Goal: Create a policy setting.
Automated controls require a large number of configuration settings to determine their desired behavior. In Turbot, Policies are used to manage these settings.
In this exercise, you will create policy settings to manage S3 Bucket tags using the Turbot Console UI.
By the end of this lab, you will be able to create and view policy settings and values in the Turbot Console.
- Install the aws and aws-s3 mods.
- You must have at least one S3 bucket that has been discovered in your workspace. It is recommended that you create a test bucket for this lab.
- In the Turbot Console, navigate to the test bucket that you created in the prerequisite step. Our test bucket name is turbot-bucket-version, which we can search for at the main Turbot screen. Click on the bucket once it is found.
- Click the Policies tab. It shows both Policy Settings and Policy Values.
- From the list of Policy Values for this bucket, click on the Template (Bucket > Tags > Template) item to bring up the policy value.
The Policy Value page shows the Policy Hierarchy on the left, and the current value in the box.
In the example above you can see that the policy value is [] (in other words, a blank array), and that this value comes from the default.
- In the VALUE box, click the CREATE SETTING link to bring up the Create Policy Setting page.
- Note that the Policy Type field has already been set to AWS > S3 > Bucket > Tags > Template and the Resource is set to your bucket.
In the Setting field, enter some tags and values:
    Department: "Sales"
    Company: "Vandelay Industries"
    Cost Center: "314159"
- Click Create to create the setting. Note that the Policy setting is updated to show that the new setting on the bucket is now the active setting, and the value is updated with the value for the setting. To see the updated value, go to the Values tab and click on the policy value record displayed.
You can create or edit policy values anywhere at or above the resource in the policy hierarchy. In the previous example, we created a setting on the bucket, thus it applies only to that bucket. You could instead create a policy setting on a folder, account, or region that would apply to ALL the buckets in that folder, account, or region.
- By default, items in the hierarchy that do not affect the value are hidden.
- Note that you can View and Edit or create a Setting anywhere above the bucket in the hierarchy.
By default, the policy setting page will create an unannotated, non-expiring, required setting. You can change these options when creating or editing a policy setting.
- Click EDIT in the policy setting that you created earlier.
- Add a note in the Notes field.
- Set the expiration to 24 hours to make this policy setting expire.
- Click Update.
- Note that the policy setting now shows the expiration and annotation.
The AWS > S3 > Bucket > Tags > Template policy that you set previously defines the set of tags that should exist, but to enforce tagging, you must also set the AWS > S3 > Bucket > Tags policy.
- From the Policies tab, click the New Policy Setting button marked in green.
- Search and select AWS > S3 > Bucket > Tags as Policy Type.
- If you were already filtered on your test bucket, it will be automatically selected as the Resource. If not, select it. You may search by name, or Browse for it.
- In the Setting field, select Enforce: Set Tags.
- Click Create. A new policy setting will be created. Within a few seconds, the Tags control will run and set the tags from your tags template to your S3 bucket.