Fork me on GitHub


Teleport Cloud Architecture



We have designed the Teleport Cloud environment to be secure. We work with independent security auditors on a regular basis to identify and correct any gaps, while also continuing to iterate on improvements to fortify the platform for the most strict of compliance use-cases.

The Teleport Cloud environment is protected from network and transport layer DDoS attacks that may target Teleport tenants by leveraging AWS Shield.


We completed our most current SOC 2 Type II audit on August 9th, 2022.

The report covers:

  • Teleport Open Source
  • Teleport Enterprise, self-hosted
  • Teleport Enterprise, cloud-hosted (SaaS)

Reach out to for report details.

Managed Teleport Settings

SSH sessions are recorded on nodes. Teleport Cloud Proxy does not terminate SSH sessions when using OpenSSH and tsh sessions. The Cloud Proxy terminates TLS for Application, Database, and Kubernetes sessions.

Data retention

Data retention cannot currently be configured by customers. All Teleport Cloud customers have audit logs retained in DynamoDB for 1 year, cluster configuration retained in DynamoDB indefinitely, and session recordings retained in S3 indefinitely. When data retention policies are introduced, customers will be contacted and able to specify their preferred data retention schedules.

Customers whose subscriptions lapse will have all session recordings, audit logs, and cluster state deleted between 7 and 30 days after the lapse.

High Availability

Auth Service

The Teleport auth service is deployed within the AWS us-west-2 region in 4 availability zones, and can tolerate a single zone failure. AWS guarantees 99.99% of monthly uptime.


The Teleport proxy service can be deployed to multiple AWS regions around the world for low-latency access to distributed infrastructure.

  • us-west-2 (default)
  • us-east-1
  • eu-central-1
  • ap-south-1
  • ap-southeast-1
  • sa-east-1

The multi-region option is currently opt-in by default. Once you have an account, please reach out to your account manager, customer success engineer, or [email protected]. A future update will expand the region availability and make all regions available by default.


Teleport Cloud only serves the latest stable release of the Teleport software for its customers.

Teleport Cloud team upgrades the service with patch releases weekly and major releases quarterly. The team waits for the first minor release before a major upgrade. For example, the team will deploy 11.1.0 instead of 11.0.0. The first minor release happens 3-4 weeks after a first major release.

Patch releases are fully backward compatible and require no actions by the customer.

Major releases do require customers to upgrade all instances of Teleport they are running within 3 months of the upgrade. Failure to upgrade Teleport instances to the latest major release during this window may lead to compatibility issues with Teleport Cloud and a loss of access to your infrastructure.

Subscribe to status updates at for Cloud upgrade notifications.

Service Level Agreement

Teleport Cloud commits to an SLA of 99.5% of monthly uptime, a maximum of 3 hours 40 minutes of downtime per month. As we continue to invest in the cloud product and infrastructure, the SLA will be increased.