Setting Up With Turbot-Managed IAM Role
In this guide, you will:
- Setup Global Event Handlers in the Guardrails workspace using the Guardrails UI.
- Monitor and troubleshoot the GEH update process.
Guardrails is designed to enable organizations to selectively install policies, controls, and guardrails tailored to specific services. The Global Event Handler simplifies cloud management by providing a unified framework for responding to and managing events, ensuring proactive governance and security across cloud environments.
Prerequisites
- Turbot/Owner permissions at the Turbot resource level.
- Familiarity with Guardrails console.
- Turbot Guardrails configured IAM role should have required IAM permissions to create IAM role and policy.
- CloudTrail should be configured. See here for more details.
Step 1: Login Guardrails Console
Log into the Guardrails console with provided local credentials or by using any SAML based login.
Step 2: Enable Service Role
IAM role is required for Global Event handler. This can be created manually by customer or can be done by AWS Turbot Service Role
Check if all the AWS > Turbot > Service Rolescontrols in all AWS accounts are in OK state
Step 3: Check Service Role Source Policy
Select any one of the control from the above step and navigate to Policies, select Source to validate the created policy.
NoteYou can create these roles manually and use the same. Open a Support Ticket to help you with the process in case you need to create these roles manually as per your compliance need.
Step 4: Enable Global Event Handler
In the Guardrails's console navigate to the Policies and search for AWS > Turbot > Service Roles > Event Handlers [Global] policy. Select New Policy Setting
![Event Handlers [Global] Policy](/_next/image?url=%2Fimages%2Fdocs%2Fguardrails%2Fguides%2Faws%2Fglobal-event-handlers%2Fsetup-with-turbot-managed-iam-role%2Fgeh-policy.png&w=2048&q=75)
Choose Resource as Turbot and Setting as Enabled
Step 5: Review
Validate that the setting is applied successfully. While in Settings tab, select Event Handler [Global] value.
Ensure the value is shown as Enabled. Select no of values circled to validate the number of account where the policy is applied.
Check if all the related controls for AWS > Turbot > Event Handlers [Global] are in OK state. You can browse to the Reports tab, navigate to Controls by State, select AWS > Turbot > Event Handlers [Global] in Types. Ensure all controls are in OK state.
Step 6: Verify Events
The global event handlers are now configured in the target account. To verify they are functioning correctly:
Primary Region Testing: Create a resource in the primary region and verify its detection. Confirm that the associated controls are triggered and executed based on the policies set in the Guardrails console.
Secondary Region Testing: Create a resource in a secondary region and verify its detection. Ensure that the associated controls are triggered and executed according to the policies set in the Guardrails console.
Troubleshooting
| Issue | Description | Guide |
|---|---|---|
| Permission Issues | If the permissions granted to the Turbot IAM role do not allow configuration of event rules and SNS topics, then the logs will indicate access denied. | Troubleshoot Permission Issues |
| Service control policies (SCPs) Regional Restrictions | SCPs restrictions will appear as Access Denied errors in the Guardrails console. | Work with your SCP admins to determine which regions are permitted then update the AWS > Account > Regions policy to match. |
| Further Assistance | If you continue to encounter issues, please open a ticket with us and attach the relevant information to assist you more efficiently. | Open Support Ticket |