Enable Automatic Enforcement

In this guide we’ll show how you can enable Guardrails to act autonomously. For large cloud footprints, it is often desirable to have Guardrails take automated actions based on your organization's compliance and security posture. Guardrails' controls can take a number of different automated enforcement actions, including deleting resources, changing the configuration of a resource, and tagging a resource.

This is the last guide in the Getting started with AWS series.

Prerequisites:

  • Completion of the previous guides in this series.
  • Access to the Guardrails console with administrative privileges.
Note

In the previous guide we showed how to add the single permission that enables you to take a Quick Action on S3 bcket versioning. This guide also requires that permission, so you can not proceed if you didn't follow the steps in the previous guide.

Step 1: Open the Policy Pack

In the guide titled Enable your First Policy Pack you enabled Enforce Versioning is Enabled for AWS S3 Buckets. Select Policies from the top-level navigation bar, then choose that policy pack from the list.

Step 2: Edit the policy setting

Select the pencil icon next to the calculated policy you created earlier.

Step 3: Disable calculated mode

Select Disable calculated mode to return to standard policy mode.

Step 4: Enable enforcement

Choose Enforce: Enabled from the list of policy options and then select Update.

Step 5: Observe Guardrails in action

Use your bookmark to navigate back to Controls by State report, and use the Type filter to choose AWS > S3 > Bucket > Versioning. In a few minutes all of your buckets in this account are now either OK or Skipped (except the one you created an exception for in the Create a static exception guide).

Try suspending versioning on a bucket. It won’t stay that way for long!

Step 6: Review

In this guide series you learned the basics of importing AWS accounts into Guardrails, enabling policy packs, creating exceptions and notifications, and even more mischief.

Next Steps

This Getting Started series just scratches the surface of what you can do with Guardrails. Try installing more policy packs into your workspace, and run through this series again to explore the breadth and variety of what Guardrails can do.

Progress tracker

Congratulations! You did it!

  • Prepare an AWS Account for import to Guardrails
  • Connect an AWS Account to Guardrails
  • Observe AWS Resource Activity
  • Enable Your First Policy Pack
  • Review Account-Wide Bucket Versioning
  • Create a Static Exception to a Guardrails Policy
  • Create a Calculated Exception to a Guardrails Policy
  • Send an Alert to Email
  • Apply a Quick Action
  • Enable Automatic Enforcement