Open zmb3 opened 2 years ago
Revisiting the code, I think I understand better why it isn't just a simple caution to get the earliest version. It appears that when versioning is disabled, the objects in the bucket can be overwritten. By requiring versioning to be turned on, Teleport will always get the original version of the object to ensure that the integrity of the session hasn't been compromised by someone trying to alter the object.
I was curious to see if there was a way to make objects in a bucket immutable, and found Amazon S3 Object Lock. That requires that bucket versioning is enabled. I presume this is to protect against the possibility of an object being deleted and then later recreated with the same name.
Here's a Terraform snippet creating a version-enabled bucket with a private canned ACL.
```hcl
variable "bucket_name" {
  type        = string
  description = "AWS S3 Bucket Name. Must be globally unique."
}

resource "aws_s3_bucket" "session_recording_bucket" {
  bucket = var.bucket_name
}

resource "aws_s3_bucket_acl" "session_recording_bucket" {
  bucket = aws_s3_bucket.session_recording_bucket.id
  acl    = "private"
}

resource "aws_s3_bucket_versioning" "session_recording_bucket" {
  bucket = aws_s3_bucket.session_recording_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}
```
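As an added example (not zmb3's snippet and not Teleport's own configuration), the Terraform below builds the same recordings bucket with S3 Object Lock turned on, the immutability option mentioned in the comment above. Object Lock must be switched on when the bucket is created and it depends on versioning, so the versioning resource stays. The `recording_retention_days` variable, the 365-day default, the COMPLIANCE mode choice and the public access block are assumptions for this example; adjust them to your own retention policy.

```hcl
variable "bucket_name" {
  type        = string
  description = "AWS S3 bucket name for Teleport session recordings. Must be globally unique."
}

# Assumed retention period for this example; choose the value your audit policy requires.
variable "recording_retention_days" {
  type    = number
  default = 365
}

# Object Lock has to be enabled at bucket creation; this argument cannot be
# flipped on for a bucket that already exists.
resource "aws_s3_bucket" "session_recording_bucket" {
  bucket              = var.bucket_name
  object_lock_enabled = true
}

# Object Lock depends on versioning, so this resource is still required.
resource "aws_s3_bucket_versioning" "session_recording_bucket" {
  bucket = aws_s3_bucket.session_recording_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# COMPLIANCE mode: no principal, including the account root user, can delete a
# locked object version or shorten its retention before it expires. A PUT to the
# same key only adds a new version; the original recording stays retrievable.
# GOVERNANCE mode would let principals holding s3:BypassGovernanceRetention bypass the lock.
resource "aws_s3_bucket_object_lock_configuration" "session_recording_bucket" {
  bucket = aws_s3_bucket.session_recording_bucket.id

  rule {
    default_retention {
      mode = "COMPLIANCE"
      days = var.recording_retention_days
    }
  }

  depends_on = [aws_s3_bucket_versioning.session_recording_bucket]
}

# Block every form of public access regardless of ACLs or bucket policy.
resource "aws_s3_bucket_public_access_block" "session_recording_bucket" {
  bucket                  = aws_s3_bucket.session_recording_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

After `terraform apply`, `aws s3api get-bucket-versioning --bucket <bucket_name>` should report `"Status": "Enabled"` and `aws s3api get-object-lock-configuration --bucket <bucket_name>` should show the default retention rule; both are cheap checks to run in CI so that a bucket that silently lost versioning is caught before Teleport depends on it. Note that this example omits the `aws_s3_bucket_acl` resource from the original snippet: buckets created since April 2023 default to the `BucketOwnerEnforced` object ownership setting, under which ACLs are disabled and that resource fails unless `aws_s3_bucket_ownership_controls` is changed first, and the public access block above already covers the intent of a private canned ACL.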
Details
Teleport implicitly requires versioned S3 buckets for session recordings, but this requirement is not documented or enforced anywhere.