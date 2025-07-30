CC6.1 - Restricts Logical Access
Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
Teleport Enterprise supports robust Role-based Access Controls (RBAC) to:
Control which SSH nodes a user can or cannot access.
Control cluster level configuration (session recording, configuration, etc.).
Control which UNIX logins a user is allowed to use when logging into a server.

CC6.1 - Identifies and Authenticates Users
Persons, infrastructure, and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
Teleport provides role-based access controls (RBAC) using short-lived certificates and your existing identity management service. Connecting locally or remotely is just as easy.

CC6.1 - Manages Points of Access
Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
Label Nodes to inventory and create rules.
Create Labels from AWS Tags.
Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators at any time.

CC6.1 - Restricts Access to Information Assets
Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access-control rules for information assets.
Teleport uses certificates to grant access and create access control rules.

CC6.1 - Manages Identification and Authentication
Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure, and software.
Teleport makes setting policies for SSH requirements easy, since it works in the cloud and on premises with the same authentication security standards.

CC6.1 - Manages Credentials for Infrastructure and Software
New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
Invite nodes to your cluster with short-lived tokens.

CC6.1 - Uses Encryption to Protect Data
The entity uses encryption to supplement other measures used to protect data at rest, when such protections are deemed appropriate based on assessed risk.
Teleport audit logs can use DynamoDB encryption at rest.

CC6.1 - Protects Encryption Keys
Processes are in place to protect encryption keys during generation, storage, use, and destruction.
Teleport acts as a Certificate Authority to issue SSH and x509 user certificates that are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically.

CC6.2 - Removes Access to Protected Assets When Appropriate
Processes are in place to remove credential access when an individual no longer requires such access.
Teleport issues temporary credentials based on an employee's role; they are revoked upon job change, termination, or the end of a maintenance window.

CC6.2 - Reviews Appropriateness of Access Credentials
The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.
Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators at any time.

CC6.3 - Creates or Modifies Access to Protected Information Assets
Processes are in place to create or modify access to protected information assets based on authorization from the asset's owner.
Build approval workflows with Access Requests to get authorization from asset owners.

CC6.3 - Removes Access to Protected Information Assets
Processes are in place to remove access to protected information assets when an individual no longer requires access.
Teleport uses temporary credentials and can be integrated with your version control system or even your HR system to revoke access with the Access Requests API.

CC6.3 - Uses Role-Based Access Controls
Role-based access control is utilized to support segregation of incompatible functions.
Role-based access control ("RBAC") allows Teleport administrators to grant granular access permissions to users.

CC6.3 - Reviews Access Roles and Rules
The appropriateness of access roles and access rules is reviewed on a periodic basis for unnecessary and inappropriate individuals with access, and access rules are modified as appropriate.
Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators at any time.

CC6.6 - Restricts Access
The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted.
Teleport makes it easy to restrict access to common ports like 21 and 22 and instead have users tunnel to the server using Teleport. Teleport uses the following default ports.

CC6.6 - Protects Identification and Authentication Credentials
Identification and authentication credentials are protected during transmission outside system boundaries.
Yes, Teleport protects credentials outside your network, allowing for a Zero Trust network architecture.

CC6.6 - Requires Additional Authentication or Credentials
Additional authentication information or credentials are required when accessing the system from outside its boundaries.
Yes, Teleport can manage MFA with the TOTP, WebAuthn or U2F standards, or connect to your Identity Provider using SAML, OAUTH or OIDC.

CC6.6 - Implements Boundary Protection Systems
Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts.
Trusted clusters.

CC6.7 - Uses Encryption Technologies or Secure Communication Channels to Protect Data
Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points.
Teleport has strong encryption, including a FedRAMP compliant FIPS mode.

CC7.2 - Implements Detection Policies, Procedures, and Tools
Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software.
Teleport creates detailed SSH audit logs with metadata.
Use BPF Session Recording to catch malicious program execution.

CC7.2 - Designs Detection Measures
Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.
Use Enhanced Session Recording to catch malicious program execution, capture TCP connections, and log programs accessing files on the system that they should not be accessing.

CC7.3 - Communicates and Reviews Detected Security Events
Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary.
Use Session Recording to replay and review suspicious sessions.

CC7.3 - Develops and Implements Procedures to Analyze Security Incidents
Procedures are in place to analyze security incidents and determine system impact.
Analyze detailed logs and replay recorded sessions to determine impact. See exactly what files were accessed during an incident.

CC7.4 - Ends Threats Posed by Security Incidents
Procedures are in place to mitigate the effects of ongoing security incidents.
Use Teleport to quickly revoke access and contain an active incident.

CC7.4 - Obtains Understanding of Nature of Incident and Determines Containment Strategy
An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach.
Use Teleport's Session Recording and Replay along with logs to understand what actions led to an incident.

CC7.4 - Evaluates the Effectiveness of Incident Response
The design of incident-response activities is evaluated for effectiveness on a periodic basis.
Use audit logs and session recordings to find pain points in your incident response plan and improve effectiveness.

CC7.4 - Periodically Evaluates Incidents
Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes.
Use Session Recording and audit logs to find patterns that lead to incidents.

CC7.5 - Determines Root Cause of the Event
The root cause of the event is determined.
Use Session Recording and audit logs to find the root cause.

CC7.5 - Improves Response and Recovery Procedures
Lessons learned are analyzed and the incident-response plan and recovery procedures are improved.
Replay session recordings at your 'after action review' or postmortem meetings.

CC8.1 - Manages Changes Throughout the System Life Cycle
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Teleport enables a documented software development lifecycle through its integrations with infrastructure as code tools.

CC8.1 - Authorizes Changes, Identifies and Evaluates System Changes
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Infrastructure as code integrations enable you to authorize changes using GitOps platforms. Access Requests enable authorization for elevated privileges.

CC8.1 - Designs and Develops Changes
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Infrastructure as code integrations allow you to specify infrastructure access controls as code.

CC8.1 - Documents Changes
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Infrastructure as code integrations allow for documenting configuration changes in version control system logs, and a notification system allows you to inform end users of system changes.

CC8.1 - Tracks System Changes
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Infrastructure as code integrations and audit logging allow you to track the history of configuration changes and Access Request approvals in a Teleport cluster.

CC8.1 - Configures Software
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Infrastructure as code support enables you to track dynamic resource configurations. Helm support allows you to track configurations for Teleport services on Kubernetes. You can also use version control to manage Teleport YAML configuration files.

CC8.1 - Tests System Changes
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Teleport's infrastructure as code support and gRPC API make it possible to set up staging environments and automated tests for changes in a Teleport configuration.

CC8.1 - Approves System Changes
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Access Requests allow approvals of proposed permissions changes, and infrastructure as code support enables you to set up an approval system for configurations.

CC8.1 - Deploys System Changes
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
RBAC protections for API resources allow you to restrict configuration changes to an authorized continuous deployment runner.

CC8.1 - Identifies Changes in the Infrastructure, Data, Software, and Procedures Required to Remediate Incidents
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Infrastructure as code support enables you to revert changes. It is also possible for you to back up the Auth Service backend on self-hosted clusters.

CC8.1 - Creates Baseline Configuration of IT Technology
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Infrastructure as code support enables you to set up a baseline configuration in a code repository.

CC8.1 - Provides Changes Necessary in Emergency Situations
Authorizes, designs, develops or acquires, configures, documents, tests, approves and implements changes to its infrastructure, data, software, and procedures to meet its objectives.
Admins can use Access Requests to obtain temporarily elevated permissions in order to provide changes in emergency situations.