Policy: AWS > Turbot > Permissions > Lockdown > API Boundary

A list of APIs that should be allowed in the Guardrails boundary policy.

This is represented as a list of apis and their scope (regional or global).

For example:

- api: 's3:*' regionScope: regional - api: 'iam:*' regionScope: global

Note: That APIs can be enabled or disabled via the relevant AWS > {Service} > API Enabled policies. An API will be allowed in the boundary if it is EITHER enabled via AWS > {Service} > API Enabled OR added to the AWS > Turbot > Permissions > Lockdown > API Boundary policy.

Targets

This policy targets the following resource types:

AWS > Account

Primary Policy

This policy is used with the following primary policy:

AWS > Turbot > Permissions > Lockdown

Policy Specification

Default	`[]`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/iamPermissions

Policy Type URI

tmod:@turbot/aws-iam#/policy/types/permissionsLockdownApiBoundary

GraphQL

query policyType(id: "tmod:@turbot/aws-iam#/policy/types/permissionsLockdownApiBoundary") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLockdownApiBoundary'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-iam#/policy/types/permissionsLockdownApiBoundary'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/aws-iam#/policy/types/permissionsLockdownApiBoundary"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-iam#/policy/types/permissionsLockdownApiBoundary"