Enabling AWS Services in Guardrails
This section details the steps required to enable services for an AWS Account. Alternatively, you can use the aws_services baseline which automates this process.
All supported services have an Enabled policy.
AWS > EC2 > Enabled
AWS > S3 > Enabled
AWS > DynamoDB > Enabled
You should enable any services that users are allowed to use. By default, the value of these policies is set to Disabled. When a service is disabled, users granted permissions to cloud accounts via Guardrails will not be able to manage the service. Additionally, other policies may reference this policy to determine their behavior. For example, the default behavior of the Approved control is that any resources are unapproved unless the service is enabled.
Examples
# AWS > IAM > Enabled
resource "turbot_policy_setting" "aws_iam_enabled" {
  resource = "id of account or parent folder/policy pack"
  type     = "tmod:@turbot/aws-iam#/policy/types/iamEnabled"
  value    = "Enabled"
}

# AWS > EC2 > Enabled
resource "turbot_policy_setting" "aws_ec2_enabled" {
  resource = "id of account or parent folder/policy pack"
  type     = "tmod:@turbot/aws-ec2#/policy/types/ec2Enabled"
  value    = "Enabled"
}

# AWS > S3 > Enabled
resource "turbot_policy_setting" "aws_s3_enabled" {
  resource = "id of account or parent folder/policy pack"
  type     = "tmod:@turbot/aws-s3#/policy/types/s3Enabled"
  value    = "Enabled"
}
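As an added example (not from the Guardrails documentation or the aws_services baseline), the three settings above can be collapsed into one for_each resource that doubles as an explicit allowlist: only the services in the map are enabled, and everything omitted keeps the default Disabled. The provider source "turbot/turbot" and the variable name are assumptions.

```terraform
# Added example, not Guardrails' own code. Assumes the Turbot Terraform
# provider is published as "turbot/turbot" and that the caller supplies
# the target resource id through the variable below.
terraform {
  required_providers {
    turbot = {
      source = "turbot/turbot" # assumed registry source
    }
  }
}

variable "target_resource_id" {
  description = "Guardrails id of the account, folder or policy pack to apply the Enabled policies to"
  type        = string
}

# Allowlist of services users may manage. A service missing from this map
# stays at its default of Disabled, so users granted access through
# Guardrails cannot manage it and dependent controls such as Approved
# keep treating its resources as unapproved.
locals {
  enabled_services = {
    iam = "tmod:@turbot/aws-iam#/policy/types/iamEnabled"
    ec2 = "tmod:@turbot/aws-ec2#/policy/types/ec2Enabled"
    s3  = "tmod:@turbot/aws-s3#/policy/types/s3Enabled"
  }
}

# One policy setting per allowlisted service, all pointed at the same target.
resource "turbot_policy_setting" "aws_service_enabled" {
  for_each = local.enabled_services

  resource = var.target_resource_id
  type     = each.value
  value    = "Enabled"
}

# Handy during change review: shows exactly which services this plan enables.
output "enabled_aws_services" {
  value = sort(keys(local.enabled_services))
}
```

Adding a service is a one-line change to the map, and removing it from the map destroys the setting on the next apply, returning that service to Disabled.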