Teleport
See permission changes with Access Graph Crown Jewels
- Edge version
- Version 17.x
- Version 16.x
- Version 15.x
- Older Versions
Access Graph's Crown Jewel feature allows you to track changes to access for your most sensitive users or resources. When you mark a resource as a Crown Jewel, Teleport emits audit events any time access to that resource changes.
This guide shows you how to configure Crown Jewels, how to mark resources as Crown Jewels, and how to see permission changes for these resources.
Prerequisites
For an improved experience, we recommend using Crown Jewels in conjunction with Teleport local users or integrating with Okta or Microsoft Entra ID. This setup helps minimize the number of access path change entries generated when highly privileged ephemeral users log in via Teleport Auth Connectors.
- A running Teleport Enterprise cluster v16.2.0 or later.
- For self-hosted clusters, an updated
license.pem
with Teleport Policy enabled. - For self-hosted clusters, a running Access Graph node v1.24.0 or later. Check Access Graph page for details on how to set up Access Graph.
Access Graph is a feature of the Teleport Policy product available to Teleport Enterprise edition customers.
After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found under the Permission Management section.
Required RBAC permissions
To create and view Crown Jewels, you need the following RBAC permissions:
kind: role
metadata:
name: crown-jewels-admin
spec:
allow:
rules:
- resources:
- crown_jewel
verbs:
- *
version: v7
Creating a Crown Jewel
To create a Crown Jewel, you need to mark a resource or user as critical. Only changes to marked resources and users will be logged by Teleport Policy. To mark a resource or user as Crown Jewel, open the Access Graph and navigate to the "Crown Jewels" tab.
Click on "Create Crown Jewel" and select the resource or user you want to mark as critical.
Pick a name for the Crown Jewel and click "Create".
The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Access Graph will now create audit events in Teleport's audit log and new entries in the "Access Changes" tab in the "Crown Jewels" menu whenever access path to a resource or a user changes.
Viewing permission changes
To view permission changes, open the Access Graph and navigate to the "Crown Jewels" tab. Here you can see a list of all Crown Jewels and the changes that have been made to them.
The generated changes have a diff format showing removed nodes with "-" and added nodes with "+". Every time a change is made to a Crown Jewel, a new entry will be added to the list and an audit event will be generated in the Teleport Audit Log.
Audit events
Every time a change is made to a Crown Jewel, an audit event is generated in the Teleport Audit Log. Here is what an example audit event looks like:
{
"affected_resource_name": "bob",
"affected_resource_source": "TELEPORT",
"affected_resource_type": "teleport_node",
"change_id": "0110b3c4-d0b5-4af9-8585-aa49a064c85d",
"cluster_name": "ssh-node",
"code": "TAG001I",
"ei": 0,
"event": "access_graph.access_path_changed",
"time": "2024-09-20T19:50:38.194Z",
"uid": "5447d050-699a-4009-a901-ab8ed2614bc2"
}
You can export the audit event using the event handler. The setup is described here.