Create a Static Exception to a Guardrails AWS Policy
In this guide you’ll learn how to exempt a specific resource from an account-wide policy.
This is the sixth guide in the Getting started with AWS series.
Prerequisites:
- Completion of the previous guides in this series.
- Access to the Guardrails console with administrative privileges.
Step 1: Open the Controls by State report
Navigate to the Controls by State report, expand the Type dropdown, and search for aws s3 bucket versioning.
Step 2: Set the Type filter
Enable the checkbox next to AWS > S3 > Bucket > Versioning to filter by Type.
Step 3: Set the State filter
You can also filter by State. Expand that dropdown, and enable the checkbox next to Alarm.
Step 4: Choose a bucket
Pick a control, here bucket-example-03, and click its linked name.
Step 5: View resource details
Because we were viewing the Controls by State report, our action landed us on the Control Details page. We can switch to the Resource Detail view by using the blue Resource link next to the sub-tab bar.
Step 6: Open the new policy dialog
Now that you are viewing the Resource Detail for the selected bucket, create an exception for this resource. To do that you will create a new policy setting. Select the Policies sub-tab and click the green New Policy Setting button.
Step 7: Select the policy type
In the Search policy types... input box, type aws s3 bucket versioning, and enable the checkbox next to AWS > S3 > Bucket > Versioning.
Step 8: Create the policy exception
Choose the Skip setting, and select Create.
Step 9: Confirm the setting
This bucket is now exempt from the requirement to enable versioning.
Step 10: View in context
Select the Hierarchy tab. The account-level policy specifies Check: Enabled. You’ve overridden that with an exception that exempts this particular bucket from that policy.
Step 11: Review bucket activity
Select the Activity tab and observe the history. When you created the bucket-level policy setting to make an exception for this bucket, the control reevaluated and set the status to Skipped.
Step 12: Review
In this guide you created a resource-level exception for the Bucket Versioning control.
Next Steps
In the next guide we’ll see how to dynamically calculate an exception based on a resource tag.
Progress tracker
- Prepare an AWS Account for import to Guardrails
- Connect an AWS Account to Guardrails
- Observe AWS Resource Activity
- Enable Your First Policy Pack
- Review Account-Wide Bucket Versioning
- Create a Static Exception to a Guardrails Policy
- Create a Calculated Exception to a Guardrails Policy
- Send an Alert to Email
- Apply a Quick Action
- Enable Automatic Enforcement