diff --git a/lib/auth/autoupdate/autoupdatev1/service.go b/lib/auth/autoupdate/autoupdatev1/service.go
index 576d23b50200..555a03506d55 100644
--- a/lib/auth/autoupdate/autoupdatev1/service.go
+++ b/lib/auth/autoupdate/autoupdatev1/service.go
@@ -77,6 +77,15 @@ func NewService(cfg ServiceConfig) (*Service, error) {
 // GetAutoUpdateConfig gets the current autoupdate config singleton.
 func (s *Service) GetAutoUpdateConfig(ctx context.Context, req *autoupdate.GetAutoUpdateConfigRequest) (*autoupdate.AutoUpdateConfig, error) {
+ authCtx, err := s.authorizer.Authorize(ctx)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ if err := authCtx.CheckAccessToKind(types.KindAutoUpdateConfig, types.VerbRead); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 config, err := s.cache.GetAutoUpdateConfig(ctx)
 if err != nil {
 return nil, trace.Wrap(err)
@@ -165,6 +174,15 @@ func (s *Service) DeleteAutoUpdateConfig(ctx context.Context, req *autoupdate.De
 // GetAutoUpdateVersion gets the current autoupdate version singleton.
 func (s *Service) GetAutoUpdateVersion(ctx context.Context, req *autoupdate.GetAutoUpdateVersionRequest) (*autoupdate.AutoUpdateVersion, error) {
+ authCtx, err := s.authorizer.Authorize(ctx)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbRead); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 version, err := s.cache.GetAutoUpdateVersion(ctx)
 if err != nil {
 return nil, trace.Wrap(err)
diff --git a/lib/auth/autoupdate/autoupdatev1/service_test.go b/lib/auth/autoupdate/autoupdatev1/service_test.go
index f162072c0b3e..840fd9bbf94c 100644
--- a/lib/auth/autoupdate/autoupdatev1/service_test.go
+++ b/lib/auth/autoupdate/autoupdatev1/service_test.go
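Review bot: Both read handlers now deny any caller without `types.VerbRead` on the kind (`types.KindAutoUpdateConfig` in GetAutoUpdateConfig, `types.KindAutoUpdateVersion` in GetAutoUpdateVersion), and nothing in this diff grants that verb to a role. If agents or other service identities fetch these singletons, confirm their roles carry the rule before this ships; otherwise they will presumably get access-denied errors where they previously got a response. The doc comments should also state the new requirement, for example `// GetAutoUpdateConfig gets the current autoupdate config singleton. The caller needs read access to types.KindAutoUpdateConfig.` Both function bodies continue past the end of their hunks.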
@@ -110,10 +110,14 @@ func TestServiceAccess(t *testing.T) {
 allowedVerbs: []string{types.VerbUpdate, types.VerbCreate},
 },
 {
- name: "GetAutoUpdateConfig",
- allowedStates: []authz.AdminActionAuthState{},
- disallowedStates: []authz.AdminActionAuthState{},
- allowedVerbs: []string{types.VerbRead},
+ name: "GetAutoUpdateConfig",
+ allowedStates: []authz.AdminActionAuthState{
+ authz.AdminActionAuthUnauthorized,
+ authz.AdminActionAuthNotRequired,
+ authz.AdminActionAuthMFAVerified,
+ authz.AdminActionAuthMFAVerifiedWithReuse,
+ },
+ allowedVerbs: []string{types.VerbRead},
 },
 {
 name: "DeleteAutoUpdateConfig",
@@ -149,10 +153,14 @@ func TestServiceAccess(t *testing.T) {
 allowedVerbs: []string{types.VerbUpdate, types.VerbCreate},
 },
 {
- name: "GetAutoUpdateVersion",
- allowedStates: []authz.AdminActionAuthState{},
- disallowedStates: []authz.AdminActionAuthState{},
- allowedVerbs: []string{types.VerbRead},
+ name: "GetAutoUpdateVersion",
+ allowedStates: []authz.AdminActionAuthState{
+ authz.AdminActionAuthUnauthorized,
+ authz.AdminActionAuthNotRequired,
+ authz.AdminActionAuthMFAVerified,
+ authz.AdminActionAuthMFAVerifiedWithReuse,
+ },
+ allowedVerbs: []string{types.VerbRead},
 },
 {
 name: "DeleteAutoUpdateVersion",
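Review bot: The GetAutoUpdateConfig and GetAutoUpdateVersion table entries now list four `authz.AdminActionAuthState` values as allowed, including `authz.AdminActionAuthUnauthorized`, without saying why. Assuming the intent is that these reads are not admin actions and so need no MFA, a one-line comment on each entry would record that, e.g. `// Reads are not admin actions, so every admin-action auth state is allowed.` The entries also drop the explicit empty `disallowedStates`; that is equivalent only if the harness merely ranges over the slice, and the harness is outside these hunks.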