Create a Static Exception to a Guardrails AWS Policy

In this guide you’ll learn how to exempt a specific resource from an account-wide policy

This is the sixth guide in the Getting started with AWS series.

Prerequisites:

  • Completion of the previous guides in this series.
  • Access to the Guardrails console with administrative privileges.

Step 1: Open the Controls by State report

Navigate to the Controls by State report, expand the Type dropdown, and search for aws s3 bucket versioning.

Step 2: Set the Type filter

Enable the checkbox next to AWS > S3 > Bucket > Versioning to filter by Type.

Step 3: Set the State filter

You can also filter by State. Expand that dropdown, and enable the checkbox next to Alarm.

Step 4: Choose a bucket

Pick a control, here bucket-example-03, and click its linked name.

Step 5: View resource details

Because we were viewing the Controls by State report, our action landed us on the Control Details page. We can switch to the Resource Detail view by using the blue Resource link next to the sub-tab bar.

Step 6: Open the new policy dialog

Now you are are viewing the Resource Detail for the selected bucket, create an exception for this resource. To do that you will create a new policy setting. Select the Policies sub-tab and click the green New Policy Setting button.

Step 7: Select the policy type

In the Search policy types... input box, type aws s3 bucket versioning, and enable the checkbox next to AWS > S3 > Bucket > Versioning.

Step 8: Create the policy exception

Choose the Skip setting, and select Create.

Step 9: Confirm the setting

This bucket is now exempt from the requirement to enable versioning.

Step 10: View in context

Select the Hierarchy tab. The account-level policy specifies Check: Enabled. You’ve overridden that with an exception that exempts this particular bucket from that policy.

Step 11: Review bucket activity

Select the Activity tab and observe the history. When you created the bucket-level policy setting to make an exception for this bucket, the control reevaluated and set the status to Skipped.

Step 12: Review

In this guide you created a resource-level exception for the Bucket Versioning control.

Next Steps

In the next guide we’ll see how to dynamically calculate an exception based on a resource tag.

Progress tracker

  • Prepare an AWS Account for Import to Guardrails
  • Connect an AWS Account to Guardrails
  • Observe AWS Resource Activity
  • Enable Your First Policy Pack
  • Review Account-Wide Governance
  • Create a Static Exception to a Guardrails Policy
  • Create a Calculated Exception to a Guardrails Policy
  • Send an Alert to Email
  • Apply a Quick Action
  • Enable Automatic Enforcement