Policy Settings in 7 minutes
|Goal||Create a policy setting.|
Automated controls require a large number of configuration settings to determine their desired behavior. In Turbot Guardrails, Policies are used to manage these settings.
In this exercise, you will create policy settings to manage S3 Bucket tags using the Turbot Guardrails Console UI.
By the end of this lab, you will be able to create and view policy settings and values in the Turbot Guardrails Console.
You must have at least one S3 bucket that has been discovered in your workspace. It is recommended that you create a test bucket for this lab.
View a Policy Value
In the Turbot Guardrails Console, navigate to the test bucket that you created in the prerequisite step. Our test bucket name is turbot-bucket-version, which we can search for at the main Turbot Guardrails screen. Click on the bucket once it is found.
From the list of Policy Values for this bucket, click on the Template (Bucket > Tags > Template) item to bring up the policy value.
The Policy Value page shows the Policy Hierarchy on the left, and the current value in the box.
In the example above you can see that the policy value is
 (in other words,
a blank array), and that this value comes from the default.
Create a new Policy Setting
- In the VALUE box, click the CREATE SETTING link to bring up the Create Policy Setting page.
- Note that the Policy Type field has already been set to
AWS > S3 > Bucket > Tags > Templateand the Resource is set to your bucket.
- In the Setting field, enter some tags and values:
Department: "Sales"Company: "Vandelay Industries"Cost Center: "314159"
Browse the Hierarchy
You can create or edit policy values anywhere at or above the resource in the policy hierarchy. In the previous example, we created a setting on the bucket, thus it applies only to that bucket. You could instead create a policy setting on a folder, account, or region that would apply to ALL the buckets in that folder, account, or region.
- By default, items in the hierarchy that do not affect the value are hidden.
- Note that you can View and Edit or create a Setting anywhere above the bucket in the hierarchy.
Set Precedence, note and expiration
By default, the policy setting page will create an unannotated, non-expiring, required setting. You can change these options when creating or editing a policy setting.
- Click EDIT in the policy setting that you created earlier.
- Add a note in the Notes field
- Add expiration to
24 hoursto make this policy setting expire.
- Click Update
- Note that the policy setting now shows the expiration and annotation.
Create a Policy Setting to Enforce Tags
AWS > S3 > Bucket > Tags > Template that you set previously defines the
set of tags that should exist, but to enforce tagging, you must also set the
AWS > S3 > Bucket > Tags policy.
- From the Policies tab, click the New Policy Setting button marked in green.
- Search and select
AWS > S3 > Bucket > Tagsas Policy Type.
- If you were already filtered on your test bucket, it will be automatically selected as the Resource. If not, select it. You may search by name, or Browse for it.
- In the Setting field, select
Enforce: Set Tags
- Click Create. A new policy setting will be created. Within a few seconds, the Tags control will run and set the tags from your tags template to your S3 bucket.