Policy: AWS > Turbot > Permissions
This policy determines the permission mode Guardrails uses in the AWS account. There are four possible configurations:
None: Guardrails does not manage any AWS IAM permissions. This setting is for organizations that want to keep complete control over AWS IAM.
Policy-Only Mode: Guardrails creates its policies in AWS IAM but does not manage roles or users. This automates policy creation across a large number of accounts while leaving role and user management in the hands of the organization.
Role Mode: Guardrails creates policies and roles within the AWS account, so administrators can assign AWS permissions in Guardrails. Users federate into AWS and assume the role assigned to their profile in Guardrails.
User Mode: Guardrails creates policies, roles and users within the AWS account. Access granted at a folder level ABOVE the accounts always uses roles; a Guardrails user granted access only at the folder level does NOT get a corresponding IAM user. If a user is granted any access explicitly on the account, an IAM user is created for them.
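The following is an added example, not code from the Guardrails documentation or the aws-iam mod, showing how the modes above are typically set with the Turbot Terraform provider: a folder-level default of Policy-Only Mode that accounts may override, and one account overriding it to Role Mode. It assumes the provider is already configured for the workspace, that the account 123456789012 has been imported beneath the folder created here, and that its Guardrails AKA is `arn:aws:::123456789012`; the folder title, the account number and the note text are placeholders.

```hcl
# Added example; not part of the Guardrails docs or the aws-iam mod.
# Assumed: Turbot Terraform provider configured for the workspace, and the AWS
# account 123456789012 imported under this folder with AKA "arn:aws:::123456789012".

resource "turbot_folder" "aws_accounts" {
  parent      = "tmod:@turbot/turbot#/"   # workspace root
  title       = "AWS Accounts"            # placeholder title
  description = "Folder above the imported AWS accounts"
}

# Folder-level default for every account beneath the folder: Guardrails creates
# its IAM policies only and touches no roles or users. RECOMMENDED precedence
# (rather than REQUIRED) leaves an individual account free to override it.
resource "turbot_policy_setting" "permissions_folder_default" {
  resource   = turbot_folder.aws_accounts.id
  type       = "tmod:@turbot/aws-iam#/policy/types/permissions"
  value      = "Policy-Only Mode"
  precedence = "RECOMMENDED"
}

# Account-level override: in this one account Guardrails also creates the roles
# that federated users assume. No IAM users are created in this mode.
resource "turbot_policy_setting" "permissions_account_override" {
  resource = "arn:aws:::123456789012"   # assumed account AKA
  type     = "tmod:@turbot/aws-iam#/policy/types/permissions"
  value    = "Role Mode"
  note     = "Federated users assume Guardrails-managed roles in this account"
}
```

Setting the folder-level value with `precedence = "REQUIRED"` instead would block the account-level override, which is the usual way to stop any account from drifting into User Mode.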
Related Policies
- Compiled
- Source
- Custom Group Levels [Account]
- Custom Role Levels [Account]
- Custom Role Levels [Folder]
- Levels
- Levels [Default]
- Lockdown
- Superuser Boundary
- Terraform Version
- User Boundary
- Group
- Name Path [Default]
- Name Prefix [Default]
- Policy
- Role
- Tags Default
- User
Policy Specification

| Schema Type | |
|---|---|
| Default | |
| Valid Values [YAML] | `None`, `Policy-Only Mode`, `Role Mode`, `User Mode` |
| Examples [YAML] | |
Category
- tmod:@turbot/turbot#/control/categories/iamPermissions
Developers
- tmod:@turbot/aws-iam#/policy/types/permissions
- turbot graphql policy-type --id "tmod:@turbot/aws-iam#/policy/types/permissions"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-iam#/policy/types/permissions"