Announcement

Route alerts to the right people with dynamic notification rules

New account-level permissions and flexible notification routing help app teams respond faster to cloud governance alerts.

Turbot Team
5 min. read - Apr 14, 2025

In a previous announcement, we introduced Guardrails notifications with email, Slack, and Teams integrations, featuring embedded Quick Actions for on-the-spot remediation. Building on those capabilities, we've added new features to help application teams stay instantly aware of their cloud security and FinOps posture.

Account Permissions for App Teams

The new Account permissions are designed for application teams who need to react to alerts and manage their own notifications. They provide a streamlined Guardrails experience focused on the resources that matter to the app team, giving the team more ownership of, and control over, the posture of its cloud environment.

| Permission Level | What They Can Do |
|---|---|
| Account/ReadOnly | View inventory, controls, policies, and notifications for their resources |
| Account/Operator | Execute approved Quick Actions to remediate issues |
| Account/Admin | Configure notification and issue-routing policies |
| Account/Owner | Manage other Account/* permissions |

When an application developer or DevOps engineer logs in with Account permissions, they see a focused view of just their resources, making it intuitive to understand their compliance posture without the broader access of the full Guardrails configuration experience.

For context, these differ from the Turbot/* permissions, which allow cloud teams (or delegated app teams) to manage the cloud governance policies themselves.

Granting App Teams Access

Permissions are assigned through the Guardrails permissions page for specific accountable resources (AWS accounts, Azure subscriptions, GCP projects, GitHub repositories, Kubernetes clusters, etc.).

Grants of Account/* permissions follow the same approach as the other time-bound, role-based access control (RBAC) permissions managed across Guardrails, AWS, Azure, and GCP.

Permissions can be assigned in the Turbot Guardrails console, via GraphQL API, or by way of the Guardrails Terraform Provider. When setting permissions, you choose the resource scope, the identities, and the permissions to be granted. Set criteria to act immediately, or later with pre-approval. Any permission grant(s) can be set to expire:

[Figure: Guardrails Account Permission Grant]

Notification Routing to App Teams

With Account permissions established, you can route notifications to these profiles. Guardrails will send the notification to all users who have been granted the specified permissions via the email address in their profile. Using the Turbot > Notifications > Rule-Based Routing policy you can specify the Account permissions, such as notifying the Account Owner and Admin when controls move from OK to ALARM state:

- rules: "NOTIFY $.oldControl.state:ok $.control.state:alarm"
  profiles:
    - "Account/Owner"
    - "Account/Admin"

Commonly, profiles are used to route notifications to the account team for the resource. You can use any permissions for notification routing:

- rules: "NOTIFY $.oldControl.state:ok $.control.state:alarm"
  profiles:
    - "AWS/Admin"
    - "Turbot/Owner"

The * wildcard is supported. For example, you can send notifications to anyone holding any Account permission:

- rules: "NOTIFY $.oldControl.state:ok $.control.state:alarm"
  profiles:
    - "Account/*"

Account-level CC Notifications

Sometimes you want to loop others into notifications without requiring them to log in to Guardrails. This is where the Turbot > Notifications > CC > * policies come in: they attach any email address to the associated resource. This lets you maintain consistent notification lists for entire accounts, ideal for distribution lists or teams that need awareness across all resources but not necessarily access to Turbot Guardrails.

[Figure: Guardrails Account CC list]

Then you can combine these approaches in your notification rules:

- rules: "NOTIFY $.oldControl.state:ok $.control.state:alarm"
  profiles:
    - "Account/Owner"
    - "Account/Admin"
    - "Account/CC"

Resource-level CC Notifications

For the most precise control over notification routing, Guardrails allows you to use resource tags to direct notifications to specific email addresses. This feature is particularly powerful for complex environments where:

  • Multiple teams share responsibility for resources within a single account
  • Specialized teams need awareness of specific resource types (like databases or network components)
  • External stakeholders require notifications about particular resources

Use the turbot_notification_cc tag (or your custom tag name) on any resource to specify notification recipients:

[Figure: S3 bucket with turbot_notification_cc tag]

When a policy violation occurs on a tagged resource, notifications are automatically sent to the email address in the tag value. You can customize the tag name used for notification routing by setting the Turbot > Notifications > CC > Tag > Name policy to match your existing tagging standards.
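To make the routing model above concrete, here is an added, simplified resolver (not Guardrails code) that takes one control state change and works out who gets mailed from a rule list, the permission grants on the account, the account CC list, and the turbot_notification_cc tag. The rule grammar it assumes (NOTIFY followed by path:value terms that must all match), the wildcard matching of profiles against grant names, and the sample grants and addresses are all constructed for illustration.

```python
import fnmatch

# Constructed sample data (not from Guardrails): permission grants on one
# AWS account, its CC list, and the tags of the resource that raised the alert.
GRANTS = {
    "Account/Owner": ["owner@example.com"],
    "Account/Admin": ["admin@example.com"],
    "Account/ReadOnly": ["viewer@example.com"],
    "Turbot/Owner": ["cloudteam@example.com"],
}
CC_LIST = ["app-team-dl@example.com"]
RESOURCE_TAGS = {"turbot_notification_cc": "dba@example.com", "env": "prod"}

# The Rule-Based Routing policy from the announcement, as a Python structure.
ROUTING = [
    {"rules": "NOTIFY $.oldControl.state:ok $.control.state:alarm",
     "profiles": ["Account/*", "Account/CC"]},
]

def rule_matches(rule, event):
    """Assumed reading of the rule syntax: 'NOTIFY' followed by path:value
    terms, all of which must equal the event's fields for the rule to fire."""
    action, *terms = rule.split()
    if action != "NOTIFY":
        return False
    return all(event.get(path) == value
               for path, value in (t.rsplit(":", 1) for t in terms))

def resolve(event, routing=ROUTING, grants=GRANTS, cc_list=CC_LIST,
            tags=RESOURCE_TAGS, cc_tag="turbot_notification_cc"):
    """Return the sorted recipient list for one control state change.
    Profiles are matched against grant names with '*' wildcards; 'Account/CC'
    expands to the account CC list; the cc_tag value (the tag name is what the
    CC > Tag > Name policy configures) is added whenever a rule fires."""
    recipients = set()
    fired = False
    for entry in routing:
        if not rule_matches(entry["rules"], event):
            continue
        fired = True
        for profile in entry["profiles"]:
            if profile == "Account/CC":
                recipients.update(cc_list)
            recipients.update(email for perm, emails in grants.items()
                              if fnmatch.fnmatch(perm, profile) for email in emails)
    if fired and tags.get(cc_tag):
        recipients.add(tags[cc_tag])
    return sorted(recipients)

if __name__ == "__main__":
    print(resolve({"$.oldControl.state": "ok", "$.control.state": "alarm"}))
```

Note that an alarm-to-alarm transition produces no recipients, because the rule only fires on the OK-to-ALARM edge.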

See it in Action

Watch how these features work together to streamline your cloud governance workflow, from detection through notification to resolution, all while keeping the right stakeholders involved at every step.

Get Started

Turbot Guardrails account permissions and tag-based notifications are available now for all customers. Start assigning permissions, tagging resources, and setting routing rules today to empower your application teams with alerts that drive action.

Have questions? Join the conversation in our Slack community in the #guardrails channel.