Web Access Session Recording
Web Access Session Recording captures browser-based Zero Trust Web Access (ZTWA) sessions for review, compliance, and incident investigation.
Note:If you are looking for Remote Desktop Protocol recordings, use RDP Session Recording.
Feature Scope
Web Access Session Recording covers:
- Browser session video capture.
- Recording quality selection.
- Upload to S3 or S3-compatible storage.
- Optional gzip compression before upload.
- Optional server-side encryption options.
- Lifecycle watchdog controls for recording duration and client-connect timing.
This feature is configured with deployment-time defaults in the Zero Trust Web Access chart values.yaml.
For ongoing Secure Remote Access session behavior, manage web and SSH settings through the Akeyless API by using the CLI or Console UI.
Session Correlation
ZTWA recordings use the same Secure Remote Access session identifier that appears in Session Overview and Audit Log entries.
For supported ZTWA versions, this identifier is a 24-digit numeric session ID.
To correlate a recording to a user account:
- Get the session ID from the recording object key or filename.
- Find the same session ID in Session Overview.
- Review the associated Audit Log events for that session ID.
In audit events, the end user identity appears as sra_unique_identifier.
Prerequisites For Session Visibility
If browser sessions run but Session Overview and Audit Log entries are missing, verify the following deployment settings:
- Use a ZTWA version that includes session reporting (
v2.0.0-rc6or later). - Ensure
clusterNameexactly matches the connected Akeyless Gateway cluster name. - Authenticate ZTWA by using the same Access ID that the Gateway is registered with.
- If the Gateway certificate is private or self-signed, provide trust material to ZTWA.
- Ensure the Gateway is running and registered in the same Akeyless account.
Configuration Surfaces
Use these surfaces:
- Primary:
sessionRecordinginvalues.yaml. - Advanced overrides:
dispatcher.config.recordingwebWorker.config.recording
Deployment guidance: Zero Trust Web Access on K8s.
Configuration Reference
Base Recording Controls
sessionRecording.enabled: Enables worker-side recording capture.sessionRecording.quality: Recording quality (144p,240p,360p,480p,720p,1080p).
Upload Controls
sessionRecording.upload.enabledsessionRecording.upload.s3BucketsessionRecording.upload.s3RegionsessionRecording.upload.s3PrefixsessionRecording.upload.s3Endpoint(optional S3-compatible endpoint)sessionRecording.upload.compress
Encryption Controls
sessionRecording.upload.sse.type("",sse-s3,sse-kms)sessionRecording.upload.sse.kmsKeyId
Credentials and Secret Wiring
sessionRecording.upload.existingSecretNames.s3sessionRecording.upload.existingSecretNames.s3AccessKeyIdKeysessionRecording.upload.existingSecretNames.s3SecretAccessKeyKey
If no secret is set, upload can use the AWS default credential chain.
Watchdog Controls
sessionRecording.watchdog.clientConnectTimeoutSecondssessionRecording.watchdog.intervalSecondssessionRecording.watchdog.maxDurationSeconds
These settings help bound long-running recordings and clean up stalled sessions.
Service-Level Overrides
Dispatcher upload override fields can be set in dispatcher.config.recording.
Worker capture override fields (enabled, quality) can be set in webWorker.config.recording.
Use overrides only when service-specific behavior must differ from the shared sessionRecording block.
End-to-End Workflow
- Enable recording in
sessionRecording.enabled. - Set desired recording quality.
- Enable upload and configure destination bucket and region.
- Configure credential secret references or identity-based authentication.
- Optionally configure compression and encryption.
- Optionally tune watchdog values for long-running workloads.
- Deploy or upgrade the chart.
- Start a ZTWA browser session and verify the recording artifact in the configured storage destination.
- Validate correlation by matching the session ID across the recording, Session Overview, and Audit Log.
Related Pages
Updated 27 days ago
