diff --git a/docs/integrations/aws/getting-started-aws/apply_quick_action.md b/docs/integrations/aws/getting-started-aws/apply_quick_action.md index 95812c4b..d4f220d8 100644 --- a/docs/integrations/aws/getting-started-aws/apply_quick_action.md +++ b/docs/integrations/aws/getting-started-aws/apply_quick_action.md @@ -6,7 +6,7 @@ nav: --- -## Apply a Quick Action +# Apply a Quick Action ## Introduction 
@@ -14,78 +14,51 @@ nav: **Prerequisites**: -- [Connect an AWS account to Guardrails with readonly permissions]() - -- [Review and test a Guardrails AWS control]() - -- [Enable event handlers for fast change detection]() - -- [Set a Guardrails policy for AWS resources]() - -- [Create a static exception to a Guardrails AWS policy]() - -- [Create a calculated exception to a Guardrails AWS policy]() +- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) +- [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) +- [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) +- [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) +- [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) +- [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) -- [Set an alert on an AWS Guardrails control]() ## Procedure -### Step 1: Update the Turbot IAM role - -In [Enable event handlers for fast change detection]() we added the minimum permissions needed for Event Handlers. Now we’ll add on more permission to enable Guardrails to take one specific action on buckets: enable (or disable) versioning. - -Attach the policy to the role. - -```json -{ -        "Version": "2012-10-17", -        "Statement": [ -                { -                        "Effect": "Allow", -                        "Action": [ -                                "s3:PutBucketVersioning" -                        ], -                        "Resource": "arn:aws:s3:::*" -                } -        ] -} -```` - -### Step 2: Enable Quick Actions +### Step 1: Enable Quick Actions Click the top-level `Policies` tab and search for `Quick Actions`. -

aws_start_6_find_quick_actions_policies

+

aws_start_6_find_quick_actions_policies


Click into `Turbot > Quick Actions > Enabled`, click the `Settings` tab, and click the edit (pencil) icon. -

aws_start_6_ready_to_enable_quick_actions

+

aws_start_6_ready_to_enable_quick_actions


Now change the setting to `Enabled` and update the policy setting. -

aws_start_6_set_quick_actions_enabled

+

aws_start_6_set_quick_actions_enabled


### Step 3: Find a bucket in `Alarm` for versioning From the top-level `Controls` tab, search for `s3 bucket versioning`, click into `AWS > S3 > Bucket > Versioning`, then click the `Controls` tab there. -

aws_start_6_find_bucket_in_alarm_for_versioning

+

aws_start_6_find_bucket_in_alarm_for_versioning


Buckets are either in `Alarm` as a result of the Sandbox-level policy set in  [Set a Guardrails policy for AWS resources](), or `Skipped` as a result of an account-level exception. Click into `AWS > S3 > Bucket > Versioning` and click the `Controls` tab to view individual buckets. -

aws_start_6_buckets_in_alarm_for_versioning

+

aws_start_6_buckets_in_alarm_for_versioning


### Step 4: Take a Quick Action to enable versioning on a bucket Click into one of the buckets in `Alarm`, and expand the `Actions` dropdown. -

aws_start_6_versioning_quick_action_dropdown

+

aws_start_6_versioning_quick_action_dropdown


Select `Enable Versioning`. Guardrails reports that the action was successful. -

aws_start_6_quick_action_reports_success

+

aws_start_6_quick_action_reports_success


Soon after, the control goes to green. -

aws_start_6_quick_action_yields_green_versioning_control

+

aws_start_6_quick_action_yields_green_versioning_control


@@ -95,18 +68,18 @@ Soon after, the control goes to green. ## Runbook Progress Tracker -1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account) +1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) -2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-aws/review_and_test_control) +2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) -3. [Enable event handlers for fast change detection](/guardrails/docs/integrations/aws/getting-started-aws/enable_event_handlers) +3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) -4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-aws/set_an_aws_policy) +4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) -5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) +5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) -6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) +6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) -7. [Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-aws/set_alert_on_control) +7. **Apply a Quick Action** -8. **Apply a Quick Action** +8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement) 
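Review bot: In the `@@ -14,78 +14,51 @@` hunk the step headings are no longer consecutive: the old Step 1 is removed and Step 2 becomes `### Step 1: Enable Quick Actions`, but the headings that follow still read `### Step 3: Find a bucket in `Alarm` for versioning` and `### Step 4: Take a Quick Action to enable versioning on a bucket`; renumber them to Step 2 and Step 3. The prose under the "Find a bucket" step also still links to `[Set a Guardrails policy for AWS resources]()` with an empty target, while the prerequisites block in the same hunk renames that runbook to `[Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy)`; use the same title and path there. Finally, this hunk deletes the only text in the patch that grants `s3:PutBucketVersioning` to the Turbot role, and nothing else in this change adds it back, so the `Enable Versioning` Quick Action in the last step will fail against a role that only carries `ReadOnlyAccess`; either keep the scoped statement (it was already limited to that single action on `arn:aws:s3:::*`, which is the right least-privilege shape) or say where the permission now comes from.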
diff --git a/docs/integrations/aws/getting-started-aws/attach_a_policy.md b/docs/integrations/aws/getting-started-aws/attach_a_policy.md new file mode 100644 index 00000000..fb4adc97 --- /dev/null +++ b/docs/integrations/aws/getting-started-aws/attach_a_policy.md @@ -0,0 +1,110 @@ +--- +title: "Attach a Guardrails policy" +template: Documentation +nav: +  title: "Attach a policy" +--- + + +# Attach a Guardrails policy + +## Introduction + +**Purpose**: This runbook shows a Guardrails administrator how to set a policy for a type of AWS resource.   + +**Prerequisites**: + +- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) +- [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) + + +## Procedure + +### Step 1: Review bucket properties + +Check the properties of the bucket you created in [Observe AWS activity](). In that runbook you switched bucket versioning from the default (`Suspended`) to `Enabled`. +

aws_start_3_review_bucket_versioning


+ +### Step 2:  Find and view the `AWS > S3 > Bucket > Versioning` policy type. + +Do a top-level search for `aws s3 bucket versioning`. +

aws_start_3_search_bucket_versioning


+ +Click into the `AWS > S3 > Bucket > Versioning` policy type. +

aws_start_3_view_bucket_versioning_no_policy


+ +There’s a policy type, `AWS > S3 > Bucket > Versioning`, but as yet there are no policy settings. The default value for the setting is `Skip`. + +### Step 3: Find and view the `AWS > S3 > Bucket > Versioning` control. + +Repeat the search from step 2 and click the link (or status bar) for controls. +

aws_start_3_view_bucket_controls


+ + + +Select the `Controls` tab, and note that – per the default – versioning for your bucket is set to skip. +

aws_start_3_versioning_set_to_skip_overview


+ +### Step 4: Attach a policy + + +Click the top-level `Resources` tab, navigate to your Sandbox folder, select the `Detail` tab, and click the `Manage` link next to `Policy Packs`. +

aws_start_3_find_policy_packs_manage


+ +In the `Edit policy pack attachments` dialog, select your baseline and click `Save`. +

aws_start_3_edit_attachments_select_baseline


+ + + +Now switch to the `Policies` tab and select `New Policy Setting`. +

aws_start_3_edit_ready_to_create_policy_setting


+ + + +Under `Create Policy Setting`, search for and select `AWS > S3 > Bucket > Versioning`, select `Check: Enabled`, and click `Create`. +

aws_start_3_create_policy_setting


+ + + +Guardrails returns you to the `Policy Setting` page. Click the `Hierarchy` tab. +

aws_start_3_sandbox_level_policy_in_hierarchy


+ + + +Here you can see that the Sandbox-level policy, which you just created, overrides the default. + +Now click the `Activity` tab, find your bucket, and click into that row. +

aws_start_3_bucket_skipped_to_ok


+ + +### Step 5: Observe a policy-driven alarm + +Now, in the AWS console, set versioning for your bucket back to the default, `Suspended`. +

aws_start_3_bucket_now_in_alarm


+ + + +When you attached the policy, Guardrails switched the bucket from `Skipped` to `OK` because the bucket – with versioning enabled – was in compliance with the attached policy. + +With versioning disabled, the bucket no longer complies with that policy so Guardrails puts the bucket into the `Alarm` state for that policy. + +You can override policies at any level. In the next runbook, we’ll create an exception that enables your test bucket to return to the `OK` state. + + +## Runbook Progress Tracker + +1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) + +2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) + +3. **Attach a Guardrails policy** + +4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) + +5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) + +6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) + +7. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) + +8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement) diff --git a/docs/integrations/aws/getting-started-aws/connect_an_account.md b/docs/integrations/aws/getting-started-aws/connect_an_account.md new file mode 100644 index 00000000..42810d6c --- /dev/null +++ b/docs/integrations/aws/getting-started-aws/connect_an_account.md 
@@ -0,0 +1,120 @@ +--- +title: "Connect an AWS account to Guardrails" +template: Documentation +nav: +  title: Connect an AWS account" +--- + + +# Connect an AWS account to Guardrails + +## Introduction + +**Purpose**: This runbook shows a Guardrails administrator how to create a connection from Guardrails to an account in the standard AWS partition. + +**Prerequisites**: + +An AWS role created by you (or on your behalf) that grants Turbot the minimum permissions needed to inventory your AWS account and watch for changes, receive change events in real time, and take one specific action (enable versioning on S3 buckets). + +## Procedure (Outdated, awaiting new flow) + +### Step 1: Create an AWS IAM role for Guardrails + +Follow these steps to create the role in the AWS Management Console. (You can alternatively use [CloudFormation]() or [Terraform]().) + + +Log in to the AWS Management Console. + +Navigate to the IAM Roles and click Create Role. + +Select "AWS account" as the trusted entity type. + +Select "Another AWS account" as the entity that can act in your account. + +Enter `287590803701` as the Account ID (or `xxx` for Turbot Guardrails EU SaaS). + +Check `Require external ID` and provide a unique ID. + + +Leave `Require MFA unchecked` +

aws_start_1_create_role_1


+ + +Click `Next`. + +In the permissions step, attach the policy `arn:aws:iam::aws:policy/ReadOnlyAccess`. +

aws_start_1_create_role_2


+ +Note: There are many policies matching `ReadOnlyAccess`, reverse-sorting the list helps you get to the one you want. + +Click `Next`. + + +Name the role appropriately (e.g. `turbot-role`) + + +Review the trust policy and permissions +

aws_start_1_review_trust_policy


+ + +Click `Create Role` + +### Step 2: Connect the AWS Account + +Login to Guardrails + +Click the top-level `Connect` +

aws_start_1_top_level_connect


+ +Click `AWS Account` + +Use the Parent Resource dropdown to select the Sandbox folder. + +Enter the AWS Account ID for the account you are importing. + +Copy the IAM Role ARN created earlier and paste it into the field. + +Override the suggested [External ID](https://turbot.com/guardrails/docs/faq/general-faq#how-does-guardrails-protect-my-aws-account-from-the-confused-deputy-problem) with the one you created in Step 1. +

aws_start_1_ready_to_import


+ +Click `Import`. + + +Wait for the progress bar to complete. +

aws_start_1_aws_progress_bar


+ +This process takes a while, and you’ll see the bars fluctuate. Note that error messages, like "Try again later: error in handling command", are not uncommon and should resolve as the process iterates to completion. + + +When the process completes, navigate to `Turbot > Sandbox > YOUR_ACCOUNT` + + +Search for `aws account cmdb` +

aws_start_1_account_cmdb


+ +When the control is green, Turbot has successfully connected to your account. + + + + + + + + +## Runbook Progress Tracker + +1. **Connect an AWS account to Guardrails** + +2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) + +3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) + +4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) + +5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) + +6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) + +7. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) + +8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement) diff --git a/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account.md b/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account.md deleted file mode 100644 index 75dc3e19..00000000 --- a/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account.md +++ /dev/null 
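Review bot: The prerequisites paragraph in the new `connect_an_account.md` says the role must let Turbot "receive change events in real time, and take one specific action (enable versioning on S3 buckets)", but the Step 1 procedure attaches only `arn:aws:iam::aws:policy/ReadOnlyAccess`; neither event-handler permissions nor an `s3:PutBucketVersioning` statement appears anywhere in this patch, so a reader who follows the runbooks in order reaches `Apply a Quick Action` with a role that cannot perform the action. Add the extra statements here, scoped to that one action as the block removed from `apply_quick_action.md` was, or point to where they are granted. Separately: the front matter line `title: Connect an AWS account"` is missing its opening quote (the deleted file had the same defect), which can break YAML parsing of the page; `## Procedure (Outdated, awaiting new flow)` is a work-in-progress marker that should not ship to readers; `xxx` stands in for the EU SaaS account ID; and the `[CloudFormation]()` and `[Terraform]()` links are empty.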
@@ -1,127 +0,0 @@ ---- -title: "Connect a readonly AWS account to Guardrails" -template: Documentation -nav: -  title: Connect a readonly AWS account" ---- - - -# Connect an AWS account to Guardrails - -## Introduction - -**Purpose**: This runbook shows a Guardrails administrator how to create a read-only connection from Guardrails to an account in the standard AWS partition. This connection will enable you to inventory assets and check for policy compliance. For other partitions see [GovCloud]() or [China](). To enable Guardrails remediation, use [this runbook](). For many accounts see [this runbook](). - - -To import your AWS account into Guardrails you will: - -1. Create a read-only AWS IAM role that Guardrails will use to connect to your AWS account. -2. Connect Turbot Guardrails Cloud to that AWS account using the IAM role you created. - -**Prerequisites**: - -- A POC (proof-of-concept) Guardrails workspace with an AWS baseline - - -## Procedure - -### Step 1: Create an AWS IAM role for Guardrails - -Follow these steps to create the role in the AWS Management Console. (You can alternatively use [CloudFormation]() or [Terraform]().) - - -Log in to the AWS Management Console. - -Navigate to the IAM Roles and click Create Role. - -Select "AWS account" as the trusted entity type. - -Select "Another AWS account" as the entity that can act in your account. - -Enter `287590803701` as the Account ID (or `xxx` for Turbot Guardrails EU SaaS). - -Check `Require external ID` and provide a unique ID. - - -Leave `Require MFA unchecked` -

aws_start_0_create_role_1

- - -Click `Next`. - -In the permissions step, attach the policy `arn:aws:iam::aws:policy/ReadOnlyAccess`. -

aws_start_0_create_role_2

- -Note: There are many policies matching `ReadOnlyAccess`, reverse-sorting the list helps you get to the one you want. - -Click `Next`. - - -Name the role appropriately (e.g. `turbot-role`) - - -Review the trust policy and permissions -

aws_start_0_review_trust_policy

- - -Click `Create Role` - -### Step 2: Connect the AWS Account - -Login to Guardrails - -Click the top-level `Connect` -

aws_start_0_top_level_connect

- -Click `AWS Account` - -Use the Parent Resource dropdown to select the Sandbox folder. - -Enter the AWS Account ID for the account you are importing. - -Copy the IAM Role ARN created earlier and paste it into the field. - -Override the suggested [External ID](https://turbot.com/guardrails/docs/faq/general-faq#how-does-guardrails-protect-my-aws-account-from-the-confused-deputy-problem) with the one you created in Step 1. -

aws_start_0_ready_to_import

- -Click `Import`. - - -Wait for the progress bar to complete. -

aws_start_0_aws_progress_bar

- -This process takes a while, and you’ll see the bars fluctuate. Note that error messages, like "Try again later: error in handling command", are not uncommon and should resolve as the process iterates to completion. - - -When the process completes, navigate to `Turbot > Sandbox > YOUR_ACCOUNT` - - -Search for `aws account cmdb` -

aws_start_0_account_cmdb

- -When the control is green, Turbot has successfully connected to your account. - - - - - - - - -## Runbook Progress Tracker - -1. **Connect a readonly AWS account to Guardrails** - -2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-aws/review_and_test_control) - -3. [Enable event handlers for fast change detection](/guardrails/docs/integrations/aws/getting-started-aws/enable_event_handlers) - -4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-aws/set_an_aws_policy) - -5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) - -6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) - -7. [Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-aws/set_alert_on_control) - -8. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) diff --git a/docs/integrations/aws/getting-started-aws/create_calculated_exception.md b/docs/integrations/aws/getting-started-aws/create_calculated_exception.md index c9dbda8d..181e5b5d 100644 --- a/docs/integrations/aws/getting-started-aws/create_calculated_exception.md +++ b/docs/integrations/aws/getting-started-aws/create_calculated_exception.md 
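Review bot: Deleting `connect_readonly_aws_account.md` matches the tracker updates elsewhere in this patch, but the new trackers also link to `observe_aws_activity`, `send_alert_to_email` and `enable_enforcement`, none of which are part of this diff; confirm those pages and the site navigation no longer link to `/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account`, or add a redirect so existing bookmarks keep resolving.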
@@ -14,161 +14,125 @@ nav: **Prerequisites**: -- [Connect an AWS account to Guardrails with readonly permissions]() - -- [Review and test a Guardrails AWS control]() - -- [Enable event handlers for fast change detection]() - -  - -- [Set a Guardrails policy for AWS resources]() +- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) +- [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) +- [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) +- [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) -- [Create a static exception to a Guardrails AWS policy]() ## Procedure -### Step 1: Delete the previously-created static exception +### Step 1: Find the policy for your bucket -In [Create a static exception]() we overrode the global default for bucket versioning (`Skip`) with a Sandbox-level setting (`Check: Enabled`). -

aws_start_4_bucket_versioning_policy_hierarchy

+In [Create a static exception]() we created a policy setting for your test bucket to override the Sandbox-level setting (`Check: Enabled`) with a bucket-level setting (`Skip`). +

aws_start_5_review_bucket_level_policy


-Now we’ll delete that static exception and create a new calculated exception. - -To delete the execution, find it using `Reports -> Policy Setting Exceptions` -

aws_start_4_report_policy_setting_exceptions

- -Click into the policy setting and click `Delete`. -

aws_start_4_delete_policy_setting

- -Now click the account id (or alias) in the breadcrumb trail. -

aws_start_4_breadcrumb_account

+Now let’s refine that bucket-level policy setting to use a calculated value. Click the top-level `Policy Settings` card, and search  for `s3 bucket versioning`. +

aws_start_5_search_policy_types_for_bucket_versioning


+ +Guardrails reports both of the policy settings you created. Click the row for your test bucket. +

aws_start_5_review_policy_settings


-### Step 2: Launch the calculated policy builder +### Step 2: Switch to calculated mode -We’ve already overridden the default policy (`Skip`) with a Sandbox-level policy (`Check: Enabled`). And we’ve seen how to refine that Sandbox-level policy with an exception for a single bucket. Now we’ll create a calculated policy to apply that exception to a set of buckets in this account. +On the `Policy Setting` page, click `Edit`. -Click into the account, select the `Policies` tab, search for `s3 bucket versioning`, and click `Descendant`. -

aws_start_4_find_versioning_policy_at_account_level

+![](https://lh7-us.googleusercontent.com/l6lOEVUhKC58cCv2RW8e8Q7BP1pJddRCoFDykYJ27YuzmmyIfuRZprocrYiXzUKb1eNUJ4F6j-kixNpWr67ZFI1Fj5ipAcqunF3OKt1OCmkzmPL3GQRbYOto-2mUerDXIyZP0Z8BVJMC4K2Tv0PMic0) -Click into it, and click `New Policy Setting`.  The policy type is `AWS > S3 > Bucket > Versioning`. Under `Resource` navigate to the account you imported in [Connect a readonly AWS Account to Guardrails](). -

aws_start_4_ready_for_calc_policy

+On the `Update Policy Setting` page, click `Enable calculated mode`. +

aws_start_5_enable_calculated_mode


-Now click `Enable calculated mode` and then `Launch calculated policy builder`. -

aws_start_4_ready_to_launch_calc_policy_builder

+Then click `Launch calculated policy builder`. +

aws_start_5_ready_to_launch_calculated_policy_builder


-Here’s the initial state of the policy builder. -

aws_start_4_initial_calc_policy_builder

+### Step 3: Query the bucket -### Step 3: Tag your test bucket +On the builder page, under `Step 2: Query data using GraphQL`, click the `Select snippet` dropdown and prepare to choose the `Get bucket` option. +

aws_start_5_calc_policy_ready_to_get_bucket


-We want this policy to act on buckets in your imported account that are tagged with `SkipVersioning`. So, in the AWS console, apply that tag to your test bucket. Use  `SkipVersioning` as the key, and leave the value empty. -

aws_start_4_tag_the_test_bucket

+Note that your bucket is the `Test Resource` that will be the target of the `Get bucket` query. Now select `Get bucket`. +

aws_start_5_initial_get_bucket_query


-### Step 4: Query for the tag +By default, the `Get bucket` query in the `Input` pane looks for tags. If you’ve added no tags to your test bucket, the `Output` pane reports `{}`. -Back in the policy builder, under `Test Resource`, choose your test bucket and, in the `Input [GraphQL]` dropdown, choose `Get bucket`. Guardrails inserts a GraphQL query that, by default, looks for tags on the test resource. Verify that the output matches the tag you assigned. -

aws_start_4_calc_policy_graphql_default_query_for_bucket

- -### Step 5: Configure the template to check for the existence of the tag +### Step 4: Tag the bucket and query again -Paste this code into the Nunjucks template. +Now, in the AWS console, add this tag to your test bucket. +

aws_start_5_tag_the_bucket


-```nunjucks -{% set tag_exists = false %} -{% if 'SkipVersioning' in $.bucket.turbot.tags %} -  {% set tag_exists = true %} -{% endif %} -"{{ tag_exists }}" -``` - +And repeat the query. +

aws_start_5_initial_get_bucket_query_finds_tag


-Our ultimate goal here is to return a valid value for the `AWS > S3 > Bucket > Versioning` policy type. But first, we’ll verify that the template can detect the existence of the tag. Here we can see that it does: the output value is `true`. The `Result` is in error because `true` isn’t one of the allowed values for this policy type, we’ll take care of that in the next step. -

aws_start_4_template_check_for_tag

+Your tag now appears in the query output. -### Step 6: Configure the template to return a valid value +### Step 5: Write a template to verify the Environment tag is ‘dev’ -Paste this code into the template. +Our ultimate goal here is to return the value `Skip` if the `Environment` tag on the bucket is `dev`. But first, let’s check that we can test that condition in the template. ```nunjucks -{% set result = 'Check: Enabled' %} -{% if 'SkipVersioning' in $.bucket.turbot.tags %} -  {% set result = 'Skip' %} +{% set tag_is_dev = false %}                                       +{% if $.bucket.turbot.tags.Environment == 'dev' %}     +  {% set tag_is_dev = true %}                                       {% endif %} -"{{ result }}" -``` - -Now the output is `Skip`, which is valid for this policy type. -

aws_start_4_template_use_skip_versioning_tag

- -To verify that the calculated policy only applies to buckets with the `SkipVersioning` tag, set the test resource to another bucket under your account that lacks the tag. Verify that the ancestor Sandbox-level setting, `Check: Enabled`, is the result. - -Click `Update` to return the `Create Policy Setting` page. - -### Step 7: Create the calculated policy - -Click `Create` to create the policy. +"{{ tag_is_dev }}"                                                           +``` +

aws_start_5_use_template_to_check_for_tag


-Note: To enable the `Create` button you may need to switch `Precedence` from `Required` to `Recommended` and then back to `Required`. -

aws_start_4_create_policy_setting

+The template’s output is the string `true`. That isn’t a valid value for this policy setting, so Step 4 is in error, but we have now seen how to write a Nunjucks template that will check if the tag exists on the bucket. -You’ll land on the `Policy Setting` page. Select the `Hierarchy` tab to review the situation. The Turbot default is `Skip`, we have overridden it to `Check: Enabled` at the Sandbox level, and refined it at the account level with our calculated policy. -

aws_start_4_review_calc_policy_in_hierarchy

- +### Step 6: Write a template to return the policy setting `Skip` if the Environment tag is ‘dev’ +Now replace the template with this code. -### Step 8: Observe the effect of the calculated policy +```nunjucks +{% set policy_setting = 'Check: Enabled'  %}               +{% if $.bucket.turbot.tags.Environment == 'dev' %}     +  {% set policy_setting = true %}                                   +{% endif %} +"{{ policy_setting }}"                                                       +``` +

aws_start_5_use_template_to_output_skip


-Go to `Reports > Controls by State` and search for `s3 bucket versioning`. +Step 4 is green because the calculated value is valid for this policy type. -Your test bucket should be in the `Skipped` state. Other buckets that don’t enable versioning should be in `Alarm` per the ancestor Sandbox-level policy. -

aws_start_4_observe_effect_of_calc_policy_1

+Click `Update`. +And on the `Update Policy Setting` page, click `Update` again. +

aws_start_5_update_policy_setting_with_calc_value


+### Step 7: Review the bucket versioning control -To verify that the new calculated policy applies to all buckets in the account, tag another bucket with `SkipVersioning`,  and go back to `Reports > Controls by State` and search for `s3 bucket versioning`. This time, set the `State` filter to `Skipped`. +From the top-level `Controls` tab, search for `s3 bucket versioning`, find the row for your bucket (you can search, if needed), click into that row, and select the `Control` tab. +

aws_start_5_search_controls_for_bucket_versioning


-The report initially reports only your original test bucket which was the only one exempted from the ancestor `Check: Enabled` policy for bucket versioning. Wait for Guardrails to notice that you assigned `SkipVersioning` to a second bucket. +All buckets are in `Alarm`, subject to the Sandbox-level policy setting `Check Enabled`, except for the test bucket which is `Skipped`. Click into the `AWS > S3 > Bucket > Versioning` policy type, then click into the row for your test bucket. +

aws_start_5_test_bucket_skipped_because_calculated_policy


+Now change the tag on your test bucket from `Environment:dev` to `Environment:prod`. -Both tagged buckets are now in the `Skipped` state. -

aws_start_4_observe_effect_of_calc_policy_2

- -Click into your test control, and observe that it’s in the `Skipped` state. -

aws_start_4_observe_effect_of_calc_policy_3

- -### Step 9: Find the policies you created - -On the Guardrails home page, click `POLICY SETTINGS` (🔧). - -Search for `s3 bucket versioning`. -

aws_start_4_find_my_policies

- -This view shows the static Sandbox-level exception you created in [this runbook](/guardrails/docs/integrations/aws/getting-started-readonly/create_static_exception) along with the calculated exception you created here. - +The calculated policy now returns `Check: Enabled` and the bucket, which does not comply, goes to `Alarm`. - - +![](https://lh7-us.googleusercontent.com/mhLR2At5VE_YZfUDIwHCncWn4a6al9476wfpHDTPTh7Drwa3BAzuMzFiKkYM1Y_M0nR6aevtMZwjuKz-AgXr0TbEYf5AU1bH0Egx_yqPxWc2fb0wCk5dBi_rjRpAclKGA7ZWJelzzx_OlZG8x0LGDlQ) ## Runbook Progress Tracker -1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account) +1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) -2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-aws/review_and_test_control) +2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) -3. [Enable event handlers for fast change detection](/guardrails/docs/integrations/aws/getting-started-aws/enable_event_handlers) +3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) -4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-aws/set_an_aws_policy) +4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) -5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) +5. **Create a calculated exception to a Guardrails AWS policy** -6. **Create a calculated exception to a Guardrails AWS policy** +6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) -7. 
[Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-aws/set_alert_on_control) +7. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) -8. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) +8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement) diff --git a/docs/integrations/aws/getting-started-aws/create_static_exception.md b/docs/integrations/aws/getting-started-aws/create_static_exception.md index 060338af..4c1cc15b 100644 --- a/docs/integrations/aws/getting-started-aws/create_static_exception.md +++ b/docs/integrations/aws/getting-started-aws/create_static_exception.md 
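Review bot: The Step 6 template in the `@@ -14,161 +14,125 @@` hunk does not do what its heading promises: the branch reads `{% set policy_setting = true %}`, so for an `Environment: dev` bucket the output is the string `true`, which Step 5 itself says is not a valid value for this policy type; it should be `{% set policy_setting = 'Skip' %}`, otherwise the sentence "Step 4 is green because the calculated value is valid" and the later `Skipped` result for the test bucket cannot be reproduced. Related points in the same hunk: both template blocks carry long runs of trailing spaces that should be stripped; Step 4 says "add this tag to your test bucket" but the key and value (`Environment` = `dev`, per Steps 5 and 6) are shown only in the screenshot, so state them in the text; Step 7 writes the Sandbox setting as `Check Enabled` where everywhere else it is `Check: Enabled`; `[Create a static exception]()` in Step 1 has an empty target; and the two images pulled from `lh7-us.googleusercontent.com` are hosted outside the repo, unlike every other screenshot in these runbooks, so commit them as local assets rather than depending on a third-party URL that can expire.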
@@ -14,74 +14,72 @@ nav: **Prerequisites**: -- [Connect an AWS account to Guardrails with readonly permissions]() - -- [Review and test a Guardrails AWS control]() - -- [Enable event handlers for fast change detection]() - -  +- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) +- [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) +- [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) -- [Set a Guardrails policy for AWS resources]() ## Procedure -### Step 1: Suspend bucket versioning for your test bucket +### Step 1: Find your test bucket -In [Set an AWS policy]() we attached a policy to your Sandbox that overrides the global default for bucket versioning, so that the effective setting for buckets in your Sandbox is `Check: Enabled`. You saw Guardrails react with `Alarm` when the bucket was in its default state (versioning disabled). You then saw Guardrails react with `OK` when you enabled versioning for the bucket. +In [Set an AWS policy]() we attached a policy to your Sandbox that overrides the global default for bucket versioning (`Skip`), so that the effective setting for buckets in your Sandbox is `Check: Enabled`. Because you had set versioning for that bucket to `Enabled`, it complied with the policy, and you saw the bucket transition from `Skipped` to `OK`. Then you switched versioning to `Disabled`. Now the bucket no longer complied with the policy, and you saw it transition from `OK` to `Alarm`. -Now suspend versioning for that bucket and use top-level-search to find your test bucket. -

aws_start_3_bucket_versioning_top_level_search_for_resource

+### Step 2: Create policy setting -Click into the resource, select the `Activity` tab, and verify that the control for the bucket is in `Alarm` (or wait until it is). +Now we’ll create an exception for the bucket that overrides the Sandbox-level policy and enables Guardrails to again `Skip` the bucket. To start, click the top-level `Alerts` card and search for your bucket. +

aws_start_4_find_the_bucket


-### Step 2: Create a bucket-level policy exception +Under `Resources`, click into the row for your bucket. + +Now find the `Policies` tab, search for `s3 bucket versioning`, and note that the bucket inherits the `Check: Enabled` setting you attached by way of the Sandbox. +

aws_start_4_observe_bucket_policy


  + +Click into the `Bucket > Versioning` row to see the details. +

aws_start_4_observe_bucket_policy_details


-Select the `Policies` tab and click `New Policy Setting`. -

aws_start_3_begin_new_policy_setting_for_individual_bucket

+Click `Create Setting`. +

aws_start_4_ready_to_create_policy_setting


-Under `Policy Type` search for `aws s3 bucket versioning` and select that policy type. +Choose the `Skip` setting and click `Create`. -Under `Setting` select `Skip`. +Then select the `Hierarchy` tab to review the new situation. +

aws_start_4_hierarchy_with_bucket_exception


-Click `Create`. -

aws_start_3_create_policy_setting_for_individual_bucket

+The default for bucket versioning was `Skip`, the Sandbox overrides it to `Check: Enabled`, and the bucket overrides that setting so the bucket reverts to `Skip`. -On the ensuing `Policy Setting` page, select the `Hierarchy` tab. -

aws_start_3_new_policy_hierarchy_with_exception_for_individual_bucket

-### Step 3: Observe the effect of the exception. +### Step 3: Review Guardrails activity for the bucket +Use the top-level search to find your test bucket. +

aws_start_4_find_bucket_to_review_activity


-You’ve now overridden the Sandbox-level setting for this bucket. Select the `Activity` tab and wait for Guardrails to notice the change. -

aws_start_3_aws_static_exception_in_effect

+Click into the row for your test bucket, then select the `Activity` tab. +

aws_start_4_review_bucket_activity


-The control for this bucket has transitioned from `Alarm` to `Skipped`. +Here you can see the whole history. When you attached the Sandbox-level policy that set versioning to `Check: Enabled` the bucket switched from `Skipped` (the Turbot-level default) to `OK` (because you had switched the bucket’s setting for versioning from the AWS default (`Disabled`) to `Enabled`. -Now search for `s3 bucket versioning`. -

aws_start_3_verify_aws_static_exception

- -Observe both policies: `Check: Enabled` at the Sandbox level, and `Skip` for the test bucket. +When you then switched the versioning setting back to `Disabled` the bucket went into `Alarm`. -Note that only one control (for your test bucket) is skipped; all others are subject to the Sandbox-level policy and are in `Alarm`. +And then, when you attached the bucket-level policy to create an exception for your test bucket, the bucket’s state went to `Skipped`. ## Runbook Progress Tracker -1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account) +1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) -2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-aws/review_and_test_control) +2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) -3. [Enable event handlers for fast change detection](/guardrails/docs/integrations/aws/getting-started-aws/enable_event_handlers) +3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) -4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-aws/set_an_aws_policy) +4. **Create a static exception to a Guardrails AWS policy** -5. **Create a static exception to a Guardrails AWS policy** +5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) -6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) +6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) -7. [Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-aws/set_alert_on_control) +7. 
[Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) -8. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) +8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement) diff --git a/docs/integrations/aws/getting-started-aws/enable_enforcement.md b/docs/integrations/aws/getting-started-aws/enable_enforcement.md new file mode 100644 index 00000000..d06ffda4 --- /dev/null +++ b/docs/integrations/aws/getting-started-aws/enable_enforcement.md 
@@ -0,0 +1,51 @@ +--- +title: "Enable enforcement" +template: Documentation +nav: +  title: "Enable enforcement" +--- + + + + +# Extend AWS permissions for remediation + +## Introduction + +**Purpose**: This runbook shows a Guardrails administrator how to + + +**Prerequisites**: + +- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) +- [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) +- [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) +- [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) +- [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) +- [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) +- [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) + + + +## Procedure + +### Step 1: + + +## Runbook Progress Tracker + +1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) + +2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) + +3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) + +4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) + +5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) + +6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) + +7. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) + +8. 
**Enable enforcement** diff --git a/docs/integrations/aws/getting-started-aws/enable_event_handlers.md b/docs/integrations/aws/getting-started-aws/enable_event_handlers.md deleted file mode 100755 index 679b8845..00000000 --- a/docs/integrations/aws/getting-started-aws/enable_event_handlers.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: "Enable event handlers for fast change detection" -template: Documentation -nav: -  title: "Enable event handlers" ---- - - - - -# Enable event handlers for fast change detection - -## Introduction - -**Purpose**: This runbook shows a Guardrails administrator how to enable event handlers to speed up change detection. - - -**Prerequisites**: - --  [Connect an AWS account to Guardrails with readonly permissions]() - --  [Review and test a Guardrails AWS control]() - -## Procedure - -### Step 1: Update the Turbot IAM role - - -When you [imported your account](), the IAM role you created for Guardrails only attached only the policy `arn:aws:iam::aws:policy/ReadOnlyAccess`.  With that level of access, Guardrails must poll AWS to detect changes. As you’ve now seen, it can take a few minutes for Guardrails to notice a change. Polling also entails heavy and thus costly use of AWS APIs. - -Switching from polling to event handlers enables Guardrails to detect changes almost instantly, and lightens the API load. This requires a slight elevation of privilege. Along with `ReadOnlyAccess`, attach `AmazonSNSFullAccess` and `CloudWatchEventsFullAccess`. -

aws_start_role_permissions_for_event_handlers

- - - -### Step 2: Enable event handlers - -Click the top-level `Policies`, search for `AWS Turbot Event Handlers`,  open the setting, and change the value to `Enforce: Configured`. -

aws_start_enable_event_handlers

- -### Step 3: Observe immediate reaction to change! - - -Click the top-level `Resources` tab, navigate to the top (Turbot) level (if not already there), search for your test bucket, and click the `Activity` tab. - -Then, in the AWS console, toggle the `Block public setting` back and forth. Guardrails now detects the changes, and updates the control state immediately. -

aws_start_observe_event_handlers_in_action

- -### - - -## Runbook Progress Tracker - -1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account) - -2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-aws/review_and_test_control) - -3. **Enable event handlers for fast change detection** - -4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-aws/set_an_aws_policy) - -5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) - -6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) - -7. [Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-aws/set_alert_on_control) - -8. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) diff --git a/docs/integrations/aws/getting-started-aws/index.md b/docs/integrations/aws/getting-started-aws/index.md old mode 100755 new mode 100644 index 4cbcdaf7..c391e031 --- a/docs/integrations/aws/getting-started-aws/index.md +++ b/docs/integrations/aws/getting-started-aws/index.md 
@@ -5,26 +5,24 @@ nav: title: "Getting started with AWS" --- -# Getting started with AWS in Guardrails: ReadOnly +# Getting started with AWS in Guardrails In this series of runbooks you'll learn how to: -- Import an AWS account with readonly permission +- Connect an AWS account (outdated, awaiting new flow) -- Review and test a control +- Observe AWS activity -- Enable event handlers for fast change detection - -- Set a Guardrails policy +- Attach a policy - Create a static exception - Create a calculated exception -- Set an alert on a control - -- Apply a Quick Action to fix an alarm +- Send an alert to email (got stuck here this time around) -Start [here](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account). +- Apply a Quick Action (to be revised when email is working) +- Enable enforcement (tbd) +Start [here](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account). \ No newline at end of file diff --git a/docs/integrations/aws/getting-started-aws/observe_aws_activity.md b/docs/integrations/aws/getting-started-aws/observe_aws_activity.md new file mode 100644 index 00000000..4df68f09 --- /dev/null +++ b/docs/integrations/aws/getting-started-aws/observe_aws_activity.md @@ -0,0 +1,90 @@ +--- +title: "Observe AWS activity" +template: Documentation +nav: +  title: Observe AWS activity" +--- + + +# Observe AWS activity + +## Introduction + +**Purpose**: This runbook shows a Guardrails administrator how to observe activity in a connected AWS account. + +**Prerequisites**: + +- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) + + +## Procedure + +### Step 1: Create a S3 bucket + +We’ll use the name `aws-guardrails-getting-started-bucket-01`, choose your own name. +

aws_start_2_create_bucket_name


+ + +Accept the defaults, including this one for bucket versioning which will be the focus of this series of runbooks. +

aws_start_2_create_bucket_versioning


+ +### Step 2: See Guardrails discover the new bucket + +From the home page, click the chart icon to open `Reports`. +

aws_start_2_click_chart_icon_to_open_reports


+ +Scroll down and select `Resource Activities`. +

aws_start_2_select_resource_activities


+ +In the `Resource Activities` report, open the `Resource Type` filter, search for bucket, and select `AWS > S3 > Bucket`. +

aws_start_2_filter_resource_activities_by_aws_s3_bucket


+ +![](https://lh7-us.googleusercontent.com/9rZRZeXlbO2PB1Xhtw5bXWRcmEkUNGzEou1VASzocjO3IwZg5OLjMOEtifk8HDR-u3t-2K_53ocWuLLloCRy2D6H9x1LqjyeEjlgWs_7mOPbdFmq2E2WIT1Z6tHhxTBNiM_8OetNwJ_BHbf4c991BiU) + +Guardrails reports two notifications related to the bucket creation. `RESOURCE CREATED` indicates discovery of the bucket. `RESOURCE UPDATED` indicates that Guardrails has processed the bucket. +

aws_start_2_resource_activities_initial_notifications


+ +Click into the `RESOURCE UPDATED` notification. +

aws_start_2_bucket_tbd_to_ok


+ + + +Here you can see a transition from `TBD` to `OK`. That applies to the CMDB control for the bucket. Click the `Control` tab for more detail. +

aws_start_2_bucket_cmdb_control_ok


+ +Just as the CMDB control for your account went from `TBD` to `OK` when you [imported your account](), the CMDB control that was instantiated for this bucket went from `TBD` to `OK` once Guardrails completed its discovery of the bucket. + +### Step 3: See Guardrails react to a bucket change + +  +Now visit your bucket in the AWS console, choose the `Properties` tab, and enable versioning. +

aws_start_2_enable_versioning_to_observe_change


+ +Revisit `Reports > Resource Activities`, and reapply the `Resource Type` filter as `AWS > S3 > Bucket`. +

aws_start_2_resource_activities_with_change_detected


+ +Click into the new notification for your bucket, and scroll down in the diff to see the change that Guardrails has recorded. +

aws_start_2_diff_the_first_change


+ +We’ve now seen how Guardrails detects the creation of a new resource in a connected account, and also notices and records changes to the configuration of that resource. + +Next we’ll explore how to set a policy that requires buckets to enable versioning. + + +## Runbook Progress Tracker + +1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) + +2. **Observe AWS activity** + +3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) + +4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) + +5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) + +6. [Send an alert to email](/guardrails/docs/integrations/aws/getting-started-aws/send_alert_to_email) + +7. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) + +8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement) diff --git a/docs/integrations/aws/getting-started-aws/review_and_test_control.md b/docs/integrations/aws/getting-started-aws/review_and_test_control.md deleted file mode 100644 index 31327ff0..00000000 --- a/docs/integrations/aws/getting-started-aws/review_and_test_control.md +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -title: "Review and test a Guardrails AWS control" -template: Documentation -nav: -  title: "Review and test a control" ---- - - -# Review and test a Guardrails AWS control - -## Introduction - -**Purpose**: This runbook shows a cloud engineer or DevOps specialist how to review and test an AWS control and its associated  policies. - -**Prerequisites**: - --  [Connect an AWS account to Guardrails with readonly permissions]() - -## Procedure - -### Step 1: Observe a control in the OK state - -Create an AWS S3 bucket, and verify that `Block public access` is on. -

aws_start_1_aws_bucket_default

- -Go to the `Reports` tab at the top of the Guardrails console, then search for `Controls by Control Type`. - -Search for your bucket and  `public access`. -

aws_start_1_aws_search_for_bucket

- - - -Click the bucket name to view the `Public Access Block` control for that bucket. -

aws_start_1_public_access_block_control_initial_green

- -Click the `Policies` tab to review the associated policy. The value is `Check` which means Guardrails will check that the bucket blocks public access and report `OK` if so. Otherwise, it will raise an `Alarm`. No actions will be taken on the bucket in `Check` mode. -

aws_start_1_public_access_block_policy

- -### Step 2: Put the control into Alarm - -Go back to the AWS console and turn off `Block all public access` -

aws_start_1_console_unblock_public_access

- -In Guardrails, go back to the `Control` tab. In a few minutes, the control will go to `Alarm`. -

aws_start_1_public_access_block_control_is_red

- -Why not immediately? In the [prerequisite runbook]() we connected Guardrails to your AWS account in readonly mode which means Guardrails can observe, but not act in, your account. In that ReadOnly configuration, Guardrails polls for changes at one minute intervals. Event Handlers offer lower latency but require write access into the account. To enable event-handling, so that Guardrails reacts immediately to changes, see  [this runbook](). - -Click the `Activity` tab to see that Guardrails has logged the transition from `OK` to `Alarm`. -

aws_start_1_public_access_block_notification_ok_to_alarm

- - -### Step 3: Restore the control to OK - - -Now revisit the AWS console and enable `Block all public access` again for your bucket. - -As soon as Guardrails notices the change, the control is again green. -

aws_start_1_public_access_block_notification_alarm_to_ok

- - - - - -## Runbook Progress Tracker - -1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account) - -2. **Review and test a Guardrails AWS control** - -3. [Enable event handlers for fast change detection](/guardrails/docs/integrations/aws/getting-started-aws/enable_event_handlers) - -4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-aws/set_an_aws_policy) - -5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) - -6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) - -7. [Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-aws/set_alert_on_control) - -8. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) diff --git a/docs/integrations/aws/getting-started-aws/send_alert_to_email.md b/docs/integrations/aws/getting-started-aws/send_alert_to_email.md new file mode 100644 index 00000000..96f15163 --- /dev/null +++ b/docs/integrations/aws/getting-started-aws/send_alert_to_email.md 
@@ -0,0 +1,110 @@ +--- +title: "Send an alert to email" +template: Documentation +nav: +  title: "Send an alert to email" +--- + + +# Send an alert to email + +## Introduction + +**Purpose**: This runbook shows a Guardrails administrator how to notify by email on an alert. + +**Prerequisites**: + +- [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) +- [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) +- [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) +- [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) +- [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) + + +## Procedure + +### Step 1: Enable your workspace for notifications + + +To enable notifications for your workspace, set the `Turbot > Notifications` policy to `Enabled` at the root level of your workspace. +

aws_start_5_set_turbot_notifications_enabled


+ +### Step 2: Review the versioning control for your test bucket + +From the top-level `Controls` tab, search for `s3 bucket versioning`, find the row for your bucket (you can search, if needed), click into that row, and select the `Control` tab. The current value of the bucket’s `Environment` tag is `prod`, not `dev`, so the [calculated exception you created]() fails to match, and the bucket is in `Alarm`. + +![](https://lh7-us.googleusercontent.com/2iAl3prkkMJFxBsPWX7-VU2RIxIOSktpIVoj2gU3bRxMra6juDqk5KCQcTKgt1fNPvBk2Iot2db0DqDtZcRcTQAqlFWkwQOgOeio8teyy8FBP_zDpAH2fQi1LrOb_tqA-dsYhXCKrtmvInq8j7jssJc) + + + +### Step 3: Create a notification rule + +Click the top-level `Policies` tab, search for `rule-based routing`, click into the policy type `Turbot > Notifications > Rule-Based Routing`. + +Select `Turbot` as the resource. This policy must apply at that level. + +Enter these rules, along with one or more email addresses you want to notify. + +```yaml +- rules: | +          NOTIFY $.oldControl.state:alarm $.control.state:skipped +          NOTIFY $.oldControl.state:skipped $.control.state:alarm +  emails: +  - you@yourcompany.com +``` + +Click `Create`. +

aws_start_5_create_notification_rule


+ + +The rule will send an alert to the configured email address when the control’s state switches between `Alarm` and `Skipped`. + +### Step 4: Trigger the notification rule + +Now, in the AWS console, switch the `Environment` tag on your test bucket back to `dev`, and revisit the versioning control for the bucket. + +Click `View Log` to see notification details. +

aws_start_5_view_log_with_email_notification_1


+ + +Step 4: Check email + + +[image: aws_start_5_view_email_notification] + + +View the email in your inbox. + +[tbd] + + +### Step 4: Restore the calculated exception + +In the AWS console, restore the `SkipVersioning` tag to your test bucket. + +Watch the control log, and wait for Guardrails to notice the change. + +[image: aws_start_5_view_log_with_email_notification_2] + +[tbd] + +[[a]](#cmnt_ref1)@joe@turbot.com this was working on Friday, I didn't change notification rules or settings, do you know what's happening here? + + +## Runbook Progress Tracker + +1. [Connect an AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_an_account) + +2. [Observe AWS activity](/guardrails/docs/integrations/aws/getting-started-aws/observe_aws_activity) + +3. [Attach a Guardrails policy](/guardrails/docs/integrations/aws/getting-started-aws/attach_a_policy) + +4. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) + +5. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) + +6. **Send an alert to email** + +7. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) + +8. [Enable enforcement](/guardrails/docs/integrations/aws/getting-started-aws/enable_enforcement) diff --git a/docs/integrations/aws/getting-started-aws/set_alert_on_control.md b/docs/integrations/aws/getting-started-aws/set_alert_on_control.md deleted file mode 100644 index 449806a6..00000000 --- a/docs/integrations/aws/getting-started-aws/set_alert_on_control.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: "Set an alert on an AWS Guardrails control" -template: Documentation -nav: -  title: "Set an alert on a control" ---- - - -# Set an alert on an AWS Guardrails control - -## Introduction - -**Purpose**: This runbook shows a Guardrails administrator how to notify by email on an alert. - -**Prerequisites**: - -- [Connect an AWS account to Guardrails with readonly permissions]() - -- [Review and test a Guardrails AWS control]() - -- [Enable event handlers for fast change detection]() - -- [Set a Guardrails policy for AWS resources]() - -- [Create a static exception to a Guardrails AWS policy]() - -- [Create a calculated exception to a Guardrails AWS policy]() - -## Procedure - -### Step 1: Enable your workspace for notifications - - -To enable notifications for your workspace, set the `Turbot > Notifications` policy to `Enabled` at the root level of your workspace. -

aws_start_5_set_turbot_notifications_enabled

- -### Step 2: Create a notification rule - -Click the top-level `Policies` tab, search for `rule-based routing`, click into the policy type `Turbot > Notifications > Rule-Based Routing`. - -Select `Turbot` as the resource. This policy must apply at that level. - -Enter these rules, along with one or more email addresses you want to notify. - -```yaml -- rules: | -          NOTIFY $.oldControl.state:alarm $.control.state:skipped -          NOTIFY $.oldControl.state:skipped $.control.state:alarm -  emails: -  - you@yourcompany.com -``` - -Click `Create`. -

aws_start_5_create_notification_rule

- - -### Step 3: Trigger the notification rule - -In [Set a Guardrails policy for AWS resources]() you set a Sandbox-level policy to override the default setting for S3 bucket versioning from `Skip` to `Check: Enabled`. - -Then, in [Create a calculated exception]() you refined that policy at the AWS account level. The superseding policy exempts buckets from the Sandbox-level `Check: Enabled` if they are tagged with `SkipVersioning`. - -To find your test bucket, use the top-level `Controls` tab, search for `s3 bucket versioning`, click the `Controls` tab, and verify that it’s in the `Skipped` state. -

aws_start_5_verify_control_skipped

- -Now, in the AWS console, visit your test bucket and remove the `SkipVersioning` tag. When Guardrails notices the change, the versioning policy will revert to the ancestor `Check: Enabled` setting and – because we left the bucket in its default state, with versioning suspended – the bucket will be in `Alarm`. -

aws_start_5_verify_control_alarm

-Click `View Log` to see notification details. -

aws_start_5_view_log_with_email_notification_1

- - -The log reports that the control is in `Alarm` because the Sandbox-level `Check: Enabled` policy is no longer overridden by the account-level calculated exception. And it shows that an email notification was sent to the email address you specified in the routing rule. - - - -### Step 4: Check email -

aws_start_5_view_email_notification

- - -### Step 4: Restore the calculated exception - -In the AWS console, restore the `SkipVersioning` tag to your test bucket. - -Watch the control log, and wait for Guardrails to notice the change. -

aws_start_5_view_log_with_email_notification_2

- -Note that the message includes `Quick Actions` to enable or disable versioning. We’ll explore that mechanism in the next runbook. - - -## Runbook Progress Tracker - -1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account) - -2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-aws/review_and_test_control) - -3. [Enable event handlers for fast change detection](/guardrails/docs/integrations/aws/getting-started-aws/enable_event_handlers) - -4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-aws/set_an_aws_policy) - -5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) - -6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) - -7. **Set an alert on an AWS Guardrails control** - -8. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) diff --git a/docs/integrations/aws/getting-started-aws/set_an_aws_policy.md b/docs/integrations/aws/getting-started-aws/set_an_aws_policy.md deleted file mode 100644 index f8a73e12..00000000 --- a/docs/integrations/aws/getting-started-aws/set_an_aws_policy.md +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -title: "Set a Guardrails policy for AWS resources" -template: Documentation -nav: -  title: "Set an AWS Policy" ---- - - -# Set a Guardrails policy for AWS resources - -## Introduction - -**Purpose**: This runbook shows a Guardrails administrator how to set a policy for a type of AWS resource.   - -**Prerequisites**: - -- [Connect an AWS account to Guardrails with readonly permissions]() - --  [Review and test a Guardrails AWS control]() - -- [Enable event handlers for fast change detection]() - -## Procedure - -### Step 1: Observe a policy type and an S3 bucket unaffected by the policy - -Check the properties of the bucket you created in [Review and test a Guardrails AWS control]().  Unless you changed the default, bucket versioning is disabled. -

aws_start_2_bucket_versioning_disabled

- - -Now, in Guardrails, search for `aws bucket versioning`. -

aws_start_2_search_bucket_versioning_no_policy

- -There’s a policy type, `AWS > S3 > Bucket > Versioning`, but the control that’s instantiated for that policy type – for each of your buckets – is in the skipped state by default. Guardrails won’t apply that policy to your buckets. - -### Step 2: Create a policy setting to check bucket versioning - -Click into the `AWS > S3 > Bucket > Versioning` policy type, and click `New Policy Setting`. -

aws_start_2_bucket_versioning_new_policy_setting

- -Choose your Sandbox, select `Check: Enabled`, and click `Create`. -

aws_start_2_bucket_versioning_create_policy_setting

- -On the policy setting page, click the `Hierarchy` tab. Here you can see that the new setting, applied at the level of your Sandbox, overrides the default value `Skip`. And you can see that no intermediate levels touch this policy setting. -

aws_start_2_bucket_versioning_policy_hierarchy

- -### Step 3: Observe the effect of the policy setting - -Now search again for `aws bucket versioning` and wait for the bar to turn red. -

aws_start_2_search_bucket_versioning_with_policy

- -The control that’s instantiated for that policy type – for each of your buckets – is now in `Alarm`. Click the red bar to see details for all your buckets. -

aws_start_2_bucket_versioning_alarm

- -Now enable bucket versioning for your test bucket, click into its detail page, select the `Activity` tab, and wait for the control to go green. -

aws_start_2_bucket_versioning_ok

- - - -Note two transitions, first from `Skipped` to `Alarm` (when you set the policy) and then from `Alarm` to `OK` (when you turned on versioning). - - - - - -## Runbook Progress Tracker - -1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-aws/connect_readonly_aws_account) - -2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-aws/review_and_test_control) - -3. [Enable event handlers for fast change detection](/guardrails/docs/integrations/aws/getting-started-aws/enable_event_handlers) - -4. **Set a Guardrails policy for AWS resources** - -5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_static_exception) - -6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-aws/create_calculated_exception) - -7. [Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-aws/set_alert_on_control) - -8. [Apply a Quick Action](/guardrails/docs/integrations/aws/getting-started-aws/apply_quick_action) diff --git a/docs/sidebar.json b/docs/sidebar.json index ca56e1cd..4d99f6ee 100644 --- a/docs/sidebar.json +++ b/docs/sidebar.json 
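Review bot: the eight images this deleted page embedded (`aws_start_2_bucket_versioning_disabled`, `aws_start_2_search_bucket_versioning_no_policy`, `aws_start_2_bucket_versioning_new_policy_setting`, `aws_start_2_bucket_versioning_create_policy_setting`, `aws_start_2_bucket_versioning_policy_hierarchy`, `aws_start_2_search_bucket_versioning_with_policy`, `aws_start_2_bucket_versioning_alarm`, `aws_start_2_bucket_versioning_ok`) are not removed anywhere in this patch, so they are left as orphans under `images/runbook/` unless the new `attach_a_policy` page reuses them; either delete them in the same change or confirm the references. Also worth checking that the replacement page keeps the two points this walkthrough made explicit: `AWS > S3 > Bucket > Versioning` defaults to `Skip`, so the per-bucket control sits in `Skipped` and is not evaluated until a setting overrides it, and the Sandbox-level setting then moves the control from `Skipped` to `Alarm` and, once versioning is enabled on the bucket, to `OK`. The new `aws_start_3_versioning_set_to_skip_overview.png` and `aws_start_3_sandbox_level_policy_in_hierarchy.png` captures suggest the new page covers this, but the prose should state the default and the override, not just show it.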
@@ -194,14 +194,14 @@ "id": "getting-started-readonly", "link": "integrations/aws/getting-started-aws", "items": [ - "integrations/aws/getting-started-aws/connect_readonly_aws_account", - "integrations/aws/getting-started-aws/review_and_test_control", - "integrations/aws/getting-started-aws/enable_event_handlers", - "integrations/aws/getting-started-aws/set_an_aws_policy", + "integrations/aws/getting-started-aws/connect_an_account", + "integrations/aws/getting-started-aws/observe_aws_activity", + "integrations/aws/getting-started-aws/attach_a_policy", "integrations/aws/getting-started-aws/create_static_exception", "integrations/aws/getting-started-aws/create_calculated_exception", - "integrations/aws/getting-started-aws/set_alert_on_control", - "integrations/aws/getting-started-aws/apply_quick_action" + "integrations/aws/getting-started-aws/send_alert_to_email", + "integrations/aws/getting-started-aws/apply_quick_action", + "integrations/aws/getting-started-aws/enable_enforcement" ] }, { diff --git a/images/runbook/aws_start_0_account_cmdb.png b/images/runbook/aws_start_1_account_cmdb.png similarity index 100% rename from images/runbook/aws_start_0_account_cmdb.png rename to images/runbook/aws_start_1_account_cmdb.png diff --git a/images/runbook/aws_start_1_aws_bucket_default.png b/images/runbook/aws_start_1_aws_bucket_default.png deleted file mode 100644 index 84841772..00000000 Binary files a/images/runbook/aws_start_1_aws_bucket_default.png and /dev/null differ diff --git a/images/runbook/aws_start_0_aws_progress_bar.png b/images/runbook/aws_start_1_aws_progress_bar.png similarity index 100% rename from images/runbook/aws_start_0_aws_progress_bar.png rename to images/runbook/aws_start_1_aws_progress_bar.png diff --git a/images/runbook/aws_start_1_aws_search_for_bucket.png b/images/runbook/aws_start_1_aws_search_for_bucket.png deleted file mode 100644 index 6094239c..00000000 Binary files a/images/runbook/aws_start_1_aws_search_for_bucket.png and /dev/null differ 
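Review bot: `integrations/aws/getting-started-aws/enable_enforcement` is added to the sidebar, but no `enable_enforcement.md` appears among the files changed in the part of this patch I can see, so the new nav entry will resolve to a missing page unless that file lands elsewhere; add it in the same change or hold the sidebar entry until it exists. Minor: the group `id` stays `getting-started-readonly` while the read-only account page is replaced by `connect_an_account` and the flow now ends with an enforcement step, so the id no longer describes the section.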
diff --git a/images/runbook/aws_start_1_console_unblock_public_access.png b/images/runbook/aws_start_1_console_unblock_public_access.png deleted file mode 100644 index 24c62eda..00000000 Binary files a/images/runbook/aws_start_1_console_unblock_public_access.png and /dev/null differ diff --git a/images/runbook/aws_start_0_create_role_1.png b/images/runbook/aws_start_1_create_role_1.png similarity index 100% rename from images/runbook/aws_start_0_create_role_1.png rename to images/runbook/aws_start_1_create_role_1.png diff --git a/images/runbook/aws_start_0_create_role_2.png b/images/runbook/aws_start_1_create_role_2.png similarity index 100% rename from images/runbook/aws_start_0_create_role_2.png rename to images/runbook/aws_start_1_create_role_2.png diff --git a/images/runbook/aws_start_1_public_access_block_control_initial_green.png b/images/runbook/aws_start_1_public_access_block_control_initial_green.png deleted file mode 100644 index 4448e61c..00000000 Binary files a/images/runbook/aws_start_1_public_access_block_control_initial_green.png and /dev/null differ diff --git a/images/runbook/aws_start_1_public_access_block_control_is_red.png b/images/runbook/aws_start_1_public_access_block_control_is_red.png deleted file mode 100644 index e71f21c7..00000000 Binary files a/images/runbook/aws_start_1_public_access_block_control_is_red.png and /dev/null differ diff --git a/images/runbook/aws_start_1_public_access_block_notification_alarm_to_ok.png b/images/runbook/aws_start_1_public_access_block_notification_alarm_to_ok.png deleted file mode 100644 index 27d5de82..00000000 Binary files a/images/runbook/aws_start_1_public_access_block_notification_alarm_to_ok.png and /dev/null differ 
diff --git a/images/runbook/aws_start_1_public_access_block_notification_ok_to_alarm.png b/images/runbook/aws_start_1_public_access_block_notification_ok_to_alarm.png deleted file mode 100644 index 8b91f823..00000000 Binary files a/images/runbook/aws_start_1_public_access_block_notification_ok_to_alarm.png and /dev/null differ diff --git a/images/runbook/aws_start_1_public_access_block_policy.png b/images/runbook/aws_start_1_public_access_block_policy.png deleted file mode 100644 index 2877895d..00000000 Binary files a/images/runbook/aws_start_1_public_access_block_policy.png and /dev/null differ diff --git a/images/runbook/aws_start_0_ready_to_import.png b/images/runbook/aws_start_1_ready_to_import.png similarity index 100% rename from images/runbook/aws_start_0_ready_to_import.png rename to images/runbook/aws_start_1_ready_to_import.png diff --git a/images/runbook/aws_start_0_review_trust_policy.png b/images/runbook/aws_start_1_review_trust_policy.png similarity index 100% rename from images/runbook/aws_start_0_review_trust_policy.png rename to images/runbook/aws_start_1_review_trust_policy.png diff --git a/images/runbook/aws_start_0_top_level_connect.png b/images/runbook/aws_start_1_top_level_connect.png similarity index 100% rename from images/runbook/aws_start_0_top_level_connect.png rename to images/runbook/aws_start_1_top_level_connect.png diff --git a/images/runbook/aws_start_2_bucket_cmdb_control_ok.png b/images/runbook/aws_start_2_bucket_cmdb_control_ok.png new file mode 100644 index 00000000..7edffe1e Binary files /dev/null and b/images/runbook/aws_start_2_bucket_cmdb_control_ok.png differ diff --git a/images/runbook/aws_start_2_bucket_tbd_to_ok.png b/images/runbook/aws_start_2_bucket_tbd_to_ok.png new file mode 100644 index 00000000..7befbd95 Binary files /dev/null and b/images/runbook/aws_start_2_bucket_tbd_to_ok.png differ 
diff --git a/images/runbook/aws_start_2_click_chart_icon_to_open_reports.png b/images/runbook/aws_start_2_click_chart_icon_to_open_reports.png new file mode 100644 index 00000000..78705f46 Binary files /dev/null and b/images/runbook/aws_start_2_click_chart_icon_to_open_reports.png differ diff --git a/images/runbook/aws_start_2_create_bucket_name.png b/images/runbook/aws_start_2_create_bucket_name.png new file mode 100644 index 00000000..66f473e1 Binary files /dev/null and b/images/runbook/aws_start_2_create_bucket_name.png differ diff --git a/images/runbook/aws_start_2_create_bucket_versioning.png b/images/runbook/aws_start_2_create_bucket_versioning.png new file mode 100644 index 00000000..06478d51 Binary files /dev/null and b/images/runbook/aws_start_2_create_bucket_versioning.png differ diff --git a/images/runbook/aws_start_2_diff_the_first_change.png b/images/runbook/aws_start_2_diff_the_first_change.png new file mode 100644 index 00000000..82133375 Binary files /dev/null and b/images/runbook/aws_start_2_diff_the_first_change.png differ diff --git a/images/runbook/aws_start_2_enable_versioning_to_observe_change.png b/images/runbook/aws_start_2_enable_versioning_to_observe_change.png new file mode 100644 index 00000000..caa36b4d Binary files /dev/null and b/images/runbook/aws_start_2_enable_versioning_to_observe_change.png differ diff --git a/images/runbook/aws_start_2_filter_resource_activities_by_aws_s3_bucket.png b/images/runbook/aws_start_2_filter_resource_activities_by_aws_s3_bucket.png new file mode 100644 index 00000000..e2bfa901 Binary files /dev/null and b/images/runbook/aws_start_2_filter_resource_activities_by_aws_s3_bucket.png differ diff --git a/images/runbook/aws_start_2_resource_activities_initial_notifications.png b/images/runbook/aws_start_2_resource_activities_initial_notifications.png new file mode 100644 index 00000000..76a91757 Binary files /dev/null and b/images/runbook/aws_start_2_resource_activities_initial_notifications.png differ 
diff --git a/images/runbook/aws_start_2_resource_activities_with_change_detected.png b/images/runbook/aws_start_2_resource_activities_with_change_detected.png new file mode 100644 index 00000000..120e3800 Binary files /dev/null and b/images/runbook/aws_start_2_resource_activities_with_change_detected.png differ diff --git a/images/runbook/aws_start_2_select_resource_activities.png b/images/runbook/aws_start_2_select_resource_activities.png new file mode 100644 index 00000000..b841db79 Binary files /dev/null and b/images/runbook/aws_start_2_select_resource_activities.png differ diff --git a/images/runbook/aws_start_3_bucket_now_in_alarm.png b/images/runbook/aws_start_3_bucket_now_in_alarm.png new file mode 100644 index 00000000..a791469a Binary files /dev/null and b/images/runbook/aws_start_3_bucket_now_in_alarm.png differ diff --git a/images/runbook/aws_start_3_bucket_skipped_to_ok.png b/images/runbook/aws_start_3_bucket_skipped_to_ok.png new file mode 100644 index 00000000..8ae1db54 Binary files /dev/null and b/images/runbook/aws_start_3_bucket_skipped_to_ok.png differ diff --git a/images/runbook/aws_start_3_create_policy_setting.png b/images/runbook/aws_start_3_create_policy_setting.png new file mode 100644 index 00000000..b3fc3685 Binary files /dev/null and b/images/runbook/aws_start_3_create_policy_setting.png differ diff --git a/images/runbook/aws_start_3_edit_attachments_select_baseline.png b/images/runbook/aws_start_3_edit_attachments_select_baseline.png new file mode 100644 index 00000000..5842bea6 Binary files /dev/null and b/images/runbook/aws_start_3_edit_attachments_select_baseline.png differ diff --git a/images/runbook/aws_start_3_edit_ready_to_create_policy_setting.png b/images/runbook/aws_start_3_edit_ready_to_create_policy_setting.png new file mode 100644 index 00000000..c90eb30b Binary files /dev/null and b/images/runbook/aws_start_3_edit_ready_to_create_policy_setting.png differ 
diff --git a/images/runbook/aws_start_3_find_policy_packs_manage.png b/images/runbook/aws_start_3_find_policy_packs_manage.png new file mode 100644 index 00000000..0b454721 Binary files /dev/null and b/images/runbook/aws_start_3_find_policy_packs_manage.png differ diff --git a/images/runbook/aws_start_3_review_bucket_versioning.png b/images/runbook/aws_start_3_review_bucket_versioning.png new file mode 100644 index 00000000..7d1ba824 Binary files /dev/null and b/images/runbook/aws_start_3_review_bucket_versioning.png differ diff --git a/images/runbook/aws_start_3_sandbox_level_policy_in_hierarchy.png b/images/runbook/aws_start_3_sandbox_level_policy_in_hierarchy.png new file mode 100644 index 00000000..e958875b Binary files /dev/null and b/images/runbook/aws_start_3_sandbox_level_policy_in_hierarchy.png differ diff --git a/images/runbook/aws_start_3_search_bucket_versioning.png b/images/runbook/aws_start_3_search_bucket_versioning.png new file mode 100644 index 00000000..2edab0e7 Binary files /dev/null and b/images/runbook/aws_start_3_search_bucket_versioning.png differ diff --git a/images/runbook/aws_start_3_versioning_set_to_skip_overview.png b/images/runbook/aws_start_3_versioning_set_to_skip_overview.png new file mode 100644 index 00000000..2da25374 Binary files /dev/null and b/images/runbook/aws_start_3_versioning_set_to_skip_overview.png differ diff --git a/images/runbook/aws_start_3_view_bucket_controls.png b/images/runbook/aws_start_3_view_bucket_controls.png new file mode 100644 index 00000000..b51a8155 Binary files /dev/null and b/images/runbook/aws_start_3_view_bucket_controls.png differ diff --git a/images/runbook/aws_start_3_view_bucket_versioning_no_policy.png b/images/runbook/aws_start_3_view_bucket_versioning_no_policy.png new file mode 100644 index 00000000..1a0277d6 Binary files /dev/null and b/images/runbook/aws_start_3_view_bucket_versioning_no_policy.png differ 
diff --git a/images/runbook/aws_start_4_find_bucket_to_review_activity.png b/images/runbook/aws_start_4_find_bucket_to_review_activity.png new file mode 100644 index 00000000..d481f980 Binary files /dev/null and b/images/runbook/aws_start_4_find_bucket_to_review_activity.png differ diff --git a/images/runbook/aws_start_4_find_the_bucket.png b/images/runbook/aws_start_4_find_the_bucket.png new file mode 100644 index 00000000..582c48e5 Binary files /dev/null and b/images/runbook/aws_start_4_find_the_bucket.png differ diff --git a/images/runbook/aws_start_4_hierarchy_with_bucket_exception.png b/images/runbook/aws_start_4_hierarchy_with_bucket_exception.png new file mode 100644 index 00000000..baed7678 Binary files /dev/null and b/images/runbook/aws_start_4_hierarchy_with_bucket_exception.png differ diff --git a/images/runbook/aws_start_4_observe_bucket_policy.png b/images/runbook/aws_start_4_observe_bucket_policy.png new file mode 100644 index 00000000..0dae46a1 Binary files /dev/null and b/images/runbook/aws_start_4_observe_bucket_policy.png differ diff --git a/images/runbook/aws_start_4_observe_bucket_policy_details.png b/images/runbook/aws_start_4_observe_bucket_policy_details.png new file mode 100644 index 00000000..c3c4d277 Binary files /dev/null and b/images/runbook/aws_start_4_observe_bucket_policy_details.png differ diff --git a/images/runbook/aws_start_4_ready_to_create_policy_setting.png b/images/runbook/aws_start_4_ready_to_create_policy_setting.png new file mode 100644 index 00000000..bdf49165 Binary files /dev/null and b/images/runbook/aws_start_4_ready_to_create_policy_setting.png differ diff --git a/images/runbook/aws_start_4_review_bucket_activity.png b/images/runbook/aws_start_4_review_bucket_activity.png new file mode 100644 index 00000000..9ed6fb04 Binary files /dev/null and b/images/runbook/aws_start_4_review_bucket_activity.png differ 
diff --git a/images/runbook/aws_start_5_calc_policy_ready_to_get_bucket.png b/images/runbook/aws_start_5_calc_policy_ready_to_get_bucket.png new file mode 100644 index 00000000..fceb7e23 Binary files /dev/null and b/images/runbook/aws_start_5_calc_policy_ready_to_get_bucket.png differ diff --git a/images/runbook/aws_start_5_enable_calculated_mode.png b/images/runbook/aws_start_5_enable_calculated_mode.png new file mode 100644 index 00000000..0c4da00f Binary files /dev/null and b/images/runbook/aws_start_5_enable_calculated_mode.png differ diff --git a/images/runbook/aws_start_5_initial_get_bucket_query.png b/images/runbook/aws_start_5_initial_get_bucket_query.png new file mode 100644 index 00000000..b39e0489 Binary files /dev/null and b/images/runbook/aws_start_5_initial_get_bucket_query.png differ diff --git a/images/runbook/aws_start_5_initial_get_bucket_query_finds_tag.png b/images/runbook/aws_start_5_initial_get_bucket_query_finds_tag.png new file mode 100644 index 00000000..0f3e8bde Binary files /dev/null and b/images/runbook/aws_start_5_initial_get_bucket_query_finds_tag.png differ diff --git a/images/runbook/aws_start_5_ready_to_launch_calculated_policy_builder.png b/images/runbook/aws_start_5_ready_to_launch_calculated_policy_builder.png new file mode 100644 index 00000000..315434d3 Binary files /dev/null and b/images/runbook/aws_start_5_ready_to_launch_calculated_policy_builder.png differ diff --git a/images/runbook/aws_start_5_review_bucket_level_policy.png b/images/runbook/aws_start_5_review_bucket_level_policy.png new file mode 100644 index 00000000..baed7678 Binary files /dev/null and b/images/runbook/aws_start_5_review_bucket_level_policy.png differ diff --git a/images/runbook/aws_start_5_review_policy_settings.png b/images/runbook/aws_start_5_review_policy_settings.png new file mode 100644 index 00000000..0076c51b Binary files /dev/null and b/images/runbook/aws_start_5_review_policy_settings.png differ 
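Review bot: `aws_start_5_review_bucket_level_policy.png` is added with blob `baed7678`, the same content as `aws_start_4_hierarchy_with_bucket_exception.png` added just above, so the repo gains two identical binaries; reference the existing file from the calculated-exception page instead, or, if the runbook 5 screenshot is meant to show the hierarchy with the calculated value rather than the static exception, replace this one with the correct capture.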
diff --git a/images/runbook/aws_start_5_search_controls_for_bucket_versioning.png b/images/runbook/aws_start_5_search_controls_for_bucket_versioning.png new file mode 100644 index 00000000..c833f174 Binary files /dev/null and b/images/runbook/aws_start_5_search_controls_for_bucket_versioning.png differ diff --git a/images/runbook/aws_start_5_search_policy_types_for_bucket_versioning.png b/images/runbook/aws_start_5_search_policy_types_for_bucket_versioning.png new file mode 100644 index 00000000..ac4a67a7 Binary files /dev/null and b/images/runbook/aws_start_5_search_policy_types_for_bucket_versioning.png differ diff --git a/images/runbook/aws_start_5_tag_the_bucket.png b/images/runbook/aws_start_5_tag_the_bucket.png new file mode 100644 index 00000000..2d0570cf Binary files /dev/null and b/images/runbook/aws_start_5_tag_the_bucket.png differ diff --git a/images/runbook/aws_start_5_test_bucket_skipped_because_calculated_policy.png b/images/runbook/aws_start_5_test_bucket_skipped_because_calculated_policy.png new file mode 100644 index 00000000..e6d60404 Binary files /dev/null and b/images/runbook/aws_start_5_test_bucket_skipped_because_calculated_policy.png differ diff --git a/images/runbook/aws_start_5_update_policy_setting_with_calc_value.png b/images/runbook/aws_start_5_update_policy_setting_with_calc_value.png new file mode 100644 index 00000000..7286ad82 Binary files /dev/null and b/images/runbook/aws_start_5_update_policy_setting_with_calc_value.png differ diff --git a/images/runbook/aws_start_5_use_template_to_check_for_tag.png b/images/runbook/aws_start_5_use_template_to_check_for_tag.png new file mode 100644 index 00000000..3801ae37 Binary files /dev/null and b/images/runbook/aws_start_5_use_template_to_check_for_tag.png differ 
diff --git a/images/runbook/aws_start_5_use_template_to_output_skip.png b/images/runbook/aws_start_5_use_template_to_output_skip.png new file mode 100644 index 00000000..a42d50e2 Binary files /dev/null and b/images/runbook/aws_start_5_use_template_to_output_skip.png differ diff --git a/images/runbook/aws_start_5_view_log_with_email_notification_1.png b/images/runbook/aws_start_5_view_log_with_email_notification_1.png index a6a59e6c..c824a700 100644 Binary files a/images/runbook/aws_start_5_view_log_with_email_notification_1.png and b/images/runbook/aws_start_5_view_log_with_email_notification_1.png differ diff --git a/images/runbook/aws_start_enable_event_handlers.png b/images/runbook/aws_start_enable_event_handlers.png deleted file mode 100644 index 8b86b2a3..00000000 Binary files a/images/runbook/aws_start_enable_event_handlers.png and /dev/null differ diff --git a/images/runbook/aws_start_observe_event_handlers_in_action.png b/images/runbook/aws_start_observe_event_handlers_in_action.png deleted file mode 100644 index c38d1be6..00000000 Binary files a/images/runbook/aws_start_observe_event_handlers_in_action.png and /dev/null differ diff --git a/images/runbook/aws_start_role_permissions_for_event_handlers.png b/images/runbook/aws_start_role_permissions_for_event_handlers.png deleted file mode 100644 index bcf2f295..00000000 Binary files a/images/runbook/aws_start_role_permissions_for_event_handlers.png and /dev/null differ
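Review bot: the `aws_start_N_` prefix no longer matches the renumbered sidebar order for `aws_start_5_view_log_with_email_notification_1.png`, which is modified in place here even though `send_alert_to_email` is now the sixth runbook and the `aws_start_5_` prefix is otherwise used for the calculated-exception captures; rename it to `aws_start_6_view_log_with_email_notification_1.png` alongside the other renames in this patch so the numbering stays navigable. The three deleted event-handler images (`aws_start_enable_event_handlers.png`, `aws_start_observe_event_handlers_in_action.png`, `aws_start_role_permissions_for_event_handlers.png`) are consistent with `enable_event_handlers` dropping out of the sidebar, provided no surviving page such as `observe_aws_activity` still embeds them.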