Fork me on GitHub


Teleport Enterprise Cloud Architecture



We have designed the Teleport Enterprise Cloud environment to be secure. We work with independent security auditors on a regular basis to identify and correct any gaps, while also continuing to iterate on improvements to fortify the platform for the most strict of compliance use-cases.

The Teleport Enterprise Cloud environment is protected from network and transport layer DDoS attacks that may target Teleport tenants by leveraging AWS Shield.


We completed our most current SOC 2 Type II audit on August 9th, 2022.

The report covers:

  • Teleport Open Source
  • Teleport Enterprise, self-hosted
  • Teleport Enterprise, cloud-hosted (SaaS)

The SOC 2 report is available for download at

For any other questions, reach out to

Managed Teleport Settings

SSH sessions are recorded on nodes. Teleport Enterprise Cloud Proxy does not terminate SSH sessions when using OpenSSH and tsh sessions. The Cloud Proxy terminates TLS for Application, Database, and Kubernetes sessions.

Data retention

Data retention cannot currently be configured by customers. All Teleport Enterprise Cloud customers have audit logs retained in DynamoDB for 1 year, cluster configuration retained in DynamoDB indefinitely, and session recordings retained in S3 indefinitely. When data retention policies are introduced, customers will be contacted and able to specify their preferred data retention schedules.

Customers whose subscriptions lapse will have all session recordings, audit logs, and cluster state deleted between 7 and 30 days after the lapse.

High Availability

Auth Service

The Teleport Auth Service is deployed within the AWS us-west-2 region in 4 availability zones, and can tolerate a single zone failure. AWS guarantees 99.99% of monthly uptime.


The Teleport Proxy Service is deployed to multiple AWS regions around the world for low-latency access to distributed infrastructure.

  • us-west-2 (default)
  • us-east-1
  • eu-central-1
  • ap-south-1
  • ap-southeast-1
  • sa-east-1


Teleport Enterprise Cloud only serves the latest stable release of the Teleport software for its customers.

Teleport Enterprise Cloud team upgrades the service with patch releases weekly and major releases quarterly. The team waits for the first minor release before a major upgrade. For example, the team will deploy 12.1.0 instead of 12.0.0. The first minor release happens 3-4 weeks after a first major release.

Patch releases are fully backward compatible and require no actions by the customer.

Major releases do require customers to upgrade all instances of Teleport they are running within 3 months of the upgrade. Failure to upgrade Teleport instances to the latest major release during this window may lead to compatibility issues with Teleport Enterprise Cloud and a loss of access to your infrastructure.

Subscribe to status updates at for Cloud upgrade notifications.

Service Level Agreement

Teleport Enterprise Cloud commits to an SLA of 99.9% of monthly uptime, a maximum of 44 minutes of downtime per month. As we continue to invest in the cloud product and infrastructure, the SLA will be increased.