docs: Update session recording configuration

hashicorp · Aug 8, 2023 · 97cd50a · 97cd50a
1 parent 0af4c38
commit 97cd50a
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 1 deletion.
diff --git a/website/content/docs/configuration/kms/awskms.mdx b/website/content/docs/configuration/kms/awskms.mdx
@@ -33,6 +33,8 @@ These parameters apply to the `kms` stanza in the Boundary configuration file:
 - `purpose` - Purpose of this KMS, acceptable values are: `worker-auth`, `worker-auth-storage`,
    `root`, `previous-root`, `recovery`, `bsr`, or `config`.
 
+   To [enable session recording](/boundary/docs/configuration/session-recording/enable-session-recording), you must configure the `bsr` value for the `purpose`.
+
 - `region` `(string: "us-east-1")`: The AWS region where the encryption key
   lives. If not provided, may be populated from the `AWS_REGION` or
   `AWS_DEFAULT_REGION` environment variables, from your `~/.aws/config` file,

diff --git a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx
@@ -70,6 +70,51 @@ At this time, the only supported storage is AWS S3.
       "Resource": "arn:aws:kms:us-east-1:1234567890:key/uuid"
    }
    ```
+   The following is an example working policy with KMS encryption configured on the S3 bucket:
+    ```json
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+         {
+            "Sid": "S3Permissions",
+            "Effect": "Allow",
+            "Action": [
+               "s3:PutObject",
+               "s3:GetObject",
+               "s3:GetObjectAttributes"
+            ],
+            "Resource": [
+               "arn:aws:s3:::test-session-recording-bucket/*"
+            ]
+         },
+         {
+            "Sid": "UserPermissions",
+            "Effect": "Allow",
+            "Action": [
+               "iam:DeleteAccessKey",
+               "iam:GetUser",
+               "iam:CreateAccessKey"
+            ],
+            "Resource": [
+               "arn:aws:iam::1234567890:user/test-boundary"
+            ]
+         },
+         {
+            "Sid": "KMSPermissions",
+            "Effect": "Allow",
+            "Action": [
+               "kms:Decrypt",
+               "kms:GenerateDataKey",
+               "kms:DescribeKey"
+            ],
+            "Resource": [
+               "arn:aws:kms:us-east-2:1234567890:key/4b887395-c376-4936-8f37-80c592ea582c"
+            ]
+         }
+      ]
+   }
+
+    ```
 
 ### Boundary workers requirements
 

diff --git a/website/content/docs/configuration/session-recording/enable-session-recording.mdx b/website/content/docs/configuration/session-recording/enable-session-recording.mdx
@@ -1,6 +1,6 @@
 ---
 layout: docs
-page_title: Create a storage bucket
+page_title: Enable session recording on a target
 description: |-
   How to enable session recording on a target in Boundary
 ---