Guardrails for CloudCheckr

CloudCheckr Integration Overview

Turbot Guardrails for CloudCheckr provide a central management of many CloudCheckr configurations which maintains a consistent administration of options and user management models across other AWS and integrated services. Turbot Guardrails for CloudCheckr provide simple setup and continuous management of CloudCheckr accounts synced with your AWS accounts, extending user management with CloudCheckr/* roles for permanent or temporary access per Turbot cluster or account, and setup of CloudCheckr multi-account views.

Overview of Features:

  • Automated Account Sync
    • Keep Turbot / AWS Accounts in sync with CloudCheckr Accounts
    • Ability to globally sync all accounts or specific accounts
  • Automated User Sync
    • Extend IAM model from AD to include CloudCheckr
    • Simply assign CloudCheckr/SuperUser or CloudCheckr/ReadOnly
    • Permanent or Temporary access per Turbot cluster or account
  • Automated Multi-Account Views (MAVs)
    • Auto-creation of MAVs per Turbot Implementation & Clusters

How to Setup CloudCheckr Integration


You will first need to sign up for CloudCheckr, either contacting sales or sign up for a free trial.

Once you have an account; under Admin functions on your landing page, select the Admin API Access Keys selection from the drop down menu.

Select “Create New Admin Access Key”, name the Access Key, and then click on the “Create” button. Note the long access key string, this will be used later to input into Turbot.

Overview of Turbot CloudCheckr Options

  • CloudCheckr > App Enabled = Allows for Turbot to enable the integration and rest of options
  • CloudCheckr > Account Management = Allows for Turbot to sync your AWS Accounts as CloudCheckr Projects (Accounts).
  • CloudCheckr > Rights = Allows for Turbot manage users within CloudCheckr, Enabling this option allows for CloudCheckr/SuperUser and CloudCheckr/ReadOnly roles to be associated to users.
    • CloudCheckr/SuperUser Role = can be assigned at the Cluster Level Only. This role maps to the CloudCheckr Administrator permission.
    • CloudCheckr/ReadOnly = can be assigned at the Cluster or Account Level. This role maps to the CloudCheckr Basic User permission and automatically provides all applicable read permissions in the associated CloudCheckr Project (Account)
  • CloudCheckr > Secret Access Key = Input your CloudCheckr Admin API key here at the Cluster Level (not relevant at the Account Level)
  • CloudCheckr > AWS Account = backend Turbot controlled option to capture the associated account. You do not alter this option.
  • CloudCheckr > IAM Role External ID = backend Turbot controlled option to capture the CloudCheckr IAM role external ID. You do not alter this option.

Required Steps

To enable CloudCheckr, the following steps are recommended to take to enable the integration.

1) First, go to your Turbot Cluster level, then go to “Options”. Filter on CloudCheckr to see the applicable options. Set the following Options to the following settings: (note: this will preset the integration but turn it on until CloudCheckr > App Enabled is turned on)

  • CloudCheckr > Account Management = Enforce: Enabled if CloudCheckr > App Enabled
  • CloudCheckr > Rights = Enforce: Enabled if CloudCheckr > App Enabled
  • CloudCheckr > Secret Access Key = input the CloudCheckr Admin API Key acquired earlier.

2) Next, still within the Cluster Level, go to “Roles”. Assign at least one resource CloudCheckr/SuperUser grants. Active the grant immediately and set the permission not to expire. CloudCheckr requires at least one SuperUser (Administrator) for the integration to work. Feel free to add other SuperUsers and ReadOnly roles as applicable.

Note: once users are added to CloudCheckr, they will receive an automated e-mail asking them to activate their user and set a password for CloudCheckr. Users will then gain access to CloudCheckr directly through the site (unless you have setup SSO/SAML with CloudCheckr separately).

3) Once you have at least one Administrator defined, Account Management & Rights Enforced, and the Secret Access Key inputted; you can then Enable the integration.

Go back to your Options enable the following:

  • CloudCheckr > App Enabled = Enabled

Turbot will then automatically start adding IAM Cloudcheckr roles in each account, syncing your AWS accounts to CloudCheckr Projects, syncing users, and setting up Multi-Account Views. If interested, you can see Turbot in running these stacks and guardrails in action by watching the “Activity” tab at the cluster level. This will take a number of minutes to complete depending on the number of accounts you are syncing for the first time. CloudCheckr will then take a few few minutes to register items on their end. If time allows, after the 1st sync, allow 20-60 minutes for all automations in Turbot, AWS, and CloudCheckr to complete.

Optional Per Account Steps

Once CloudCheckr is setup at the cluster level, you can then enable or disable specific accounts from syncing, you can also specify individuals to only having access to CloudCheckr/ReadOnly per account.

To Disable an Account from Syncing in CloudCheckr: go to the applicable account in Turbot, go to “Options”, set CloudCheckr > Account Management = Disabled. Turbot will then remove the account from CloudCheckr immediately.

To add/remove a ReadOnly user per account: go to the applicable account in Turbot, go to “Roles”, go to the applicable user and add/remove the CloudCheckr/ReadOnly permission. Turbot will automatically add or remove the user’s rights to the account.

Manage Notifications per User

By default users will have all reports and notifications enabled in CloudCheckr. To turn off selected reports, you can edit your notification communications in each account, see the following CloudCheckr Help Article in the Notifications section for more information.

Setup Detailed Billing Reports

When your Consolidated Billing account syncs to CloudCheckr, as a CloudCheckr/SuperUser you can go into that CloudCheckr account, go to your Settings, and then setup your Detailed Billing Bucket settings.

Please feel free to reach out to Turbot Support through your Slack channel for further assistance – we are happy to help you setup the integration.

Was this article helpful?
0 out of 0 found this helpful