who approved it, but demonstrating what actually occurred during that access requires pulling data from multiple systems.

To answer this request, she gathers access requests, approval records, and infrastructure logs from multiple systems, then reconstructs events manually. This takes time and is difficult to validate. It can leave gaps in audit evidence. As a result, responding quickly and accurately to compliance requirements such as SOC 2, PCI-DSS, or HIPAA becomes more difficult.

Session Audit records activity performed during privileged access sessions. When enabled, it captures text-based session activity:

  • Actions performed by a user

  • When those actions occurred

  • Who approved the user's access to the affected resource

  • Which access flow allowed access

Apono delivers that data into your customer-owned storage for compliance evidence and reporting. Sensitive session data remains under your control and is not persisted in Apono systems.

circle-info

Scope and limitations

Scope

Session Audit captures SSH session activity through an Apono connector in AWS environments. It supports SSH integrations.

Limitations

Session Audit does not support the following:

  • Session replay or video

  • Real-time monitoring or alerts

  • Command blocking or enforcement

  • Non-AWS cloud providers (GCP, Azure)

  • Full-text search across session content

  • Terminal environments with limited or no compatibility (for example, Warp)

  • Interactive terminal sessions or commands that obscure input/output streams (for example, screen, tmux, vi)

hashtag
How Session Audit works

When Session Audit is enabled, user connections are routed through the Apono connector instead of connecting directly to the target resource.

The sequence is:

  1. A user is granted access to a resource.

  2. Apono generates connection details that point to the connector.

  3. The user connects to the connector.

  4. The connector routes the session to the target resource.

  5. The connector captures session activity as the session passes through it.

  6. The connector sends the captured data to two different destinations: customer-managed storage (raw session data) and Apono (session metadata).

hashtag
Data storage model

Data Type
Details

Raw session data

Includes session activity such as commands, outputs, and session lifecycle events

Storage: customer-managed S3 bucket

Session metadata

Includes identifying and operational context such as session ID, user, resource, protocol, timestamps, and request ID

Storage: Apono

This data separation allows Apono to provide fast filtering and reporting using metadata, while keeping full session content in customer-controlled storage.

hashtag
Prerequisites

Item
Description

SSH Serversarrow-up-right integration

SSH Apono integration within an AWS environment

Apono connector

On-prem connection serving as a bridge between an SSH server and Apono

Required Version: 1.7.8

Helm Chart version: v2.0.34

Helm Upgrade command:

Learn how to update an existing AWS connector.

The connector's IAM role must be tagged with apono-connector-s3-access: true and attached with a scoped S3 write policy. Access to the bucket is granted by tag — any additional principals must be added as explicit statements in the bucket policy.

S3 Bucket - Recommended Configuration

The bucket should be created with versioning enabled, Object Lock enabled (can only be set at creation time), public access blocked, and ownership controls set to BucketOwnerEnforced. Encrypt objects at rest using SSE-S3 (AES256) or SSE-KMS for customer-managed keys. See recommended configuration for the full ACK template.

S3 bucket ARN

ARN of the customer-managed S3 bucket, without the path prefix

The Apono Connector must have write permissions to this bucket.

Example: arn:aws:s3:::your-bucket-name

Connector endpoint

The DNS address users connect to for audited SSH sessions. The endpoint type depends on your deployment: EKS — ClusterIP service DNS exposed. ECS — private or public Network Load Balancer (NLB) on port 10022.

Network routing

Users must be able to reach the Apono connector on port 10022

hashtag
Enable Session Audit

You must enable Session Audit within the Apono connector and the SSH integration.

circle-info

After Session Audit has been enabled, you can review and download session information from the Session History tab.

hashtag
Connector enablement

Edit the connector page

Follow these steps to enable Session Audit for the connector:

  1. On the Connectorsarrow-up-right tab, in the row of the Apono connector associated with the integration, click ︙ > Edit. The Edit Connector page appears.

  2. Toggle Audit sessions to ON. The toggle will appear green when enabled.

  3. Under Session History Bucket ARN, enter your S3 bucket ARN.

  4. Enter the Connector Endpoint.

  5. Click Update Connector.

hashtag
Integration enablement

Audit sessions toggle

Follow these steps to enable Session Audit for the integration:

  1. On the Connectedarrow-up-right tab, in the row of your SSH integration, click ︙ > Edit. The Edit Integration page appears.

  2. Under Get more with Apono, toggle Audit sessions to ON. The toggle will appear green when enabled.

PreviousAdmin Audit Log (Syslog)NextSession History

Last updated

Was this helpful?