Active Guardrails
Overview
The Active guardrail flags whether the resource is in active use, and if not, has the ability to delete/cleanup the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active guardrail brings automated, well-defined control to this process.
The Active guardrail is completely independent of the Approved guardrail. For example, an Approved resource may actually be Inactive - e.g. an S3 bucket created 2 years ago with no items and no usage. Similarly, an Unapproved resource may be Active - e.g. an S3 bucket in an unapproved region that is still receiving active traffic.
In general, Approved is considered more at the point of resource creation while Active is considered more as the resource reaches the end of it's useful life.
The Active guardrail checks the status of the defined Active policies for the resource, raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active. Note the contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
The core Active policy has a consistent form: {service} > {resource} > Active
AWS > S3 > Bucket > Active
AWS > SNS > Topic > Active
AWS > EC2 > Instance > Active
The values for this policy reflect how it should be checked and the action to take if the resource is not active. The basic form is:
Skip Check: Active Enforce: {action} inactive with {period} warning
# AWS > S3 > Bucket Active - Skip - Check: Active - Enforce: Delete with 1 day warning - Enforce: Delete with 3 days warning - Enforce: Delete with 7 days warning - Enforce: Delete with 14 days warning - Enforce: Delete with 30 days warning - Enforce: Delete with 60 days warning - Enforce: Delete with 90 days warning - Enforce: Delete with 180 days warning - Enforce: Delete with 365 days warning
The alarm lifecycle is as follows:
- If Active, the status is OK.
- If Inactive, the status is ALARM and the warning period starts.
- If Inactive and the warning period has expired, the enforcement action is taken.
- The enforcement action is typically a delete, which will then automatically cleanup the alarm. If it fails, the alarm will remain in ALARM or ERROR state.
The Active guardrail and policy have a number of sub-settings to determine the
attributes of the Active check. The format of these policy types is
{service} > {resource} > Active > {Items}
:
{service} > {resource} > Active > Status {service} > {resource} > Active > Last Modified {service} > {resource} > Active > Recently Used {service} > {resource} > Active > Age
Each of these policies defines rules or settings to determine if that specific area or attribute of the resource is Active. Per above, if any Active sub-check returns active then the overall resource is active.
AWS > IAM > Access Key > Active > Age
AWS > IAM > Access Key > Active > Status
AWS > IAM > Access Key > Active > Last Modified
AWS > IAM > Access Key > Active > Recently Used
Guardrails Resource Active Evaluation
For an Active control, the status is based on the evaluation of the child policy conditions. This happens in the following order:
- If any of the Active > * policies evaluate to
Force Active
, the resource isActive
. - If any of the Active > * policies evaluate to
Force Inactive
, the resource isInactive
. - If any of the Active > * policies evaluate to
Active
, the resource isActive
. - If any of the Active > * policies evaluate to
Inactive
, the resource isInactive
. - If all Active > * policies evaluates to
Skip
, the control will be inSkipped
.
For example, if one policy evaluates to Inactive
, but another evaluates to
Force Active
, the resulting control will deem the resource Active
.
Active controls are designed to be slow to decide, but forceful in action. This
is in contrast to the Approved
family of policies, guardrails, and controls,
which are designed to be fast to decide, but weak in action.
Example: AWS > EC2 > Instance > Active
First, assume that the instance is 60 days old, but it was last modified only 15 days ago (i.e. tags on the instance were changed). The following policies have been configured in Guardrails:
- AWS > EC2 > Instance > Active > Age is set to
Force inactive if age > 60 days
. - AWS > EC2 > Instance > Active > Last Modified is set to
Active if last modified <= 30 days
. - AWS > EC2 > Instance > Active > Budget is set to
Force inactive if Budget > State is Over or higher
. - AWS > Account > Budget > State is set to
Under
. - AWS > EC2 > Instance > Active is set to
Check: Active
.
In order, these policies will evaluate to Active
(age is equal to 60 days),
Active
(modified within the last 30 days) and Active
(As Account spending is
below the budget and the current state is under). Using the rules above, the
final result is that the instance is Active
. The last policy in the list tells
the AWS > EC2 > Instance > Active
control how to evaluate the result. In this
case, the control is simply checking the instance for being active or not. The
policy evaluation of Active
results in the control being in the OK state.
Example: AWS > EC2 > Volume > Active
First, assume that the volume is 170 days old, but it was last modified 58 days ago (i.e. tags on the volume were changed). The volume is available and not attached to any instance. The following policies have been configured in Guardrails:
- AWS > EC2 > Volume > Active > Age is set to
Force inactive if age > 180 days
. - AWS > EC2 > Volume > Active > Last Modified is set to
Active if last modified <= 60 days
. - AWS > EC2 > Volume > Active > Attached is set to
Force inactive if unattached
. - AWS > EC2 > Volume > Active > Budget is set to
Skip
. - AWS > EC2 > Volume > Active is set to
Enforce: Detach, snapshot and delete inactive with 7 days warning
.
In order, these policies will evaluate to Active
(age is less than 180 days) ,
Active
(modified within the last 60 days) and Force inactive
as the volume
is not attached. Using the rules above, the final result is that the volume is
Force inactive
. The last policy in the list tells the
AWS > EC2 > Volume > Active
control how to evaluate the result. The policy
evaluation of Force inactive
results in the control being in the ALARM
state. In this case, the control is going to take action and will schedule
volume deletion in 7 days from the date of alarm. A snapshot will get created
prior to deleting the volume.