AWS Partner Network (APN) Blog

Automate compliance session review with Teleport and Amazon Bedrock

By: Ben Arent, Director of Product – Teleport
By: JP Boreddy, Senior Solutions Architect – AWS


Compliance frameworks such as SOC 2, PCI DSS, FedRAMP, and HIPAA require organizations to record and review interactive infrastructure sessions. But manual review is difficult to sustain at volume, so not everything that is recorded is fully analyzed.

Teleport, an AWS Partner and AWS Marketplace seller, provides identity-aware access management for infrastructure. It delivers unified, zero-trust access (requiring verification for every access request) to Amazon Web Services (AWS) resources through certificate-based authentication, automated auditing, and just-in-time provisioning (which grants access only when needed and for limited duration).

Teleport Identity Security and Amazon Bedrock, a fully managed service that makes foundation models (FMs) available through a unified API, make review compliance sustainable at scale. Together, they automatically summarize, classify risk, and alert on SSH, Kubernetes, and database sessions. Session recordings can become actionable security intelligence instead of an unwatched compliance artifact.

Why session reviews matter

Recording sessions without analyzing them still carries cost. Organizations accumulate thousands of hours of recordings that satisfy the mandate of SOC 2, PCI DSS, FedRAMP, and HIPAA to capture certain required data. However, the requirement to review this data becomes a staffing problem. Some teams dedicate multiple full-time employees to watching playback. Standing session review is the equivalent of standing privileges: persistent, costly, and poorly matched to actual risk. In the same way that just-in-time access replaced persistent permissions, automated analysis can replace persistent human review, letting reviewers jump straight to the moments that matter. The question shifts from “did someone watch this?” to “did anything in this session require attention?” That’s the issue Teleport and AWS address together: turning a compliance artifact that accumulates cost into security intelligence that drives action, without adding headcount.

The following screenshot shows a Teleport SSH session on an Amazon Elastic Compute Cloud (Amazon EC2) instance, capturing an attempt to exfiltrate /etc/passwd.

Figure 1: A Teleport SSH session recording

How it works

The integration between Teleport and AWS follows a four-stage pipeline that transforms raw session recordings into risk-classified audit intelligence. Each stage builds on capabilities inherent in both platforms:

  1. Identity-attributed session recording – Teleport captures interactive SSH, Kubernetes, and database sessions, including structured JSON events and optional enhanced eBPF (Extended Berkeley Packet Filter)-based session recording, from across AWS and self-hosted infrastructure. Recordings are stored with server-side encryption using AWS Key Management Service (AWS KMS), specifically SSE-KMS. Customers can use a customer managed AWS KMS key for additional control over key policies and audit trails, and events are identity-attributed at capture time.
  2. LLM-powered summarization using Amazon Bedrock – When a session ends, Teleport’s inference policy engine evaluates whether it matches configured summarization criteria based on session type, user traits, or resource labels. Matched sessions are sent to Amazon Bedrock, where a foundation model such as Claude by Anthropic in Amazon Bedrock or Amazon Nova 2 Pro (preview) generates a natural-language summary of what occurred. The Teleport Auth Service authenticates to Amazon Bedrock using AWS Identity and Access Management (IAM) roles, with bedrock:InvokeModel permissions scoped to specific model ARNs.
  3. Risk classification – Within the same invocation, Amazon Bedrock assigns a risk classification (Low, Medium, High, or Critical) based on commands executed, signs of obfuscation or encoding, and deviation from expected behavior. Risk scores describe session activity, not the operator, and prioritize human review rather than drive automated decisions. Classifications are emitted as structured audit events.
  4. Audit events and security information and event management (SIEM) integration – Teleport emits the summary and risk level as structured audit events alongside the original session metadata. These events flow through Teleport’s audit log export to existing SIEM tools such as Splunk, Elastic, or Amazon Security Lake. Security teams can then build alerts (for example, triggering an incident response workflow whenever a Critical-risk session involves a production database) without ever manually reviewing a recording.

The following screenshot shows an SSH session recording in which an AWS credential exfiltration attempt was detected.

Figure 2: An SSH session recording showing detection of an AWS credential exfiltration attempt
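Stage 4's alerting rule, as an added example that is not part of the article or of Teleport's own code: it scans an audit-log export (one JSON event per line; the event name session.summary and the field names are assumed, since the article does not give the schema) and raises an alert for a Critical-risk session on a production database, for any session at or above a risk threshold, and for summaries whose risk level is missing or unrecognized.

```python
import json
from collections import namedtuple

# Risk levels as the article lists them, ordered so severities can be compared.
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
Alert = namedtuple("Alert", "session_id user resource risk rule")

def normalize_risk(value):
    """Map a free-form risk string to one of the four levels; None if missing or unknown."""
    if not isinstance(value, str):
        return None
    level = value.strip().capitalize()
    return level if level in RISK_ORDER else None

def route_session_events(lines, min_risk="High", prod_label=("env", "production")):
    """Scan exported audit events (one JSON object per line; event and field names are
    assumed) and return alerts for the article's example rule plus threshold and gaps."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line; a real pipeline would count and report these
        if ev.get("event") != "session.summary":
            continue  # session.start and similar events carry no risk classification
        sid, user, res = ev.get("session_id", "?"), ev.get("user", "?"), ev.get("resource", "?")
        risk = normalize_risk(ev.get("risk_level"))
        if risk is None:
            # A summary without a usable risk level still needs a human look, not silence.
            alerts.append(Alert(sid, user, res, "Unknown", "unclassified"))
            continue
        labels = ev.get("resource_labels") or {}
        if (risk == "Critical" and ev.get("session_kind") == "db"
                and labels.get(prod_label[0]) == prod_label[1]):
            alerts.append(Alert(sid, user, res, risk, "critical_prod_db"))  # incident workflow
        elif RISK_ORDER[risk] >= RISK_ORDER[min_risk]:
            alerts.append(Alert(sid, user, res, risk, "risk_threshold"))  # review queue
    return alerts

# Constructed sample export lines (not real Teleport output; field names are assumed).
SAMPLE_EXPORT = [
    '{"event":"session.summary","session_id":"s1","user":"alice","resource":"web-01","session_kind":"ssh","risk_level":"Low"}',
    '{"event":"session.summary","session_id":"s2","user":"bob","resource":"orders-db","session_kind":"db","resource_labels":{"env":"production"},"risk_level":"Critical"}',
    '{"event":"session.summary","session_id":"s3","user":"carol","resource":"bastion","session_kind":"ssh","risk_level":"high"}',
    '{"event":"session.summary","session_id":"s4","user":"dave","resource":"k8s-dev","session_kind":"kube","risk_level":"medium"}',
    '{"event":"session.summary","session_id":"s5","user":"erin","resource":"hr-db","session_kind":"db"}',
    '{"event":"session.start","session_id":"s6","user":"frank","resource":"web-02"}',
    'not json at all',
]
```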

The following steps describe how Teleport AI session summaries are generated:

  1. A user logs into Teleport using the tsh command line interface (CLI) to start a session.
  2. Teleport proxies the connection to Amazon EC2 over SSH.
  3. Teleport audits and records the SSH session, storing the recording as a TAR file.
  4. After the session, the Teleport auth server processes the recording and forwards it to the AI summarization layer.
  5. Teleport’s identity security module authenticates the request and passes it to Amazon Bedrock, which categorizes the session and generates a timeline using an inference policy that selects models based on session kind and user traits.
  6. The resulting session summary is uploaded back to storage alongside the original recording.

The following architecture diagram shows an overview of the Teleport and Amazon Bedrock session review pipeline.

Figure 3: Architecture diagram

Why Amazon Bedrock

Session recordings contain sensitive data such as commands, host names, and output that might include credentials or internal system details. A key reason organizations choose Amazon Bedrock is that inference happens entirely within the customer’s AWS account. On-demand inference doesn’t use customer inputs or outputs to train or improve FMs, and no data is shared with third parties. Invocations of bedrock:InvokeModel are logged to AWS CloudTrail, giving security teams an audit trail. Together, Teleport and Amazon Bedrock help session analysis inherit the same security controls as session recording.

Teleport captures the session, and the Amazon Bedrock InvokeModel API analyzes it, so session data stays in the customer’s AWS account in the selected AWS Region. Together, these layers provide defense in depth.

This shared security posture helps organizations meet the requirements of compliance frameworks that typically mandate session recording. These include SOC 2, PCI DSS, FedRAMP, and HIPAA-eligible workloads when a Business Associate Addendum (BAA) is in place. Data residency stays within the customer’s chosen Region.

Prerequisites

Before you begin, confirm you have the following in place:

Walkthrough: Configure integration between Teleport and Amazon Bedrock

In this section, you configure the integration between Teleport and Amazon Bedrock to automatically summarize and risk-classify your infrastructure sessions. By the end, you have a working pipeline that generates AI-powered summaries for SSH, Kubernetes, and database sessions.

An inference model resource tells Teleport which Amazon Bedrock FM to use for analysis. The inference policy acts as a filter, determining which sessions trigger AI summarization based on criteria like user role, resource type, or session duration. Together, these configurations control both the analysis engine and when it runs. Complete these high-level steps:

  1. Start with Teleport Enterprise Cloud – Enterprise Cloud customers receive a default configuration. Sign in to your Teleport cluster and verify that you have a role with permission to create inference resources.
  2. Define the inference model resource – In Teleport, create an inference model resource that specifies your Amazon Bedrock FM Amazon Resource Name (ARN) and the IAM role the Teleport Auth Service will assume (configured in step 4).
  3. Create the inference policy – Define an inference policy that controls which sessions are summarized and at what scope. You can filter by session type, user traits, or resource labels.
  4. Configure the IAM policy in AWS – Create an IAM policy with bedrock:InvokeModel permissions scoped to your chosen inference model ARN. Attach it to the Teleport Auth Service’s IAM role. For the specific IAM policy JSON and various configuration options, refer to the Teleport Session Recording Summaries documentation.
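The least-privilege IAM policy from step 4 beside a checker for it, as an added example (not the policy JSON from the Teleport documentation): the checker flags Allow statements that grant bedrock:InvokeModel more broadly than specific foundation-model ARNs, which is the scoping the article calls for. The Region and model ID in the policy are example values to replace with the model your inference model resource points at.

```python
import json
import re

# Bedrock foundation-model ARN shape: arn:aws:bedrock:<region>::foundation-model/<model-id>
FM_ARN = re.compile(r"^arn:aws:bedrock:[a-z0-9-]+::foundation-model/[A-Za-z0-9.\-:]+$")
# IAM action names are case-insensitive, so comparisons are done in lowercase.
INVOKE_ACTIONS = {"bedrock:invokemodel", "bedrock:invokemodelwithresponsestream"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_invoke(action):
    """True if the action (possibly a wildcard such as bedrock:* or *) covers InvokeModel."""
    a = action.lower()
    return a in INVOKE_ACTIONS or (a.endswith("*") and "bedrock:invokemodel".startswith(a[:-1]))

def check_bedrock_policy(policy):
    """Return findings for Allow statements that grant Bedrock invoke rights more broadly
    than specific foundation-model ARNs; an empty list means the policy is scoped."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(_grants_invoke(a) for a in actions):
            continue
        for a in actions:
            if a.lower() not in INVOKE_ACTIONS:
                findings.append(f"statement {i}: action '{a}' is broader than InvokeModel")
        for res in _as_list(st.get("Resource", [])):
            if not FM_ARN.match(res):
                findings.append(f"statement {i}: resource '{res}' is not a specific foundation-model ARN")
    return findings

# Least-privilege policy for the Teleport Auth Service role. The Region and model ID are
# example values; use the ARN of the model your inference model resource references.
TELEPORT_BEDROCK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "bedrock:InvokeModel",
        "Resource": "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-5-sonnet-20240620-v1:0",
    }],
}

# Over-broad variant that a policy review should reject: any Bedrock action on any model.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}],
}
```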

For the full configuration walkthrough, refer to the Teleport Session Recording Summaries documentation and the official Amazon Bedrock documentation.

Verification

To verify the integration is working correctly:

  1. Start a test SSH session to a configured resource.
  2. Run a few commands and end the session.
  3. Navigate to the Teleport audit session recordings and confirm that the corresponding recording tile shows a summary button.
  4. Check the summary by choosing the summary button.
  5. Validate the session is discoverable using Session Recording Search.

Conclusion

Compliance frameworks require you to record sessions and to understand what happened in them. For most organizations, that understanding has depended on manual review: someone watches playback, writes a summary, and flags anything unusual. That is manageable at small scale but becomes impractical when you’re recording thousands of sessions a month across SSH, Kubernetes, and database infrastructure.

Together, Teleport Identity Security and Amazon Bedrock make compliance review sustainable at scale. The four-stage pipeline (record, summarize, classify, and alert) turns each qualifying session recording into a structured, risk-scored event that flows directly into your existing security tools. Sessions that need attention get flagged. Sessions that don’t still get documented. Auditors get evidence that helps customers demonstrate they meet the session-review expectations of SOC 2, PCI DSS, FedRAMP, and HIPAA where those frameworks apply to the customer’s program.

The architecture keeps sensitive session data within your AWS environment. Amazon Bedrock is invoked through your own account, and network controls such as AWS PrivateLink help prevent recordings from traversing the public internet for inference.

Disclaimer: This content is provided for informational purposes. It is not a turnkey production deployment. You should work with your security and legal teams to meet your organizational security, regulatory, and compliance requirements before deploying.

Teleport is available in AWS Marketplace, where you can consolidate billing through your existing AWS account. You can also start a free trial to explore session recording summaries and the full Identity Security platform in your own environment. For detailed setup instructions, consult the Teleport session summaries documentation.

For related reading, refer to the AWS Security Blog and to Video security analysis for privileged access management using generative AI and Amazon Bedrock on the AWS Blog.

Connect with Teleport

Teleport – AWS Partner Spotlight

Teleport is an ISV Accelerate AWS Partner, providing identity-native infrastructure access for SSH, Kubernetes, databases, and applications. Teleport replaces legacy access tools with a unified platform that enforces identity-based, zero-trust access across cloud and on-premises environments for both human and non-human identities.
