Workbench's session recording feature records videos of end-user operations on ECS instances. Administrators can review these recordings for operation audits and use them as evidence for security audits. This topic describes how to configure session recording and view the recording files.
Limitations
-
You can view session recordings in Workbench, but you cannot download them from the Workbench console.
-
Workbench stores session recordings in OSS. You can view and download the recording files from your OSS bucket, but you cannot parse or play them outside of Workbench.
Prerequisites
Create an OSS bucket to store session recording files. The bucket name must use the workbench-record-<Alibaba Cloud account ID>-<custom string> format. For more information, see Create a bucket.
-
If the bucket name does not use the required format, session recording will fail, and no recordings will be saved.
-
Workbench session recordings are stored in OSS. You are charged for the storage space that you use. For more information, see Billing overview.
Enable session recording
-
Configure the required permissions for session recording.
Session recording uses the following API operations. You can configure permissions for the API operations based on your business requirements.
-
Set the recording configuration for an instance: SetInstanceRecordConfig
-
Query the recording configuration of an instance: GetInstanceRecordConfig
-
View a list of recordings: ListInstanceRecords
-
View the content of a recording: ViewInstanceRecords
-
Create a permission policy.
-
For more information, see Create a custom permission policy.
-
Sample policy:
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": "ecs-workbench:SetInstanceRecordConfig", "Resource": "*" }, { "Effect": "Allow", "Action": "ecs-workbench:GetInstanceRecordConfig", "Resource": "*" }, { "Effect": "Allow", "Action": "ecs-workbench:ListInstanceRecords", "Resource": "*" }, { "Effect": "Allow", "Action": "ecs-workbench:ViewInstanceRecords", "Resource": "*" } ] }
-
-
Attach the custom permission policy. For more information, see Grant permissions to a RAM user.
-
-
Call the SetInstanceRecordConfig API operation to enable session recording.
Parameter
Required
Description
Example
Enabled
Yes
Specifies whether to enable session recording.
-
true: Enable session recording. -
false: Disable session recording.
true
InstanceId
Yes
The ID of the target instance.
Specify the ID of a single target instance or an asterisk (
*). The asterisk (*) indicates that session recording is enabled for all instances.i-2ze3en5q21ah9x******
RecordStorageTarget
No
The destination for storing recordings.
Format: acs:oss:cn-<region>:<Alibaba Cloud account ID>:workbench-record-<Alibaba Cloud account ID>-<custom string>/<Bucket subdirectory>.
acs:oss:cn-beijing:1609982529******:workbench-record-1609982529******-<custom string>/record
ExpirationDays
No
The expiration period in days.
NoteAfter this period expires, you can no longer view the recording in Workbench. However, the recording file in the OSS bucket is not deleted. If you do not specify the
ExpirationDaysparameter, recordings are available in Workbench for 7 days by default.7
RegionId
No
The ID of the region where the instance is located.
cn-beijing
After enabling this feature, all end-user operations on the instance are automatically recorded.
-
-
Connect to the ECS instance by using Workbench.
For more information, see Connect to an instance by using Workbench.
-
View the list of recordings.
-
In the top menu bar of Workbench, choose .
-
On the Session Recording page, view information such as the user ID and recording duration.
-
-
View a session recording.
-
In the list of recordings, find the desired session and click Play in the Actions column.
-
You can also log in to the OSS console to view and download the recording files from your OSS bucket.
-
Disable session recording
You can disable session recording for an instance by calling the SetInstanceRecordConfig API operation and setting the Enabled parameter to false.