
Policy: AWS > Turbot > IAM > Managed

This policy determines the permission mode used by Guardrails. There are 3 possible configurations:

None: Guardrails will not manage any AWS IAM permissions. This setting is for organizations that want to maintain complete control over AWS IAM.

Policy-Only Mode: Guardrails policies are created in AWS IAM, but no management of roles or users will occur. This option helps automate policy creation across a wide number of accounts while keeping control in the hands of the organization.

Role Mode: Guardrails will create policies and roles within the AWS account. This allows administrators to assign AWS permissions in Guardrails. Users federate into AWS and will assume the role that is assigned to their profile in Guardrails.

Role Mode with strict Turbot-managed policies: Ensures that only Turbot-managed policies can be attached to roles, blocking the attachment of custom policies for stricter security control.

User Mode: Guardrails will create policies, roles, groups and users within the AWS account. Access granted at the folder level ABOVE the accounts will always leverage roles. Guardrails users granted access only at the folder level will NOT have a corresponding IAM User. If a user is granted any access explicitly on the account, an IAM user will be created for them.

User Mode with strict Turbot-managed policies and groups: Restricts roles, users, and groups to only Turbot-managed policies and groups, ensuring a secure and controlled environment by disallowing custom attachments.
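To make the two strict modes concrete, the following added example (not Guardrails code) evaluates a constructed IAM inventory and reports the attachments each mode would block. It assumes a Turbot-managed object can be recognised by a `managed` flag, and that only Turbot-managed entities are in scope; both are assumptions, since the page does not state how Guardrails identifies the objects it creates.

```python
# Added example, not Guardrails code: evaluate a constructed IAM inventory
# against the strict modes of AWS > Turbot > IAM > Managed. The 'managed'
# flag is an ASSUMPTION standing in for however your deployment marks the
# objects Guardrails created; no AWS calls are made.

# Constructed sample inventory: policies map name -> Turbot-managed?;
# roles/users/groups map name -> {managed, attached policies, [groups]}.
INVENTORY = {
    "policies": {"turbot/admin": True, "turbot/readonly": True, "custom/s3-full": False},
    "groups": {
        "turbot/admins": {"managed": True, "attached": ["turbot/admin"]},
        "legacy-ops": {"managed": False, "attached": ["custom/s3-full"]},
    },
    "roles": {
        "turbot/admin": {"managed": True, "attached": ["turbot/admin"]},
        "turbot/reader": {"managed": True, "attached": ["turbot/readonly", "custom/s3-full"]},
        "app-role": {"managed": False, "attached": ["custom/s3-full"]},
    },
    "users": {
        "alice": {"managed": True, "attached": ["turbot/readonly"], "groups": ["turbot/admins"]},
        "bob": {"managed": True, "attached": [], "groups": ["legacy-ops"]},
    },
}

# Entity kinds each strict mode restricts to Turbot-managed attachments.
STRICT_SCOPE = {
    "Role Mode with strict Turbot-managed policies": ("roles",),
    "User Mode with strict Turbot-managed policies and groups": ("roles", "users", "groups"),
}


def violations(inventory, mode):
    """Return (kind, entity, attachment) triples the given mode would block:
    a Turbot-managed entity carrying a non-Turbot-managed policy, or (User
    Mode strict only) a user placed in a non-Turbot-managed group.
    Non-strict modes impose no attachment restriction, so they return []."""
    found = []
    policies = inventory["policies"]
    for kind in STRICT_SCOPE.get(mode, ()):
        for name, entity in inventory[kind].items():
            if not entity["managed"]:
                continue  # assumption: entities Guardrails did not create are out of scope
            for policy in entity["attached"]:
                if not policies.get(policy, False):
                    found.append((kind, name, policy))
            if kind == "users":
                for group in entity.get("groups", []):
                    if not inventory["groups"][group]["managed"]:
                        found.append((kind, name, group))
    return found


if __name__ == "__main__":
    for mode in ("Role Mode", *STRICT_SCOPE):
        print(f"{mode}: {violations(INVENTORY, mode)}")
```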

Resource Types

This policy targets the following resource types:

Primary Policy

This policy is used with the following primary policy:

Controls

Policy Specification

Schema Type: string
Default: Skip
Valid Values [YAML]
  • Skip
  • Check: None
  • Check: Policy-Only Mode
  • Check: Role Mode
  • Check: Role Mode with strict Turbot-managed policies
  • Check: User Mode
  • Check: User Mode with strict Turbot-managed policies and groups
  • Enforce: None
  • Enforce: Policy-Only Mode
  • Enforce: Role Mode
  • Enforce: Role Mode with strict Turbot-managed policies
  • Enforce: User Mode
  • Enforce: User Mode with strict Turbot-managed policies and groups
Examples [YAML]
  • Enforce: None
