Update storage bucket policies
This feature requires HCP Boundary Plus or Boundary Enterprise
A storage policy codifies storage bucket lifecycle management for session recordings.
A storage policy exists in either the global scope or an org scope. Storage policies that are created in the global scope can be associated with any org scope.
When you update a storage policy, new session recordings within a scope where the policy is applied will conform to the updated policy. Existing recordings will maintain the previous policy unless the new policy is retroactively applied.
This page describes the process for applying updated storage policies to existing recordings within a scope.
For more information about setting up storage bucket policies, refer to the configure storage bucket policies page.
Requirements
This page continues the workflows outlined in the configure storage bucket policies page. The requirements outlined in that page are prerequisites for the workflow defined below.
To apply an updated storage policy to existing session recordings, you first need:
- An external storage provider configured to store session recordings.
- A Boundary worker configured for local storage.
- A Boundary storage bucket with a defined retention and/or deletion policy.
- A scope with the storage policy attached.
- A set of session recordings made when the storage policy was attached.
The policies mentioned here demonstrate how to apply an updated storage policy to an existing set of session recordings.
Storage policy changes
A storage policy defines how long the recording within a scope should retain its session recordings.
Over time, you may update storage policies to reflect new organizational requirements, compliance changes, or cost management strategies. While updated policies automatically apply to new session recordings within the scopes associated with that policy, existing recordings maintain the previous policies unless you apply the new policy directly to those recordings.
In the configure storage bucket policies page, the following policy was created to implement compliance with SOC-2 retention requirement of 7 years:
- Name:
soc2-policy
- Description:
SOC 2 compliant storage policy for session recordings
- Retention policy:
2557
days, Overridable:false
- Deletion policy:
2657
days, Overridable:true
Update a storage policy
In the following example, the soc2-policy
should be updated to the following:
- Name:
soc2-policy
- Description:
SOC 2 compliant storage policy for session recordings, V2
- Retention policy:
2557
days, Overridable:false
- Deletion policy:
2757
days, Overridable:false
The updated policy requires the deletion of recordings after 2757
days, 200 days after the standard SOC 2 retention requirements. It also changes Overridable to false
, preventing lower scopes from overwriting the Deletion policy.
The following is an example of updating the soc2-policy
policy.
Log in to Boundary.
Select Storage Policies in the navigation panel and select the
global
scope.Click on
soc2-policy
.Click the Edit Form button and update the following fields:
- Description:
SOC 2 compliant storage policy for session recordings, V2
- Retention Policy:
SOC 2 (7 years)
- Deletion Policy:
Custom
Delete after:2757
days Toggle the switch beside Allow orgs to override to the off position.
- Description:
Click Save.
This policy was applied to the prod-databases
org in the configure storage bucket policies page.
New recordings within the prod-databases
org will automatically have the updated version of the soc2-policy
applied.
Reapply a storage policy
Many organizations compliance standards will require that previous versions of storage policies remain applied to existing recordings.
Note
During the initial migration to a Boundary version that includes storage policies, all existing session recordings will have a retain_for
attribute of -1
, which retains the recording forever.
In the event that an updated policy should be retroactively applied to existing session recordings, you must reapply the storage policy.
- Log in to Boundary.
- Select Session Recordings in the navigation panel in the
global
scope. - Click on View for a session recording that should have the storage policy re-applied.
- Click the Manage dropdown and select Re-apply storage policy.
- Verify the Delete after field has been updated under the recording's Session details.
Detached or deleted storage policies
If a scope's storage policy is detached or deleted, new session recordings within that scope will automatically be retained forever, unless there is an overriding policy.
Existing session recordings will maintain their existing storage policy attributes until a new policy is re-applied, including any overriding policy from another scope.