Enable session recording with AWS and Vault
Boundary supports session recording in the HCP Boundary Plus and Boundary Enterprise editions. Session recording provides insight into user actions over remote SSH sessions so that organizations can meet regulatory requirements and prevent malicious behavior. Administrators can enable session recording on SSH targets in their Boundary environment and replay recordings within the Boundary admin UI.
This tutorial demonstrates enabling SSH session recording using Amazon S3 as the storage backend and HashiCorp Vault for credential management. Learners will deploy the required AWS resources using Terraform.
Tutorial overview
- Prerequisites
- Background
- Get setup
- Deploy Vault, targets, and workers
- Configure Vault
- Set up Boundary
- Enable session recording
- Verify and play back recordings
Prerequisites
This tutorial recommends completing the HCP Boundary administration tutorials first. The learner should have a working Boundary cluster and org running on HCP.
- A Boundary binary greater than 0.13.2 in your PATH
- A Vault binary greater than 1.12.0 in your PATH is recommended. Any version of Vault greater than 1.7 should work with this tutorial.
- Terraform 0.14.9 or greater is required. The binary must be available in your PATH.
- The jq utility installed and in your PATH
- The make utility is recommended to simplify workflow management for this tutorial, and should be installed and in your PATH. The tutorial can be completed without using make.
- Installing the Boundary Desktop App provides an optional workflow at the end of this tutorial. Version 1.2.0 or above is required for Vault support.
This tutorial assumes basic knowledge of using Vault, including managing policies, roles, and tokens. If you are new to using Vault, complete the Getting Started with Vault quick start tutorials before you integrate Vault with Boundary.
Session recording background
In highly regulated environments, a common requirement and challenge is having a system of record that archives actions taken on the network so that organizations can improve their security posture and enhance compliance.
Session recording allows administrators to get insight into user actions over remote SSH sessions in order to meet various regulatory requirements for organizations and prevent malicious behavior. Administrators can enable session recording on SSH targets in their Boundary environment, store signed recordings in their Amazon S3 storage bucket, and replay recordings back within the Boundary admin UI.
Recorded sessions are converted into a Boundary session recording (BSR), a binary file format and specification created to define the structure of Boundary recording files.
BSR is designed to:
- Support the recording of both multiplexed and non-multiplexed protocols
- Allow recordings of independent byte streams in a session to be written in parallel
- Support an optimal user experience during playback
- Be extensible to support more protocols in the future
BSR contains all of the data transmitted between a user and a target during a session and is available within your storage bucket. These files are signed to ensure they are tamper-proof.
SSH session recording is available as a part of the new Plus tier in both HCP Boundary and Boundary Enterprise.
Configure the lab environment
Several components are needed for the lab environment for this tutorial:
- HCP Boundary Plus or Boundary Enterprise cluster
- Amazon S3 storage bucket
- SSH host for testing recordings
- Vault server with policies allowing connections from Boundary and credentials for the SSH target
- Boundary AWS host catalog, Vault credential store, and SSH target resources
Deploy an HCP Boundary Plus cluster
Session recording, credential injection, and SSH targets are features available in HCP Boundary Plus.
First, deploy an HCP Boundary cluster with the HCP Plus SKU selected.
Launch the HCP Portal and log in.
Select your organization and project. From within that project, select Boundary from the Services menu in the left navigation.
Click Deploy Boundary.