diff --git a/enos/enos-scenario-e2e-ui-aws.hcl b/enos/enos-scenario-e2e-ui-aws.hcl
index 7fc088e015..7817885b78 100644
--- a/enos/enos-scenario-e2e-ui-aws.hcl
+++ b/enos/enos-scenario-e2e-ui-aws.hcl
@@ -75,6 +75,10 @@ scenario "e2e_ui_aws" {
 }
 }
 
+ locals {
+ egress_tag = "egress"
+ }
+
 step "create_boundary_cluster" {
 module = module.aws_boundary
 depends_on = [
@@ -98,6 +102,7 @@ scenario "e2e_ui_aws" {
 vpc_tag_module = step.create_base_infra.vpc_tag_module
 worker_count = var.worker_count
 worker_instance_type = var.worker_instance_type
+ worker_type_tags = [local.egress_tag]
 }
 }
 
@@ -200,6 +205,7 @@ scenario "e2e_ui_aws" {
 aws_secret_access_key = step.iam_setup.secret_access_key
 aws_host_set_filter = step.create_tag_inputs.tag_string
 aws_host_set_ips = step.create_targets_with_tag.target_ips
+ worker_tag_egress = local.egress_tag
 }
 }
 
diff --git a/enos/enos-scenario-e2e-ui-docker.hcl b/enos/enos-scenario-e2e-ui-docker.hcl
index 8795810360..7e81af6b52 100644
--- a/enos/enos-scenario-e2e-ui-docker.hcl
+++ b/enos/enos-scenario-e2e-ui-docker.hcl
@@ -116,6 +116,25 @@ scenario "e2e_ui_docker" {
 }
 
 step "create_worker" {
+ module = module.docker_worker
+ depends_on = [
+ step.create_docker_network,
+ step.build_boundary_docker_image,
+ step.create_boundary
+ ]
+ variables {
+ image_name = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
+ boundary_license = var.boundary_edition != "oss" ? step.read_license.license : ""
+ config_file = "worker-config.hcl"
+ container_name = "worker"
+ initial_upstream = step.create_boundary.upstream_address
+ network_name = [local.network_cluster]
+ tags = [local.egress_tag]
+ port = "9402"
+ }
+ }
+
+ step "create_worker_token" {
 module = module.docker_worker
 depends_on = [
 step.create_docker_network,
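Review bot: The new `create_worker` step repeats the `image_name` and `boundary_license` ternaries verbatim from `create_worker_token` (the step it was split from), so the two definitions can silently drift; if enos `locals` inside a scenario may reference `matrix` and `step` values, lifting them once, e.g. `worker_image_name = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name`, and using `local.worker_image_name` in both steps keeps a single source of truth. The three-entry `depends_on` list is duplicated in the same way. The body of `create_worker_token` continues outside the hunk.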
@@ -126,11 +145,11 @@ scenario "e2e_ui_docker" {
 image_name = matrix.builder == "crt" ? var.boundary_docker_image_name : step.build_boundary_docker_image.image_name
 boundary_license = var.boundary_edition != "oss" ? step.read_license.license : ""
 config_file = "worker-config-worker-led.hcl"
- container_name = "worker"
+ container_name = "worker_token"
 initial_upstream = step.create_boundary.upstream_address
 network_name = [local.network_cluster]
- tags = [local.egress_tag]
- port = "9402"
+ tags = ["token"]
+ port = "9502"
 worker_led_registration = true
 }
 }
@@ -179,7 +198,8 @@ scenario "e2e_ui_docker" {
 ldap_user_name = step.create_ldap_server.user_name
 ldap_user_password = step.create_ldap_server.user_password
 ldap_group_name = step.create_ldap_server.group_name
- worker_token = step.create_worker.worker_led_token
+ worker_token = step.create_worker_token.worker_led_token
+ worker_tag_egress = local.egress_tag
 }
 }
 }
diff --git a/enos/modules/aws_boundary/boundary-instances.tf b/enos/modules/aws_boundary/boundary-instances.tf
index e11abb4cfa..3f43a21316 100644
--- a/enos/modules/aws_boundary/boundary-instances.tf
+++ b/enos/modules/aws_boundary/boundary-instances.tf
@@ -158,11 +158,14 @@ resource "enos_file" "worker_config" {
 depends_on = [enos_bundle_install.worker]
 destination = "/etc/boundary/boundary.hcl"
 content = templatefile("${path.module}/${var.worker_config_file_path}", {
- id = each.value
- kms_key_id = data.aws_kms_key.kms_key.id,
- controller_ips = jsonencode(aws_instance.controller.*.private_ip),
- public_addr = aws_instance.worker.0.public_ip
- region = var.aws_region
+ id = each.value
+ kms_key_id = data.aws_kms_key.kms_key.id,
+ controller_ips = jsonencode(aws_instance.controller.*.private_ip),
+ public_addr = aws_instance.worker.0.public_ip
+ region = var.aws_region
+ type = jsonencode(var.worker_type_tags)
+ recording_storage_path = var.recording_storage_path
+
 })
 for_each = toset([for idx in range(var.worker_count) : tostring(idx)])
 
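Review bot: `tags = ["token"]` is a bare literal while the egress worker's tag is taken from `local.egress_tag`, and unlike `worker_tag_egress` this value is not handed to the test module in the third hunk of this file, so a later filter on it has nothing to reference; declaring `token_tag = "token"` next to `egress_tag` in `locals` and writing `tags = [local.token_tag]` here keeps both tags in one place. The changed `port = "9502"` has no explanation of why it differs from the egress worker's `"9402"`; a short `# distinct host port so both workers can run in the same network` would save the next reader a lookup. The `create_worker_token` step this hunk sits in begins outside the hunk.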
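Review bot: `recording_storage_path = var.recording_storage_path` is passed to `templatefile` unconditionally, so with the variable's `default = ""` (variables.tf hunk) any scenario that renders the new `worker_bsr.hcl` template gets `recording_storage_path = ""` written into the worker config; the `worker_start` hunk below already guards the same value with `!= "" ? ... : null`, and the template needs the equivalent, e.g. `%{ if recording_storage_path != "" }recording_storage_path = "${recording_storage_path}"%{ endif }` in worker_bsr.hcl. The same point applies to the worker_bsr.hcl hunk. Whether `enos_boundary_start` creates that directory on the instance with permissions the worker can write to is not visible here — presumably it does, but worth confirming, since an unwritable recording path only surfaces when a session is recorded. The `enos_file` resource continues outside the hunk.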
@@ -177,10 +180,12 @@ resource "enos_boundary_start" "worker_start" {
 depends_on = [enos_boundary_start.controller_start, enos_file.worker_config]
 for_each = toset([for idx in range(var.worker_count) : tostring(idx)])
 
- bin_name = var.boundary_binary_name
- bin_path = var.boundary_install_dir
- config_path = "/etc/boundary"
- license = var.boundary_license
+ bin_name = var.boundary_binary_name
+ bin_path = var.boundary_install_dir
+ config_path = "/etc/boundary"
+ license = var.boundary_license
+ recording_storage_path = var.recording_storage_path != "" ? var.recording_storage_path : null
+
 transport = {
 ssh = {
 host = aws_instance.worker[tonumber(each.value)].public_ip
diff --git a/enos/modules/aws_boundary/templates/worker.hcl b/enos/modules/aws_boundary/templates/worker.hcl
index 0125a32381..fd636a28b2 100644
--- a/enos/modules/aws_boundary/templates/worker.hcl
+++ b/enos/modules/aws_boundary/templates/worker.hcl
@@ -18,7 +18,7 @@ worker {
 public_addr = "${public_addr}"
 
 tags {
- type = ["prod", "webservers"]
+ type = ${type}
 region = ["${region}"]
 }
 }
diff --git a/enos/modules/aws_boundary/templates/worker_bsr.hcl b/enos/modules/aws_boundary/templates/worker_bsr.hcl
new file mode 100644
index 0000000000..4d15ae2ae4
--- /dev/null
+++ b/enos/modules/aws_boundary/templates/worker_bsr.hcl
@@ -0,0 +1,33 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+listener "tcp" {
+ purpose = "proxy"
+ tls_disable = true
+ address = "0.0.0.0"
+}
+
+worker {
+ # Name attr must be unique across workers
+ name = "demo-worker-${id}"
+ description = "Enos Boundary worker ${id}"
+
+ # Workers must be able to reach controllers on :9201
+ controllers = ${controller_ips}
+
+ public_addr = "${public_addr}"
+
+ tags {
+ type = ${type}
+ region = ["${region}"]
+ }
+
+ recording_storage_path = "${recording_storage_path}"
+}
+
+# must be same key as used on controller config
+kms "awskms" {
+ purpose = "worker-auth"
+ region = "${region}"
+ kms_key_id = "${kms_key_id}"
+}
diff --git a/enos/modules/aws_boundary/variables.tf b/enos/modules/aws_boundary/variables.tf
index a29d889440..b1b7a03a20 100644
--- a/enos/modules/aws_boundary/variables.tf
+++ b/enos/modules/aws_boundary/variables.tf
@@ -28,6 +28,12 @@ variable "worker_instance_type" {
 default = "t2.micro"
 }
 
+variable "worker_type_tags" {
+ description = "Tag to set on worker for use in worker filters"
+ type = list(string)
+ default = ["collocated", "prod", "webservers"]
+}
+
 variable "worker_ebs_iops" {
 description = "EBS IOPS for the root volume"
 type = number
@@ -358,3 +364,9 @@ variable "vpc_tag_module" {
 type = string
 default = "aws_vpc"
 }
+
+variable "recording_storage_path" {
+ description = "Path on instance to store recordings"
+ type = string
+ default = ""
+}
diff --git a/enos/modules/test_e2e_ui/main.tf b/enos/modules/test_e2e_ui/main.tf
index 56a58683ba..ce19be0956 100644
--- a/enos/modules/test_e2e_ui/main.tf
+++ b/enos/modules/test_e2e_ui/main.tf
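Review bot: The `worker_type_tags` default `["collocated", "prod", "webservers"]` is not what the template hard-coded before this change — the worker.hcl hunk removes `type = ["prod", "webservers"]` — so every caller of `aws_boundary` that does not set the new variable now gets an extra `collocated` tag on its workers, which is a behaviour change outside the two scenarios touched here; if that is intended the description should say so, otherwise the default should stay `["prod", "webservers"]`. The description also says `Tag` for a `list(string)`; `description = "Values for the worker's type tag, for use in worker filters"` matches the type. The `worker_instance_type` variable this hunk opens in begins outside the hunk.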
@@ -108,6 +108,16 @@ variable "aws_host_set_filter" {
 type = string
 default = ""
 }
+variable "aws_region" {
+ description = "AWS region where the resources will be created"
+ type = string
+ default = ""
+}
+variable "aws_bucket_name" {
+ description = "AWS S3 bucket name"
+ type = string
+ default = ""
+}
 variable "aws_host_set_ips" {
 description = "List of IP addresses in aws_host_set_filter1"
 type = list(string)
@@ -153,6 +163,11 @@ variable "worker_token" {
 type = string
 default = ""
 }
+variable "worker_tag_egress" {
+ description = "Worker tag for the egress worker"
+ type = string
+ default = ""
+}
 
 locals {
 aws_ssh_private_key_path = abspath(var.aws_ssh_private_key_path)
@@ -180,6 +195,8 @@ resource "enos_local_exec" "run_e2e_test" {
 E2E_AWS_SECRET_ACCESS_KEY = var.aws_secret_access_key
 E2E_AWS_HOST_SET_FILTER = var.aws_host_set_filter
 E2E_AWS_HOST_SET_IPS = local.aws_host_set_ips
+ E2E_AWS_REGION = var.aws_region
+ E2E_AWS_BUCKET_NAME = var.aws_bucket_name
 E2E_LDAP_ADDR = var.ldap_address
 E2E_LDAP_DOMAIN_DN = var.ldap_domain_dn
 E2E_LDAP_ADMIN_DN = var.ldap_admin_dn
@@ -188,6 +205,7 @@ resource "enos_local_exec" "run_e2e_test" {
 E2E_LDAP_USER_PASSWORD = var.ldap_user_password
 E2E_LDAP_GROUP_NAME = var.ldap_group_name
 E2E_WORKER_TOKEN = var.worker_token
+ E2E_WORKER_TAG_EGRESS = var.worker_tag_egress
 }
 inline = var.debug_no_run ? [""] : ["set -o pipefail; PATH=\"${var.local_boundary_dir}:$PATH\" yarn --cwd ${var.local_boundary_ui_src_dir}/ui/admin run e2e 2>&1 | tee ${path.module}/../../test-e2e-ui.log"]
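Review bot: `aws_region` and `aws_bucket_name` are declared with `default = ""` and exported as `E2E_AWS_REGION`/`E2E_AWS_BUCKET_NAME` in the third hunk of this file, but neither scenario hunk in this diff passes them to `test_e2e_ui`, so unless they are wired up elsewhere the test always sees empty strings; if a test depends on them, the aws scenario should pass them and the empty defaults should be dropped so a missing bucket fails at plan time instead of inside the UI test. `aws_bucket_name`'s description `"AWS S3 bucket name"` says nothing about what the bucket is for — presumably session recordings, given the rest of the diff, but that is an inference; `description = "S3 bucket the test exercises (see E2E_AWS_BUCKET_NAME)"` at least ties it to its consumer. The `aws_host_set_filter` variable this hunk opens in begins outside the hunk.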