Access Monitoring
Access Monitoring allows users to understand and analyze the access patterns in a Teleport cluster.
When Access Monitoring is enabled in a cluster, Teleport runs a background service that collects data from different input sources, builds graphical reports highlighting usage patterns within the cluster, and allows users to create automated response actions.
The primary data source for Access Monitoring is the Teleport audit log. Out of the box, Teleport includes a report that searches the audit log for events indicating risky usage patterns (such as SSH or database sessions without MFA) and provides users with recommendations on suggested actions.
Users are able to write their own custom access monitoring queries by querying the audit log.
Access Monitoring is not currently supported with External Audit Storage in Teleport Enterprise (Cloud). This functionality will be enabled in a future Teleport release.
Prerequisites
-
A running Teleport cluster. If you do not have one, read Getting Started.
-
The
tctl
andtsh
clients.Installing
tctl
andtsh
clients-
Determine the version of your Teleport cluster. The
tctl
andtsh
clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at/v1/webapi/find
and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:TELEPORT_DOMAIN=teleport.example.com:443TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" -
Follow the instructions for your platform to install
tctl
andtsh
clients:- Mac
- Windows - Powershell
- Linux
Download the signed macOS .pkg installer for Teleport, which includes the
tctl
andtsh
clients:curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkgIn Finder double-click the
pkg
file to begin installation.dangerUsing Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.
curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zipUnzip the archive and move the `tctl` and `tsh` clients to your %PATH%
NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
All of the Teleport binaries in Linux installations include the
tctl
andtsh
clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gztar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gzcd teleportsudo ./installTeleport binaries have been copied to /usr/local/bin
-
- For self-hosted Teleport the Amazon Athena Backend is required.
Configuration
- Teleport Enterprise (cloud-hosted)
- Self-Hosted
Access Monitoring is enabled by default for all Teleport Enterprise (cloud-hosted) accounts.
To enable Access Monitoring you need to update the Teleport Auth Service configuration:
auth_service:
access_monitoring:
enabled: true
# AWS role ARN that Teleport will assume to execute Athena SQL queries.
# The Teleport role should be configured with a trust relationship and should be able to assume this role.
role_arn: arn:aws:iam::123456789012:role/AccessMonitoringRole
# S3 bucket where Access Monitoring reports will be stored.
report_results: s3://audit-long-term/report_results
# (Optional) Athena workgroup used by Access Monitoring
# queries (if not set, the default primary workgroup will be used).
workgroup: access_monitoring_workgroup
Access Monitoring executes Athena SQL queries using a different AWS role than the one used by the Auth Service to access the Athena Audit Events backend. This role should have a trusted relationship with the Teleport role and the following IAM permissions. Ensure that the IAM role used by Access Monitoring is configured with sufficient access to Athena. Below, you can find the IAM permissions that allow the Auth Service to execute Athena queries and store the results in an S3 bucket.
Placeholder value | Replace with |
---|---|
eu-central-1 | AWS region |
1234567890 | AWS account ID |
audit-long-term | S3 bucket used for long-term storage |
audit-transient | S3 bucket used for transient storage |
kms_id | KMS key ID used for server-side encryption of S3 |
audit_db | Glue database used for audit logs |
audit_table | Glue table used for audit logs |
audit_workgroup | Athena workgroup used for Access Monitoring queries |
IAM Policy
{
"Statement": [
{
"Action": [
"s3:ListBucketVersions",
"s3:ListBucketMultipartUploads",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::audit-transient",
"arn:aws:s3:::audit-long-term"
]
},
{
"Action": [
"s3:PutObject",
"s3:GetObjectVersion",
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3::::audit-transient/results/*",
"arn:aws:s3:::audit-long-term/report_results/*"
]
},
{
"Action": [
"s3:ListMultipartUploadParts",
"s3:GetObjectVersion",
"s3:GetObject",
"s3:AbortMultipartUpload"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::audit-transient/results/*",
"arn:aws:s3:::audit-long-term/report_results/*",
"arn:aws:s3:::audit-long-term/events/*"
]
},
{
"Action": [
"glue:GetTable",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryExecution"
],
"Effect": "Allow",
"Resource": [
"arn:aws:glue:eu-central-1:1234567890:table/audit_db/audit_table",
"arn:aws:glue:eu-central-1:1234567890:database/audit_db",
"arn:aws:glue:eu-central-1:1234567890:catalog",
"arn:aws:athena:eu-central-1:1234567890:workgroup/audit_workgroup"
]
},
{
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Effect": "Allow",
"Resource": "arn:aws:kms:eu-central-1:1234567890:key/kms_id"
}
],
"Version": "2012-10-17"
}
You can use our Terraform Example to set up Athena and Access Monitoring AWS resources and generate Athena Backend and Access Monitoring Teleport configuration:
terraform apply... access_monitoring: enabled: true report_results: s3://long-term/report_results role_arn: arn:aws:iam::123456789012:role/AccessMonitoringRole workgroup: access_monitoring_workgroup
Access Monitoring RBAC Permissions
To access the Access Monitoring interface, a user must have a role that allows
list
, read
and use
verbs on the security_report
and audit_query
resources.
The preset auditor
role has these permissions by default. Alternatively, you can create a custom role with these permissions:
kind: role
metadata:
name: my-role
spec:
allow:
rules:
- resources:
- security_report
- audit_query
verbs:
- list
- read
- use
You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.