SOC 2 Compliance with Teleport

No static credentials. No manual evidence collection.
Prove activity across infrastructure, enforce least privileged access, and give auditors complete audit trails for every human, machine, and AI agent.

Teleport Features for SOC 2 Controls

Logical & Physical Access (CC6)

| Control Name | ID | Teleport Capability |
|---|---|---|
| Restricts Logical Access | CC6.1 | Teleport Enterprise supports robust role-based access control (RBAC) to: control which SSH nodes a user can or cannot access; control cluster-level configuration (session recording, configuration, etc.); and control which UNIX logins a user may use when logging into a server. |
| Identifies and Authenticates Users | CC6.1 | Teleport provides role-based access control (RBAC) using short-lived certificates, integrated with your existing identity management service. Connecting locally or remotely is just as easy. |
| Considers Network Segmentation | CC6.1 | |
| Manages Points of Access | CC6.1 | Label nodes to inventory them and create rules; create labels from AWS tags. Teleport maintains a live list of all nodes within a cluster, which users (who see the subset they have access to) and administrators can query at any time. |
| Restricts Access to Information Assets | CC6.1 | |
| Manages Identification and Authentication | CC6.1 | Teleport makes setting policies for SSH and other protocols easy, since it applies the same authentication security standards in the cloud and on premises. |
| Manages Credentials for Infrastructure and Software | CC6.1 | |
| Uses Encryption to Protect Data | CC6.1 | Teleport audit logs can use DynamoDB encryption at rest. |
| Protects Encryption Keys | CC6.1 | Teleport acts as a certificate authority that issues SSH and X.509 user certificates signed by the CA and, by default, short-lived. |
| Controls Access Credentials to Protected Assets | CC6.2 | |
| Removes Access to Protected Assets When Appropriate | CC6.2 | |
| Reviews Appropriateness of Access Credentials | CC6.2 | Teleport maintains a live list of all nodes within a cluster, which users (who see the subset they have access to) and administrators can query at any time. |
| Creates or Modifies Access to Protected Information Assets | CC6.3 | Build approval workflows to obtain authorization from asset owners. |
| Removes Access to Protected Information Assets | CC6.3 | Teleport uses temporary credentials and can be integrated with your version control system or even your HR system to revoke access through the Workflow API. |
| Uses Role-Based Access Controls | CC6.3 | |
| Reviews Access Roles and Rules | CC6.3 | Teleport maintains a live list of all nodes within a cluster, which users (who see the subset they have access to) and administrators can query at any time. |
| Restricts Access | CC6.6 | Teleport makes it easy to restrict access to common ports such as 21 and 22 and instead have users tunnel to the server through Teleport. Teleport uses the following default ports. |
| Protects Identification and Authentication Credentials | CC6.6 | |
| Requires Additional Authentication or Credentials | CC6.6 | |
| Implements Boundary Protection Systems | CC6.6 | Teleport's trusted clusters manage trust across arbitrary infrastructure boundaries. |
| Uses Encryption Technologies or Secure Communication Channels to Protect Data | CC6.7 | Teleport has strong encryption, including a FIPS mode for FedRAMP compliance. |
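The CC6.1 and CC6.3 rows above describe the two decisions a label-based role model makes for every connection: which nodes a user may reach, and which UNIX logins they may use once there. The following is an added example, not Teleport's code, that models those decisions in a few dozen lines so you can see how allow and deny sections combine across several roles. It assumes the semantics stated in its docstring (a selector matches when every key it names is present on the node with a permitted value, `*` matches any value, an empty selector matches nothing, and deny wins over allow across all of a user's roles); the roles and node inventory are constructed for the example.

```python
"""Label-based RBAC evaluation, modelled on the role semantics this page
describes (which nodes a user may reach and which UNIX logins they may use).

Added example, not Teleport's code. Assumptions made here: a role has an
``allow`` and a ``deny`` section; a label selector matches a node when every
key in the selector is present on the node with a matching value, where "*"
matches any value and a list matches any listed value; an empty selector
matches nothing; deny rules take precedence over allow rules across all of
the user's roles.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    node_labels: dict = field(default_factory=dict)  # key -> value, list of values, or "*"
    logins: set = field(default_factory=set)


@dataclass
class Role:
    name: str
    allow: Rule = field(default_factory=Rule)
    deny: Rule = field(default_factory=Rule)


def selector_matches(selector: dict, node_labels: dict) -> bool:
    """True when every key in ``selector`` is present on the node with a permitted value."""
    if not selector:
        return False  # an empty selector matches no node
    for key, want in selector.items():
        have = node_labels.get(key)
        if have is None:
            return False
        if want == "*":
            continue
        if isinstance(want, (list, tuple, set)):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def allowed_logins(roles: list, node_labels: dict) -> set:
    """UNIX logins the combined roles permit on a node; deny wins over allow."""
    allowed, denied = set(), set()
    for role in roles:
        if selector_matches(role.deny.node_labels, node_labels):
            return set()  # a deny selector that matches the node blocks it entirely
        denied |= role.deny.logins  # denied logins apply on every node
        if selector_matches(role.allow.node_labels, node_labels):
            allowed |= role.allow.logins
    return allowed - denied


def visible_nodes(roles: list, inventory: dict) -> list:
    """Subset of the cluster's node inventory this user can reach, sorted by name."""
    return sorted(name for name, labels in inventory.items()
                  if allowed_logins(roles, labels))


# Constructed sample roles and node inventory (not from any real cluster).
DEV = Role("dev",
           allow=Rule({"env": "staging"}, {"ubuntu"}),
           deny=Rule(logins={"root"}))
ONCALL = Role("oncall",
              allow=Rule({"env": ["staging", "prod"]}, {"ubuntu", "root"}))
NO_BASTION = Role("no-bastion",
                  deny=Rule({"tier": "bastion"}))

INVENTORY = {
    "web-staging-1": {"env": "staging", "tier": "web"},
    "db-prod-1": {"env": "prod", "tier": "db"},
    "jump-prod-1": {"env": "prod", "tier": "bastion"},
    "build-1": {"team": "ci"},  # no env label: none of the roles above select it
}

if __name__ == "__main__":
    for name, labels in INVENTORY.items():
        print(name, allowed_logins([DEV, ONCALL], labels))
    print(visible_nodes([ONCALL, NO_BASTION], INVENTORY))
```

Two points the sample makes visible: a deny on `root` in one role removes that login even where another role grants it, and a role whose deny selector matches a node hides the node from the user's inventory view entirely, which is the behaviour the "live list of nodes" rows rely on when they say users see only the subset they can access.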

System Operations (CC7)

| Control Name | ID | Teleport Capability |
|---|---|---|
| Implements Detection Policies, Procedures, and Tools | CC7.2 | |
| Designs Detection Measures | CC7.2 | |
| Communicates and Reviews Detected Security Events | CC7.3 | |
| Develops and Implements Procedures to Analyze Security Incidents | CC7.3 | |
| Contains Security Incidents | CC7.4 | |
| Ends Threats Posed by Security Incidents | CC7.4 | |
| Obtains Understanding of Nature of Incident and Determines Containment Strategy | CC7.4 | |
| Evaluates the Effectiveness of Incident Response | CC7.4 | |
| Periodically Evaluates Incidents | CC7.4 | |
| Determines Root Cause of the Event | CC7.5 | |
| Improves Response and Recovery Procedures | CC7.5 | |

Frequently Asked Questions

Is Teleport SOC 2 Type II certified, and how can I get the report?

Yes. Teleport Cloud is SOC 2 Type II certified by an independent AICPA-accredited auditor, with annual renewal audits covering the Security, Availability, and Confidentiality Trust Services Criteria. The current SOC 2 report, along with ISO 27001 and other compliance artifacts, is available through the Teleport Trust Center at trust.goteleport.com, where prospects and customers can request documents under NDA. Teleport also publishes external penetration test summaries to simplify vendor security reviews.

Which SOC 2 Trust Services Criteria does Teleport help satisfy?

Teleport directly supports the Common Criteria controls that make up the bulk of a SOC 2 audit, with deepest coverage in CC6 (Logical and Physical Access) and CC7 (System Operations). Specific capabilities map to CC6.1 (restricting logical access and managing credentials), CC6.2 (access reviews and timely revocation), CC6.3 (role-based access and appropriateness of permissions), CC6.6 (boundary protection and MFA), CC7.2 and CC7.3 (detection and monitoring), and CC7.4 (incident containment). When paired with Access Request approval workflows, Teleport also contributes evidence for CC8.1 change management.

How does Teleport eliminate static credentials to meet SOC 2 CC6.1?

Teleport replaces static credentials like SSH keys, database passwords, Kubernetes kubeconfigs, and cloud API tokens with short-lived X.509 and SSH certificates signed by its built-in Certificate Authority. Every human user, machine, workload, and AI agent authenticates through cryptographic identity tied to the organization's identity provider (Okta, Entra ID, Google Workspace, etc.), with no shared secrets to rotate or inventory. Certificate TTLs are configurable and typically measured in hours, which satisfies CC6.1 requirements for restricting logical access, managing credentials for infrastructure, and identifying and authenticating users.

How do I pull access review evidence from Teleport for SOC 2 CC6.2 audits?

Teleport generates access review evidence automatically through its immutable audit log and exposes it via the Web UI, the tctl CLI, and the Teleport API. Auditors typically need a list of users, their assigned roles, active sessions, access request history with approver identity, and revocation timestamps, all of which can be exported as structured JSON or CSV. Because every permission grant, change, and revocation is recorded as a discrete audit event, organizations can produce a timestamped chain of evidence for CC6.2 without manual screenshotting or spreadsheet tracking.

How does Teleport prove timely de-provisioning when employees or contractors leave?

Teleport proves timely de-provisioning through two mechanisms: short-lived certificates that expire automatically (typically within hours) and Session & Identity Locking that terminates all active sessions instantly. When a user is deactivated in the upstream identity provider, Teleport immediately stops issuing new certificates, and admins can apply a lock to kill any in-flight sessions in seconds. The audit log records the exact revocation timestamp and the identity of the admin who applied the lock, giving auditors direct evidence for SOC 2 CC6.2 and CC6.3 de-provisioning controls.
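The two answers above describe the evidence chain an auditor asks for under CC6.2: approved grants with the approver's identity, the sessions that followed, and the revocation (lock) timestamp with the admin who applied it. Below is an added example, not Teleport's code, that builds that chain from a JSON-lines audit export and adds the check a reviewer actually wants to run on de-provisioning evidence: that no session for the locked user starts after the lock time. The event records are constructed and use an assumed, simplified schema (`event`, `time`, `user`, plus `request_id`/`roles`/`state`/`reviewer` on reviews and `target_user`/`reason` on locks); map the field names to whatever your export actually carries.

```python
"""Turn exported audit events into access-review and de-provisioning evidence.

Added example, not Teleport's code. The event records below are constructed
and use an assumed, simplified schema: each line is a JSON object with
``event`` (type), ``time`` (RFC 3339 UTC), ``user`` (the acting identity) and,
for request reviews and locks, ``request_id``/``roles``/``state``/``reviewer``
or ``target_user``/``reason``. Adapt the field names to the export you have.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: one approved request, three sessions, a lock by
# an admin, then one session that starts after the lock (the finding).
SAMPLE_EVENTS = """\
{"event": "access_request.create", "time": "2024-03-04T09:00:00Z", "user": "alice", "request_id": "req-1", "roles": ["dba"]}
{"event": "access_request.review", "time": "2024-03-04T09:05:00Z", "user": "alice", "request_id": "req-1", "roles": ["dba"], "state": "APPROVED", "reviewer": "carol"}
{"event": "session.start", "time": "2024-03-04T09:10:00Z", "user": "alice", "server": "db-prod-1"}
{"event": "session.start", "time": "2024-03-04T11:00:00Z", "user": "alice", "server": "db-prod-1"}
{"event": "lock.created", "time": "2024-03-05T17:30:00Z", "user": "bob", "target_user": "alice", "reason": "offboarding"}
{"event": "session.start", "time": "2024-03-05T17:31:00Z", "user": "alice", "server": "db-prod-1"}
{"event": "session.start", "time": "2024-03-05T18:00:00Z", "user": "dave", "server": "web-1"}
"""


def parse_time(value: str) -> datetime:
    """Parse the RFC 3339 UTC timestamps used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text: str) -> list:
    """Parse a JSON-lines export into dicts sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = parse_time(e["time"])
    return sorted(events, key=lambda e: e["ts"])


def access_review_evidence(events: list, subject: str) -> dict:
    """Evidence an auditor asks for: grants with approver, sessions, and revocation."""
    grants = [{"time": e["time"], "request": e["request_id"], "roles": e["roles"],
               "approver": e["reviewer"]}
              for e in events
              if e["event"] == "access_request.review" and e["user"] == subject
              and e["state"] == "APPROVED"]
    sessions = [{"time": e["time"], "server": e["server"]}
                for e in events
                if e["event"] == "session.start" and e["user"] == subject]
    locks = [{"time": e["time"], "locked_by": e["user"], "reason": e.get("reason", "")}
             for e in events
             if e["event"] == "lock.created" and e["target_user"] == subject]
    return {"subject": subject, "grants": grants, "sessions": sessions, "locks": locks}


def sessions_after_lock(events: list, subject: str) -> list:
    """Start times of sessions the subject opened after the first lock on them.
    A non-empty result means the lock did not take effect or the export is
    incomplete; either way it is a question for the reviewer, not a pass."""
    lock_times = [e["ts"] for e in events
                  if e["event"] == "lock.created" and e["target_user"] == subject]
    if not lock_times:
        return []
    first_lock = min(lock_times)
    return [e["time"] for e in events
            if e["event"] == "session.start" and e["user"] == subject
            and e["ts"] > first_lock]


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print(json.dumps(access_review_evidence(evs, "alice"), indent=2))
    print("sessions after lock:", sessions_after_lock(evs, "alice"))
```

Running it on the sample prints alice's grant (approved by carol), her three sessions, the lock applied by bob with its reason, and flags the 17:31 session as starting after the 17:30 lock. The same filtering pattern works on a live export because the evidence is a projection over discrete events rather than a snapshot, which is the property the answers above rely on.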

How does Teleport enforce separation of duties and least privilege for production infrastructure?

Teleport enforces least privilege through Role-Based Access Control (RBAC) that grants each identity only the permissions required for its function, and enforces separation of duties through Just-in-Time Access Requests that require peer or manager approval before privileges are elevated. Moderated Sessions add a second layer by requiring a designated approver to join before sensitive commands execute. Access request decisions route through Slack, Microsoft Teams, PagerDuty, or Jira, and every role assignment, request, and approval is captured in the audit log for SOC 2 CC6.3 evidence.

Does Teleport help with SOC 2 compliance for AI agents and non-human identities?

Yes. Teleport extends the same identity, access, and audit controls to AI agents, CI/CD pipelines, and workloads that it applies to human users, which directly addresses the accountability gap auditors increasingly flag for agentic systems. Through Teleport Machine & Workload Identity, every AI agent receives a cryptographic identity, operates under scoped RBAC, and produces a complete audit trail of inputs, outputs, and triggered actions, so privileged actions are always attributable to an accountable identity rather than a shared service account. This satisfies SOC 2 CC6 least-privilege expectations and CC7 monitoring requirements for autonomous systems.

How does Teleport handle SOC 2 CC8.1 change management for AI-driven or automated actions?

Teleport logs every infrastructure change with the originating identity, timestamp, and command-level detail, regardless of whether the change was initiated by a human, a CI/CD pipeline, or an AI agent. Access Requests route automated and elevated changes through approval workflows in Slack, Jira, or PagerDuty before execution, satisfying CC8.1's requirement for authorized changes with documented request and approval trails. Because the audit log is tamper-evident and immutable, auditors get the full chain of request, approver identity, execution, and outcome: the same evidence pattern expected for traditional change tickets, applied consistently to autonomous workflows.

Can Teleport meet SOC 2 audit log retention requirements, and for how long are logs retained?

Yes. Teleport writes tamper-evident audit logs to customer-controlled backends including Amazon DynamoDB, Amazon S3, Google Cloud Storage, and Azure Blob Storage, with retention policies set by the customer to match SOC 2 guidance (commonly 1 year minimum, often 7 years for regulated industries). Teleport Cloud retains audit events according to the plan's documented retention window, and self-hosted deployments retain logs indefinitely based on backend storage configuration. Log entries are immutable once written, which preserves integrity for SOC 2 CC7.2 and CC7.3 monitoring and investigation controls.

Can I stream Teleport audit events to Splunk, Datadog, Panther, or another SIEM for continuous monitoring?

Yes. Teleport exports structured JSON audit events to any SIEM via Fluentd, syslog, webhooks, or direct cloud log forwarding, with documented integrations for Splunk, Datadog, Panther, Elastic, Sumo Logic, and AWS Security Hub. Exported events include session metadata, command-level detail, access request decisions, file access (via Enhanced Session Recording), and the identity context for every human, machine, and AI action. Streaming events to a central SIEM supports SOC 2 CC7.2 continuous monitoring, automated anomaly detection, and correlation with other security telemetry.