Add Crown Jewels docs (#46774)

* Add Crown Jewels docs * Update role definition * Apply suggestions from code review Co-authored-by: Roman Tkachenko <[email protected]> Co-authored-by: Zac Bergquist <[email protected]> * Address code review issues * Convert images from PNG to webp * Add audit event exporter section * Update Crown Jewels docs. * Move required RBAC roles higher in the Crown Jewels docs * Move crown jewels docs to Teleport Policy section. * Rename Teleport Policy to Access Graph Crown Jewels Updated references to the Crown Jewel feature from Teleport Policy to Access Graph in the title, description, and content. --------- Co-authored-by: Roman Tkachenko <[email protected]> Co-authored-by: Zac Bergquist <[email protected]>
gravitational · Oct 7, 2024 · 8c24899 · 8c24899
1 parent 8778547
commit 8c24899
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 1 deletion.
diff --git a/docs/config.json b/docs/config.json
@@ -124,7 +124,7 @@
       "nodeIP": "ip-172-31-35-170"
     },
     "access_graph": {
-      "version": "1.20.4"
+      "version": "1.24.4"
     },
     "ansible": {
       "min_version": "2.9.6"

diff --git a/docs/img/access-graph/crown-jewels/changes.webp b/docs/img/access-graph/crown-jewels/changes.webp
diff --git a/docs/img/access-graph/crown-jewels/create-matcher-name.webp b/docs/img/access-graph/crown-jewels/create-matcher-name.webp
diff --git a/docs/img/access-graph/crown-jewels/create-page.webp b/docs/img/access-graph/crown-jewels/create-page.webp
diff --git a/docs/img/access-graph/crown-jewels/create-selector.webp b/docs/img/access-graph/crown-jewels/create-selector.webp
diff --git a/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx b/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx
@@ -0,0 +1,97 @@
+---
+title: See permission changes with Access Graph Crown Jewels
+description: Describes how to use Access Graph Crown Jewels to see permission changes in Teleport.
+---
+
+Access Graph's Crown Jewel feature allows you to track changes to access for your most sensitive users or resources.
+When you mark a resource as a Crown Jewel, Teleport emits audit events any time access to that resource changes.
+These audit events include snapshots of the permissions before and after the change,
+which can alert you of unexpected access changes and allow you to verify the results.
+
+This guide shows you how to configure Crown Jewels, how to mark resources as Crown Jewels, and how to see permission changes for these resources.
+
+## Prerequisites
+
+- A running Teleport Enterprise cluster v16.2.0 or later.
+- For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
+- For self-hosted clusters, a running Access Graph node v1.24.0 or later.
+Check [Access Graph page](teleport-policy.mdx) for details on
+how to set up Access Graph.
+
+Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product
+available to Teleport Enterprise edition customers.
+
+After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found
+under the Permission Management section.
+
+## Required RBAC permissions
+
+To create and view Crown Jewels, you need the following RBAC permissions:
+
+```yaml
+kind: role
+metadata:
+  name: crown-jewels-admin
+spec:
+  allow:
+    rules:
+    - resources:
+      - crown_jewel
+      verbs:
+      - *
+version: v7
+```
+
+## Creating a Crown Jewel
+
+To create a Crown Jewel, you need to mark a resource or user as critical. Only changes to marked resources
+and users will be logged by Teleport Policy.
+To mark a resource or user as Crown Jewel, open the Access Graph and navigate to the "Crown Jewels" tab.
+
+![Create Page](../../../img/access-graph/crown-jewels/create-page.webp)
+
+Click on "Create Crown Jewel" and select the resource or user you want to mark as critical.
+
+![Create Selector](../../../img/access-graph/crown-jewels/create-selector.webp)
+
+Pick a name for the Crown Jewel and click "Create".
+
+![Create Matcher Name](../../../img/access-graph/crown-jewels/create-matcher-name.webp)
+
+The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Access Graph will now create
+audit events in Teleport's audit log and new entries in the "Access Changes" tab in the "Crown Jewels" menu whenever
+access path to a resource or a user changes.
+
+## Viewing permission changes
+
+To view permission changes, open the Access Graph and navigate to the "Crown Jewels" tab.
+Here you can see a list of all Crown Jewels and the changes that have been made to them.
+
+![Changes](../../../img/access-graph/crown-jewels/changes.webp)
+
+The generated changes have a diff format showing removed nodes with "-" and added nodes with "+".
+Every time a change is made to a Crown Jewel, a new entry will be added to the list and an audit event
+will be generated in the Teleport Audit Log.
+
+## Audit events
+
+Every time a change is made to a Crown Jewel, an audit event is generated in the Teleport Audit Log.
+Here is what an example audit event looks like:
+
+```json
+{
+  "affected_resource_name": "bob",
+  "affected_resource_source": "TELEPORT",
+  "affected_resource_type": "teleport_node",
+  "change_id": "0110b3c4-d0b5-4af9-8585-aa49a064c85d",
+  "cluster_name": "ssh-node",
+  "code": "TAG001I",
+  "ei": 0,
+  "event": "access_graph.access_path_changed",
+  "time": "2024-09-20T19:50:38.194Z",
+  "uid": "5447d050-699a-4009-a901-ab8ed2614bc2"
+}
+```
+
+You can export the audit event using the event handler.
+The setup is described [here](../management/export-audit-events.mdx).