Turbot Guardrails Hub 

Policy: AWS > Turbot > Permissions

This policy determines the permission mode used by Guardrails. There are 3 possible configurations:

None: Guardrails will not manage any AWS IAM permissions. This setting is for organizations that want to maintain complete control over AWS IAM.

Policy-Only Mode: Guardrails policies are created in AWS IAM, but no management of roles or users will occur. This option helps automate policy creation across a wide number of accounts while keeping control in the hands of the organization.

Role Mode: Guardrails will create policies and roles within the AWS account. This allows administrators to assign AWS permissions in Guardrails. Users federate into AWS and will assume the role that is assigned to their profile in Guardrails.

User Mode: Guardrails will create policies, roles and users within the AWS account. Access granted at the folder level ABOVE the accounts will always leverage roles. Guardrails users granted access only at the folder level will NOT have a corresponding IAM User. If a user is granted any access explicitly on the account, an IAM user will be created for them.

Targets

This policy targets the following resource types:

  • AWS > Account

Primary Policy

This policy is used with the following primary policy:

  • AWS > Turbot

Related Policies

  • Compiled
  • Source
  • Custom Group Levels [Account]
  • Custom Role Levels [Account]
  • Custom Role Levels [Folder]
  • Levels
  • Levels [Default]
  • Lockdown
  • Superuser Boundary
  • Terraform Version
  • User Boundary
  • Group
  • Name Path [Default]
  • Name Prefix [Default]
  • Policy
  • Role
  • Tags Default
  • User

Controls

Setting this policy configures these controls:

  • AWS > Turbot > IAM
  • AWS > IAM > Role > Boundary
  • AWS > IAM > User > Boundary

Policy Specification

Schema Type
string
Default
Skip
Valid Values [YAML]
  • Skip
  • Check: None
  • Check: Policy-Only Mode
  • Check: Role Mode
  • Check: User Mode
  • Enforce: None
  • Enforce: Policy-Only Mode
  • Enforce: Role Mode
  • Enforce: User Mode
Examples [YAML]
  • Enforce: None

Category

  • IAM > Permissions

In Your Workspace

  • Policy Settings by Type report

Developers

  • Category URI
    • tmod:@turbot/turbot#/control/categories/iamPermissions
  • Policy Type URI
    • tmod:@turbot/aws-iam#/policy/types/permissions
  • GraphQL
    • query policyType(id: "tmod:@turbot/aws-iam#/policy/types/permissions") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissions'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissions'") { … }
  • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/aws-iam#/policy/types/permissions"
    • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-iam#/policy/types/permissions"