Prepare an AWS Account for Import to Guardrails

In this guide, you will prepare an AWS account to be imported into Guardrails by deploying an IAM access role using a CloudFormation template.

This is the first guide in the Getting started with AWS series.

Prerequisites

  • Access to the Turbot Guardrails console with admin privilege.

  • An AWS Account to import into Guardrails.

Note

While Guardrails does not need admin access to your AWS account, you will need elevated access to create the cross account roles necessary to import the account in readonly mode.

Step 1: Login to Guardrails

Login to your Guardrails console and select the CONNECT option from the home page.

Step 2: Download the CloudFormation template

Guardrails needs an IAM role that grants permission to discover resources in your account and to monitor changes via event handlers. The CloudFormation template downloaded in this step has the minimum permissions necessary to create that role.

Select AWS Account from the left navigation and then click the blue Download CloudFormation Template button to download the CloudFormation template you will use to create the required IAM role in your AWS account.

Important

Leave this browser tab open while we do the next steps in a different tab. Closing and reopening this page will cause a new random ExternalID to be generated.

Step 3: Create the stack

Open a new tab and login to your AWS account. Navigate to the CloudFormation service and create a stack with new resources.

Step 4: Upload the template

On the Create Stack page, select Upload a template file and then click the Choose file button.

Use the file dialog to find and upload the file you downloaded in step 2, then select the Next button.

Step 5: Launch the stack

In the Stack Name field, enter guardrails-import and then scroll down the page.

Review the rest of the default values (no changes should be needed), and then select the Next button at the bottom of the page:

On the next page of the stack wizard, scroll to the bottom, enable the acknowlegement checkbox and then the Next button.

On the final page of the wizard, scroll to the bottom of the page and select the Submit button.

Step 6: Verify the stack

Wait for the stack to complete and for the status of the stack to change to CREATE_COMPLETE.

Step 7: Review stack outputs

Select the Outputs tab and copy the ARN of the Guardrails IAM role.

Step 8: Review

In this guide you've learned how to deploy an AWS role that grants minimal permissions to Guardrails using the AWS CloudFormation service.

Next Steps

In the next guide you will use the IAM role you just created to import an AWS account into Guardrails.

Troubleshooting

If you run into issues following this guide, jump in the #guardrails channel in the Turbot Community Slack, or open a support ticket.

Progress tracker

  • Prepare an AWS Account for Import to Guardrails
  • Connect an AWS Account to Guardrails
  • Observe AWS Resource Activity
  • Enable Your First Policy Pack
  • Review Account-Wide Governance
  • Create a Static Exception to a Guardrails Policy
  • Create a Calculated Exception to a Guardrails Policy
  • Send an Alert to Email
  • Apply a Quick Action
  • Enable Automatic Enforcement