Back to Infisical

External Storage

docs/documentation/platform/pam/sessions/external-storage.mdx

0.162.03.5 KB
Original Source

By default, session recordings are stored in Infisical's managed database. If you need control over where recordings live — for data residency, retention policies, or compliance requirements — you can store them in your own S3 bucket instead.

Prerequisites

Before configuring external storage, you need an AWS Connection set up in your organization. This provides the credentials Infisical uses to write to your bucket.

If you don't have one, see the AWS Connection guide.

Required Permissions

The connection's IAM role needs these permissions on the bucket:

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::your-bucket-name"
    }
  ]
}

Configuring a Template for External Storage

External storage is set at the template level. Each template can use a different bucket if needed.

<Steps> <Step title="Open the template"> Go to **Account Templates** and click on the template you want to configure. </Step> <Step title="Find Recording Storage"> In **System Settings**, find the **Recording Storage** section. </Step> <Step title="Select External S3"> Change from **Internal** to **External S3**. </Step> <Step title="Configure the bucket"> | Field | Description | |-------|-------------| | **AWS Connection** | Select your AWS connection | | **Bucket Name** | Your S3 bucket | | **Region** | AWS region | | **Key Prefix** | Optional prefix for object keys (e.g., `pam/prod/`) | </Step> <Step title="Save"> Click **Save**. Infisical validates that it can reach the bucket before saving. </Step> </Steps>

CORS Configuration

For session playback to work in the browser, your bucket needs a CORS policy:

json
[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET"],
    "AllowedOrigins": ["https://app.infisical.com"],
    "MaxAgeSeconds": 3600
  }
]

Replace https://app.infisical.com with your Infisical URL if you have a custom domain.

To configure:

  1. Open the bucket in AWS Console
  2. Go to Permissions → Cross-origin resource sharing (CORS)
  3. Add the configuration above

If CORS isn't set up correctly, session playback will fail with a network error.

How Recordings Are Stored

Recordings are stored as encrypted chunks:

<key-prefix>/sessions/<session-id>/chunk-0.enc
<key-prefix>/sessions/<session-id>/chunk-1.enc
...

Infisical encrypts recordings before upload, so the data in your bucket is encrypted. You can add bucket-level encryption (SSE-S3 or SSE-KMS) for additional protection.

Managing Retention

Since recordings are in your bucket, you control retention. Configure S3 lifecycle rules to automatically delete or transition objects after a certain period.

<Tip> This gives you full control over how long recordings are kept — essential for compliance requirements. </Tip>

Next Steps

<CardGroup cols={2}> <Card title="Session Recording" icon="video" href="/documentation/platform/pam/sessions/session-recording"> Learn more about how recording works. </Card> <Card title="Auditing" icon="clipboard-list" href="/documentation/platform/pam/auditing"> View the audit trail for all PAM activity. </Card> </CardGroup>