Automated controls require a large number of configuration settings from the biggest decisions (e.g. allowed services) right down to small, but critical, details (e.g. automated tags for cost management). In Turbot, Policies are used to manage these settings.
In Turbot, policies provide:
- Clearly defined, validated and managed definitions for all Resources managed by Turbot
- Secure enforcement of required settings across large environments
- Exception management, including automatic expiration
- Shared defaults via recommended settings
Turbot Policies can be managed using the Turbot UI, Turbot API or software configuration management tools.
The v5 mods directory is an invaluable resource for looking up policy URIs, policy values and policy defaults. (A free, self-registered account is required.)
A control objective is a business need, for example enforcing encryption at rest for S3, EC2, and RDS. Note that a control objective may require one or many policies to fully implement.
A Policy Type targets one or more resource types. This defines which type of resources the setting applies to.
For example, the `GCP > Storage > Bucket > Approved` policy applies to `GCP > Storage > Bucket` resource types.
While the policy type targets a specific resource type, you may set the policy at any scope in the Policy Hierarchy at or above the resource. Organizations can define policies such as restricted regions for a folder in Turbot which are then inherited by accounts and resources within said folder.
Setting the `GCP > Storage > Bucket > Approved` policy at the Project scope will affect all of the buckets in that Project.
Policy settings have a precedence, which defines whether they are required or recommended on descendant resources.
The Policy Setting is the desired value for the policy. For example, an organization could define specific approved RDS database engine types, which takes three simple policies. Alternatively, another organization might want to tag Azure resources with Terraform, where the full power of policies is exercised, combining Terraform deployment, Turbot Files, and Calculated Policies.
Every policy can have an expiration, after which the policy will no longer be in effect.
Controls implement policies. The policy setting is created, an applicable resource inherits the value, and the relevant control will check and/or remediate the resource.
Consider an S3 bucket Resource called `my-bucket`, an instance of the Resource Type `AWS > S3 > Bucket`. To define the correct configuration of `my-bucket`, a few policy settings are required. For example:
| Type | Setting to define for `my-bucket` |
|---|---|
| `AWS > S3 > Bucket > Approved` | `"Enforce: Delete if new & empty"` |
| `AWS > S3 > Bucket > Approved > Regions` | `[ "us-*" ]` |
| `AWS > S3 > Bucket > Encryption at Rest` | `"Enforce: AWS SSE or higher"` |
The above policy settings are then applied directly to the bucket (if the policies were set at the bucket resource level) as a value, or are inherited as a value (the typical situation). In this case, we are telling Turbot to `Enforce: Delete if new & empty` if either encryption is not configured to be `AWS SSE or higher` OR the bucket is created in a region outside of the US.
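The following is an added example, not Turbot's own code, that models the two mechanisms described above: how a setting placed at a scope in the hierarchy is inherited (with required settings winning over recommended ones and expired exceptions dropping out), and how the three `AWS > S3 > Bucket` settings from the table combine into the check the Approved control performs. The policy type names and values are the ones from the table; the scope names, the account id, the sample buckets, the exact precedence tie-break rule and the 24-hour definition of "new" are constructed assumptions for this illustration.

```python
"""Toy model of policy inheritance and control evaluation (added example, not Turbot code).

Assumptions: scope names, the account id, the sample buckets, the tie-break rule in
resolve() and NEW_BUCKET_WINDOW are all constructed for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Any, List, Optional


@dataclass
class PolicySetting:
    policy_type: str
    value: Any
    precedence: str = "REQUIRED"        # "REQUIRED" or "RECOMMENDED"
    expires: Optional[datetime] = None  # None means the setting never expires

    def is_active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires


@dataclass
class Scope:
    """A node in the policy hierarchy (Turbot root, folder, account, resource)."""
    name: str
    parent: Optional["Scope"] = None
    settings: List[PolicySetting] = field(default_factory=list)

    def lineage(self) -> List["Scope"]:
        """This scope first, then each ancestor up to the root."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


def resolve(scope: Scope, policy_type: str, now: datetime) -> Any:
    """Effective value of policy_type at scope, or None if nothing applies.

    Modelled rule (an assumption for this example): an active REQUIRED setting
    cannot be overridden below it, so the REQUIRED setting nearest the root wins;
    otherwise the RECOMMENDED setting nearest the resource wins. Expired settings
    are skipped, so an expired exception silently falls back to the inherited value.
    """
    active = [s for node in scope.lineage() for s in node.settings
              if s.policy_type == policy_type and s.is_active(now)]
    required = [s for s in active if s.precedence == "REQUIRED"]
    if required:
        return required[-1].value       # list is resource-first, so [-1] is root-most
    return active[0].value if active else None


@dataclass
class Bucket:
    name: str
    region: str
    sse: Optional[str]   # server-side encryption algorithm, None if unencrypted
    object_count: int
    created: datetime


NEW_BUCKET_WINDOW = timedelta(hours=24)   # assumed meaning of "new" for this example


def bucket_approved_control(bucket: Bucket, scope: Scope, now: datetime) -> str:
    """Combine the three table settings: returns "ok", "alarm" or "delete"."""
    approved = resolve(scope, "AWS > S3 > Bucket > Approved", now)
    regions = resolve(scope, "AWS > S3 > Bucket > Approved > Regions", now) or []
    encryption = resolve(scope, "AWS > S3 > Bucket > Encryption at Rest", now)

    region_ok = any(fnmatch(bucket.region, pattern) for pattern in regions)
    if encryption == "Enforce: AWS SSE or higher":
        encryption_ok = bucket.sse is not None
    else:
        encryption_ok = True            # no enforcing setting in effect at this scope
    if region_ok and encryption_ok:
        return "ok"
    is_new = now - bucket.created <= NEW_BUCKET_WINDOW
    if approved == "Enforce: Delete if new & empty" and is_new and bucket.object_count == 0:
        return "delete"                 # remediate: unapproved, new and empty
    return "alarm"                      # unapproved, but not safe to delete


# Constructed hierarchy: Turbot root > "Production" folder > one account.
T_BEFORE_EXPIRY = datetime(2023, 12, 1, tzinfo=timezone.utc)
T_AFTER_EXPIRY = datetime(2024, 2, 1, tzinfo=timezone.utc)

ROOT = Scope("Turbot", settings=[
    PolicySetting("AWS > S3 > Bucket > Encryption at Rest", "Enforce: AWS SSE or higher"),
])
FOLDER = Scope("Production", parent=ROOT, settings=[
    PolicySetting("AWS > S3 > Bucket > Approved", "Enforce: Delete if new & empty"),
    PolicySetting("AWS > S3 > Bucket > Approved > Regions", ["us-*"], precedence="RECOMMENDED"),
])
ACCOUNT = Scope("111111111111 (constructed account id)", parent=FOLDER, settings=[
    # Exception: this account may also use eu-west-1, automatically expiring on 2024-01-01.
    PolicySetting("AWS > S3 > Bucket > Approved > Regions", ["us-*", "eu-west-1"],
                  precedence="RECOMMENDED", expires=datetime(2024, 1, 1, tzinfo=timezone.utc)),
])


def example_buckets(now: datetime) -> List[Bucket]:
    """Constructed sample buckets, with creation times relative to the evaluation time."""
    return [
        Bucket("my-bucket", "us-east-1", "aws:kms", 10, now - timedelta(days=30)),
        Bucket("eu-new-empty", "eu-west-1", "AES256", 0, now - timedelta(hours=1)),
        Bucket("unencrypted-old", "us-west-2", None, 5, now - timedelta(days=400)),
    ]


def evaluate_all(now: datetime) -> dict:
    """Control result per sample bucket, evaluated within ACCOUNT at time now."""
    return {b.name: bucket_approved_control(b, ACCOUNT, now) for b in example_buckets(now)}


if __name__ == "__main__":
    for label, now in (("before expiry", T_BEFORE_EXPIRY), ("after expiry", T_AFTER_EXPIRY)):
        print(label, resolve(ACCOUNT, "AWS > S3 > Bucket > Approved > Regions", now),
              evaluate_all(now))
```

Running it shows the account-level region exception taking effect before its expiry (the `eu-west-1` bucket is approved) and silently falling back to the folder's `["us-*"]` afterwards, at which point the same bucket, being new and empty, is selected for deletion, while the long-lived unencrypted bucket only raises an alarm because the root's required encryption setting is violated but the bucket is neither new nor empty.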