Skip to main content
By default, session recordings are stored in Infisical’s managed database. If you need control over where recordings live — for data residency, retention policies, or compliance requirements — you can store them in your own S3 bucket instead.

Prerequisites

Before configuring external storage, you need an AWS Connection set up in your organization. This provides the credentials Infisical uses to write to your bucket. If you don’t have one, see the AWS Connection guide.

Required Permissions

The connection’s IAM role needs these permissions on the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::your-bucket-name"
    }
  ]
}

Configuring a Template for External Storage

External storage is set at the template level. Each template can use a different bucket if needed.
1

Open the template

Go to Account Templates and click on the template you want to configure.
2

Find Recording Storage

In System Settings, find the Recording Storage section.
3

Select External S3

Change from Internal to External S3.
4

Configure the bucket

FieldDescription
AWS ConnectionSelect your AWS connection
Bucket NameYour S3 bucket
RegionAWS region
Key PrefixOptional prefix for object keys (e.g., pam/prod/)
5

Save

Click Save. Infisical validates that it can reach the bucket before saving.

CORS Configuration

For session playback to work in the browser, your bucket needs a CORS policy:
[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET"],
    "AllowedOrigins": ["https://app.infisical.com"],
    "MaxAgeSeconds": 3600
  }
]
Replace https://app.infisical.com with your Infisical URL if you have a custom domain. To configure:
  1. Open the bucket in AWS Console
  2. Go to Permissions → Cross-origin resource sharing (CORS)
  3. Add the configuration above
If CORS isn’t set up correctly, session playback will fail with a network error.

How Recordings Are Stored

Recordings are stored as encrypted chunks:
<key-prefix>/sessions/<session-id>/chunk-0.enc
<key-prefix>/sessions/<session-id>/chunk-1.enc
...
Infisical encrypts recordings before upload, so the data in your bucket is encrypted. You can add bucket-level encryption (SSE-S3 or SSE-KMS) for additional protection.

Managing Retention

Since recordings are in your bucket, you control retention. Configure S3 lifecycle rules to automatically delete or transition objects after a certain period.
This gives you full control over how long recordings are kept — essential for compliance requirements.

Next Steps

Session Recording

Learn more about how recording works.

Auditing

View the audit trail for all PAM activity.