GitLab Teleport Access Policy
Purpose
To ensure an audited access to our terminal/CLI tools like Database Access and Rails Console, GitLab uses Teleport.
Scope
The Teleport Access policy applies to all systems within our production environment that require a terminal or CLI access.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| GitLab Team Members | Responsible for following the requirements in this policy |
| System Owners | Alignment to this policy |
| Code Owners | Responsible for approving changes and exceptions to this policy |
Procedure
- Teleport access is managed through Okta and is provided as part of a role’s baseline group assignment or through an access request with appropriate approval
- Access reviews are performed on a quarterly basis to ensure that all users are appropriate and have appropriate access levels.
- Teleport Audit Logs must be retained for a defined period of 1 year
- Teleport Audit Logs must not be modified and or deleted before the defined time of 1 year
- Access to Teleport Audit log data must be limited based on the principle of least privilege
Exceptions
Exceptions to this policy will be tracked as per the Information Security Policy Exception Management Process
References
- What is considered production
- Production Architecture
- Runbook: How to connect to a Database console using Teleport
- Runbook: How to connect to a Rails Console using Teleport
- Teleport
Last modified June 24, 2024: Remove Teleport Access Policy from Controlled Docs (
d3fcea70)
