[PAM] S3 Bucket and PAM Session Recording
search cancel

[PAM] S3 Bucket and PAM Session Recording

book

Article ID: 194365

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

[Use case]

PAM having "Security Safe" mode for session recording mounting S3 bucket.

 

How does PAM handle session recording when the Session Recording Mount is S3 bucket?

Environment

Release :4.0.X /4.1.X

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

In a Security Safe mode, PAM should only allow access to Target Servers (that require session recording) when the Session Recording Mount is available and in this use case it is S3 bucket.

The moment user requests access the Target Server, PAM will check if the Session Recording Mount is available.

available = grant access

not available == deny access

 

But it is possible the session recording mount can become unavailable after the access has been granted.

If Primary Mount becomes unavailable but Secondary Mount is still available then the PAM will failover and start writing to the secondary mount.

If Secondary mount also becomes unavailable then PAM will write whatever recording that was in the buffer to be flushed to the /var/tmp/aws_cache/<bucketname>

 

As there are no session recording mounts available and is running Security Safe mode the user session(recording) would close.

As the session recording did not complete gracefully this would be in encoding error state and some portion of the recording file would be found in the /var/tmp/aws_cache/<bucketname> (it can be few MB).

If the flushed recording was 1MB and had there been 100 session recordings that got interrupted, it would be 100MB stored in the /var/tmp/aws_cache/<bucketname> (assuming there is only 1 PAM node).

 

When you click on "Encoding Error" link on the Session Recording list, PAM will try to combine all the recording parts together and see if it can finalize it. If it is finalized successfully then you will see "View Recording" link.

If it fails to finalize or resulting size is less than 1KB then you will see it report error and get removed.