diff --git a/lib/auth/autoupdate/autoupdatev1/service.go b/lib/auth/autoupdate/autoupdatev1/service.go
index aa9e29f2fabea..77baae74e4658 100644
--- a/lib/auth/autoupdate/autoupdatev1/service.go
+++ b/lib/auth/autoupdate/autoupdatev1/service.go
@@ -30,6 +30,7 @@ import (
 apievents "github.com/gravitational/teleport/api/types/events"
 "github.com/gravitational/teleport/lib/authz"
 "github.com/gravitational/teleport/lib/events"
+ "github.com/gravitational/teleport/lib/modules"
 "github.com/gravitational/teleport/lib/services"
 )
@@ -292,6 +293,10 @@ func (s *Service) CreateAutoUpdateVersion(ctx context.Context, req *autoupdate.C
 return nil, trace.Wrap(err)
 }
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -333,6 +338,10 @@ func (s *Service) UpdateAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 return nil, trace.Wrap(err)
 }
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbUpdate); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -374,6 +383,10 @@ func (s *Service) UpsertAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 return nil, trace.Wrap(err)
 }
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate, types.VerbUpdate); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -415,6 +428,10 @@ func (s *Service) DeleteAutoUpdateVersion(ctx context.Context, req *autoupdate.D
 return nil, trace.Wrap(err)
 }
+ if err := checkAdminCloudAccess(authCtx); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbDelete); err != nil {
 return nil, trace.Wrap(err)
 }
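Review bot: The new Cloud gate in CreateAutoUpdateVersion runs before `authCtx.CheckAccessToKind`, so a caller with no RBAC rights to `autoupdate_version` at all receives the Cloud-specific explanation instead of the same generic denial every other kind produces; running the RBAC check first and the Cloud gate second keeps the failure mode uniform and does not tell an unprivileged caller how the resource is managed. The Update, Upsert and Delete hunks below repeat the identical pair of checks in the same order, so a small helper such as `func (s *Service) authorizeVersionWrite(authCtx *authz.Context, verbs ...string) error` would keep the four call sites from drifting. The gate lives only in this gRPC service, so any other write path to the resource, if one exists, is presumably not covered and worth confirming. The bodies of these four methods start and end outside the hunks.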
@@ -589,3 +606,14 @@ func (s *Service) emitEvent(ctx context.Context, e apievents.AuditEvent) {
 )
 }
 }
+
+// checkAdminCloudAccess validates if the given context has the builtin admin role if cloud feature is enabled.
+func checkAdminCloudAccess(authCtx *authz.Context) error {
+ if modules.GetModules().Features().Cloud && !authz.HasBuiltinRole(*authCtx, string(types.RoleAdmin)) {
+ return trace.AccessDenied("This Teleport instance is running on Teleport Cloud. "+
+ "The %q resource is managed by the Teleport Cloud team. You can use the %q resource to opt-in, "+
+ "opt-out or configure update schedules.",
+ types.KindAutoUpdateVersion, types.KindAutoUpdateConfig)
+ }
+ return nil
+}
diff --git a/lib/services/presets.go b/lib/services/presets.go
index d82ba05a4f4b2..3532375149185 100644
--- a/lib/services/presets.go
+++ b/lib/services/presets.go
@@ -185,6 +185,8 @@ func NewPresetEditorRole() types.Role {
 types.NewRule(types.KindIdentityCenter, RW()),
 types.NewRule(types.KindContact, RW()),
 types.NewRule(types.KindWorkloadIdentity, RW()),
+ types.NewRule(types.KindAutoUpdateVersion, RW()),
+ types.NewRule(types.KindAutoUpdateConfig, RW()),
 },
 },
 },
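Review bot: `checkAdminCloudAccess` dereferences `*authCtx` with no nil guard, and its doc comment does not say that the function is a no-op off Cloud or that the denial is a `trace.AccessDenied`; a cheap guard, `if authCtx == nil { return trace.AccessDenied("missing authorization context") }`, keeps a future caller that skips Authorize from panicking, and the comment reads better as `// checkAdminCloudAccess returns an AccessDenied error when the cluster runs on Teleport Cloud and the caller does not hold the builtin Admin role; on non-Cloud clusters it always returns nil.` The Cloud decision comes from the process-global `modules.GetModules()`, so a unit test of the denial path presumably has to install test modules with the Cloud feature set, and both sides of the gate deserve a test. The emitEvent function at the top of the hunk is cut off by the hunk boundary.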
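Review bot: Granting RW on `autoupdate_version` to the preset editor role lets any editor on a self-hosted cluster choose the version every auto-updating agent will install, a supply-chain control point that the Cloud-only gate in service.go does not cover; consider giving editors RW on `autoupdate_config` only and leaving the version rule to an explicitly granted role, or at least document the exposure next to the rule, e.g. `// autoupdate_version selects the release agents install; on Cloud, writes are additionally restricted to the builtin Admin role.` If presets.go keeps a separate list of allow rules that are backfilled into already-existing preset roles on upgrade, these two kinds presumably need adding there too, otherwise upgraded and freshly created clusters end up with different editor roles. NewPresetEditorRole starts before the hunk.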