Intelligent Assessment: Natural language Guardrails powered by AI
Define Guardrails policies using natural language to assess AWS, Azure and GCP posture with any custom logic.

Turbot Guardrails now provides an AI-powered approach, called Intelligent Assessment controls, to defining Guardrails policies using natural language prompts. These new policies allow you to simply describe the posture you want to check with any custom logic.
For example, rather than setting multiple policies for various conditions, you can set one policy with a user prompt of:
Check if versioning is enabled and multi-factor delete is configured when a 'data-classification':'restricted' tag is present. If the tag is not present, then just check if versioning is enabled.
The control will immediately assess the resources in scope:
The control reason is generated to provide specific insights based on the configurations of the cloud resource: "The S3 bucket has versioning enabled (Status is Enabled) which meets the requirement. The 'data-classification':'restricted' tag is not present in the bucket tags, so multi-factor delete configuration is not required according to the evaluation criteria. The bucket has proper versioning enabled with Status set to Enabled, satisfying the only applicable requirement."
Bring Your Own AI
This new feature is AI-powered and lets you use your own AI access keys and models from OpenAI and Anthropic. By using your own AI credentials, you maintain complete control over your data and AI processing while leveraging your existing AI provider relationships and pricing agreements. This approach ensures your governance data never leaves your control and allows you to use the most advanced models available through your preferred AI provider.
Guardrails provides default system prompts and temperature controls that have been tested and optimized, which you can extend or customize as needed. To integrate your preferred AI service with Guardrails, follow our AI Configuration guide.
Getting Started with Intelligent Assessment
Standard Guardrails controls are prescriptive. For example, AWS > S3 > Bucket > Versioning is purpose-built to verify if versioning is enabled or suspended. When in "Check" mode you can assess the conditions, and when in "Enforce" mode Guardrails will automatically remediate and maintain your posture at all times.
Using calculated policies, you can extend the logic with dynamic, conditional requirements to meet your nuanced governance posture.
Now with Intelligent Assessment controls, you can create your own freeform prompt. Let's start with a similar AWS S3 Bucket Versioning check:
Check if versioning is enabled
The control will evaluate each S3 bucket and clearly indicate whether versioning is enabled, providing explanations for any failures. In this example, all "acme-turbot-demo" buckets have versioning enabled. The control reason is automatically generated with:
"Versioning is enabled for the S3 bucket 'acme-demo-turbot-1' as confirmed by the Versioning.Status property which is set to 'Enabled'."
Multi-Condition Assessment
Now let's implement a check that combines multiple requirements:
Check if versioning is enabled and multi-factor delete is configured
This single control now evaluates both versioning AND whether MFA delete settings are enabled, combining multiple checks into one assessment. Now we see that none of the buckets meet this requirement. The control reason provides further details such as:
"Versioning is enabled for the S3 bucket 'acme-demo-turbot-1' as shown by Versioning.Status being 'Enabled', but multi-factor delete (MFADelete) is set to 'Disabled'. The evaluation requires both versioning to be enabled and multi-factor delete to be configured."
Conditional Logic Assessment
We can take the requirements even further with conditional logic. In this case, we will include additional context that only buckets with a specific tag require MFA Delete enabled:
Check if versioning is enabled and multi-factor delete is configured when a 'data-classification':'restricted' tag is present. If the tag is not present, then just check if versioning is enabled.
This policy automatically handles nuanced logic based on conditional requirements and data sensitivity levels. With all of this logic included, only a few buckets are out of compliance. The automated control reason provides insights into why the bucket is passing the requirements:
"The S3 bucket has versioning enabled (Status is Enabled) which meets the requirement. The 'data-classification':'restricted' tag is not present in the bucket tags, so multi-factor delete configuration is not required according to the evaluation criteria. The bucket has proper versioning enabled with Status set to Enabled, satisfying the only applicable requirement."
Transform Your Cloud Governance with AI
Intelligent Assessment controls provide a new way to implement AWS, Azure, and GCP governance policies with the ease of describing your posture using natural language.
Get started with a 14-day free trial of Intelligent Assessment Controls today.