Commit

revise everything
judell committed Jul 2, 2024
1 parent fa01034 commit ab8dbf7
Showing 78 changed files with 626 additions and 676 deletions.
75 changes: 24 additions & 51 deletions docs/integrations/aws/getting-started-aws/apply_quick_action.md
Expand Up @@ -6,86 +6,59 @@ nav:
---


## Apply a Quick Action
# Apply a Quick Action

## Introduction

**Purpose**: This runbook shows a Guardrails administrator how to apply a Quick Action to fix a problem.

**Prerequisites**:

- [Connect an AWS account to Guardrails with readonly permissions]()

- [Review and test a Guardrails AWS control]()

- [Enable event handlers for fast change detection]()

- [Set a Guardrails policy for AWS resources]()

- [Create a static exception to a Guardrails AWS policy]()

- [Create a calculated exception to a Guardrails AWS policy]()
- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account)
- [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity)
- [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy)
- [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception)
- [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception)
- [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email)

- [Set an alert on an AWS Guardrails control]()

## Procedure

### Step 1: Update the Turbot IAM role

In [Enable event handlers for fast change detection]() we added the minimum permissions needed for Event Handlers. Now we’ll add on more permission to enable Guardrails to take one specific action on buckets: enable (or disable) versioning.

Attach the policy to the role.

```json
{
        "Version": "2012-10-17",
        "Statement": [
                {
                        "Effect": "Allow",
                        "Action": [
                                "s3:PutBucketVersioning"
                        ],
                        "Resource": "arn:aws:s3:::*"
                }
        ]
}
````

### Step 2: Enable Quick Actions
### Step 1: Enable Quick Actions

Click the top-level `Policies` tab and search for `Quick Actions`.
<p><img alt="aws_start_6_find_quick_actions_policies" style={{"width":"50%"}} src="/images/docs/guardrails/runbook/aws_start_6_find_quick_actions_policies.png"/></p>
<p><img alt="aws_start_6_find_quick_actions_policies" style={{"width":"50%"}} src="/images/docs/guardrails/runbook/aws_start_6_find_quick_actions_policies.png"/></p><br/>

Click into `Turbot > Quick Actions > Enabled`, click the `Settings` tab, and click the edit (pencil) icon.
<p><img alt="aws_start_6_ready_to_enable_quick_actions" src="/images/docs/guardrails/runbook/aws_start_6_ready_to_enable_quick_actions.png"/></p>
<p><img alt="aws_start_6_ready_to_enable_quick_actions" src="/images/docs/guardrails/runbook/aws_start_6_ready_to_enable_quick_actions.png"/></p><br/>

Now change the setting to `Enabled` and update the policy setting.
<p><img alt="aws_start_6_set_quick_actions_enabled" style={{"width":"50%"}} src="/images/docs/guardrails/runbook/aws_start_6_set_quick_actions_enabled.png"/></p>
<p><img alt="aws_start_6_set_quick_actions_enabled" style={{"width":"50%"}} src="/images/docs/guardrails/runbook/aws_start_6_set_quick_actions_enabled.png"/></p><br/>

### Step 3: Find a bucket in `Alarm` for versioning


From the top-level `Controls` tab, search for `s3 bucket versioning`, click into `AWS > S3 > Bucket > Versioning`, then click the `Controls` tab there.
<p><img alt="aws_start_6_find_bucket_in_alarm_for_versioning" style={{"width":"50%"}} src="/images/docs/guardrails/runbook/aws_start_6_find_bucket_in_alarm_for_versioning.png"/></p>
<p><img alt="aws_start_6_find_bucket_in_alarm_for_versioning" style={{"width":"50%"}} src="/images/docs/guardrails/runbook/aws_start_6_find_bucket_in_alarm_for_versioning.png"/></p><br/>

Buckets are either in `Alarm` as a result of the Sandbox-level policy set in  [Set a Guardrails policy for AWS resources](), or `Skipped` as a result of an account-level exception.


Click into `AWS > S3 > Bucket > Versioning` and click the `Controls` tab to view individual buckets.
<p><img alt="aws_start_6_buckets_in_alarm_for_versioning" src="/images/docs/guardrails/runbook/aws_start_6_buckets_in_alarm_for_versioning.png"/></p>
<p><img alt="aws_start_6_buckets_in_alarm_for_versioning" src="/images/docs/guardrails/runbook/aws_start_6_buckets_in_alarm_for_versioning.png"/></p><br/>

### Step 4: Take a Quick Action to enable versioning on a bucket

Click into one of the buckets in `Alarm`, and expand the `Actions` dropdown.
<p><img alt="aws_start_6_versioning_quick_action_dropdown" src="/images/docs/guardrails/runbook/aws_start_6_versioning_quick_action_dropdown.png"/></p>
<p><img alt="aws_start_6_versioning_quick_action_dropdown" src="/images/docs/guardrails/runbook/aws_start_6_versioning_quick_action_dropdown.png"/></p><br/>

Select `Enable Versioning`.

Guardrails reports that the action was successful.
<p><img alt="aws_start_6_quick_action_reports_success" src="/images/docs/guardrails/runbook/aws_start_6_quick_action_reports_success.png"/></p>
<p><img alt="aws_start_6_quick_action_reports_success" src="/images/docs/guardrails/runbook/aws_start_6_quick_action_reports_success.png"/></p><br/>

Soon after, the control goes to green.
<p><img alt="aws_start_6_quick_action_yields_green_versioning_control" src="/images/docs/guardrails/runbook/aws_start_6_quick_action_yields_green_versioning_control.png"/></p>
<p><img alt="aws_start_6_quick_action_yields_green_versioning_control" src="/images/docs/guardrails/runbook/aws_start_6_quick_action_yields_green_versioning_control.png"/></p><br/>



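Review bot: deleting the old Step 1 removes the only grant of `s3:PutBucketVersioning` (the policy with `"Resource": "arn:aws:s3:::*"`) without re-adding it anywhere else in this commit; the `Enable Versioning` Quick Action in Step 4 needs that API, so a role built from the new `connect_an_account.md` (which attaches only `ReadOnlyAccess`) will get an access-denied result rather than the success screenshot shown. Either keep the permission step here or say where the role is widened. Two follow-on fixes in the unchanged context: after `Step 2` became `Step 1`, the headings `### Step 3: Find a bucket in `Alarm` for versioning` and `### Step 4: Take a Quick Action to enable versioning on a bucket` should become Step 2 and Step 3; and the sentence `Buckets are either in `Alarm` as a result of the Sandbox-level policy set in  [Set a Guardrails policy for AWS resources]()` still uses the old runbook name with an empty link target, where the prerequisites now link to `/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy`.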
Expand All @@ -95,18 +68,18 @@ Soon after, the control goes to green.

## Runbook Progress Tracker

1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account)
1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account)

2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-aws/review_and_test_control)
2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity)

3. [Enable event handlers for fast change detection](/guardrails/docs/integrations/aws/getting-started-aws/enable_event_handlers)
3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy)

4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-aws/set_an_aws_policy)
4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception)

5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception)
5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception)

6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception)
6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email)

7. [Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-aws/set_alert_on_control)
7. **Apply a Quick Action**

8. **Apply a Quick Action**
8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement)
110 changes: 110 additions & 0 deletions docs/integrations/aws/getting-started-aws/attach_a_policy.md
@@ -0,0 +1,110 @@
---
title: "Attach a Guardrails policy"
template: Documentation
nav:
  title: "Attach a policy"
---


# Attach a Guardrails policy

## Introduction

**Purpose**: This runbook shows a Guardrails administrator how to set a policy for a type of AWS resource.  

**Prerequisites**:

- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account)
- [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity)


## Procedure

### Step 1: Review bucket properties

Check the properties of the bucket you created in [Observe AWS activity](). In that runbook you switched bucket versioning from the default (`Suspended`) to `Enabled`.
<p><img alt="aws_start_3_review_bucket_versioning" style={{"width":"60%"}} src="/images/docs/guardrails/runbook/aws_start_3_review_bucket_versioning.png"/></p><br/>

### Step 2:  Find and view the `AWS > S3 > Bucket > Versioning` policy type.

Do a top-level search for `aws s3 bucket versioning`.
<p><img alt="aws_start_3_search_bucket_versioning" src="/images/docs/guardrails/runbook/aws_start_3_search_bucket_versioning.png"/></p><br/>

Click into the `AWS > S3 > Bucket > Versioning` policy type.
<p><img alt="aws_start_3_view_bucket_versioning_no_policy" src="/images/docs/guardrails/runbook/aws_start_3_view_bucket_versioning_no_policy.png"/></p><br/>

There’s a policy type, `AWS > S3 > Bucket > Versioning`, but as yet there are no policy settings. The default value for the setting is `Skip`.

### Step 3: Find and view the `AWS > S3 > Bucket > Versioning` control.

Repeat the search from step 2 and click the link (or status bar) for controls.
<p><img alt="aws_start_3_view_bucket_controls" src="/images/docs/guardrails/runbook/aws_start_3_view_bucket_controls.png"/></p><br/>



Select the `Controls` tab, and note that – per the default – versioning for your bucket is set to skip.
<p><img alt="aws_start_3_versioning_set_to_skip_overview" src="/images/docs/guardrails/runbook/aws_start_3_versioning_set_to_skip_overview.png"/></p><br/>

### Step 4: Attach a policy


Click the top-level `Resources` tab, navigate to your Sandbox folder, select the `Detail` tab, and click the `Manage` link next to `Policy Packs`.
<p><img alt="aws_start_3_find_policy_packs_manage" src="/images/docs/guardrails/runbook/aws_start_3_find_policy_packs_manage.png"/></p><br/>

In the `Edit policy pack attachments` dialog, select your baseline and click `Save`.
<p><img alt="aws_start_3_edit_attachments_select_baseline" style={{"width":"40%"}} src="/images/docs/guardrails/runbook/aws_start_3_edit_attachments_select_baseline.png"/></p><br/>



Now switch to the `Policies` tab and select `New Policy Setting`.
<p><img alt="aws_start_3_edit_ready_to_create_policy_setting" src="/images/docs/guardrails/runbook/aws_start_3_edit_ready_to_create_policy_setting.png"/></p><br/>



Under `Create Policy Setting`, search for and select `AWS > S3 > Bucket > Versioning`, select `Check: Enabled`, and click `Create`.
<p><img alt="aws_start_3_create_policy_setting" style={{"width":"50%"}} src="/images/docs/guardrails/runbook/aws_start_3_create_policy_setting.png"/></p><br/>



Guardrails returns you to the `Policy Setting` page. Click the `Hierarchy` tab.
<p><img alt="aws_start_3_sandbox_level_policy_in_hierarchy" src="/images/docs/guardrails/runbook/aws_start_3_sandbox_level_policy_in_hierarchy.png"/></p><br/>



Here you can see that the Sandbox-level policy, which you just created, overrides the default.

Now click the `Activity` tab, find your bucket, and click into that row.
<p><img alt="aws_start_3_bucket_skipped_to_ok" src="/images/docs/guardrails/runbook/aws_start_3_bucket_skipped_to_ok.png"/></p><br/>


### Step 5: Observe a policy-driven alarm

Now, in the AWS console, set versioning for your bucket back to the default, `Suspended`.
<p><img alt="aws_start_3_bucket_now_in_alarm" src="/images/docs/guardrails/runbook/aws_start_3_bucket_now_in_alarm.png"/></p><br/>



When you attached the policy, Guardrails switched the bucket from `Skipped` to `OK` because the bucket – with versioning enabled – was in compliance with the attached policy.

With versioning disabled, the bucket no longer complies with that policy so Guardrails puts the bucket into the `Alarm` state for that policy.

You can override policies at any level. In the next runbook, we’ll create an exception that enables your test bucket to return to the `OK` state.


## Runbook Progress Tracker

1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account)

2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity)

3. **Attach a Guardrails policy**

4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception)

5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception)

6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email)

7. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action)

8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement)
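Review bot: Step 1 links `[Observe AWS activity]()` with an empty target while the Prerequisites list a few lines above links the same runbook to `/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity`; use the full path in both places so the new page has no dead links. Minor style: the headings `### Step 2:  Find and view the `AWS > S3 > Bucket > Versioning` policy type.` and `### Step 3: Find and view the `AWS > S3 > Bucket > Versioning` control.` end with a period (and Step 2 has a doubled space), unlike Steps 1, 4 and 5; drop the periods for consistency.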
120 changes: 120 additions & 0 deletions docs/integrations/aws/getting-started-aws/connect_an_account.md
@@ -0,0 +1,120 @@
---
title: "Connect an AWS account to Guardrails"
template: Documentation
nav:
  title: Connect an AWS account"
---


# Connect an AWS account to Guardrails

## Introduction

**Purpose**: This runbook shows a Guardrails administrator how to create a connection from Guardrails to an account in the standard AWS partition.

**Prerequisites**:

An AWS role created by you (or on your behalf) that grants Turbot the minimum permissions needed to inventory your AWS account and watch for changes, receive change events in real time, and take one specific action (enable versioning on S3 buckets).

## Procedure (Outdated, awaiting new flow)

### Step 1: Create an AWS IAM role for Guardrails

Follow these steps to create the role in the AWS Management Console. (You can alternatively use [CloudFormation]() or [Terraform]().)


Log in to the AWS Management Console.

Navigate to the IAM Roles and click Create Role.

Select "AWS account" as the trusted entity type.

Select "Another AWS account" as the entity that can act in your account.

Enter `287590803701` as the Account ID (or `xxx` for Turbot Guardrails EU SaaS).

Check `Require external ID` and provide a unique ID.


Leave `Require MFA unchecked`
<p><img alt="aws_start_1_create_role_1" src="/images/docs/guardrails/runbook/aws_start_1_create_role_1.png"/></p><br/>


Click `Next`.

In the permissions step, attach the policy `arn:aws:iam::aws:policy/ReadOnlyAccess`.
<p><img alt="aws_start_1_create_role_2" src="/images/docs/guardrails/runbook/aws_start_1_create_role_2.png"/></p><br/>

Note: There are many policies matching `ReadOnlyAccess`, reverse-sorting the list helps you get to the one you want.

Click `Next`.


Name the role appropriately (e.g. `turbot-role`)


Review the trust policy and permissions
<p><img alt="aws_start_1_review_trust_policy" src="/images/docs/guardrails/runbook/aws_start_1_review_trust_policy.png"/></p><br/>


Click `Create Role`

### Step 2: Connect the AWS Account

Login to Guardrails

Click the top-level `Connect`
<p><img alt="aws_start_1_top_level_connect" src="/images/docs/guardrails/runbook/aws_start_1_top_level_connect.png"/></p><br/>

Click `AWS Account`

Use the Parent Resource dropdown to select the Sandbox folder.

Enter the AWS Account ID for the account you are importing.

Copy the IAM Role ARN created earlier and paste it into the field.

Override the suggested [External ID](https://turbot.com/guardrails/docs/faq/general-faq#how-does-guardrails-protect-my-aws-account-from-the-confused-deputy-problem) with the one you created in Step 1.
<p><img alt="aws_start_1_ready_to_import" src="/images/docs/guardrails/runbook/aws_start_1_ready_to_import.png"/></p><br/>

Click `Import`.


Wait for the progress bar to complete.
<p><img alt="aws_start_1_aws_progress_bar" src="/images/docs/guardrails/runbook/aws_start_1_aws_progress_bar.png"/></p><br/>

This process takes a while, and you’ll see the bars fluctuate. Note that error messages, like "Try again later: error in handling command", are not uncommon and should resolve as the process iterates to completion.


When the process completes, navigate to `Turbot > Sandbox > YOUR_ACCOUNT`


Search for `aws account cmdb`
<p><img alt="aws_start_1_account_cmdb" src="/images/docs/guardrails/runbook/aws_start_1_account_cmdb.png"/></p><br/>

When the control is green, Turbot has successfully connected to your account.








## Runbook Progress Tracker

1. **Connect an AWS account to Guardrails**

2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity)

3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy)

4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception)

5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception)

6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email)

7. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action)

8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement)
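Review bot: the front-matter line `title: Connect an AWS account"` has a closing quote with no opening quote, which will break YAML parsing of this page; it should read `title: "Connect an AWS account"`. The Prerequisites paragraph promises a role that can `watch for changes, receive change events in real time, and take one specific action (enable versioning on S3 buckets)`, but Step 1 attaches only `arn:aws:iam::aws:policy/ReadOnlyAccess`, which grants neither the write permissions event handlers need nor `s3:PutBucketVersioning`; either scope that sentence down to read-only inventory or add the extra policy to Step 1 (the Quick Action runbook later in this commit depends on it). Placeholders are also being committed into a published runbook: the heading `## Procedure (Outdated, awaiting new flow)`, the EU account ID `xxx`, and the empty `[CloudFormation]()` and `[Terraform]()` links. Small wording fixes: the backticks in `Leave `Require MFA unchecked`` should enclose only `Require MFA`, and `Login to Guardrails` should be `Log in to Guardrails`.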
0 comments on commit ab8dbf7