Turbot Grants Overview

The Turbot Grants model is a cleaner and more explicit separation of duties for how users are managed in Turbot. Before Grants, privileged user accounts for Turbot and AWS were not separate, which made it harder for larger cloud teams to follow the best practice of least privilege. For example, the old Turbot/Owner role is the equivalent of four grants: Turbot/Owner, Turbot/Admin, AWS/Owner and AWS/Admin. Other key separation-of-duties (SOD) enhancements include:

  • SuperUser is the highest role and is exempt from any controls.
  • Owner no longer includes Admin permissions; instead it inherits from Metadata.
  • AWS permissions are completely separate from Turbot permissions.

Before the Grants model, all user rights were permanent. With the Grants model, Owners can give individuals time-limited rights and can also schedule when a grant becomes active.

Time Limited Grants and Activation

An important concept in the Grants model is that granting a right is separate from activating the grant. For example, a user can be granted AWS/SuperUser for the cluster, but then activate that grant only for a specific AWS account and a specific time period. Grants and their activations can each be set to expire automatically, which opens up a new range of control around elevated permissions and time-limited access. Turbot users with appropriate permissions set these expiry times in the web interface, with no Lambda or CloudFormation scripting necessary.

This capability enables new options for user management, where individuals can be given temporary rights for defined periods. Use-case examples:

  • Enforce periodic review: Owners set expiry dates on the rights of individuals with elevated permissions, so no one holds permanent access without a periodic review. For example, an Owner grants Linux/Admin for 6 months; when the 6 months are up, Turbot raises an alarm about the expiration and can automatically revoke the grant if it is not renewed, forcing a real review of elevated access.
  • Manage shared-services access across multiple accounts: the cloud team sets temporary grants for a shared-services team. For example, the Linux operations team can hold the right to be Linux/Admin on all EC2 Linux instances, but the right is only activated for time-based sessions when they need to use it.
  • Manage short-term engagements: Grants suit collaboration patterns or development projects that are temporary. For example, if a development project with a software development partner is scheduled for 3 months, an Owner can grant AWS/Admin to the partner's application developers on a specific account for 3 months. After the 3 months the Owner can let the rights expire or extend them.
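The grant-versus-activation rule described above, as an added example that is not Turbot's own code: a minimal Python model in which a grant carries an optional expiry and an activation is a time-boxed window on a scope at or below the grant's scope. A right is usable on a resource only when a live activation covers the resource and a non-expired grant backs that activation, so an expired grant silently disables any activation that depends on it, and an activation of a right the user was never granted does nothing. The class names, the `cluster/<account>` scope paths, the `grants_expiring_within` review helper and the sample data are assumptions of this model, chosen to match the behaviour the text describes, not Turbot's implementation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set

UTC = timezone.utc


def ts(*ymdh: int) -> datetime:
    """UTC timestamp helper so sample data stays timezone-aware."""
    return datetime(*ymdh, tzinfo=UTC)


@dataclass(frozen=True)
class Grant:
    """A right granted to a user on a resource scope; expires=None means permanent."""
    user: str
    right: str                    # e.g. "AWS/SuperUser" or "Linux/Admin"
    scope: str                    # hypothetical path form: "cluster" or "cluster/<account>"
    expires: Optional[datetime]


@dataclass(frozen=True)
class Activation:
    """A time-boxed activation of a granted right, usually on a narrower scope than the grant."""
    user: str
    right: str
    scope: str
    starts: datetime
    ends: datetime


def covers(scope: str, resource: str) -> bool:
    """True when `resource` is `scope` itself or lies underneath it in the hierarchy."""
    return resource == scope or resource.startswith(scope + "/")


def grant_is_valid(grant: Grant, now: datetime) -> bool:
    return grant.expires is None or now < grant.expires


def activation_is_live(act: Activation, now: datetime) -> bool:
    return act.starts <= now < act.ends


def active_rights(user: str, resource: str, now: datetime,
                  grants: Iterable[Grant], activations: Iterable[Activation]) -> Set[str]:
    """Rights `user` can exercise on `resource` at `now`.

    Requires (1) a live activation covering the resource and (2) a non-expired grant
    for the same right whose scope covers the activation's scope (assumed rule: an
    activation can never exceed the grant it depends on).
    """
    rights: Set[str] = set()
    for act in activations:
        if act.user != user or not activation_is_live(act, now) or not covers(act.scope, resource):
            continue
        backing = [g for g in grants
                   if g.user == user and g.right == act.right
                   and grant_is_valid(g, now) and covers(g.scope, act.scope)]
        if backing:
            rights.add(act.right)
    return rights


def grants_expiring_within(grants: Iterable[Grant], now: datetime, days: int) -> List[Grant]:
    """Grants whose expiry falls inside the review window: alarm on these, then renew or let lapse."""
    horizon = now + timedelta(days=days)
    return [g for g in grants if g.expires is not None and now <= g.expires <= horizon]


# Constructed sample data (not from Turbot): one cluster-wide, time-limited grant and
# one permanent grant, plus two activations.
GRANTS = [
    Grant("alice", "AWS/SuperUser", "cluster", ts(2025, 1, 1)),
    Grant("bob", "Linux/Admin", "cluster", None),
]
ACTIVATIONS = [
    Activation("alice", "AWS/SuperUser", "cluster/acct-111", ts(2024, 6, 1, 9), ts(2024, 6, 1, 13)),
    # bob activates a right he was never granted: must not take effect
    Activation("bob", "AWS/Admin", "cluster/acct-111", ts(2024, 6, 1, 9), ts(2024, 6, 1, 13)),
]

if __name__ == "__main__":
    now = ts(2024, 6, 1, 10)
    print(active_rights("alice", "cluster/acct-111", now, GRANTS, ACTIVATIONS))  # {'AWS/SuperUser'}
    print(active_rights("alice", "cluster/acct-222", now, GRANTS, ACTIVATIONS))  # set()
    print(grants_expiring_within(GRANTS, ts(2024, 12, 15), days=30))             # [alice's grant]
```

The point of separating the two checks is that the cluster-wide grant never, by itself, yields a usable right: the blast radius at any moment is the activation's account and window, while the grant's own expiry is what the periodic review acts on.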

AWS IAM Management Improvements

With the Grants model, many improvements were made within Turbot to make life easier for Turbot administrators and users:

  • Simpler group names (e.g. s3_admin instead of abc-S3Admin-ABCD1234).
  • Automatic splitting of large permission lists across statements (e.g. whitelist).
  • Automatic splitting of large statement lists across policies (e.g. complex resource-based rules in lockdown).
  • Enable 20+ AWS services simultaneously (no more CloudFormation output limits).
  • IAM policies for all rights (e.g. s3_admin), for manual use with custom service roles.
  • True lockdown of IAM roles with complex resource-based policies (previously only whitelist).
  • AWS/SuperUser and AWS/Metadata are user permissions like all others; no more special user login via roles.
  • AWS/SuperUser can be granted on a per-account basis.
  • Rights are only created when they differ, reducing noise. For example, if Operator has the same permissions as Admin, only Operator is created.
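Two of the items above, splitting a large permission list across statements and splitting a long statement list across policies, are a generic technique for staying under AWS's documented managed-policy size quota (6,144 characters, with whitespace not counted). The following is an added example of that technique, not Turbot's code: `pack_policies` halves any statement that is too large on its longest list-valued field, then groups the resulting statements greedily into as many policy documents as needed. The function names and the constructed sample statements (synthetic action and bucket names) are mine. Splitting is only meaning-preserving for plain `Action`/`Resource` lists, which are unions; a statement using `NotAction` or `NotResource` is a complement and is rejected rather than split.

```python
import json
from typing import Dict, List, Tuple

# AWS quota for a managed policy; IAM does not count whitespace, so compact JSON is the measure.
MANAGED_POLICY_MAX_CHARS = 6144

PolicyDoc = Dict[str, object]


def policy_size(doc: PolicyDoc) -> int:
    """Size as IAM counts it: characters of the document with all whitespace removed."""
    return len(json.dumps(doc, separators=(",", ":")))


def _doc(statements: List[dict]) -> PolicyDoc:
    return {"Version": "2012-10-17", "Statement": statements}


def _split_once(stmt: dict) -> Tuple[dict, dict]:
    """Halve the longest list-valued field (Action or Resource); both halves keep every other field.

    Allow/Deny over plain Action and Resource lists are unions, so the two halves together
    mean exactly what the original meant. NotAction/NotResource are complements and would
    change meaning if halved, so they are refused.
    """
    if "NotAction" in stmt or "NotResource" in stmt:
        raise ValueError("refusing to split a NotAction/NotResource statement: halves would not be equivalent")
    key = max(("Action", "Resource"),
              key=lambda k: len(stmt[k]) if isinstance(stmt.get(k), list) else 0)
    values = stmt.get(key)
    if not isinstance(values, list) or len(values) < 2:
        raise ValueError("statement exceeds the size limit but has nothing left to split")
    mid = len(values) // 2
    return dict(stmt, **{key: values[:mid]}), dict(stmt, **{key: values[mid:]})


def split_statement(stmt: dict, limit: int) -> List[dict]:
    """Recursively split `stmt` until each piece fits alone in a document of at most `limit` chars."""
    if policy_size(_doc([stmt])) <= limit:
        return [stmt]
    left, right = _split_once(stmt)
    return split_statement(left, limit) + split_statement(right, limit)


def pack_policies(statements: List[dict], limit: int = MANAGED_POLICY_MAX_CHARS) -> List[PolicyDoc]:
    """Split oversized statements, then fill policy documents greedily in order under `limit`."""
    pieces = [p for stmt in statements for p in split_statement(stmt, limit)]
    docs: List[PolicyDoc] = []
    current: List[dict] = []
    for piece in pieces:
        if current and policy_size(_doc(current + [piece])) > limit:
            docs.append(_doc(current))
            current = []
        current.append(piece)  # always fits: split_statement guarantees a lone piece is under limit
    if current:
        docs.append(_doc(current))
    return docs


# Constructed sample (synthetic names, not real rights): a large whitelist-style Allow and a
# lockdown-style Deny listing many resource ARNs.
SAMPLE_STATEMENTS = [
    {"Effect": "Allow", "Action": [f"s3:Action{i:03d}" for i in range(120)], "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:*"],
     "Resource": [f"arn:aws:s3:::bucket-{i:03d}/*" for i in range(60)]},
]

if __name__ == "__main__":
    # A small limit forces both kinds of split to happen on the sample.
    for n, doc in enumerate(pack_policies(SAMPLE_STATEMENTS, limit=600), 1):
        print(f"policy {n}: {len(doc['Statement'])} statement(s), {policy_size(doc)} chars")
```

Two practitioner checks worth keeping in mind: every document produced still has to be attached to the role, and IAM caps the number of managed policies per role, so the number of documents is a second limit to watch; and because splitting is refused for `NotAction`/`NotResource`, a lockdown written as a complement has to be rewritten as explicit lists before it can be packed this way.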

Conclusion

Turbot Grants makes it even easier to manage user privileges across all of your AWS accounts, clearly delineates privileged account access to support separation of duties in large cloud teams, and enables a wide array of new collaboration and elevated-access use cases through time-limited Grants and Activations.
