Policy Packs

guardrails-samples

Ensure that IAM actions, such as creating, modifying, or deleting resources, can only be performed from trusted and approved networks.

Deny all AWS IAM actions from Unapproved Networks

main

aws_iam_role_boundary

Configure which boundary policy to apply to the IAM role .&#92;nThis must be the name of an existing AWS IAM Boundary policy.&#92;nAWS Boundary Policies are used to enforce Turbot Guardrails for&#92;nenabling/disabling API Services and Regions.&#92;n&#92;nIf set to `Check or Enforce per AWS &gt; Turbot &gt; Permissions`,&#92;nthe boundary will be enforced if Turbot &gt; Permissions are enforced, checked&#92;nif Turbot &gt; Permissions are  checked, and skipped if Turbot Permissions&#92;nare none or skip&#92;n

roleBoundary

AWS > IAM > Role > Boundary

aws_iam_role_boundary_policy

Configure which boundary policy to apply to the IAM role.&#92;nThis must be the name of an existing AWS IAM Boundary policy.&#92;nAWS Boundary Policies are used to enforce Turbot Guardrails for&#92;nenabling/disabling API Services and Regions.&#92;n

roleBoundaryPolicy

AWS > IAM > Role > Boundary > Policy

aws_iam_stack

Configure a custom stack on AWS, per the custom `Stack &gt; Source`.&#92;n&#92;nA Guardrails `Stack` is a set of resources configured by Guardrails, as specified&#92;nvia Terraform source.  Stacks are responsible for the creation and deletion&#92;nof multiple resources. Once created, stack resources are responsible for&#92;nconfiguring themselves from the stack source via their `Configured` control.&#92;n

iamStack

AWS > IAM > Stack

aws_iam_stack_source

The Terraform HCL source used to configure this stack.&#92;n&#92;nA Guardrails `Stack` is a set of resources configured by Guardrails, as specified&#92;nvia Terraform source.  Stacks are responsible for the creation and deletion&#92;nof multiple resources. Once created, stack resources are responsible for&#92;nconfiguring themselves from the stack source via their `Configured` control.&#92;n

Policy	Setting	Note
AWS > IAM > Role > Boundary	Calculated
AWS > IAM > Role > Boundary > Policy	myBoundaryPolicy
AWS > IAM > Stack	Check: Configured
AWS > IAM > Stack > Source	### Deny Actions from unapproved CIDRs ### resource "aws_iam_policy" "main" { # Boundary policy name that will be applied to the IAM role. name = "myBoundaryPolicy" path = "/" description = "Guardrails Managed Boundary policy to prevent actions from unapproved CIDRs" policy = jsonencode({ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "" "Resource": "", "Condition": { "IpAddress": { "aws:SourceIp": [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ] } } } ] }) }

Policy Settings