Policy: Turbot > Workspace > Policy Pack Attachment Levels

Restricts the scope where policy packs may be attached. By default, policy packs can be created anywhere in the hierarchy including right down to specific resources (e.g. an AWS S3 Bucket). This is powerful for exception management, but allows for complex configurations to emerge. Using this policy you can restrict policy pack attachment to the Folder or Accountable levels instead.

Note: This policy only blocks new policy pack attachments, it does not affect existing attachments.

Example: ACME approves security posture at an account level, resource level exceptions are not managed or allowed. Setting this policy to "Folder and Accountable" ensures that policy packs can only be attached to accounts and prevents resource level exceptions.

Related: Turbot > Workspace > Policy Setting Levels

Targets

This policy targets the following resource types:

Turbot

Primary Policy

This policy is used with the following primary policy:

Turbot > Workspace

Policy Specification

Schema Type	`string`
Default	`Anywhere`
Valid Values [YAML]	`Anywhere` `Folder` `Folder and Accountable`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/turbot#/control/categories/turbot

Policy Type URI

tmod:@turbot/turbot#/policy/types/policyPackAttachmentLevels

GraphQL

query policyType(id: "tmod:@turbot/turbot#/policy/types/policyPackAttachmentLevels") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/turbot#/policy/types/policyPackAttachmentLevels'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/turbot#/policy/types/policyPackAttachmentLevels'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/turbot#/policy/types/policyPackAttachmentLevels"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/turbot#/policy/types/policyPackAttachmentLevels"