docs: update Policy and Graph Explorer verbiage in teleport-policy guide #50412
base: master
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,9 @@ | ||
--- | ||
title: See permission changes with Access Graph Crown Jewels | ||
description: Describes how to use Access Graph Crown Jewels to see permission changes in Teleport. | ||
title: See permission changes with Graph Explorer Crown Jewels | ||
description: Describes how to use Graph Explorer Crown Jewels to see permission changes in Teleport. | ||
--- | ||
|
||
Access Graph's Crown Jewel feature allows you to track changes to access for | ||
Graph Explorer's Crown Jewel feature allows you to track changes to access for | ||
your most sensitive users or resources. When you mark a resource as a Crown | ||
Jewel, Teleport emits audit events any time access to that resource changes. | ||
|
||
|
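Review bot: The rewritten title, description and opening sentence tie this guide to Graph Explorer ("Graph Explorer's Crown Jewel feature allows you to track changes"), but the maintainer comment at the bottom of this thread says Crown Jewels is being split out as its own feature, named Teleport Policy Crown Jewels. Word the front matter and the first sentence around the Crown Jewels feature itself (for example `title: See permission changes with Teleport Policy Crown Jewels` and "The Crown Jewels feature of Teleport Policy allows you to track changes to access for") so this page does not need a second rename when that split lands; also use the plural "Crown Jewels" consistently, as the rest of the page does.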
@@ -23,14 +23,13 @@ log in via Teleport Auth Connectors. | |
|
||
- A running Teleport Enterprise cluster v16.2.0 or later. | ||
- For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled. | ||
- For self-hosted clusters, a running Access Graph node v1.24.0 or later. | ||
Check [Access Graph page](teleport-policy.mdx) for details on | ||
how to set up Access Graph. | ||
- For self-hosted clusters, a running Graph Explorer node v1.24.0 or later. | ||
Technically we run the access graph service for Teleport Policy https://gallery.ecr.aws/gravitational/access-graph
||
Check [Graph Explorer page](teleport-policy.mdx) for details on how to set it up. | ||
|
||
Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product | ||
Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product | ||
available to Teleport Enterprise edition customers. | ||
|
||
After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found | ||
After logging in to the Teleport UI, navigate to the Management tab. If enabled, Graph Explorer options can be found | ||
under the Permission Management section. | ||
|
||
## Required RBAC permissions | ||
|
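Review bot: "For self-hosted clusters, a running Graph Explorer node v1.24.0 or later" renames the backend the operator has to deploy, but the deployable is still the access graph service (the image at https://gallery.ecr.aws/gravitational/access-graph, as the inline comment points out), so a self-hosted admin looking for a "Graph Explorer" image, binary or config block will not find one. Keep "Access Graph service" for the self-hosted prerequisite and reserve "Graph Explorer" for the UI, for example `- For self-hosted clusters, a running Access Graph service v1.24.0 or later, which backs Graph Explorer.` The link target `teleport-policy.mdx` is unchanged, so only the link text needs to agree with whichever name is chosen.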
@@ -55,7 +54,7 @@ version: v7 | |
|
||
To create a Crown Jewel, you need to mark a resource or user as critical. Only changes to marked resources | ||
and users will be logged by Teleport Policy. | ||
To mark a resource or user as Crown Jewel, open the Access Graph and navigate to the "Crown Jewels" tab. | ||
To mark a resource or user as Crown Jewel, open the Graph Explorer and navigate to the "Crown Jewels" tab. | ||
|
||
![Create Page](../../../img/access-graph/crown-jewels/create-page.webp) | ||
|
||
|
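Review bot: Missing article in the rewritten line: "To mark a resource or user as Crown Jewel" should read "as a Crown Jewel". Since the line is being touched anyway, fix it here; the wording then also matches "mark a resource or user as critical" in the unchanged context above.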
@@ -67,13 +66,13 @@ Pick a name for the Crown Jewel and click "Create". | |
|
||
![Create Matcher Name](../../../img/access-graph/crown-jewels/create-matcher-name.webp) | ||
|
||
The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Access Graph will now create | ||
The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Graph Explorer will now create | ||
audit events in Teleport's audit log and new entries in the "Access Changes" tab in the "Crown Jewels" menu whenever | ||
access path to a resource or a user changes. | ||
|
||
## Viewing permission changes | ||
|
||
To view permission changes, open the Access Graph and navigate to the "Crown Jewels" tab. | ||
To view permission changes, open the Explorer and navigate to the "Crown Jewels" tab. | ||
Here you can see a list of all Crown Jewels and the changes that have been made to them. | ||
|
||
![Changes](../../../img/access-graph/crown-jewels/changes.webp) | ||
|
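Review bot: "open the Explorer and navigate to the "Crown Jewels" tab" drops "Graph" while every other replacement in this PR uses the full name; use "Graph Explorer" consistently, since "the Explorer" on its own could be read as a file explorer. In the same file the earlier unchanged context says "Teleport emits audit events any time access to that resource changes", whereas the changed line here says "Graph Explorer will now create audit events in Teleport's audit log"; the two sentences should name the same component, so "Teleport will now create audit events in its audit log ... whenever an access path to a resource or a user changes" keeps the page self-consistent (and adds the missing article before "access path").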
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,31 +1,30 @@ | ||
--- | ||
title: Discover AWS Access Patterns with Teleport Policy | ||
description: Describes how to import and visualize AWS accounts access patterns using Teleport Policy and Access Graph. | ||
description: Describes how to import and visualize AWS accounts access patterns using Teleport Policy and Graph Explorer. | ||
--- | ||
|
||
Teleport Policy streamlines and centralizes access management across your entire infrastructure. You can view access relationships in seconds, | ||
viewing unified, up-to-date relationships and policies between all users, groups, and computing resources. | ||
|
||
Teleport Policy with Access Graph offers insights into access patterns within your AWS account. By scanning IAM | ||
Teleport Policy with Graph Explorer offers insights into access patterns within your AWS account. By scanning IAM | ||
permissions, users, groups, resources, and identities, it provides a visual representation and aids in | ||
enhancing the permission model within your AWS environment. This functionality enables you to address queries such as: | ||
|
||
- What resources are accessible to AWS users and roles? | ||
- Which resources can be reached via identities associated with EC2 instances? | ||
- What AWS resources can Teleport users access when connecting to EC2 nodes? | ||
|
||
Utilizing the Access Graph to analyze IAM permissions within an AWS account necessitates the setup of the Access Graph (AG) | ||
Utilizing the Graph Explorer to analyze IAM permissions within an AWS account necessitates the setup of the Graph Explorer (AG) | ||
service, a Discovery Service, and integration with your AWS account. | ||
|
||
Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is | ||
Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is | ||
available to Teleport Enterprise customers. | ||
|
||
After logging in to the Teleport UI, go to the Management tab. If enabled, | ||
Access Graph options can be found under the Permission Management section. | ||
After logging in to the Teleport UI, go to the Management tab. If enabled, Explorer options can be found under the Permission Management section. | ||
|
||
## How it works | ||
|
||
Access Graph discovers AWS access patterns, synchronizes various AWS resources, | ||
Graph Explorer discovers AWS access patterns, synchronizes various AWS resources, | ||
including IAM Policies, Groups, Users, User Groups, EC2 instances, EKS clusters, and RDS databases. | ||
These resources are then visualized using the graph representation detailed in the | ||
[Teleport Policy usage page](../policy-how-to-use.mdx). | ||
|
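Review bot: "the setup of the Graph Explorer (AG) service" keeps the abbreviation "AG", which expanded "Access Graph" before the rename and now matches nothing; either drop "(AG)" or keep "Access Graph (AG) service", which is also what the self-hosted operator actually deploys. Further down, "Explorer options can be found under the Permission Management section" should say "Graph Explorer options" like the other two guides, and that line also merges two wrapped source lines into one long line, which is unrelated to the rename and widens the diff; keep the original wrapping.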
@@ -48,11 +47,11 @@ At intervals of 15 minutes, it retrieves the following resources from your AWS a | |
- S3 Buckets | ||
|
||
Once all the necessary resources are fetched, the Teleport Discovery Service pushes them to the | ||
Access Graph, ensuring that it remains updated with the latest information from your AWS environment. | ||
Graph Explorer, ensuring that it remains updated with the latest information from your AWS environment. | ||
|
||
### Importing resources | ||
|
||
Teleport Policy’s Access Graph feature delves into the IAM policies, identities, | ||
Teleport Policy’s Graph Explorer feature delves into the IAM policies, identities, | ||
and resources retrieved from your AWS account, crafting a | ||
graphical representation thereof. | ||
|
||
|
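Review bot: "the Teleport Discovery Service pushes them to the Graph Explorer" describes a data path from the Discovery Service to the backend, not to a UI; the receiving component is the Access Graph service, so this sentence should keep "Access Graph" and only the visualization (the "graph representation" referenced in the next paragraph) should be attributed to Graph Explorer. The same distinction applies to "Teleport Policy's Graph Explorer feature delves into the IAM policies": the analysis happens in the service, the result is shown in Graph Explorer.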
@@ -63,10 +62,10 @@ graphical representation thereof. | |
- Teleport Policy enabled for your account. | ||
- For self-hosted clusters: | ||
- Ensure that an up-to-date `license.pem` is used in the Auth Service configuration. | ||
- A running Access Graph node v1.17.0 or later. | ||
- A running Graph Explorer node v1.17.0 or later. | ||
Check the [Teleport Policy page](../teleport-policy.mdx) for details on | ||
how to set up Access Graph. | ||
- The node running the Access Graph service must be reachable from the Teleport Auth Service. | ||
how to set up Graph Explorer. | ||
- The node running the Graph Explorer service must be reachable from the Teleport Auth Service. | ||
|
||
## Step 1/2. Configure Discovery Service (Self-hosted only) | ||
|
||
|
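Review bot: "A running Graph Explorer node v1.17.0 or later" and "The node running the Graph Explorer service must be reachable from the Teleport Auth Service" again rename the process the Auth Service connects to; as in the Crown Jewels guide, the prerequisite should name the Access Graph service, because that is the process, version and network endpoint the operator has to deploy and expose. Suggest `- A running Access Graph service v1.17.0 or later (this backs the Graph Explorer UI).` and `- The node running the Access Graph service must be reachable from the Teleport Auth Service.`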
@@ -95,16 +94,16 @@ it's possible to reuse it as long as the following requirements are met: | |
|
||
- On step 2, you match the `discovery_group` with the existing Discovery Service's | ||
`discovery_group`. | ||
- Access Graph service is reachable from the machine where Discovery Service runs. | ||
- Graph Explorer service is reachable from the machine where Discovery Service runs. | ||
Most of this is good, but I would note again that we run the access graph service for this.
||
|
||
## Step 2/2. Set up Access Graph AWS Sync | ||
## Step 2/2. Set up Graph Explorer AWS Sync | ||
|
||
To initiate the setup wizard for configuring AWS Sync, access the Teleport UI, | ||
navigate to the Management tab, and choose the Access Graph option within the | ||
navigate to the Management tab, and choose the Graph Explorer option within the | ||
Permission Management section. | ||
|
||
If both Teleport and Access Graph support AWS sync, you'll notice a new button | ||
adjacent to the Access Graph navigation bar labeled `Analyze AWS IAM policies with Access Graph`. | ||
If both Teleport and Graph Explorer support AWS sync, you'll notice a new button | ||
adjacent to the Graph Explorer navigation bar labeled `Analyze AWS IAM policies with Graph Explorer`. | ||
|
||
You'll be prompted to create a new Teleport AWS integration if you haven't configured | ||
one already. Alternatively, you can opt for a previously established integration. | ||
|
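Review bot: The button label `Analyze AWS IAM policies with Graph Explorer` is a literal UI string; unless the web UI was changed in the same release, readers will look for a button that does not exist. Verify the rendered label in the Teleport UI before changing it in the docs, and leave it as `Analyze AWS IAM policies with Access Graph` if the UI still reads that way. "Graph Explorer service is reachable from the machine where Discovery Service runs" has the service-versus-UI issue the inline comment raises: the Discovery Service connects to the Access Graph service, so keep that name here.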
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
--- | ||
title: Analyze Entra ID policies with Teleport Policy | ||
description: Describes how to import and visualize Entra ID policies using Teleport Policy and Access Graph. | ||
description: Describes how to import and visualize Entra ID policies using Teleport Policy and Graph Explorer. | ||
--- | ||
|
||
The Microsoft Entra ID integration in Teleport Identity synchronizes your Entra ID directory into your Teleport cluster, | ||
|
@@ -27,7 +27,7 @@ At intervals of 5 minutes, it retrieves the following resources from your Entra | |
|
||
Entra ID users and groups are imported into Teleport as users and Access Lists respectively. | ||
Once all the necessary resources are fetched, Teleport pushes them to the | ||
Access Graph, ensuring that it remains updated with the latest information. | ||
Graph Explorer, ensuring that it remains updated with the latest information. | ||
These resources are then visualized using the graph representation detailed in the | ||
[Teleport Policy usage page](../policy-how-to-use.mdx). | ||
|
||
|
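Review bot: "Teleport pushes them to the Graph Explorer, ensuring that it remains updated" is the same data-path sentence as in the AWS guide: the resources are pushed to the Access Graph service, and the next sentence ("These resources are then visualized using the graph representation") is the part that belongs to Graph Explorer. Keep "Access Graph" in the push sentence and name Graph Explorer only where the visualization is described.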
@@ -37,16 +37,16 @@ These resources are then visualized using the graph representation detailed in t | |
- Teleport Identity and Teleport Policy enabled for your account. | ||
- For self-hosted clusters: | ||
- Ensure that an up-to-date `license.pem` is used in the Auth Service configuration. | ||
- A running Access Graph node v1.21.3 or later. | ||
- A running Graph Explorer node v1.21.3 or later. | ||
Check the [Teleport Policy page](../teleport-policy.mdx) for details on | ||
how to set up Access Graph. | ||
- The node running the Access Graph service must be reachable from the Teleport Auth Service. | ||
how to set up Graph Explorer. | ||
- The node running the Graph Explorer service must be reachable from the Teleport Auth Service. | ||
- Your user must have privileged administrator permissions in the Azure account | ||
- For OIDC setup, the Teleport cluster must be publicly accessible from the internet. | ||
- For air gapped clusters, `tctl` must be v16.4.7 or later. | ||
|
||
To verify that Access Graph is set up correctly for your cluster, sign in to the Teleport Web UI and navigate to the Management tab. | ||
If enabled, the Access Graph menu item will appear in the Permission Management section. | ||
To verify that Graph Explorer is set up correctly for your cluster, sign in to the Teleport Web UI and navigate to the Management tab. | ||
If enabled, the Graph Explorer menu item will appear in the Permission Management section. | ||
|
||
## Step 1/3. Choose a setup method | ||
|
||
|
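Review bot: "the Graph Explorer menu item will appear in the Permission Management section" is used as a verification step, so it must match the actual menu text in the Web UI; confirm the item has been renamed there, otherwise the check fails for the reader. The prerequisite lines "A running Graph Explorer node v1.21.3 or later" and "The node running the Graph Explorer service must be reachable from the Teleport Auth Service" should say Access Graph service, as in the other two guides, since that is the component being deployed and reached.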
@@ -232,7 +232,7 @@ For clusters running in multiplex mode, this address will be the same as your pr | |
If your Teleport license does not include [Teleport Policy](../teleport-policy.mdx), include the `--no-access-graph` flag. | ||
|
||
```code | ||
# Disable Access Graph integration if your license supports Teleport Policy with --no-access-graph flag. | ||
# Disable Graph Explorer integration if your license supports Teleport Policy with --no-access-graph flag. | ||
$ tctl plugins install entraid \ | ||
--default-owner=<Var name="Access List Owner"/> \ | ||
[email protected] \ | ||
|
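Review bot: The comment `# Disable Graph Explorer integration if your license supports Teleport Policy with --no-access-graph flag.` contradicts the sentence directly above the code block, which says to include `--no-access-graph` when the license does not include Teleport Policy. Since the line is being touched anyway, fix the logic as well as the name: `# Pass --no-access-graph if your license does not include Teleport Policy.` The flag itself keeps the old name, so the docs should state it literally rather than implying a "graph explorer" flag exists.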
@@ -518,7 +518,7 @@ Currently, when using manual mode, it is not possible to operate without the `-- | |
</Notice> | ||
|
||
```code | ||
# enable Access Graph integration if your license supports Teleport Policy. | ||
# enable Graph Explorer integration if your license supports Teleport Policy. | ||
$ tctl plugins install entraid \ | ||
--default-owner=<Var name="Access List Owner"/> \ | ||
[email protected] \ | ||
|
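Review bot: `# enable Graph Explorer integration if your license supports Teleport Policy.` sits in a block whose opposite case uses `--no-access-graph`, so say in the comment how the integration is enabled rather than only that it is: `# Enable Graph Explorer integration (do not pass --no-access-graph) if your license includes Teleport Policy.` The Notice above this hunk still refers to the flag by its CLI name, and the comment should too, so that a reader can map the prose to the flag.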
@@ -534,14 +534,13 @@ Follow the detailed instructions provided by the `tctl plugins install entraid` | |
</TabItem> | ||
</Tabs> | ||
|
||
## Step 3/3. Analyze Entra ID directory in Teleport Access Graph | ||
## Step 3/3. Analyze Entra ID directory in Graph Explorer | ||
|
||
Shortly after the integration onboarding is finished, | ||
your Entra ID directory will be imported into your Teleport cluster and Access Graph. | ||
your Entra ID directory will be imported into your Teleport cluster and Graph Explorer. | ||
|
||
You can find Entra ID users and groups in the Access Graph UI. If you have Entra ID SSO set up for your AWS accounts, | ||
and the AWS accounts have been connected to Teleport, | ||
Access Graph will also show access to AWS resources granted to Entra ID identities. | ||
You can find Entra ID users and groups in the Explorer UI. If you have Entra ID SSO set up for your AWS accounts, | ||
and the AWS accounts have been connected to Teleport, Graph Explorer will also show access to AWS resources granted to Entra ID identities. | ||
|
||
In the following example, Bob is assigned to group `AWS-Engineers` in Entra ID. | ||
This allows him to use SSO to assume the AWS IAM role `Engineers`, | ||
|
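Review bot: "You can find Entra ID users and groups in the Explorer UI" drops "Graph" (the same inconsistency as in the Crown Jewels guide), and the following line merges two wrapped source lines into one long line; keep "Graph Explorer UI" and the original wrapping so the diff stays limited to the rename. The heading "Analyze Entra ID directory in Graph Explorer" is fine, but "imported into your Teleport cluster and Graph Explorer" again describes an import into the Access Graph service; consider "imported into your Teleport cluster and the Access Graph service, and shown in Graph Explorer".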
I've been splitting this out into another feature, and calling it Teleport Policy Crown Jewels.

Thank you, @benarent! I'll update this and the other references when I get back from vacation, 12/30.