From 97cd50a6abce552af4513af3cec4c4244ccfb83f Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Tue, 8 Aug 2023 10:03:39 -0400
Subject: [PATCH] docs: Update session recording configuration

---
 .../content/docs/configuration/kms/awskms.mdx | 2 +
 .../create-storage-bucket.mdx | 45 +++++++++++++++++++
 .../enable-session-recording.mdx | 2 +-
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/website/content/docs/configuration/kms/awskms.mdx b/website/content/docs/configuration/kms/awskms.mdx
index debce99f86..96d75320da 100644
--- a/website/content/docs/configuration/kms/awskms.mdx
+++ b/website/content/docs/configuration/kms/awskms.mdx
@@ -33,6 +33,8 @@ These parameters apply to the `kms` stanza in the Boundary configuration file:
 - `purpose` - Purpose of this KMS, acceptable values are: `worker-auth`, `worker-auth-storage`, `root`, `previous-root`, `recovery`, `bsr`, or `config`.
+ To [enable session recording](/boundary/docs/configuration/session-recording/enable-session-recording), you must configure the `bsr` value for the `purpose`.
+
 - `region` `(string: "us-east-1")`: The AWS region where the encryption key lives. If not provided, may be populated from the `AWS_REGION` or `AWS_DEFAULT_REGION` environment variables, from your `~/.aws/config` file,
diff --git a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx
index da4600fc83..3c4b4693e6 100644
--- a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx
+++ b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx
@@ -70,6 +70,51 @@ At this time, the only supported storage is AWS S3.
 "Resource": "arn:aws:kms:us-east-1:1234567890:key/uuid"
 }
 ```
+ The following is an example working policy with KMS encryption configured on the S3 bucket:
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "S3Permissions",
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:GetObjectAttributes"
+ ],
+ "Resource": [
+ "arn:aws:s3:::test-session-recording-bucket/*"
+ ]
+ },
+ {
+ "Sid": "UserPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "iam:DeleteAccessKey",
+ "iam:GetUser",
+ "iam:CreateAccessKey"
+ ],
+ "Resource": [
+ "arn:aws:iam::1234567890:user/test-boundary"
+ ]
+ },
+ {
+ "Sid": "KMSPermissions",
+ "Effect": "Allow",
+ "Action": [
+ "kms:Decrypt",
+ "kms:GenerateDataKey",
+ "kms:DescribeKey"
+ ],
+ "Resource": [
+ "arn:aws:kms:us-east-2:1234567890:key/4b887395-c376-4936-8f37-80c592ea582c"
+ ]
+ }
+ ]
+ }
+
+ ```
 ### Boundary workers requirements
diff --git a/website/content/docs/configuration/session-recording/enable-session-recording.mdx b/website/content/docs/configuration/session-recording/enable-session-recording.mdx
index 333d02a6de..b52e466057 100644
--- a/website/content/docs/configuration/session-recording/enable-session-recording.mdx
+++ b/website/content/docs/configuration/session-recording/enable-session-recording.mdx
@@ -1,6 +1,6 @@
 ---
 layout: docs
-page_title: Create a storage bucket
+page_title: Enable session recording on a target
 description: |-
 How to enable session recording on a target in Boundary
 ---