docs/documentation/platform/pam/sessions/external-storage.mdx
By default, session recordings are stored in Infisical's managed database. If you need control over where recordings live — for data residency, retention policies, or compliance requirements — you can store them in your own S3 bucket instead.
Before configuring external storage, you need an AWS Connection set up in your organization. This provides the credentials Infisical uses to write to your bucket.
If you don't have one, see the AWS Connection guide.
The connection's IAM role needs these permissions on the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:PutObject", "s3:GetObject"],
"Resource": "arn:aws:s3:::your-bucket-name/*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::your-bucket-name"
}
]
}
External storage is set at the template level. Each template can use a different bucket if needed.
<Steps> <Step title="Open the template"> Go to **Account Templates** and click on the template you want to configure. </Step> <Step title="Find Recording Storage"> In **System Settings**, find the **Recording Storage** section. </Step> <Step title="Select External S3"> Change from **Internal** to **External S3**. </Step> <Step title="Configure the bucket"> | Field | Description | |-------|-------------| | **AWS Connection** | Select your AWS connection | | **Bucket Name** | Your S3 bucket | | **Region** | AWS region | | **Key Prefix** | Optional prefix for object keys (e.g., `pam/prod/`) | </Step> <Step title="Save"> Click **Save**. Infisical validates that it can reach the bucket before saving. </Step> </Steps>For session playback to work in the browser, your bucket needs a CORS policy:
[
{
"AllowedHeaders": ["*"],
"AllowedMethods": ["GET"],
"AllowedOrigins": ["https://app.infisical.com"],
"MaxAgeSeconds": 3600
}
]
Replace https://app.infisical.com with your Infisical URL if you have a custom domain.
To configure:
If CORS isn't set up correctly, session playback will fail with a network error.
Recordings are stored as encrypted chunks:
<key-prefix>/sessions/<session-id>/chunk-0.enc
<key-prefix>/sessions/<session-id>/chunk-1.enc
...
Infisical encrypts recordings before upload, so the data in your bucket is encrypted. You can add bucket-level encryption (SSE-S3 or SSE-KMS) for additional protection.
Since recordings are in your bucket, you control retention. Configure S3 lifecycle rules to automatically delete or transition objects after a certain period.
<Tip> This gives you full control over how long recordings are kept — essential for compliance requirements. </Tip>