Bring my own S3 Bucket for recordings storage

Border0 allows you to define a custom session log storage location. This way, you are in control of your session log data. Currently, we support S3 as a storage location. Please contact us for requests for other storage types.

Using Border0 with your own AWS S3 buckets means all your session recordings will be stored in your own bucket using your bucket configuration, which means you own the recording and control access.

This feature uses a cross-account AWS IAM role and thus requires no credentials to be provided to Border0.


Pre-Requisites

Certain resources must exist in your AWS account in order for Border0 to use the S3 Bucket. In this section we will go over what those resources are and what they will be used for.

📘

Note

Advanced AWS users may choose to skip to the "AWS CloudFormation Stack" section below where a CFN stack template is provided for you to inspect and deploy at will

In short, your AWS account needs the following three resources:

  • An AWS S3 Bucket to be used as the target location for session recordings
  • An AWS IAM "policy" to grant an IAM entity permissions to access the S3 bucket
  • An AWS IAM "role" with the above policy attached - for Border0 to assume (and receive its permissions)

The AWS IAM Policy

The IAM policy should have the following policy document, it controls the type of access that is allowed.

Note: replace ${BUCKET_NAME}, with the real name of your S3 bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET_NAME}",
                "arn:aws:s3:::${BUCKET_NAME}/*"
            ],
            "Effect": "Allow",
            "Sid": "AllowAccessS3Bucket"
        }
    ]
}

The AWS IAM Role

The IAM role should have the IAM policy attached, and the following Assume-Role-Policy (trusted entities):

Note: replace ${EXTERNAL_ID} with a shared ID

Note: The "Condition" section with an ExternalId is optional, but recommended by Amazon Web Services.
The external ID used in the context of AWS IAM roles can be thought of as a shared secret, somewhat similar to a password, but it serves a specific purpose in the trust relationship between AWS accounts. It is used when you want to allow a third party to assume roles in your AWS account securely.

For more information see the official AWS documentation regarding External ID

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::235487987553:root"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "${EXTERNAL_ID}"
                }
            }
        }
    ]
}

AWS CloudFormation Stack Template

Advanced AWS users may choose to inspect and deploy a CloudFormation stack template. It will create the above three resources following the recommended approach. You may click here to download it.

Configure Recording Storage

In the admin portal select the "Organization Settings" menu in the left and browse to the "Recording Storage" tab.

Here you can manage the recording storage settings. If there is no configuration you can use the Action menu to configure this.

(1) Type (required)

Currently we only support AWS S3 as the type for recordings storage.

(2) AWS S3 Bucket Name (required)

The "bucket name" is the AWS S3 bucket name to use as the target for storing session recordings.

(3) AWS IAM Role ARN (required)

The "role arn" is the Amazon Resource Number (ARN) of the AWS IAM Role in your AWS account for Border0 to assume.

By assuming this role within your AWS account, Border0 is able to read and write sessions recordings to the S3 bucket in your account.

(4) External ID (strongly recommended)

The "external id" is an optional parameter that can be configured when creating the AWS IAM Role in your account. It acts as an additional parameter for third-parties to provide when assuming the role.

For more information regarding the "external id" concept and how it makes cross-account roles more secure, see the official AWS documentation.