Transforming Privileged Access: A Dialogue on Secretless, Zero Trust Architecture
Mar 28
Virtual
Register Today
Teleport logoTry For Free

FedRAMP compliance for cloud infrastructure access

Easily implement access controls and enforce security policies required to ace your FedRAMP audit.

Get Started
Hero section illustration
Background image
Logo for GoogleLogo for NASDAQLogo for Moody'sLogo for HPLogo for IBM

What is FedRAMP compliance?

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. Achieving FedRAMP compliance for cloud infrastructure requires a systematic approach and adherence to specific and prescribed guidelines. The following outlines key steps and considerations:

  1. Define the System Boundary: Identify the scope of the system that needs to be FedRAMP compliant, including all components and dependencies.
  2. Develop Security Documentation: Create and maintain security documentation, including system security plan (SSP), security assessment plan (SAP), and security assessment report (SAR), which outline the security controls and their implementation.
  3. Implement Security Controls: Implement the necessary security controls defined by the FedRAMP Moderate or High baselines, such as encryption, access controls, auditing, and incident response.
  4. Conduct Security Assessments: Perform regular security assessments, including vulnerability scanning, penetration testing, and configuration reviews, to identify and address any security vulnerabilities or weaknesses.
  5. Document Continuous Monitoring Procedures: Establish processes for ongoing monitoring of the system's security posture, including log analysis, security incident handling, and reporting.
  6. Prepare for Independent Assessment: Engage a FedRAMP-accredited third-party assessment organization (3PAO) to conduct an independent assessment of the system's compliance with FedRAMP requirements.

Achieve FedRAMP Compliance

With Teleport's Open Infrastructure Access Platform

Automated Provisioning

Reduce overhead with Teleport's infrastructure auto-discovery and SSO integration for automated onboarding and offboarding of employees.

Robust Security Controls

Go beyond the minimum requirements with Teleport's built-in security controls, including multi-factor authentication, role-based access controls, and session recording.

Audit & Accountability

Continuously monitor with Teleport's audit log and session recording capabilities, providing a complete record of all user activity.

Try Teleport today

In the cloud, self-hosted, or open source.
View developer docs

Get Started
pam

Teleport Features for FedRAMP Controls

FedRAMP Controls NIST 800-53How Teleport Helps Compliance

AC-02 Account Management

  • The organization employs automated mechanisms to support the management of information system accounts.
  • The information system automatically removes or temporary and emergency accounts.
  • The information system automatically disables inactive accounts.
  • The information system automatically audits account creation and modification.
  • The organization requires that users log out after a defined time-period.
  • The organization establishes, administers, and audits privileged user accounts in accordance with a role-based access scheme.
  • The information system enforces organization-defined usage conditions for organization-defined system accounts.
  • The organization monitors information system accounts and reports atypical usage.

To comply, Teleport must be integrated with an SSO provider such as GitHub, Okta, Google, etc.

Role-based access control (RBAC) for SSH and Kubernetes must be enabled*.

Teleport certificate-based SSH and Kubernetes authentication and audit logging comply with these requirements without additional configuration.

AC-03 Access Enforcement

  • The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
  • Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems

Teleport supports robust Role-based Access Controls* (RBAC).

RBAC can be used to:

  • Control which SSH nodes a user can or cannot access.
  • Control cluster-level configuration (session recording, configuration, etc.).
  • Control which UNIX logins a user is allowed to use when logging into a server.
  • Control which user groups have access to Kubernetes resources.

AC-07 Unsuccessful Logon Attempts

The information system:

  1. Enforces a limit of organization-defined number consecutive invalid logon attempts by a user during an organization-defined time period; and
  2. Automatically locks the account/node until released by an administrator; delays next logon prompt according to organization-defined delay algorithm when the maximum number of unsuccessful attempts is exceeded.

Teleport supports two types of users: from a local database and SSO-based accounts (GitHub, Google Apps, Okta, etc).

For local accounts, by default Teleport locks accounts for 20 minutes after 5 failed login attempts.:

For SSO-based accounts, the number of invalid login attempts and lockout time period is controlled by the SSO provider.

AC-08 System Use Notification

The information system displays to users an organization-defined notification message before granting access to the system that provides privacy and security notices consistent with applicable federal laws, executive orders, and other directives.

Teleport integrates with Linux Pluggable Authentication Modules (PAM).

PAM modules can be used to display a custom message on login using a message of the day (MOTD) module within the Session management primitive.

AC-10 Concurrent Session Control

The information system limits the number of concurrent sessions for each organization-defined account and/or account type to a defined number.

Teleport supports both a maximum number of connections (`max_connections`) and the maximum number of simultaneously connected users (`max_users`) under the `connection_limits` configuration parameter.

AC-12 Session Termination

The information system automatically terminates a user session after organization-defined conditions are met and provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to information resources.

Teleport user sessions are automatically terminated when a certificate expires.

Users can exit a Teleport interactive session at any time by typing `exit` or sending an interrupt signal to the process for remote execution of a program.

Logout of all sessions (destroying credentials) indicates termination of all sessions and includes an explicit logout message.

AC-17 Remote Access

The organization: establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed. It authorizes remote access to the information system prior to allowing such connections.

  • The information system monitors and controls remote access methods.
  • The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
  • The information system routes all remote accesses through managed remote access control points.

Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources.

Teleport Proxy uses SSH or HTTP/TLS to authenticate and encrypt and transfer data between clients and servers.

Teleport encourages an architecture that requires all connections to go through the Teleport proxy.

AC-20 Use of External Information Systems

The organization establishes terms and conditions consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems. This allows authorized individuals to:

  1. Access the information system from external information systems; and
  2. Process, store, or transmit organization-controlled information using external information systems.

Teleport supports connecting multiple independent clusters using a feature called Trusted Clusters. After the establishment of a Trusted Cluster relationship between two clusters, one cluster “trusts” SSH and TLS certificates signed by the other and allows SSH connections from the other. When allowing access from one cluster to another, roles are mapped according to a pre-defined relationships to based on the scope of access.

AU-03 Audit and Accountability

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

AU-04 Audit Storage Capacity

The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements.

Teleport contains an Audit Log that records cluster-wide events such as:

  • Failed login attempts
  • The command that was executed (SSH “exec” commands)
  • Ports that were forwarded
  • File transfers that were initiated
  • Filesystem changes
  • Network activity that happened during an interactive user session
  • Recorded interactive user sessions
  • Events typically include information such as the type, time of occurrence, user or node on which they occurred, and a human-readable audit message.

    Teleport supports sending audit events to external managed services like DynamoDB where storage concerns are handled by the cloud provider.

IA-03 Device Identification and Authentication

The information system uniquely identifies and authenticates organization-defined specific types of devices before establishing a connection.

Teleport requires valid x509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components.

IA-04 Identifier Management

The organization manages information system identifiers by:

  • Receiving authorization from organization-defined personnel to assign an individual, group, role, or device identifier;
  • Selecting an identifier that identifies an individual, group, role, or device;
  • Assigning the identifier to the intended individual, group, role, or device;
  • Preventing reuse of identifiers for the organization-defined time period; and
  • Disabling the identifier after an organization-defined time period of inactivity.

Teleport maintains several unique identifiers:

  • The local users are required to be unique (unique username)
  • Teleport roles have unique names and tied to organization roles via SSO
  • Teleport identifiers for devices are unique randomly generated IDs (UUID)

SC-10 Network Disconnection

The information system terminates the network connection associated with a communications session at the end of the session or after the organization-defined time period of inactivity.

Teleport disconnects and releases all resources for non-active communications. In addition, session and idle timeouts and be specified to terminate and release resources for inactive connections.

SC-12 Cryptographic Key Establish and Management

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction.

The organization produces, controls, and distributes symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.

Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue x509 and SSH certificates. SSH and x509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).

Teleport Enterprise builds against a FIPS 140-2 compliant library (BoringCrypto). In addition, when Teleport Enterprise is in FedRAMP/FIPS 140-2 mode, Teleport will only start and use FIPS 140-2 compliant cryptography.

SC-17 Public Key Infrastructure Certificates

The organization issues public-key certificates under an organization-defined certificate policy or obtains public key certificates from an approved service provider.

Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue x509 and SSH certificates. SSH and x509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).

SC-23 Session Authenticity

The information system protects the authenticity of communications sessions.

The information system invalidates session identifiers upon user logout or other session termination.

Teleport SSH and TLS sessions are protected with SSH user and x509 client certificates. For access to the Web UI, Teleport uses bearer token auth stored in a browser token to authenticate a session. Upon user logout, SSH and TLS certificates are deleted from disk and cookies are removed from the browser.

Try Teleport today

In the cloud, self-hosted, or open source.
View developer docs

Get Started
pam