Enabling AWS IAM User Mode

What is User Mode?

User Mode provides a full set of AWS permission management capabilities using AWS IAM users and groups. User Mode is suited to customers whose business restrictions prevent the use of Turbot's Policy-only or Role permission modes.

Turbot User Mode uses AWS IAM users, groups, and policies to grant Turbot users the rights to log into AWS accounts.

In general, Turbot highly recommends Role Mode if Turbot IAM management is being implemented!

Enabling User Mode

To enable Turbot User Mode, simply set the policy AWS > Turbot > Permissions to Enforce: User Mode.

Once this policy is set, a series of actions will be triggered.

  1. The policy AWS > Turbot > Permissions > Source will automatically run, generating a Terraform configuration for the Turbot stack.
  2. The control AWS > Turbot > IAM will run automatically when a change in the AWS > Turbot > Permissions > Source policy value is detected.
  3. Once the necessary cloud resources are created, the control AWS > Turbot > IAM should go into an OK state. If there are errors, reach out to Turbot Support.

Granting Permissions to Users

Granting AWS access to Turbot users with User Mode is analogous to Role Mode. Refer to our Permissions Guide for more information. Be sure to double-check the resource scope prior to assignment!

AWS IAM User Mode Login Names

Turbot-created IAM users are named according to the policy AWS > IAM > Login User Names. By default, Turbot calculates the login user name for a profile using the following Nunjucks template:

{% if $.profile.profileId %}- '{{ $.profile.profileId }}'{% else %} [] {% endif %}

This policy can be modified if desired, but in general the default setting is sufficient.

Notes:

  • Exceptions can be set directly on Turbot profiles to customize the login user name for specific users.
  • Login User Names must be unique.
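The default template above yields the profile's profileId as a one-item list, or an empty list (no IAM user) when the profile has no profileId. The following Python is an added example, not Turbot code: it reproduces that default logic over a constructed set of profiles, applies per-profile exceptions (modelled here as an `overrides` dict, an assumption about how you would represent them outside Turbot), and checks the two things that bite in practice: duplicate login user names and names that are not valid IAM user names.

```python
import re

# Constructed sample Turbot profiles (not real data). profileId is the
# attribute the default AWS > IAM > Login User Names template reads.
PROFILES = [
    {"id": "p1", "displayName": "Jane Doe",  "profileId": "jane.doe"},
    {"id": "p2", "displayName": "Bob Roe",   "profileId": "bob.roe"},
    {"id": "p3", "displayName": "Svc Build", "profileId": None},        # no profileId -> no user
    {"id": "p4", "displayName": "Jane D.",   "profileId": "jane.doe"},  # collides with p1
    {"id": "p5", "displayName": "Bad Name",  "profileId": "jane doe"},  # space is not a valid IAM char
]

# AWS IAM user names: 1-64 characters from the set [A-Za-z0-9+=,.@_-].
IAM_USER_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{1,64}$")


def default_login_names(profile, overrides=None):
    """Mirror the default template: [profileId] when present, otherwise [].

    `overrides` (assumed representation of per-profile exceptions) maps a
    profile id to the list of login names that replaces the computed value.
    """
    overrides = overrides or {}
    if profile["id"] in overrides:
        return list(overrides[profile["id"]])
    pid = profile.get("profileId")
    return [pid] if pid else []


def audit_login_names(profiles, overrides=None):
    """Compute every profile's login names and report uniqueness/validity problems.

    Returns a dict with:
      names      -> {login name: [profile ids that resolve to it]}
      no_name    -> profile ids that resolve to [] (no IAM user will be created)
      invalid    -> (profile id, name) pairs that are not valid IAM user names
      duplicates -> login names claimed by more than one profile
    """
    names = {}
    no_name, invalid = [], []
    for p in profiles:
        computed = default_login_names(p, overrides)
        if not computed:
            no_name.append(p["id"])
        for name in computed:
            if not IAM_USER_NAME_RE.match(name):
                invalid.append((p["id"], name))
            names.setdefault(name, []).append(p["id"])
    duplicates = sorted(n for n, owners in names.items() if len(owners) > 1)
    return {"names": names, "no_name": no_name,
            "invalid": invalid, "duplicates": duplicates}


if __name__ == "__main__":
    report = audit_login_names(PROFILES)
    print("no login name:", report["no_name"])     # ['p3']
    print("invalid names:", report["invalid"])     # [('p5', 'jane doe')]
    print("duplicates:  ", report["duplicates"])   # ['jane.doe']
    # Resolving the collision with an exception on profile p4:
    print(audit_login_names(PROFILES, overrides={"p4": ["jane.d"]})["duplicates"])  # []
```

Run the audit against an export of your profiles before switching the policy to Enforce: a duplicate name means two profiles would map to the same IAM user, and a profile with no profileId silently gets no user at all.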

Enabling AWS/* Rights

  • Use AWS > {Service} > Enabled policies to grant user rights to the specific service. For example, use AWS > EC2 > Enabled to allow EC2 permission grants.
  • The policy AWS > {Service} > Permissions > Levels can be configured to restrict what permission levels can be assigned with respect to a particular service. The available options are Metadata, ReadOnly, Operator, Admin, and Owner. Refer to Turbot's Standard Levels for more information.
  • Allowed permission levels across all services can be defined using the blanket policy, AWS > Turbot > Permissions > Levels [Default].

Boundary Policy

Turbot can be configured to apply boundary policies to users and super users via the following two policies:

  • AWS > Turbot > Permissions > Superuser Boundary
  • AWS > Turbot > Permissions > User Boundary

For questions regarding AWS Permission boundaries, refer to AWS documentation.

Additionally, refer to Turbot Lockdown and Boundary Policy documentation for more information on how Turbot utilizes boundary policies to restrict permissions.
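A permissions boundary never grants anything by itself: the effective permissions of a user are the intersection of the identity policies attached to it and its boundary, and an explicit Deny in either side wins. The following Python is an added illustration of that rule, not Turbot's evaluation logic or AWS's: it is a deliberately simplified evaluator that handles only Effect and Action (with IAM's `*`/`?` wildcards) on all resources, ignoring Resource, Condition, NotAction, and resource-based or session policies. The two policy documents are constructed samples.

```python
from fnmatch import fnmatchcase

# Constructed sample boundary: everything in S3, read-only EC2, and a hard
# deny on IAM. This would be the document behind a policy such as
# AWS > Turbot > Permissions > User Boundary (assumption about how you would
# feed it in; the page does not show the document format).
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]},
        {"Effect": "Deny",  "Action": "iam:*"},
    ],
}

# Constructed sample identity policy granted to the user by a permission level.
IDENTITY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:RunInstances", "iam:CreateUser"]},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_decision(policy, action):
    """Decision of one policy document for `action`: 'Allow', 'Deny' or 'ImplicitDeny'.

    IAM action names are case-insensitive, so both sides are lower-cased before
    the wildcard match.
    """
    decision = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        patterns = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins within the document
        decision = "Allow"
    return decision


def effective_decision(identity_policy, boundary, action):
    """Combine identity policy and boundary: Deny anywhere wins, else both must Allow."""
    d_identity = policy_decision(identity_policy, action)
    d_boundary = policy_decision(boundary, action)
    if "Deny" in (d_identity, d_boundary):
        return "Deny"
    if d_identity == "Allow" and d_boundary == "Allow":
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    for act in ["s3:GetObject", "s3:PutObject", "ec2:RunInstances", "ec2:DescribeInstances", "iam:CreateUser"]:
        print(f"{act:25} identity={policy_decision(IDENTITY, act):12} "
              f"boundary={policy_decision(BOUNDARY, act):12} -> {effective_decision(IDENTITY, BOUNDARY, act)}")
```

The four outcomes worth noticing: s3:GetObject is allowed by both and succeeds; ec2:RunInstances is granted by the identity policy but not by the boundary, so it is implicitly denied; s3:PutObject is inside the boundary but not granted to the user, so the boundary does not add it; iam:CreateUser is explicitly denied by the boundary no matter what the identity policy says.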

Name Prefix and Paths

AWS IAM resources can have customized name prefixes as well as paths. This can be beneficial for customers who utilize these parameters for automation and identification.

To set the name prefix of an AWS IAM policy, role, or group, set:

  • AWS > Turbot > Permissions > Group > Name Prefix
  • AWS > Turbot > Permissions > Policy > Name Prefix
  • AWS > Turbot > Permissions > Role > Name Prefix

To set a global name prefix, use AWS > Turbot > Permissions > Name Prefix [Default].

To set the name path of a policy, role, user, or group, set:

  • AWS > Turbot > Permissions > Group > Name Path
  • AWS > Turbot > Permissions > Policy > Name Path
  • AWS > Turbot > Permissions > Role > Name Path
  • AWS > Turbot > Permissions > User > Name Path

A global path can be defined using the policy AWS > Turbot > Permissions > Name Path [Default].
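To see what these settings produce, the following Python is an added example, not Turbot code: it resolves a resource type's prefix and path from the policies listed above, falling back to the [Default] policy when the type-specific one is unset (an assumption about how Turbot's [Default] policies behave, used here as the fallback rule), validates the path against AWS's IAM path rules (must begin and end with "/", printable ASCII between, at most 512 characters), and composes the resulting IAM name and ARN. Settings are keyed by the policy name as a plain string, a representation chosen for this example; the account id is a placeholder.

```python
import re

ACCOUNT_ID = "123456789012"  # placeholder account id, not a real account

# AWS IAM path: "/" alone, or "/" + printable ASCII + "/"; 1-512 characters.
IAM_PATH_RE = re.compile(r"^/$|^/[\x21-\x7F]+/$")

# Constructed sample of the relevant Turbot policy settings. Type-specific
# policies win over the [Default] ones; User has no Name Prefix policy because
# user names come from AWS > IAM > Login User Names.
SETTINGS = {
    "AWS > Turbot > Permissions > Name Prefix [Default]": "turbot_",
    "AWS > Turbot > Permissions > Name Path [Default]": "/turbot/",
    "AWS > Turbot > Permissions > Role > Name Prefix": "tb-role-",
    "AWS > Turbot > Permissions > User > Name Path": "/turbot/users/",
}

RESOURCE_TYPES = ("Group", "Policy", "Role", "User")


def resolve_setting(settings, kind, attr):
    """Type-specific policy first, then the [Default] policy, then AWS's own default."""
    specific = f"AWS > Turbot > Permissions > {kind} > {attr}"
    default = f"AWS > Turbot > Permissions > {attr} [Default]"
    aws_default = "" if attr == "Name Prefix" else "/"
    return settings.get(specific, settings.get(default, aws_default))


def iam_name_and_arn(settings, kind, base_name, account_id=ACCOUNT_ID):
    """Return (IAM name, ARN) for a Turbot-managed resource of the given type."""
    if kind not in RESOURCE_TYPES:
        raise ValueError(f"unknown resource type {kind!r}")
    # No prefix policy exists for User on this page, so users get none.
    prefix = resolve_setting(settings, kind, "Name Prefix") if kind != "User" else ""
    path = resolve_setting(settings, kind, "Name Path")
    if len(path) > 512 or not IAM_PATH_RE.match(path):
        raise ValueError(f"invalid IAM path {path!r}: must start and end with '/'")
    name = f"{prefix}{base_name}"
    # ARN layout: arn:aws:iam::<account>:<type><path><name>, path carries its own slashes.
    arn = f"arn:aws:iam::{account_id}:{kind.lower()}{path}{name}"
    return name, arn


if __name__ == "__main__":
    for kind, base in [("Group", "admins"), ("Policy", "ec2_operator"),
                       ("Role", "admin"), ("User", "jane.doe")]:
        name, arn = iam_name_and_arn(SETTINGS, kind, base)
        print(f"{kind:7} {name:22} {arn}")
    # A path missing its slashes is rejected before anything is created.
    try:
        iam_name_and_arn({"AWS > Turbot > Permissions > Group > Name Path": "turbot"}, "Group", "x")
    except ValueError as e:
        print("rejected:", e)
```

The ARN is what you will need in boundary policies, SCPs or CloudTrail queries that match on Turbot-managed identities, so it is worth checking that a prefix or path change still matches the patterns those documents use.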