Turbot Guardrails Hub 

Policy: AWS > Turbot > IAM > Managed

This policy determines the permission mode used by Guardrails. There are 3 possible configurations:

None: Guardrails will not manage any AWS IAM permissions. This setting is for organizations that want to maintain complete control over AWS IAM.

Policy-Only Mode: Guardrails policies are created in AWS IAM, but no management of roles or users will occur. This option helps automate policy creation across a wide number of accounts while keeping control in the hands of the organization.

Role Mode: Guardrails will create policies and roles within the AWS account. This allows administrators to assign AWS permissions in Guardrails. Users federate into AWS and will assume the role that is assigned to their profile in Guardrails.

Role Mode with strict Turbot-managed policies: Ensures that only Turbot-managed policies can be attached to roles, blocking custom policy attachments for stricter security control.

User Mode: Guardrails will create policies, roles, groups and users within the AWS account. Access granted at the folder level ABOVE the accounts will always leverage roles. Guardrails users granted access only at the folder level will NOT have a corresponding IAM User. If a user is granted any access explicitly on the account, an IAM user will be created for them.

User Mode with strict Turbot-managed policies and groups: Restricts roles, users, and groups to only Turbot-managed policies and groups, ensuring a secure and controlled environment by disallowing custom attachments.

Targets

This policy targets the following resource types:

  • AWS > Account

Primary Policy

This policy is used with the following primary policy:

  • AWS > Turbot > IAM

Controls

Setting this policy configures these controls:

  • AWS > Turbot > IAM > Group > Managed
  • AWS > Turbot > IAM > Managed
  • AWS > Turbot > IAM > Policy > Managed
  • AWS > Turbot > IAM > Role > Managed
  • AWS > Turbot > IAM > User > Managed

Policy Specification

Schema Type: string

Default: Skip

Valid Values [YAML]:
  • Skip
  • Check: None
  • Check: Policy-Only Mode
  • Check: Role Mode
  • Check: Role Mode with strict Turbot-managed policies
  • Check: User Mode
  • Check: User Mode with strict Turbot-managed policies and groups
  • Enforce: None
  • Enforce: Policy-Only Mode
  • Enforce: Role Mode
  • Enforce: Role Mode with strict Turbot-managed policies
  • Enforce: User Mode
  • Enforce: User Mode with strict Turbot-managed policies and groups

Examples [YAML]:
  • Enforce: None

Category

  • IAM

In Your Workspace

  • Policy Settings by Type report

Developers

  • Category URI
    • tmod:@turbot/turbot#/control/categories/iam
  • Policy Type URI
    • tmod:@turbot/aws-iam#/policy/types/iamTurbotManaged
  • GraphQL
    • query policyType(id: "tmod:@turbot/aws-iam#/policy/types/iamTurbotManaged") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-iam#/policy/types/iamTurbotManaged'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-iam#/policy/types/iamTurbotManaged'") { … }
  • CLI
    • Get Policy Type: turbot graphql policy-type --id "tmod:@turbot/aws-iam#/policy/types/iamTurbotManaged"
    • Get Policy Settings: turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-iam#/policy/types/iamTurbotManaged"