Enabling AWS IAM User Mode
What is User Mode?
User Mode provides a full set of AWS permission management capabilities using AWS IAM users and groups. User mode is suited for customers that have business restrictions preventing the use of Guardrails Policy-only, or Role permission modes.
User Mode utilizes AWS IAM users, groups, and policies to assign rights to user profiles in a Guardrails workspace to log into AWS accounts.
In general, Turbot recommends using Role Mode.
Enabling User Mode
To enable User Mode, simply set the policy AWS > Turbot > Permissions
to Enforce: User Mode.
Once this policy is set, a series of actions will be triggered.
- The policy
AWS > Turbot > Permissions > Sourcewill automatically run, generating a Terraform configuration for theAWS > Turbot > IAMstack control. - The control
AWS > Turbot > IAMwill run automatically when a change in theAWS > Turbot > Permissions > Sourcepolicy value is detected. - Once the necessary cloud resources are created, the
AWS > Turbot > IAMcontrol should go into an OK state. If there are errors, reach out to Turbot Support.
Granting Permissions to Users
Granting AWS access to Guardrails console users with User Mode is analogous to Role Mode. Refer to our Permissions Guide for more information. Be sure to doublecheck the resource scope prior to assignment!
AWS IAM User Mode Login Names
Guardrails-created IAM users are derived from the policy
AWS > IAM > Login User Names. By default, Guardrails calculates the profile username value using the following
nunjucks template:
{% if $.profile.profileId %}- '{{ $.profile.profileId }}'{% else %} [] {% endif %}This policy can be modified if desired, but in general the default setting is sufficient.
Notes:
- Exceptions can be set directly on Guardrails profiles to customize the login username for specific users.
- Login User Names must be unique.
Enabling AWS/* Rights
- Use
AWS > {Service} > Enabledpolicies to grant user rights to the specific service. For example, useAWS > EC2 > Enabledto allow EC2 permission grants. By default, all AWS services are denied. TheAWS > {Service} > Enabledpolicy settings will enable those services. - The policy
AWS > {Service} > Permissions > Levelscan be configured to restrict what permission levels can be assigned with respect to a particular service. The available options are Metadata, ReadOnly, Operator, Admin, and Owner. Refer to Guardrails Standard Levels for more information. - Allowed permission levels across all services can be defined using the blanket
policy,
AWS > Turbot > Permissions > Levels [Default]. - The AWS > Turbot > Permissions > Custom Group Levels [Account] policy setting can be
used to add custom IAM groups to the Guardrails standard
AWS/{Permission}andAWS/{Service}/{Permission Level}permission assignments.
Boundary Policy
Turbot can be configured to apply boundary policies to users and super users via the following two policies:
AWS > Turbot > Permissions > Superuser BoundaryAWS > Turbot > Permissions > User Boundary
For questions regarding AWS Permission boundaries, refer to AWS documentation.
Additionally, refer to Turbot Lockdown and Boundary Policy documentation for more information on how Turbot utilizes boundary policies to restrict permissions.
Name Prefix and Paths
AWS IAM resources can have customized name prefixes as well as paths. This can be beneficial for customers who utilize these parameters for automation and identification.
To set the Name prefix of an AWS IAM policy, role, or group, set:
AWS > Turbot > Permissions > Group > Name PrefixAWS > Turbot > Permissions > Policy > Name PrefixAWS > Turbot > Permissions > Role > Name Prefix
To set a global name prefix. use
AWS > Turbot > Permissions > Name Prefix [Default].
To set the Name path of policy, role, user, or group, set:
AWS > Turbot > Permissions > Group > Name PathAWS > Turbot > Permissions > Policy > Name PathAWS > Turbot > Permissions > Role > Name PathAWS > Turbot > Permissions > User > Name Path
A global path can be defined using the policy
AWS > Turbot > Permissions > Name Path [Default].