Recording RDP connections - Amazon Systems Manager

Recording RDP connections

Just-in-time node access includes the ability to record RDP connections made to your Windows Server nodes. Recording RDP connections requires an S3 bucket and an Amazon Key Management Service (Amazon KMS) customer managed key. The Amazon KMS key is used to temporarily encrypt the recording data while it's generated and stored on Systems Manager resources. The customer managed key must be a symmetric key with a key usage of encrypt and decrypt. You can either use a multi-Region key for your organization, or you must create a customer managed key in each Region where you've enabled just-in-time node access.

If you have enabled KMS encryption on the S3 bucket where you store recordings, you must give the ssm-guiconnect service principal access to the customer managed key used for bucket encryption. This can be a different customer managed key from the one you specify in the recording settings; it is the key in the recording settings for which the kms:CreateGrant permission is required to establish connections.

Configuring S3 bucket encryption for RDP recordings

Your connection recordings are stored in the S3 bucket that you specify when you enable RDP recording.

If you use a KMS key as the default encryption mechanism for the S3 bucket (SSE-KMS), you must allow the ssm-guiconnect service principal access to the kms:GenerateDataKey action on the key. We recommend using a customer managed key when using SSE-KMS encryption with an S3 bucket, because you can update the key policy of a customer managed key. You can't update the key policies of Amazon managed keys.

Following is an example key policy statement that allows the ssm-guiconnect service principal access to the KMS key used for S3 storage. For information about updating a customer managed key, see Change a key policy in the Amazon Key Management Service Developer Guide.

    {
        "Sid": "Allow the GUI Connect service principal to access S3",
        "Effect": "Allow",
        "Principal": {
            "Service": "ssm-guiconnect.amazonaws.com"
        },
        "Action": [
            "kms:GenerateDataKey*"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:ViaService": "s3.us-east-1.amazonaws.com"
            }
        }
    }

Configuring IAM permissions for recording RDP connections

In addition to the required IAM permissions for just-in-time node access, the user or role you use must be allowed the following permissions based on the task you need to perform.

Permissions for configuring connection recording

To configure RDP connection recording, the following permissions are required:

  • ssm-guiconnect:UpdateConnectionRecordingPreferences

  • ssm-guiconnect:GetConnectionRecordingPreferences

  • ssm-guiconnect:DeleteConnectionRecordingPreferences

  • kms:CreateGrant

Permissions for initiating connections

To make RDP connections with just-in-time node access, the following permissions are required:

  • ssm-guiconnect:CancelConnection

  • ssm-guiconnect:GetConnection

  • ssm-guiconnect:StartConnection

  • kms:CreateGrant

Before you begin

To store your connection recordings, you must first create an S3 bucket and add the following bucket policy. Replace each example resource placeholder with your own information.

(For information about adding a bucket policy, see Adding a bucket policy by using the Amazon S3 console in the Amazon Simple Storage Service User Guide.)

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConnectionRecording",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "ssm-guiconnect.amazonaws.com"
                    ]
                },
                "Action": "s3:PutObject",
                "Resource": [
                    "arn:aws:s3:::bucket name",
                    "arn:aws:s3:::bucket name/*"
                ],
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": "123456789012"
                    }
                }
            }
        ]
    }
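The following Python script is an added example and is not part of this documentation page. It checks a bucket policy and a KMS key policy for the two grants this page describes (the s3:PutObject grant above, and the kms:GenerateDataKey grant in the earlier key policy example), which are the misconfigurations the ProcessingError status points at. The policies, bucket name, account ID and Region in it are constructed placeholders.

```python
GUICONNECT = "ssm-guiconnect.amazonaws.com"
# Constructed sample policies modelled on the two statements shown on this page;
# bucket name, account ID and Region are placeholders, not real resources.
BUCKET, ACCOUNT, REGION = "example-rdp-recordings", "123456789012", "us-east-1"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ConnectionRecording", "Effect": "Allow",
    "Principal": {"Service": [GUICONNECT]}, "Action": "s3:PutObject",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow the GUI Connect service principal to access S3",
    "Effect": "Allow", "Principal": {"Service": GUICONNECT},
    "Action": ["kms:GenerateDataKey*"], "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _guiconnect_allows(policy):
    """Yield Allow statements whose Principal.Service names ssm-guiconnect."""
    for s in policy.get("Statement", []):
        p = s.get("Principal")
        services = _as_list(p.get("Service", [])) if isinstance(p, dict) else []
        if s.get("Effect") == "Allow" and GUICONNECT in services:
            yield s

def check_bucket_policy(policy, bucket, account):
    """Return findings (empty list = OK): ssm-guiconnect needs s3:PutObject on the
    bucket's objects, pinned to your account via aws:SourceAccount so connections
    made in another account cannot write recordings into your bucket."""
    for s in _guiconnect_allows(policy):
        if "s3:PutObject" not in _as_list(s.get("Action", [])):
            continue
        findings = []
        if f"arn:aws:s3:::{bucket}/*" not in _as_list(s.get("Resource", [])):
            findings.append("PutObject grant does not cover the bucket's objects")
        src = s.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if src != account:
            findings.append("aws:SourceAccount condition missing or wrong")
        return findings
    return ["no Allow statement grants ssm-guiconnect s3:PutObject"]

def check_key_policy(policy, region):
    """Return findings: with SSE-KMS on the bucket, ssm-guiconnect needs
    kms:GenerateDataKey, limited to calls S3 makes on its behalf in this Region."""
    for s in _guiconnect_allows(policy):
        if not {"kms:GenerateDataKey", "kms:GenerateDataKey*"} & set(_as_list(s.get("Action", []))):
            continue  # exact forms only; general IAM wildcard matching is out of scope
        via = s.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        return [] if via == f"s3.{region}.amazonaws.com" else ["kms:ViaService is not S3 in this Region"]
    return ["no Allow statement grants ssm-guiconnect kms:GenerateDataKey"]
```

Feed it the output of your own get-bucket-policy and get-key-policy calls (parsed with json.loads) to confirm both grants before enabling recording.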

Enabling and configuring RDP connection recording

The following procedure describes how to enable and configure RDP connection recording.

To enable and configure RDP connection recording
  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  2. Select Settings in the navigation pane.

  3. Select the Just-in-time node access tab.

  4. In the RDP recording section, select Enable RDP recording.

  5. Choose the S3 bucket you want to upload session recordings to.

  6. Choose the customer managed key you want to use to temporarily encrypt the recording data while it's generated and stored on Systems Manager resources. (This can be a different customer managed key than you use to encrypt the bucket.)

  7. Select Save.

RDP connection recording status values

Valid status values for RDP connection recordings include the following:

  • Recording - The connection is in the process of being recorded.

  • Processing - The video is being processed after the connection is terminated.

  • Finished - Successful terminal state. The connection recording video was processed successfully and uploaded to the specified bucket.

  • Failed - Failed terminal state. The connection wasn't recorded successfully.

  • ProcessingError - One or more intermediate failures/errors occurred during video processing. Potential causes include service dependency failures or missing permissions due to a misconfiguration on the S3 bucket specified for storing recordings. The service continues to attempt processing when the recording is in this state.

Note

ProcessingError can be the result of the ssm-guiconnect service principal not having permission to upload objects to the S3 bucket after the connection has been established. Another potential cause is missing KMS permissions on the KMS key used for S3 bucket encryption.