Route alerts to the right people with dynamic notification rules
New account-level permissions and flexible notification routing help app teams respond faster to cloud governance alerts.

In a previous announcement, we introduced Guardrails notifications with email, Slack, and Teams integrations, featuring embedded Quick Actions for on-the-spot remediation. Building on those capabilities, we've added new features to help application teams stay instantly aware of their cloud security and FinOps posture.
Account Permissions for App Teams
The new Account permissions are designed for application teams who need to react to alerts and manage their notifications. They provide a streamlined Guardrails experience focused on the resources that matter to the app team, giving the team more ownership and control over the posture of their cloud environments.
Permission Level | What They Can Do |
---|---|
Account/ReadOnly | View inventory, controls, policies, and notifications for their resources |
Account/Operator | Execute approved Quick Actions to remediate issues |
Account/Admin | Configure notification and issue-routing policies |
Account/Owner | Manage other Account/* permissions |
When an application developer or DevOps engineer logs in with Account permissions, they see a focused view of just their resources, making it intuitive to understand their compliance posture without the broader access of the full Guardrails configuration experience.
For context, these differ from Turbot/* permissions, which let cloud teams or delegated app teams manage their own cloud governance policies.
Granting App Teams Access
Permissions are assigned through the Guardrails permissions page for specific accountable resources (AWS accounts, Azure subscriptions, GCP projects, GitHub repositories, Kubernetes clusters, etc.).
Grants to Account/* permissions follow the same approach as managing other time-based, role-based access control (RBAC) permissions across Guardrails, AWS, Azure and GCP.
Permissions can be assigned in the Turbot Guardrails console, via the GraphQL API, or by way of the Guardrails Terraform Provider. When setting permissions, you choose the resource scope, the identities, and the permissions to be granted. Set criteria to act immediately, or later with pre-approval. Any permission grant can be set to expire.

Notification Routing to App Teams
With Account permissions established, you can route notifications to these profiles. Guardrails will send the notification to all users who have been granted the specified permissions via the email address in their profile. Using the Turbot > Notifications > Rule-Based Routing policy, you can specify the Account permissions, such as notifying the Account Owner and Admin when controls move from OK to ALARM state:
```yaml
- rules: "NOTIFY $.oldControl.state:ok $.control.state:alarm"
  profiles:
    - "Account/Owner"
    - "Account/Admin"
```
Commonly, profiles are used to route notifications to the account team for the resource. You can use any permissions for notification routing:
```yaml
- rules: "NOTIFY $.oldControl.state:ok $.control.state:alarm"
  profiles:
    - "AWS/Admin"
    - "Turbot/Owner"
```
The * wildcard is supported. For example, you can send notifications to anyone with Account permissions:
```yaml
- rules: "NOTIFY $.oldControl.state:ok $.control.state:alarm"
  profiles:
    - "Account/*"
```
Account-level CC Notifications
Sometimes, you want to loop others into notifications without requiring them to log in to Guardrails. The Turbot > Notifications > CC > * policies let you attach any email address to the associated resource. This allows you to maintain consistent notification lists for entire accounts, which suits distribution lists or teams that need awareness across all resources but not necessarily access to Turbot Guardrails.

Then you can combine these approaches in your notification rules:
```yaml
- rules: "NOTIFY $.oldControl.state:ok $.control.state:alarm"
  profiles:
    - "Account/Owner"
    - "Account/Admin"
    - "Account/CC"
```
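To review who a routing rule would reach before applying it, the following added example (not Turbot's code) models the rule and profile behaviour described above in Python, so an explicit profile list can be compared against `Account/*`. The grants, addresses and function names are constructed for illustration; only the `$.path:value` equality terms shown on this page are handled, and resolving `Account/CC` to the account CC list without `Account/*` covering it is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed sample data: permission grants on one account and its CC list.
GRANTS = [
    ("alice@example.com", "Account/Owner"),
    ("bob@example.com", "Account/Admin"),
    ("carol@example.com", "Account/ReadOnly"),
    ("dave@example.com", "AWS/Admin"),
]
ACCOUNT_CC = ["app-team-dl@example.com"]

RULES = [
    {"rules": "NOTIFY $.oldControl.state:ok $.control.state:alarm",
     "profiles": ["Account/Owner", "Account/Admin", "Account/CC"]},
]

def lookup(event, path):
    """Resolve a '$.a.b' path against a nested dict; None if absent."""
    node = event
    for key in path.removeprefix("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def rule_matches(rule_text, event):
    """True if every '$.path:value' term of a NOTIFY rule equals the event."""
    action, *terms = rule_text.split()
    if action != "NOTIFY":
        return False
    for term in terms:
        path, _, expected = term.rpartition(":")
        if lookup(event, path) != expected:
            return False
    return True

def recipients(rules, event, grants=GRANTS, cc=ACCOUNT_CC):
    """Email addresses a control state change would reach under the rules."""
    out = set()
    for rule in rules:
        if not rule_matches(rule["rules"], event):
            continue
        for profile in rule["profiles"]:
            if profile == "Account/CC":  # assumption: CC is a list, not a grant
                out.update(cc)
            # '*' in a profile expands over granted permission names
            out.update(e for e, perm in grants if fnmatchcase(perm, profile))
    return sorted(out)
```

Swapping the profile list for `["Account/*"]` in this model adds the read-only user and drops the CC list, which is the kind of difference worth checking before widening a rule.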
Resource-level CC Notifications
For the most precise control over notification routing, Guardrails allows you to use resource tags to direct notifications to specific email addresses. This feature is particularly powerful for complex environments where:
- Multiple teams share responsibility for resources within a single account
- Specialized teams need awareness of specific resource types (like databases or network components)
- External stakeholders require notifications about particular resources
Use the turbot_notification_cc tag (or your custom tag name) on any resource to specify notification recipients.

When a policy violation occurs on a tagged resource, notifications are automatically sent to the email address in the tag value. You can customize the tag name used for notification routing by setting the Turbot > Notifications > CC > Tag > Name policy to match your existing tagging standards.
See it in Action
Watch how these features work together to streamline your cloud governance workflow, from detection through notification to resolution, all while keeping the right stakeholders involved at every step.
Get Started
Turbot Guardrails account permissions and tag-based notifications are available now for all customers. Start assigning permissions, tagging resources, and setting routing rules today to empower your application teams with alerts that drive action.
Have questions? Join the conversation in our Slack community in the #guardrails channel.