Announcement

Multi-directory federated cloud access with custom roles and groups

Cloud admins can leverage Guardrails as a central identity hub to assign temporary role-based access controls (RBAC) to users or groups.

Turbot Team
5 min. read - Mar 04, 2024

Turbot Guardrails is known for its ability to secure and optimize cloud resources instantly. It provides real-time defense that detects resource drift and remediates misconfigurations.

Multi-directory federated access for multi-cloud

(Image: Multi-directory federated access for multi-cloud)

Guardrails supports multi-directory aggregation by centralizing the management of one or more SAML, LDAP, and local directories. This joins identity profiles in a unified way, whether you use a single internal directory or aggregate several directories for break-glass access, secondary authentication through an identity provider when issues arise, or trusted third-party access. These enterprise-grade identity features scale with you.

Manage time-based role-based access controls (RBAC)

Each user or group from the associated directories can be assigned role-based or group-based permissions. In Guardrails, you have a single pane of glass to manage roles and groups across directories, cloud providers, and cloud accounts. In the example below, permissions are assigned across Guardrails, AWS, Azure and GCP. When set at the Folder level, permissions are automatically inherited by descendant cloud accounts; they can also be applied explicitly to specific cloud accounts.

(Image: Manage time-based role-based access controls (RBAC))

Permissions can be assigned in the Turbot Guardrails console, via the GraphQL API, or through the Guardrails Terraform Provider. When setting permissions, you choose the resource scope, the identities, and the permissions to be granted. Grants can take effect immediately, or later after pre-approval, and any permission grant can be set to expire.

(Image: Grant time-based role-based access controls (RBAC))

Consistent multi-cloud role definitions with extensibility

Guardrails comes packaged with more than 1,000 predefined roles, defined consistently at the ReadOnly, Operator, and Admin levels. Summary roles such as AWS/Admin cover all enabled AWS services; per-service roles are also available, such as AWS/S3/Admin. Each level can be enabled in one cloud account or across hundreds of them. Guardrails does the heavy lifting of PIM/PAM automation across environments.

(Image: Consistent multi-cloud role definitions)

While it's simplest to use Guardrails' role definitions out-of-the-box, you can modify these roles to include or exclude whatever IAM actions are applicable:

(Image: Extensible multi-cloud role definitions)

You may also wrap preventative controls around elevated access to restrict over-permissive grants. Guardrails can manage IAM permissions boundary policies and/or Lockdown policies, which explicitly apply Deny/NotAction IAM policies. In this example, restrictive policies for S3 actions are enabled:

(Image: Preventative cloud identity controls)
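The Deny/NotAction pattern described above, written out as an added Terraform example (this is not Turbot's or Guardrails' own code, and the policy and role names are hypothetical). The boundary first allows everything, because a permissions boundary is a ceiling and anything it does not allow is unavailable, and then denies every S3 action except a short read-only list. The Deny statement is scoped to S3 ARNs on purpose: a Deny with NotAction on Resource "*" would match every non-S3 action in the account as well, which is the classic NotAction pitfall.

```hcl
# Added example, not part of the original post or of Guardrails itself.
# Requires the hashicorp/aws provider to be configured in the surrounding module.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "s3_read_only_boundary" {
  # A permissions boundary caps what the identity policies can grant; without
  # an Allow here the role could do nothing at all, so start with the ceiling.
  statement {
    sid       = "BoundaryCeiling"
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }

  # Deny every S3 action that is NOT in this list. Resources are limited to S3
  # ARNs so that NotAction only bites on S3 requests; on Resource "*" it would
  # also deny every EC2, IAM, etc. action, because those are "not" in the list.
  statement {
    sid    = "DenyS3ExceptRead"
    effect = "Deny"
    not_actions = [
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:ListBucket",
      "s3:GetBucketLocation",
    ]
    resources = ["arn:aws:s3:::*"]
  }
}

resource "aws_iam_policy" "s3_read_only_boundary" {
  name   = "example-s3-read-only-boundary" # hypothetical name
  policy = data.aws_iam_policy_document.s3_read_only_boundary.json
}

# An elevated role with the boundary applied. Even if a later identity policy
# grants s3:*, the explicit Deny in the boundary keeps S3 writes and deletes
# blocked, since an explicit Deny always wins over an Allow.
resource "aws_iam_role" "operator" {
  name                 = "example-operator" # hypothetical name
  permissions_boundary = aws_iam_policy.s3_read_only_boundary.arn

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      Action    = "sts:AssumeRole"
    }]
  })
}
```

To check the effect, attach an identity policy granting s3:* to the role and use the IAM policy simulator: s3:GetObject on a bucket object is allowed, while s3:PutObject and s3:DeleteBucket report an explicit deny from the boundary. Extending the not_actions list is the only way to widen what the role may do in S3, which is exactly the review point a restrictive policy should force.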

Bring your own custom roles or deploy through Guardrails Stacks

Guardrails also enables you to bring your own provisioned roles into your cloud accounts, and associate them to Guardrails for unified management of permissions.

Simply associate the AWS > Turbot > Permissions > Custom Role Levels policy with a list of roles for Guardrails to begin managing.

Alternatively, you can deploy and manage roles using Guardrails' Stacks policies. Stacks deploy your Terraform configurations and manage any configuration drift in real time. When applying Stacks, you can assign them across multiple cloud accounts, with per-account variations where needed:

(Image: Bring your own custom roles or deploy through Guardrails Stacks)

Authenticate to Guardrails, federate into AWS

Guardrails can serve as a central authentication hub that federates multiple AWS, Azure, and GCP cloud accounts. When roles are assigned in Guardrails, users can select which account and role to assume, whether a Guardrails-managed role or a custom assigned role. Quick access to these accounts is available in the Guardrails UI, with a user profile summary that lists accounts for point-and-click authentication. Developers can also obtain credentials programmatically via the Turbot Guardrails CLI or the Guardrails API.

(Image: Authenticate to Guardrails, federate into AWS)

Manage time-based group-based access controls

AWS recommends IAM roles: separate IAM resources with attached permissions that users assume rather than own. Roles have built-in features for switching roles across accounts, authenticating in time-limited sessions, and defining the permissions an individual holds when they log in. Guardrails takes full advantage of IAM roles, and adds management and time-based access controls that are consistent across multi-cloud accounts.

Turbot Guardrails supports both user-based and role-based identity management across multiple cloud accounts, applying RBAC permissions to Users, Roles and now also custom IAM Groups.

For some limited scenarios, IAM users can provide more flexibility than roles, for example when you need to tie individuals and system accounts to long-standing authentication credentials, or apply granular permissions. Turbot Guardrails is the only cloud authentication platform on the market that can federate third-party identity, including Active Directory, Ping, and Okta, with AWS IAM users. End users never directly manage their associated IAM user entities; Guardrails automation ensures that they cannot become the IAM user from outside the organization's trusted network.

Without an automated cloud governance platform this is very hard to manage at scale, since IAM users are local to each account, policies can vary between accounts, and tracking changes across tens to thousands of identities is a huge challenge. Guardrails makes it easy, giving you the same RBAC capabilities with a more flexible permission model.

AWS IAM Group management guardrails

AWS IAM Groups simplify permissions management by enabling admins to assign common permission sets to groups of IAM users. For example, an admin could create a 'security_ops' group and grant it permissions to audit one or more AWS accounts. You then only need to add IAM users to the 'security_ops' group to give them the ability to audit the specified accounts.

Alternatively, AWS IAM Roles act as separate IAM resources with their own associated permissions. Turbot Guardrails applies the same RBAC model to both user-based and role-based identity management across multiple cloud accounts: Users, Roles, and now also IAM Groups.

Managing time-based IAM user and policy associations

To manage AWS IAM groups with Guardrails, you can either bring your own existing AWS IAM Groups for Guardrails to manage, or use Guardrails to deploy and manage AWS IAM Groups.

Initially, configure your AWS > Turbot > Permissions policy to Enforce: User Mode.

(Image: Enable Turbot Guardrails User Mode management)

Manage your own AWS IAM groups with Guardrails

After enabling User Mode, associate your existing AWS IAM groups, such as security_ops and cloud_team_admins.

(Image: Associate your AWS IAM Groups to Guardrails)

Once associated, these groups can be assigned to users in the Turbot Guardrails console, via the GraphQL API, or through the Guardrails Terraform Provider.

(Image: Assign AWS IAM Groups with Guardrails)

Guardrails continuously monitors IAM user groups, protecting against accidental removal and maintaining approved permissions consistently.

(Image: Detect and remediate permission drift)

Deploying and managing AWS IAM Groups with Guardrails

With Guardrails Stacks, deploying and managing AWS IAM groups is as straightforward as managing other cloud resources. Stacks use Terraform to define the desired state and keep the infrastructure immutable: if changes or deletions occur, Turbot automatically restores the original state, correcting the drift.

For example, a Stacks policy can be used to create an audit_team AWS IAM group and attach the AWS-managed SecurityAudit policy to it.

(Image: Deploy AWS IAM Groups IaC using Guardrails Stacks)
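The Terraform configuration such a Stacks policy would deploy, as an added example that is not Turbot's or Guardrails' own code. It covers both group patterns the post describes: the audit_team group with the AWS-managed SecurityAudit policy, and a security_ops group of the kind described in the IAM Group section. Group membership is deliberately left out of the configuration, because under User Mode it is Guardrails that adds and removes users on a time-based grant; how the HCL is attached to a Stacks policy setting is not shown on the page and is not part of this example.

```hcl
# Added example, not part of the original post or of Guardrails itself.
# Plain hashicorp/aws provider resources; Stacks supplies the provider
# configuration for each target account.

# Group names are taken from the post; the policy ARNs are AWS-managed policies.
locals {
  audit_groups = {
    audit_team   = "arn:aws:iam::aws:policy/SecurityAudit"
    security_ops = "arn:aws:iam::aws:policy/SecurityAudit"
  }
}

# One IAM group per entry. Guardrails (via Stacks) owns the desired state: if a
# group is deleted out of band, the next drift check recreates it.
resource "aws_iam_group" "audit" {
  for_each = local.audit_groups
  name     = each.key
}

# Attach the managed policy to the group, not to individual users, so that
# adding a user to the group is the only step needed to grant audit access
# and removing them revokes it in one place.
resource "aws_iam_group_policy_attachment" "audit" {
  for_each   = local.audit_groups
  group      = aws_iam_group.audit[each.key].name
  policy_arn = each.value
}

# Exported so the grant tooling (here: Guardrails) can reference the groups
# it is allowed to populate. Membership is intentionally NOT declared in this
# configuration; declaring it here would fight the time-based grants.
output "managed_audit_groups" {
  value = { for k, g in aws_iam_group.audit : k => g.arn }
}
```

If someone attaches an extra policy to audit_team by hand, aws_iam_group_policy_attachment does not by itself detach it (that is the behaviour of the non-exclusive attachment resource); a drift check that re-applies this configuration restores the declared attachment but leaves the unknown one to be reported, which is where the audit reporting described below earns its keep.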

Audit AWS IAM activity

Turbot Guardrails captures all user activity centrally, including both cloud provider actions and Guardrails' own operations. This enables comprehensive reporting on permission grants to users, groups, or roles. For instance, you can track how Bob grants Adam and Barry access to the audit_team AWS IAM group.

(Image: Audit AWS IAM activity with Guardrails Reporting)

Additionally, Guardrails can visualize configuration drift resulting from cloud resource changes, such as adding users to the audit_team group.

(Image: Audit AWS IAM configuration drift with Guardrails Reporting)

See it in action

Elevate your cloud management with time-based identity controls

With Guardrails' identity management, role-based and group-based access controls enhance both the security and the efficiency of your cloud governance operations.

Try Turbot Guardrails with a 14-day free trial to see how you can elevate your cloud identity management across AWS, Azure and GCP.