No More Backdoors: Know Who Has Access to What, Right Now
Jun 13
Register Today
Teleport logoTry For Free
Fork me on GitHub


Teleport Enterprise Cloud Architecture


We have designed the Teleport Enterprise Cloud environment to be secure. We work with independent security auditors on a regular basis to identify and correct any gaps, while also continuing to iterate on improvements to fortify the platform for the most strict of compliance use-cases.

The Teleport Enterprise Cloud environment is protected from network and transport layer DDoS attacks that may target Teleport tenants by leveraging AWS Shield.


We undergo an annual SOC 2 Type II audit of the Teleport Access Platform.

The audit report covers:

  • Teleport Open Source
  • Teleport Enterprise, self-hosted
  • Teleport Enterprise, cloud-hosted (SaaS)

The SOC 2 report is available for download at

For any other questions, reach out to

Managed Teleport Settings

SSH sessions are recorded on nodes. Teleport Enterprise Cloud Proxy does not terminate SSH sessions when using OpenSSH and tsh sessions. The Cloud Proxy terminates TLS for Application, Database, and Kubernetes sessions.

Data retention

All Teleport Enterprise Cloud customers have audit logs retained in S3 for 4 years, cluster configuration retained in DynamoDB indefinitely, and session recordings retained in S3 indefinitely.

Customers whose subscriptions lapse will have all session recordings, audit logs, and cluster state deleted between 7 and 30 days after the lapse.

Customers can configure External Audit Storage to store audit logs and session recordings in their own AWS account where retention period can be managed independently.

High Availability

Auth Service

The Teleport Auth Service is deployed in 2 AWS availability zones, and can tolerate a single zone failure. AWS guarantees 99.99% of monthly uptime. Teleport Enterprise Cloud can run in one of the following AWS regions:

  • us-west-2
  • us-east-1
  • eu-central-1
  • ap-south-1
  • ap-southeast-1
  • sa-east-1


The Teleport Proxy Service is deployed to multiple AWS regions around the world for low-latency access to distributed infrastructure.

  • us-west-2
  • us-east-1
  • eu-central-1
  • ap-south-1
  • ap-southeast-1
  • sa-east-1


Teleport Enterprise Cloud only serves the latest stable release of the Teleport software for its customers.

Teleport Enterprise Cloud team upgrades the service with patch releases weekly and major releases quarterly. The team waits for the first minor release before a major upgrade. For example, the team will deploy 15.1.0 instead of 15.0.0. The first minor release happens 3-4 weeks after a first major release.

Patch releases are fully backward compatible and require no actions by the customer.

Major releases do require customers to upgrade all instances of Teleport they are running within 3 months of the upgrade. Failure to upgrade Teleport instances to the latest major release during this window may lead to compatibility issues with Teleport Enterprise Cloud and a loss of access to your infrastructure.

Subscribe to status updates at for Cloud upgrade notifications.

Service Level Agreement

Teleport Enterprise Cloud commits to an SLA of 99.9% of monthly uptime, a maximum of 44 minutes of downtime per month. As we continue to invest in the cloud product and infrastructure, the SLA will be increased.