The Open Infrastructure Access Platform
The easiest, most secure way
to access all your infrastructure.
What is Teleport?
The open source access platform used by DevSecOps teams for SSH, Kubernetes, databases, internal web applications and Windows. Teleport prevents phishing by relying on biometrics and machine identity, stops attacker pivots with the Zero Trust architecture, is compatible with everything you have, comes as a cloud service or a self-hosted option and doesn't get in the way of an engineer's productivity.
| Hostname | Address | Labels | Actions |
|---|---|---|---|
ip-10-0-0-115 | ⟵ tunnel | region: us-west-1 | |
ip-10-0-0-20 | ⟵ tunnel | region: sa-east-1 | |
ip-10-0-0-60 | ⟵ tunnel | region: us-west-2 | |
ip-10-0-0-85 | ⟵ tunnel | region: eu-west-1 | |
ip-10-0-0-90 | ⟵ tunnel | region: us-east-1 |
| Name | Type | Labels | Actions |
|---|---|---|---|
aurora | RDS PostgreSQL | env: devpostgres | |
mongodb | Self-hosted MongoDB | env: dev-1mongodb | |
gcloud | GCP SQL Postgres | env: prodsql | |
Cockroach | Self-hosted CockroachDB | env: prodcrdb | |
mysql | Self-hosted Mysql | env: dev-2mysql |
| Name | Labels | Actions |
|---|---|---|
eks-stg-cluster | env: stg2region: us-west-2 | |
eks-prod-cluster | env:prodregion:us-east-2 | |
galactus | env:prodentropy-service | |
eks-dev-cluster | env:stgregion:us-east-2 | |
galaxy | env:stgEKS |
| Name | Address | Labels | Actions |
|---|---|---|---|
aws | https://dev.runteleport.com | env: dev | |
grafana | https://grafana.runteleport.com | env: work | |
jenkins | https://jenkins.runteleport.com | env: work | |
metabase | https://meta.runteleport.com | env: dev | |
gitlab | https://gitlab.runteleport.com | env: dev |
| Address | Name | Labels | Actions |
|---|---|---|---|
10.0.0.10 | Windows | name: Base | |
10.0.40.10 | Windows Prod | name: Prod | |
10.0.32.10 | Windows Dev | name: Dev | |
10.0.130.2 | Windows Bizops | name: Biz | |
10.0.157.72 | Windows Sys | name: Sys |
| Node | User(s) | Duration | Actions |
|---|---|---|---|
ip-10-0-0-51 | alice | 5 mins | |
ip-10-0-0-120 | bob | 7 mins | |
ip-10-0-0-51 | slack-plugin | 10 mins | |
ip-10-0-0-22 | terraform | 5 mins | |
ip-10-0-0-120 | eve | 7 mins |
| Username | Roles | Type | Actions |
|---|---|---|---|
alice | access | Github | |
bob | access | Github | |
terraform | terraform | Local User | |
slack-plugin | slack | Local User | |
eve | access | Local User |
Why Teleport
Complexity + Scale = Risk
Dynamic inventory of everything you have
Teleport provides an automated and holistic view of all privileged infrastructure resources within your organization. This eliminates access silos, protects from impersonation attacks and provides a single place to manage policy.
Trusted infrastructure
Self-updating inventory of privileged resources: servers, cloud instances, databases, Kubernetes clusters, and internal webapps.
Trusted client devices
Inventory of enrolled TPM-equipped client laptops, workstations, Yubikeys and other phishing-resistant MFA devices.
Worldwide view
The inventory supports IoT devices, multiple clouds, on-premise environments and the private environments of your clients.
Secretless access to everything
Secrets such as passwords, private keys, and browser cookies are the #1 source of data breach. They are vulnerable to phishing attacks, credential sharing, theft, client device loss and other forms of human errors. Teleport doesn’t use secrets.
Biometrics for humans
Phishing-resistant MFA and passwordless authentication supporting Touch ID, YubiKey Bio and other supported devices.
Machine Identity
No more private host keys. Embrace strong machine identities for service accounts, CI/CD automation and microservices. Teleport Machine ID can be hardened by HSM or virtual HSM.
Short-lived certificates
Built-in certificate authority for X.509 and SSH certificates for all resources, including legacy systems. Teleport PKI infrastructure is fully automatic and does not require management.
One place to manage all privileges
Break access silos. Consolidate privileges for humans and machines across all protocols and resource types in one place. Lower the operational overhead of managing access and enforcing policy.
Access requests
Implement the principle of least privilege, when a client is temporarily given only minimal privileges to complete the task. How does this work?
Dual authorization
FedRAMP AC-3 and other compliance frameworks like SOC 2 require that highly privileged actions must be approved by multiple authorized team members.
Session sharing and moderation
An interactive session can contain multiple simultaneous clients. Highly privileged sessions can be configured to always include a moderator to prevent a single client from being a point of failure.
True Zero Trust
Move away from network-based perimeter security and prevent attackers from pivoting. Teleport implements Zero Trust on the application level, enforcing authentication and encryption natively for all protocols.
Zero network exposure
Critical infrastructure resources do not need to listen on the network. They are accessed via encrypted reverse tunnels to Teleport identity-aware Proxy.
Universal connectivity
Manage access to remote devices running on 3rd party networks behind NAT with latency-optimized routing.
Trust federation
Multiple organizations can manage trust across teams and securely access shared infrastructure via role mapping.
Consolidated visibility and audit
Collect all security events generated by humans and machines across your entire infrastructure in one place and export to any SIEM or threat detection platforms for further analysis.
Rich Audit Logs
Security logs are collected on the application level, giving you rich protocol-native context for what happened and who’s responsible.
Session recordings
Interactive sessions for all protocols are recorded and can be replayed in a YouTube-like interface.
Real-time live sessions
See what is happening with every active authenticated connection across all resources in your entire infrastructure. Interfere if needed.
Cloud-native privileged access management
Modern cloud-native infrastructure is elastic, ephemeral and automated with code. Teleport is designed to natively fit into the modern DevOps workflow.
Policy as code
Extend Teleport access approval workflows with code using programming language you’re familiar with.
Flexible login rules
Customize the SSO flow with configurable login rules and role templates.
DevOps integrations
Approve access requests using the tools you already have, such as Slack, PagerDuty and others. This allows security teams to approve or deny requests quickly and avoids frustration for engineers who need to get the job done.
Why Use Teleport
Before and after Teleport
Before Teleport
Without Teleport, engineers must access infrastructure using an insecure and cumbersome mix of VPNs, bastions, secrets and legacy PAM solutions, each with its own access control and audit layer. Visibility is minimal and the risk of error is high. Controlling permissions for services connected to your infrastructure is just as complex.
After Teleport
With Teleport, every connection across your global infrastructure passes through Teleport’s Identity-Aware Access Proxy where it is authenticated and authorized based on human or machine identity. Because engineers and services are treated the same, you have complete visibility and control over every connection without managing different access control systems. And because Teleport bases authn/z on identity instead of static credentials like keys and passwords, it is more secure, cost effective to scale and easier to use.
Works with everything you have
Teleport integrates with over 170 cloud based resources
...and many more
# on a client$ tsh login --proxy=example.com
# on a server$ apt install teleport
# in a Kubernetes cluster$ helm installEasy to get started
Teleport is easy to deploy and use. We believe that simplicity and good user experience are key to first-class security.
Teleport consists of just two binaries.
- The tsh client allows users to login to retrieve short-lived certificates.
- The teleport agent can be installed on any server or any Kubernetes cluster with a single command.
