Teleport 9 Webinar - Machine ID
Teleport 9 Webinar - Machine ID - overview
Teleport 9 is here! This latest release introduces Teleport Machine ID which delivers identity-based access and audit for infrastructure resources like servers and databases, CI/CD automation, service accounts and custom code in applications such as microservices. By consolidating identity-based credentials for engineers and the applications they write, Teleport 9 closes the identity loophole that enables compromised infrastructure and code to be used in cyberattacks.
In addition to releasing Machine ID, we have also added new capabilities to Teleport Desktop Access for Windows environments (Windows session recordings, Clipboard copy-and-paste, and multi-factor authentication) and Teleport Database Access (Redis, MariaDB and Microsoft SQL Server, as well as auto-discovery for Amazon Redshift clusters). Moderated Sessions are also new in Teleport 9. This new feature requires multiple authorized individuals to be jointly connected to the same session in order to increase security and compliance in critical systems.
Watch this webinar to learn more about Teleport from our Product Management and Developer Relations teams.
Key topics on Teleport 9 Webinar - Machine ID
- Distributed technology, distributed workforce, and a rise in cyberattacks have increased demand for Teleport.
- Teleport 9 consolidates identity-based access and audit for engineers as well as infrastructure resources like servers and databases, CI/CD automation, service accounts and custom code in applications such as microservices with Machine ID.
- Teleport Machine ID is an easy way for developers to secure machine-to-machine communications based on X.509 and SSH certificates.
- Machine ID programmatically issues and renews short-lived certificates to any service account (e.g., a CI/CD server) by retrieving credentials from the Teleport Auth Service. This enables fine-grained role-based access controls and audit.
- Teleport Desktop Access provides identity-based, passwordless access to Windows hosts across all computing environments: in the cloud, on-premises, or on the edge.
- Teleport Database Access lets you implement identity-based access for SQL and NoSQL databases, prevent data exfiltration, meet compliance requirements, and have complete visibility into access and behavior.
- Teleport 9 brings new capabilities to Teleport Desktop Access for Windows environments and Teleport Database Access, as well as auto-discovery for Amazon Redshift clusters.
- Moderated Sessions are also new in Teleport 9.
Expanding your knowledge on Teleport 9 Webinar - Machine ID
- Teleport 9 - Introducing Machine ID
- Teleport Machine ID - Introduction
- Moderated Sessions
- Teleport Database Access
- Database Access: Redis
- Teleport Desktop Access
- Teleport Server Access
- Teleport Application Access
- Teleport Kubernetes Access
Learn more about Teleport 9 Webinar - Machine ID
- Contribute on GitHub
- Join our Slack community
- Participate in our discussions
- Upcoming Teleport Releases
Introduction - Teleport 9 Webinar - Machine ID
(The transcript of the session)
Ben: 00:00:00.305 So thanks for joining today, everybody. Today is our Teleport 9 webinar. Myself and Xin will be going through this deck. I'm going to pass it over to Xin to start with our introductions and kick things off.
Xin: 00:00:15.947 Cool. Thank you, Ben. Thanks, everyone for joining us for our webinar today. My name is Xin Ding. I'm the VP of Product here at Teleport. So we'll be sharing with you all the new features in Teleport 9 and a little bit of background before we get into the demos. We'll be spending most of the demo — yeah, most of the time on the demo today and have a little bit of time at the end for a Q&A. But before we get into that, I wanted to share a little bit of background about the industry, Teleport, and current release with 9.0, and then upcoming releases. And then I'll hand it over to Ben to do a lot of our demos, and then we can take questions at the end.
Demand meets supply
Xin: 00:00:58.250 So before we get into Teleport itself, I wanted to share some background information on how we've arrived here and what we've been able to take advantage of in order to grow as a company, and what is the increase in demand for a product like Teleport. So as everyone has lived out the last couple of years, we've seen a lot of changes in the world. From a technology standpoint, we've seen more growth in distributed technology. We've seen various forms of this, including a lot of different hosts of services gaining popularity. For example, a database as a service gaining popularity, as well as new architecture that are much more distributed, and technologies that enable the distribution of that technology.
Xin: 00:01:51.450 The second thing we've seen, especially over the last two, two and a half years with the advent of COVID, we've seen a much more distributed workforce. And there's a lot more remote working now, and the days of having all of your resources on-site and only being able to access those resources from specific IP addresses and locations are much harder to manage. So that's the second thing we've seen, a more distributed workforce. And the third is we've seen a substantial growth and increase in cyberattacks, whether it be in the form of vulnerabilities, ransomware, everything like that. We've seen much more emphasis in this part of the market, and we've just seen a lot more growth in the security sector. So given those three things, that kind of created the demand for a product like Teleport. And, Ben, if you go to the next slide?
Connect, authenticate, authorize, and audit
Xin: 00:02:52.794 So this is where Teleport comes in. We are the easiest, most secure way to access all of your infrastructure. And we have four components of the product: Connect, Authenticate, Authorize, and Audit. And together, we make it really easy to scale and really easy to control the compliance at scale when it comes to accessing your infrastructure. So what are the four different components? Well, with Connect, we're able to obviously help you connect to various resources. And to be able to do that, we need to support a variety of different protocols natively. I'll talk a little bit about that on the next slide. With Authenticate, we're able to essentially prove who the user is and who the identity of the user is. And we've extended this idea of identity from human users to machine users with Teleport 9, and we'll talk a little bit about that when we cover the Machine ID demo. With Authorize, this is much more of a compliance control sort of part of the access point where we are able to provide access to certain identities and revoke access from other identities. One of the major things here with regards to distributed workforce is that we've seen that it's fairly difficult to properly manage onboarding and offboarding at scale, and a lot of the features within our Authorize module will help companies manage that at scale.
Xin: 00:04:25.562 And the last thing here is Audit. So with Audit comes things like audit logs, things like session recording. And one of the cool features that we have that kind of touches on both Audit and Authorize in Teleport 9 is Moderated Sessions. And we'll be covering that in a demo that we'll be giving later in the webinar. So how did we get here and how did we create all these modules, and what did it take for Teleport to evolve into Teleport 9, and what have we gained along the way? Ben, if you can go to the next slide?
Xin: 00:05:01.519 So here's a rough timeline of all the different major releases and major features that we've shipped in Teleport 9. So Teleport's Server Access, which is predominantly used for SSH access to Linux servers was shipped in June of 2016. And very steadily following that, we've been shipping various different protocol supports for different technologies through the last five, six years. And we followed Server Access with Kubernetes Access and followed by Application Access in 2020, Database Access in 2021, and then most recently, Desktop Access preview in November 2021, and we did ship Desktop Access GA with the release of Teleport 9. So as you can kind of see from 2016 to 2021, our major efforts have been around extending our support to various different protocols and doing so natively. And with that, we've been able to expand our user base through being able to help them access various different resources and a variety of different resources. With Machine ID, which came out in preview with Teleport 9, we've extended the idea of a user from a human user — as I mentioned previously — for example, a DevOps engineer, a security engineer, to a machine. So this can be your Jenkins box. This could be your Ansible control box.
Xin: 00:06:41.272 So we've been able to essentially, in the form of certificate, provided identity to a machine, and then apply everything that I've talked about before with regards to Connect, Authorize, Audit, etc., to this idea of a machine. And similarly, we've been able to revoke that access with Machine ID as well. So this extends all the capabilities that Teleport has to offer today to a different definition of identity. So what comes out in Teleport 9 and what's coming out in the future? Ben, if you can go to the next slide?
Xin: 00:07:24.962 So with Teleport 9 as I mentioned, we were able to GA Desktop Access, which just included some extended features on top of our 8 preview release. We're also sharing a Machine ID preview in time for a 9.0 release, which extends the idea of an identity to human users to machine users. And with it, we have shipped Server Access for Machine ID, and we're steadily adding support for different protocols throughout 9.1, 9.2, and 9.3. I mentioned Moderated Sessions here as well. And we're continuing to work on additional extensions with our protocol support. So for example, Redis and MS SQL Server support, we'll be adding to Database Access. With 9.1, we'll be adding Machine ID X.509 certificate support, which extends the Machine ID to be able to support Database and Kubernetes Access along with TLS routing for Machine ID support. At 9.2, we'll be adding CA rotation support to Machine ID. With 9.3, we'll be adding ephemeral token-based joining to Machine ID, which is a UX improvement for now AWS use cases.
Xin: 00:08:52.331 With Teleport 10 in June 2022, we will be GAing Machine ID at that point, and then we'll be sharing a passwords preview, automatic upgrades preview, search-based access requests, IP restrictions, and an automatic user provisioning. And then as an extension to our Database Access story, we'll also be adding Cassandra and Snowflake support at that time. For more information, you can always go to goteleport.com/docs/preview/upcoming-releases. This is where we'll be keeping a lot of this information, and we update this on a weekly basis. Okay, so that's about it from me in terms of providing the background and for looking information on Teleport releases. I'll hand it off now to Ben to demo some of our cool features that we shipped in Teleport 9. Ben?
Demo: Machine ID
Ben: 00:09:49.265 Thank you, Xin. And as we said in the chat, if you have any questions, feel free to add them in the Q&A box. We'll get to them at the end, but I'm happy to answer as we go. So today, I have four demos for you. I'm going to spend most of my time on Machine ID, and then I'll follow up with a Database Access for Redis, a Desktop Access, sharing our clipboard, and session recording. And then last up, I'll give you a little overview of Moderated Sessions. I won't be demoing this because this is an Enterprise-only feature, and my clusters are Community Edition. But I can send you a link and some preview to give you a demo for Moderated Sessions. So let's start with Machine ID. So before I deep-dive into Machine ID, I have this webinar which we did last year called Tokens, TLS, and Teleport, and this is really an introduction to how Teleport deals with tokens, TLS, and adding sort of join tokens to different parts of the infrastructure. If you're sort of new to Teleport, this is a great introduction of the pros of using short-lived tokens or long-lived tokens like automatically generating certificates on-demand or creating long-lived ones. And as a foundational rule of Teleport, we always favor short-lived certificates for access over long-lived credentials.
Ben: 00:11:11.379 And so to sort of give you an example, Ansible is an infrastructure tool which most people should be relatively familiar for its “post”. Setting up your infrastructure, you use Ansible to configure the nodes. You might bake a public/private key into all of your AMIs. So before Machine ID, you'd have your control node and an SSH config that would talk to EC2 group for running updates. And there was many issues with this sort of setup. Teleport supports both public and — I'll go to the next stage to sort of explain sort of some of the problems. And so the next improvement over using public/private keys would be using a certificate. And if you look at my Tokens TLS webinar, this was our recommended approach previously. We'd just say, "Oh, just create credentials for one year for accessing Ansible." And so for any nodes that are behind Teleport, an administrator would use a tctl auth export. You'd get a CA; it would just be a really long certificate packed into a secret store. And then you could use that for configuring and setting up Teleport.
Ben: 00:12:28.224 But it had one problem. One, it was long-lived tokens. There was an extra step to get it into a system. If you're using AWS, you might need to put it into a secret store, and you have problems with who's handling which secrets and are they on an employee's laptop? It also made it very hard to rotate. If you were to do a Teleport CA rotation, you would also have to come and remind yourself to rotate these credentials as well to keep working. And lastly, there was some audit log events, but we didn't really have much visibility into who was creating these long-lived tokens and credentials for other robots and machines in your system. So this is the new way. We have a new addition to Teleport called tbot, which is a new binary, which is used for obtaining credentials. And you add bots in the same way. It's similar to a student said, "We've gone from just thinking about user's identity to machine identity." And sort of bots add is similar to users add, so you sort of consolidate all of your access for whatever jobs, so it could be your Ansible, your Jenkins, your cron jobs. You create bots for each user, and then you use tbots to obtain the certificates and then use the RBAC for access. So some of the benefits, sort of out of the box, credentials are automatically rotated every 20 minutes. Tbot writes these credentials to a disk, so you didn't necessarily have to go through a sort of third-party secret store and obtaining credentials. It supports Teleport CA rotation, and then also, you have a list of all registered bots available.
Ben: 00:14:09.412 So let me show you the new way, and I'm going to actually give you a demo of creating a new bot. But as you saw before, we have my Ansible control node. We're going to configure it with Machine ID using tbots, and this will get our credentials. So to start, I am going to log into my Teleport cluster. Okay, that's a good sign. So this is what we talked about, linking identity. I'm using GitHub as my SSO provider. And so I'm logged in as Ben Arent, which is my GitHub username. I have logins for access such as — let me do it this other way — Ubuntu, Easy2use, and Debian. I also have access to Kubernetes so I can do things like list all my servers and hosts. This host here is my Ansible control node. And I should make this a bit bigger for you too. So in this node, I have Ansible configured, and I have a simple playbook which would just get the hostname across all services, but we're going to add the configuration for Ansible. And so the old way, you got a host, which you'd add the hostname, the port. It would often be port 22. And then you'd have your identity file. Some people might bake this into your AMIs.
Ben: 00:15:43.044 The new way for doing this — it's the same. It's using SSH certificates under the hood. But you can see we have a host file and we have our SSH config from home, Ubuntu, into Machine ID. But before we configure Machine ID on this host, let's log in, and I need to first create the bot token. I need to find my webinar project. Okay, here we are. 9. And in my webinar project, the first thing I need to do is create a new IAM join token. And IAM join tokens are a new addition to Teleport. This lets you, instead of dealing with static tokens — I'm just telling Teleport to let any host with the IAM identity credentials to join. Let me just check something in this config. Yeah, so that is right. And so let's start by — the first thing I need to do is create this credential in Teleport. Okay, let's get it into my hardware token. Okay, so now I'm logged in as admin, and so I can now create my token. And next thing I need to do is create a bot user. Actually, I'm going to send it from my Scratchpad.
Ben: 00:17:37.117 And so all of this information is available in our documentation. I have a slightly abridged version, if you come under Machine ID guides. I'm using the AWS string method, but let me just keep going and adding the bot. Okay, so then I use tctl bots add, and then this is the name of it, so I'm going to call it webinar robots using the token that we created, which was called IAM webinar token. And I'm giving it the role access. Oh. I need to make sure that the bot name matches my config here. Okay, so now I have my bot user here. And so let's go back to my host with my Ansible run on it. And actually, let me create a new window here. A new tab. So I'm going to just SSH and just so I can show you this running in debug mode. Okay, and what was the name of my token here? IAM webinar token. And actually, let me just check as I did.
Ben: 00:19:24.114 So we'd recommend using systemd to run tbots. Oh, yeah, it's not loaded, so that's okay. Okay, so now I'm going to — oh, what I've done is I start the tbots. I have a config file. I'm using my IAM webinar token, IAM method. And you can see I have debug pulled here. But you can see that it has successfully joined and obtained the certificates. So it's written SSH certs, the CA certs, the TLS certificates, and it's attempted to join. And if we actually come into my Teleport cluster itself, you can see all of this activity is recorded. That bot 9 webinar user to certificate has been issued, which kind of means we're probably in a good space to run our playbook now. So let me come to this host and run the playbook. Fingers crossed. Okay, so now you can see it is connecting to all of these hosts. This is the name of my Teleport cluster. Under the hood, it says using my SSH config to connect to make this work. And actually, if you come into active sessions, you can see all of these host spots. This is Ansible running. And if I come into my audit log here, you can see that all these sessions for this bot has been recorded. And there's other interesting stuff, so you can see there's an SCP upload from this Ansible bot, which is one of the ways in which Ansible works.
Ben: 00:21:07.973 And so you get all this other information around what your robot users are doing and how many times they're accessing the system. And if I come back to the one that is running, you can see it has new credentials on disk. Next renewal happening in exactly 20 minutes. So this greatly reduces any possible attacks on the SSH config. So if someone was to get access to this host, there'd only be a very short window in which they could get access. There's other security methods that you can use so you can lock bots, and so it means they can't be used again. So it definitely makes remediation of any possible tokens being lost much greater. Okay, so I think that actually brings me to the end. We have fun instructions here around all of the certificates and information for Ansible. And we also have a guide for Jenkins to sort of get you started. In this current version of Machine ID, it's mainly for obtaining short-lived certificates for SSH, but in Teleport 9, we'll add support for both databases and applications. And so you can see you can use Teleport for adding your microservices, and just greatly reducing the places in which you have long-lived tokens within your infrastructure.
Ben: 00:22:24.235 Okay, let's move on to the — I think I need to open my slides again. Hold on. Make my slides again. Thanks, everyone, for hanging in there. If you have any questions, feel free to answer them. Only lost a couple of people during that demo, which is always a good sign. Okay, so as you can see, just a quick summary. So what we did there is we added a new bot using tctl with the IAM join token, so my tokens were shared, which is the new method for IAM joining. We had tbot which will obtain the credentials, and the Ansible control node was easily changed to use Teleport's Machine ID configuration as opposed to short-lived credentials. So we greatly reduced the time and ease of rotating certificates and credentials for the Ansible node.
Teleport Desktop Access
Ben: 00:23:25.325 So let's go on to Desktop Access. No, let's get back. Okay, so Desktop Access is a new addition in Teleport 8. We added it. We made it GA. Here we have these five desktop hosts that have been added to my list. Unfortunately, just before this demo, I noticed that my main admin password had expired. You may run into this. I need to actually come in through a third party to update it. But you can see I have access to this host. It has been recorded. But unfortunately, for this demo, I won't be able to show you much more. But I can show you the new addition, which is our session recording. So if I come in here — oh, no, this isn't my session recording. You can see we now have the full playback capabilities for Windows desktops. Even in this case which I was trying to reset my password, you can see this is all being recorded in Teleport. We also have support for clipboard. We're not a keylogger. We just send sort of clipboard events. So it's useful for getting debug logs of a server and also useful to know like were people copying and pasting different secrets from different Windows hosts? And it's also configurable using our RBAC.
Ben: 00:25:00.219 Another addition is — we added the support for required MFA for Windows hosts. So along with single identity provider, you can enforce people to use sort of a second-factor hardware token. I'm using YubiKeys in my case. And as you can see here, these are the session recordings from the webinar bot that performed all of the actions to show that everything else is sort of captured.
Demo: Accessing Redis using Teleport Database Access
Ben: 00:25:29.536 Okay, next up, let's go to Database Access. Databases, we keep adding a suite. We're going to focus on Redis, which is a new addition in Teleport 9. Everything that we do here has to be done on the command line, so I'm going to walk you through this now. And close this host. Okay, so to start off with, let me just check out my status. Okay, so I'm going to just log out of admin. And you use the log admin role to perform such things as sort of creating the new credentials. And so I prefer to use my local user. It's going to auth me again. Okay, so now if I do tsh db ls, you can see these are the range databases. One thing that's sort of unique with databases, you also need to log into them, and it's also important to log in as the user. So I do tsh db login --db-user=sre-team redis. I have an SRE team, and then I'm picking Redis. So now if I see db ls, you can see that I've been logged in as user SRE team. And this is important because the SRE team is sort of baked into my credentials and my certificates for it to work. So now I do tsh db connect redis.
Ben: 00:27:05.754 And now you see, this is probably familiar for people who are used to Redis. If I do PING, you notice I'm connected, but there's no authentication. This is an extra step specific to Redis that we recommend turning off the default user and add an extra [inaudible] AUTH. So this is my password for the SRE team. So now if I do PONG, if I do INFO, I am now connected. And you can see all this information about my host. And so this makes it very easy for you to share one consolidated login for all of your team but also have it behind the bastion and have a full audit log of what happened. So if I come back into our audit log here, you can see that I AUTHed and then I did PING and I did INFO. On the database undefined, that's because the zero database indexing, it's a little weird with Redis support. But the most powerful thing for this is that myself as Ben Arent logged in as the sre-team. Server ‘localhost’ because it's a bad idea to put Redis onto the internet. And so that's sort of the end of our Redis demo. We have instructions all in our documentation, and there's a guide for each protocol. We also support Redis Cluster and self-hosted Redis. We do plan to add support for cloud provider Redis. If there's a particular one that you are interested in, let us know and we'll be happy to investigate it.
Ben: 00:28:52.343 I think one of the last things about Redis, I also want to share this, it's sort of my role, to people who are new. RBAC is a very important sort of core component of Teleport, and you can see it needs to be baked in. I have support for both Redis and I have access to the Redis user, which is the SRE team as well. Okay, next up, we have Moderated Sessions. Moderated Sessions — it's a bit complicated to demo. But if you're interested, I have a blog post which goes over our creation of Moderated Sessions and a video. It is The Four Eyes principle. And if you come down here, there's a great video on Moderated Sessions in action. I can also add this to a link at the bottom. But this feature lets you — you can write a specific requirement for both Kubernetes and SSH sessions that you need people from two roles, so an example, an auditor and SecOps to join the session for the individual to start the session.
Ben: 00:30:01.798 And it's particularly unique. I don't think there's anything else like this on the market for Kubernetes execs. And so if you're interested, I definitely recommend exploring this. This is an enterprise-only feature and our teams will be more than willing to sort of give you a demo for it. Okay, let me go next. All right, so before the next steps, let me just do a quick poll. My end of Machine ID demo, I'm going to run this now just to get some feedback from you. After doing the demo, does this sort of interest you? Do you have a use case? I'll give some time for people to fill us in. Okay, seems like Ansible is winning out as far as the tool to use it for Mongo CI-CD. I'll just give a couple more minutes. All right. Thanks, everybody. I like that someone said, "I'm not really sure what Machine ID is." So hopefully, we'll work on some more messaging to improve Machine ID in the future webinars.
Ben: 00:31:08.800 Okay, all right. Next on what to do next. So if you're new, hopefully, you have enough interest in Teleport and we sort of explained it. If you're really new to Teleport and you want a demo, I highly recommend reaching out to our sales team. They can give you a high-level introduction, and it's definitely a very technical deep dive into Machine ID. If you want to just try it yourself, Community Edition, you can just go to Teleport and get started. You can also just check us out on GitHub. We're an open-source, open-core company. And then next up, we're going to open up for Q&A. So any questions at all — I'm happy to answer them.
Xin: 00:31:47.389 So in terms — we didn't cover Moderated Sessions a lot today. So I think one of the things that we can do is provide a more detailed description of what Moderated Sessions does and the use cases that it provides and why it's enterprise-specific. So I can start, and Ben, if you want to add, please go ahead. So one of the — so what Moderated Sessions is, is essentially, we created this feature to differentiate between different roles in a session. So for example, you can have sort of an approver role, and then you can have a user role, where if a user joins a session, the session does not begin until the admin or the approver joins and initiates the session. This is done in such a way for systems that you really want to have tight controls over for a very sensitive infrastructure. Essentially, if you have different folks working on it, and you might want to have an arbiter there being able to moderate the session and to initiate the session and to terminate the session. So you can essentially have someone log in, be in a waiting room until the moderator joins. Moderator initiates the session, and moderator at any point can terminate the session if they want to. This is an enterprise kind of [inaudible] use case where you have a bigger organization with much more control over very sensitive infrastructure. So that's a little bit more details on what Moderated Session is.
Ben: 00:33:32.962 Yeah, I think that's great. Also, I think, to follow on, it's sort of an addition to our access requests. Access requests let people request a role for a period of time, and this is sort of the next step. Not only do you request access to a role, but you also have to have someone on it to make sure that something's happening. All right. Dean said, "Do you have any videograms of how Teleport works?" Yes. If you come to our — I think, actually, we have a "how it works" page.
Xin: 00:34:02.402 Yeah. So you go to goteleport.com, the main landing page, I believe, and then you hover over documentation. And then the —
Ben: 00:34:11.708 Oh, yeah, how it works.
Xin: 00:34:12.085 — second one down is how it works. Yeah. Yeah, we have an architecture diagram as well.
Ben: 00:34:18.321 Yeah, this explains some of the fundamental sort of components between the auth and the proxy. So hopefully, this should answer your question. All right, any other questions from the audience?
Xin: 00:34:36.803 I think there's a question in the poll with asking for some clarity around what Machine ID is, right, Ben?
Ben: 00:34:44.038 Yes.
Xin: 00:34:45.524 So we can give a little bit more description here. And then we do have docs, so please check those out as well. So Machine ID, we've shown you a few demos today when I went through the Machine ID demo. So Machine ID, what it does is essentially, historically, I've shown you that timeline with different protocols that we've come out for support with. So traditionally, the definition of a user in Teleport is essentially a human user. And we will provide an identity to a human based on, a lot of the times, your identity provider. So we will link your Okta identity to a certificate that we issue to a user and associate that with the end control access based on that identity. With Machine ID, we essentially provided a way to provide certificates and identities to machines and control the access that that machine has inside of your structure.
Xin: 00:35:47.854 So for example, instead of limiting or instead of authorizing access for a user to access a specific Linux server, now we can do the same thing for a machine. It would provide a certificate that's associated with a specific machine. We rotate that certificate automatically, and we associate that certificate in our backend with specific roles and a specific ability to access certain resources and restrict its access to other resources. If you spin that resource down, for example, we can automatically revoke the access. So essentially, we've extended our control and capabilities from authorization to audit, to machine users. And we go beyond the traditional idea of what a human user entails.
Ben: 00:36:53.312 And Xin, this is a newbie question, but does Machine ID require Teleport?
Xin: 00:37:02.817 Yes, I think a lot of the — simply because Machine ID is essentially extending a lot of the Teleport capabilities that we offer to machines, so things like audit, it's just an extension of the Teleport access plan. So yes, it would require Teleport. And I think I'll relay the question as, is it available in the Community Edition? Because I think that was something that was asked about for Moderated Sessions. And the answer there is that yes, Machine ID is fully available in the Community Edition, so you're welcome to go, play around with that product, play around with the open source versions of that product.
Ben: 00:37:46.193 Yeah, and I mean, something we'll probably do in the future with one of the devs of Machine ID is the team has thought a lot about sort of like ACLs, certificates, and security, which we haven't necessarily dived in on this webinar. But especially if you're on a particularly security-conscious or a compliance organization, there's lots of extra features which you can tweak in Machine ID that will make your infrastructure much more secure. All right. Right now, we are quarter to on the hour. I guess we'll give it a couple more minutes for any other questions or comments. If anyone has any questions or comments, we have our GitHub discussions, but we also have our community Slack room. Feel free to join us here and sort of ask any questions.
Ben: 00:38:47.123 Okay, it seems like that's probably it for today. Thanks, William. All right, thanks, everyone. Thanks for joining today. And feel free to reach out to me or Xin if you have any other questions. Thanks for joining.
Xin: 00:39:04.567 Thanks for joining.