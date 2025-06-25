Version: 18.x (unreleased)

On this page

Self-Hosting Identity Activity Center Report an issue with this page

In this guide, you will set up the infrastructure required to enable the Identity Activity Center in Teleport's Identity Security product. Identity Activity Center allows you to centralize audit logs and access paths from various sources for enhanced visibility and management.

Teleport Identity Activity Center is a centralized data platform that enhances visibility, allows to search and analyze activity from both human and non-human identities across multiple data sources.

It provides a rich visualization layer that maps access policies across services such as AWS, GitHub, Okta, and Teleport with the real-time activity from those identities.

Built to assist security and operations teams, Identity Activity Center combines activities from the same identity across different platforms improving the correlation of identity-based events across platforms and expedites investigations. Through an intelligent alerting engine that detects irregularities in audit logs, emphasizes odd behavior, and describes the access levels each identity has across corporate services, it offers contextual insights during incident response.

Identity Activity Center is a feature of Teleport Identity Security product that is only available to Teleport Enterprise customers.

Teleport Identity Security uses an AWS SQS queue to publish and consume audit logs. When deployed in high-availability mode, Teleport Identity Security elects a leader that's responsible for consuming messages from the queue, converting and enhancing them with metadata such as location, and writing them as Parquet files in the long-term S3 bucket.

Amazon Athena powers a query engine in the Identity Activity Center. To specify the schema and retrieve data from Parquet files kept in the long-term S3 bucket, Amazon Athena makes use of an AWS Glue Table. With this configuration, audit logs can be efficiently queried and analyzed, leading to improved insights and simplified data management for identity security.

A running Teleport Enterprise cluster v18.0.0 or later.

An updated Teleport Enterprise license file with Teleport Identity Security enabled.

A PostgreSQL database server v14 or later. Access Graph needs a dedicated database to store its data. The user that Teleport connects to the database with needs to be the owner of this database, or have similar broad permissions: at least the CREATE TABLE privilege on the public schema, and the CREATE SCHEMA privilege. Amazon RDS for PostgreSQL is supported.

A TLS certificate for the Access Graph service

A running Access Graph node v1.28.0 or later. Check the Identity Security page for details on how to set up Access Graph.

note The Identity Activity Center is currently supported only for self-hosted clusters. Teleport Enterprise Cloud support is planned for release later this year.

You can set up the required infrastructure to support the Identity Activity Center with the following Terraform script.

Terraform script Below is a list of the required variables along with their descriptions, which are necessary for the Terraform script to execute. eu-central-1 is the name of the region where infrastructure should be created.

is the name of the region where infrastructure should be created. example-sqs-queue is the name of the AWS SQS queue.

is the name of the AWS SQS queue. example-sqs-dlq is the name of the AWS SQS dead-letter queue.

is the name of the AWS SQS dead-letter queue. example-kms-key is the name of the AWS KMS encryption key used to encrypt S3 bucket files and SQS messages.

is the name of the AWS KMS encryption key used to encrypt S3 bucket files and SQS messages. example-long-term-bucket is the long-term S3 bucket used to store the events.

is the long-term S3 bucket used to store the events. example-transient-bucket is the transient S3 bucket used to store temporary files such as query results and large files.

is the transient S3 bucket used to store temporary files such as query results and large files. example-db is the name of the AWS Glue database.

is the name of the AWS Glue database. example-table is the name of the AWS Glue table.

is the name of the AWS Glue table. example-workgroup is the name of the Amazon Athena Workgroup.

is the name of the Amazon Athena Workgroup. aws-account-id is the AWS account id. Define the variables using the script below or configure them in your Teleport IaC script. cat > variables.auto.tfvars << EOF aws_region = " eu-central-1 " iac_sqs_queue_name = " example-sqs-queue " iac_sqs_dlq_name = " example-sqs-dlq " iac_kms_key_alias = " example-kms-key " iac_long_term_bucket_name = " example-long-term-bucket " iac_transient_bucket_name = " example-transient-bucket " iac_database_name = " example-db " iac_table_name = " example-table " iac_workgroup = " example-workgroup " EOF Execute the following Terraform script to create the required infrastructure. variables.tf file includes the description of the required Terraform variables. variable "aws_region" { description = "AWS region" default = "us-west-2" } variable "iac_sqs_queue_name" { description = "Name of the SQS queue used for Identity Activity Center." } variable "iac_sqs_dlq_name" { description = "Name of the SQS Dead-Letter Queue used for handling unprocessable events" } variable "max_receive_count" { description = "Number of times a message can be received before it is sent to the DLQ" default = 20 } variable "iac_kms_key_alias" { description = "The alias of a custom KMS key" } variable "iac_long_term_bucket_name" { description = "Name of the long term storage bucket used for storing audit logs" } variable "iac_transient_bucket_name" { description = "Name of the transient storage bucket used for storing query results and large events payloads" } variable "iac_database_name" { description = "Name of Glue database" } variable "iac_table_name" { description = "Name of Glue table" } variable "iac_workgroup" { description = "Name of Athena iac_workgroup" } variable "iac_workgroup_max_scanned_bytes_per_query" { description = "Limit per query of max scanned bytes" default = 21474836480 } identity_activity_center.tf file includes the declaration of every resource that Terraform will create and manage. This includes AWS KMS keys, AWS S3 Buckets for transient and long-term storage, and AWS Glue table and database. provider "aws" { region = var.aws_region } data "aws_caller_identity" "current" {} resource "aws_kms_key" "identity_activity_center_encryption_key" { description = "KMS key for Athena audit log" enable_key_rotation = true } resource "aws_kms_key_policy" "identity_activity_center_encryption_key_policy" { key_id = aws_kms_key.identity_activity_center_encryption_key.id policy = jsonencode({ Statement = [ { Action = [ "kms:*" ] Effect = "Allow" Principal = { AWS = data .aws_caller_identity.current.account_id } Resource = "*" Sid = "Default Policy" }, ] Version = "2012-10-17" }) } resource "aws_kms_alias" "identity_activity_center_encryption_key_alias" { name = "alias/ ${var.iac_kms_key_alias} " target_key_id = aws_kms_key.identity_activity_center_encryption_key.key_id } resource "aws_sqs_queue" "identity_activity_center_queue_dlq" { name = var.iac_sqs_dlq_name kms_master_key_id = aws_kms_key.identity_activity_center_encryption_key.arn kms_data_key_reuse_period_seconds = 300 message_retention_seconds = 604800 tags = { Name = "Identity Activity Center DLQ" Purpose = "Dead letter queue for failed identity event processing" Component = "MessageQueue" } } resource "aws_sqs_queue" "identity_activity_center_queue" { name = var.iac_sqs_queue_name kms_master_key_id = aws_kms_key.identity_activity_center_encryption_key.arn kms_data_key_reuse_period_seconds = 300 redrive_policy = jsonencode({ deadLetterTargetArn = aws_sqs_queue.identity_activity_center_queue_dlq.arn maxReceiveCount = var.max_receive_count }) tags = { Name = "Identity Activity Center Main Queue" Purpose = "Primary queue for identity event ingestion" Component = "MessageQueue" } } resource "aws_s3_bucket" "identity_activity_center_long_term_storage" { bucket = var.iac_long_term_bucket_name force_destroy = true object_lock_enabled = false tags = { Name = "Identity Activity Center Long-term Storage" Purpose = "Permanent storage for processed identity events" Component = "Storage" DataType = "LongTerm" } } resource "aws_s3_bucket_server_side_encryption_configuration" "identity_activity_center_long_term_storage" { bucket = aws_s3_bucket.identity_activity_center_long_term_storage.id rule { apply_server_side_encryption_by_default { kms_master_key_id = aws_kms_key.identity_activity_center_encryption_key.arn sse_algorithm = "aws:kms" } bucket_key_enabled = true } } resource "aws_s3_bucket_ownership_controls" "identity_activity_center_long_term_storage" { bucket = aws_s3_bucket.identity_activity_center_long_term_storage.id rule { object_ownership = "BucketOwnerEnforced" } } resource "aws_s3_bucket_versioning" "identity_activity_center_long_term_storage" { bucket = aws_s3_bucket.identity_activity_center_long_term_storage.id versioning_configuration { status = "Enabled" } } resource "aws_s3_bucket_public_access_block" "identity_activity_center_long_term_storage" { bucket = aws_s3_bucket.identity_activity_center_long_term_storage.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } resource "aws_s3_bucket" "identity_activity_center_transient_storage" { bucket = var.iac_transient_bucket_name force_destroy = true tags = { Name = "Identity Activity Center Transient Storage" Purpose = "Temporary storage for processing and query results" Component = "Storage" DataType = "Transient" } } resource "aws_s3_bucket_lifecycle_configuration" "identity_activity_center_transient_bucket_lifecycle_config" { bucket = aws_s3_bucket.identity_activity_center_transient_storage.id rule { status = "Enabled" id = "delete_after_60_days" filter {} expiration { days = 60 } } } resource "aws_s3_bucket_server_side_encryption_configuration" "identity_activity_center_transient_storage" { bucket = aws_s3_bucket.identity_activity_center_transient_storage.id rule { apply_server_side_encryption_by_default { kms_master_key_id = aws_kms_key.identity_activity_center_encryption_key.arn sse_algorithm = "aws:kms" } bucket_key_enabled = true } } resource "aws_s3_bucket_ownership_controls" "identity_activity_center_transient_storage" { bucket = aws_s3_bucket.identity_activity_center_transient_storage.id rule { object_ownership = "BucketOwnerEnforced" } } resource "aws_s3_bucket_versioning" "identity_activity_center_transient_storage" { bucket = aws_s3_bucket.identity_activity_center_transient_storage.id versioning_configuration { status = "Enabled" } } resource "aws_s3_bucket_public_access_block" "identity_activity_center_transient_storage" { bucket = aws_s3_bucket.identity_activity_center_transient_storage.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } resource "aws_glue_catalog_database" "identity_activity_center_db" { name = var.iac_database_name description = "Database containing identity activity event tables for multi-tenant analytics" } resource "aws_glue_catalog_table" "identity_activity_center_table" { name = var.iac_table_name database_name = aws_glue_catalog_database.identity_activity_center_db.name table_type = "EXTERNAL_TABLE" description = "Identity activity events table with partition projection for efficient querying" parameters = { "EXTERNAL" = "TRUE" "classification" = "parquet" "parquet.compression" = "SNAPPY" "projection.enabled" = "true" "projection.tenant_id.type" = "injected" "projection.event_date.type" = "date" "projection.event_date.format" = "yyyy-MM-dd" "projection.event_date.interval" = "1" "projection.event_date.interval.unit" = "DAYS" "projection.event_date.range" = "NOW-4YEARS,NOW" "storage.location.template" = format( "s3://%s/data/$ ${tenant_id} /$ ${event_date} /" , aws_s3_bucket.identity_activity_center_long_term_storage.bucket) } storage_descriptor { location = format( "s3://%s/data/" , aws_s3_bucket.identity_activity_center_long_term_storage.bucket) input_format = "org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat" output_format = "org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat" ser_de_info { name = "identity-events-parquet-serde" serialization_library = "org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe" parameters = { "serialization.format" = "1" } } columns { name = "event_source" type = "string" } columns { name = "identity" type = "string" } columns { name = "identity_kind" type = "string" } columns { name = "identity_id" type = "string" } columns { name = "token" type = "string" } columns { name = "action" type = "string" } columns { name = "origin" type = "string" } columns { name = "status" type = "string" } columns { name = "ip" type = "string" } columns { name = "city" type = "string" } columns { name = "country" type = "string" } columns { name = "region" type = "string" } columns { name = "latitude" type = "double" } columns { name = "longitude" type = "double" } columns { name = "target_resource" type = "string" } columns { name = "target_kind" type = "string" } columns { name = "target_location" type = "string" } columns { name = "target_id" type = "string" } columns { name = "user_agent" type = "string" } columns { name = "event_type" type = "string" } columns { name = "event_time" type = "timestamp" } columns { name = "uid" type = "string" } columns { name = "event_data" type = "string" } columns { name = "aws_account_id" type = "string" } columns { name = "aws_service" type = "string" } columns { name = "github_organization" type = "string" } columns { name = "github_repo" type = "string" } columns { name = "okta_org" type = "string" } columns { name = "teleport_cluster" type = "string" } } partition_keys { name = "tenant_id" type = "string" } partition_keys { name = "event_date" type = "date" } } resource "aws_athena_workgroup" "identity_activity_center_workgroup" { name = var.iac_workgroup force_destroy = true description = "Workgroup for Identity Activity Center analytics with cost controls and encryption" configuration { bytes_scanned_cutoff_per_query = var.iac_workgroup_max_scanned_bytes_per_query engine_version { selected_engine_version = "Athena engine version 3" } result_configuration { output_location = format( "s3://%s/results/" , aws_s3_bucket.identity_activity_center_transient_storage.bucket) encryption_configuration { encryption_option = "SSE_KMS" kms_key_arn = aws_kms_key.identity_activity_center_encryption_key.arn } } } tags = { Name = "Identity Activity Center Workgroup" Purpose = "Analytics workgroup for identity event queries" Component = "Analytics" } } output "identity_activity_center_yaml" { description = "YAML configuration for Identity Activity Center applications" value = <<EOT identity_activity_center: region: ${var.aws_region} database: ${var.iac_database_name} table: '${var.iac_table_name}' s3: '${format( "s3://%s/data" , aws_s3_bucket.identity_activity_center_long_term_storage.bucket)}' s3_results: '${format( "s3://%s/results" , aws_s3_bucket.identity_activity_center_transient_storage.bucket)}' s3_large_files: '${format( "s3://%s/large_files" , aws_s3_bucket.identity_activity_center_transient_storage.bucket)}' sqs_queue_url: '${aws_sqs_queue.identity_activity_center_queue.url}' workgroup: '${aws_athena_workgroup.identity_activity_center_workgroup.name}' maxmind_geoip_city_db_path: './geo...' EOT } output "kms_key_arn" { description = "ARN of the KMS key used for encryption" value = aws_kms_key.identity_activity_center_encryption_key.arn sensitive = false } output "sqs_queue_url" { description = "URL of the main SQS queue for event ingestion" value = aws_sqs_queue.identity_activity_center_queue.url } output "sqs_dlq_url" { description = "URL of the dead letter queue" value = aws_sqs_queue.identity_activity_center_queue_dlq.url } output "long_term_bucket_name" { description = "Name of the S3 bucket for long-term storage" value = aws_s3_bucket.identity_activity_center_long_term_storage.bucket } output "transient_bucket_name" { description = "Name of the S3 bucket for transient storage" value = aws_s3_bucket.identity_activity_center_transient_storage.bucket } output "database_name" { description = "Name of the Glue database" value = aws_glue_catalog_database.identity_activity_center_db.name } output "table_name" { description = "Name of the Glue table" value = aws_glue_catalog_table.identity_activity_center_table.name } output "athena_workgroup_name" { description = "Name of the Athena workgroup" value = aws_athena_workgroup.identity_activity_center_workgroup.name } policy.tf includes the declaration of the AWS IAM policy that must be attached to the AWS identity that the Identity Security service runs as, enabling it to access the resources and execute queries. data "aws_partition" "current" {} data "aws_region" "current" {} data "aws_iam_policy_document" "identity_activity_center_policy" { statement { sid = "AllowListingMultipartUploads" effect = "Allow" actions = [ "s3:ListBucketMultipartUploads" , "s3:GetBucketLocation" , "s3:ListBucketVersions" , "s3:ListBucket" ] resources = [ aws_s3_bucket.identity_activity_center_transient_storage.arn, aws_s3_bucket.identity_activity_center_long_term_storage.arn, ] } statement { sid = "AllowMultipartAndObjectAccess" effect = "Allow" actions = [ "s3:PutObject" , "s3:ListMultipartUploadParts" , "s3:GetObjectVersion" , "s3:GetObject" , "s3:DeleteObjectVersion" , "s3:DeleteObject" , "s3:AbortMultipartUpload" ] resources = [ format( "%s/data/*" , aws_s3_bucket.identity_activity_center_long_term_storage.arn), format( "%s/results/*" , aws_s3_bucket.identity_activity_center_transient_storage.arn), format( "%s/large_files/*" , aws_s3_bucket.identity_activity_center_transient_storage.arn), ] } statement { sid = "AllowPublishReceiveSQS" effect = "Allow" actions = [ "sqs:ReceiveMessage" , "sqs:DeleteMessage" , "sqs:SendMessage" ] resources = [ aws_sqs_queue.identity_activity_center_queue.arn ] } statement { sid = "AllowAthenaQuery" effect = "Allow" actions = [ "glue:GetTable" , "athena:StartQueryExecution" , "athena:GetQueryResults" , "athena:GetQueryExecution" ] resources = [ aws_glue_catalog_table.identity_activity_center_table.arn, aws_glue_catalog_database.identity_activity_center_db.arn, aws_athena_workgroup.identity_activity_center_workgroup.arn, "arn: ${data.aws_partition.current.partition} :glue: ${data.aws_region.current.name} : ${data.aws_caller_identity.current.account_id} :catalog" , ] } statement { sid = "AllowAthenaKMSUsage" effect = "Allow" actions = [ "kms:GenerateDataKey" , "kms:Decrypt" ] resources = [ aws_kms_key.identity_activity_center_encryption_key.arn, ] } } output "identity_activity_center_iam_policy" { description = "Complete IAM policy JSON for Identity Activity Center access" value = data .aws_iam_policy_document.identity_activity_center_policy.json } The Terraform script will output two variables: identity_activity_center_iam_policy : AWS IAM policy required for Identity Security to connect to AWS resources. Attach the policy to the Identity Security AWS IAM role.

: AWS IAM policy required for Identity Security to connect to AWS resources. Attach the policy to the Identity Security AWS IAM role. identity_activity_center_yaml : YAML configuration to append to the Identity Security configuration or Helm chart values.

note MaxMind GeoIP database configuration is optional, but we do recommend it for geolocation tracking.

To enrich audit events with GeoIP details such as country, city, region, latitude, and longitude based on IP addresses, we strongly recommend using the MaxMind GeoIP City database.

MaxMind provides both free and paid versions of its GeoIP City database. The free version is less accurate and updated less frequently compared to the paid version. You can find instructions for downloading the free version or purchasing the paid version on the MaxMind Developer website.

Self-hosted cluster

Self-hosted cluster using Helm Chart To configure enhanced location details for self-hosted clusters, upload the database file to the machine where Identity Security runs. You will specify its location in the config file below. To configure enhanced location details for self-hosted clusters installed using the Helm Chart, first create the secret that contains the IP database: $ kubectl create secret generic maxmind-geoip-city-db --from-file=GeoLite2-City.mmdb

Self-hosted cluster

Self-hosted cluster using Helm Chart To configure it for self-hosted clusters, update the Identity Security configuration and append the following section: identity_activity_center: region: eu-central-1 database: example-db table: example-table s3: s3:// example-long-term-bucket /data/ s3_results: s3:// example-transient-bucket /results/ s3_large_files: s3:// example-transient-bucket /large_files sqs_queue_url: https://sqs. eu-central-1 .amazonaws.com/ aws-account-id / example-sqs-queue maxmind_geoip_city_db_path: /path/to/geoIp-city.mmdb To configure it for self-hosted clusters installed using the Helm Chart, update your Helm chart values with the following details: volumes: - name: maxmind-geoip-city-db secret: secretName: maxmind-geoip-city-db optional: false volumeMounts: - name: maxmind-geoip-city-db mountPath: "/etc/maxmindGeoIP/" readOnly: true identity_activity_center: enabled: true region: eu-central-1 database: example-db table: example-table s3: s3:// example-long-term-bucket /data/ s3_results: s3:// example-transient-bucket /results/ s3_large_files: s3:// example-transient-bucket /large_files sqs_queue_url: https://sqs. eu-central-1 .amazonaws.com/ aws-account-id / example-sqs-queue maxmind_geoip_city_db_path: "/etc/maxmindGeoIP/GeoLite2-City.mmdb" Run helm upgrade to re-deploy Identity Security.