Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free

Compliance

Streamlining FedRAMP Compliance

What is FedRAMP compliance?

FedRAMP Logo

FedRAMP (Federal Risk and Authorization Management Program) is a critical framework for cloud service providers (CSPs) aiming to offer their cloud solutions to the U.S. Federal government. The FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters, and guidance above the NIST baseline that address the unique elements of cloud computing.

Need FedRAMP Help?

Get in touch

Teleport Features for FedRAMP Controls

Access Controls

Control Name

ID

Teleport Capability

Account Management

AC-02

  • Teleport integrates with SSO providers such as GitHub, Okta, Google, etc.
  • Teleport supports role-based access control (RBAC) for SSH and Kubernetes
  • Teleport certificate-based SSH and Kubernetes authentication and audit logging comply with these requirements without additional configuration.
  • Audit events are emitted when a user is created, updated, deleted, locked, or unlocked.

Access Enforcement

AC-03

Teleport supports robust role-based access controls (RBAC). RBAC can be used to:

  • Control which SSH nodes a user can or cannot access.
  • Control cluster-level configuration (session recording, configuration, etc.).
  • Control which UNIX logins a user is allowed to use when logging into a server.
  • Control which user groups have access to Kubernetes resources.

Unsuccessful Logon Attempts

AC-07

Teleport supports two types of users: local and SSO-based accounts (GitHub, Google Apps, Okta, etc). For local accounts, by default, Teleport locks accounts for 30 minutes after 5 failed login attempts. For SSO-based accounts, the number of invalid login attempts and lockout time period is controlled by the SSO provider.


System Use Notification

AC-08

Teleport supports two methods for System Use Notifications:

  • Linux Pluggable Authentication Modules (PAM). PAM modules can be used to display a custom message on login using a message of the day (MOTD) module within the Session management primitive.
  • Pre-Authentication MOTD. A method for displaying a custom message of the day (MOTD) prior to authenticating as a user.


Concurrent Session control

AC-10

Teleport supports both a maximum number of connections (`max_connections`) and the maximum number of simultaneously connected users (`max_users`) under the `connection_limits` configuration parameter.

Session Termination

AC-12

Teleport user sessions are automatically terminated when a certificate expires. Users can exit a Teleport interactive session at any time by typing `exit` or sending an interrupt signal to the process for remote execution of a program. Logout of all sessions (destroying credentials) indicates termination of all sessions and includes an explicit logout message.

Remote Access

AC-17

Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources. Admins can terminate active sessions with session locking. Teleport terminates sessions on expiry or inactivity.

Use of External Information Systems

AC-20

Teleport supports connecting multiple independent clusters using a feature called Trusted Clusters. When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access.

Audit & Accountability

Configuration Management

Identification and Authentication

System and Communications Protection

Try Teleport today

In the cloud, self-hosted, or open source.
View developer docs

Get Started
pam