Managing Policies & Exceptions

Exceptions in Turbot are enforced settings that are inherited lower in the Resource hierarchy. With appropriate permissions, a Turbot/Admin can make an exception on a policy.

Users with Turbot/Metadata or higher can view the policies in Turbot. Depending on their level of access (e.g. Cluster or Account), they can view the tiers applicable to them. To alter policies, a user needs at least Turbot/Admin permissions.

Background information: Turbot Guardrails Policy Engine Overview

Turbot Policies Page Overview

The Policies page can be accessed from different layers of the hierarchy. Navigate to the home page of the Turbot Console and click on the Cluster level (if you have access), or select your Account from the drop-down.

Select account

From the Account Dashboard page, click on the Policies tab.

Select Policies tab

On the Policies page, you can see the list of policies that can be set across the account. You can filter by:

  • Important
  • Exceptions & orphans for this level
  • Exceptions & orphans for this level & below
  • Set at this level
  • All relevant to this level
  • All visible at this level

Policies list filter

Setting a Turbot Policy

When setting a policy, click on the resource policy name (or anywhere in the row). This will load the Policy Setting page. Example of the AWS > S3 > ACL Management policy:

Policies detail

In the above example, ACL Management is Disabled at the Turbot level as a recommended setting. As a Turbot/Admin in the Account, you can change the value of a recommended setting by clicking the New for button. A pop-up box appears where you can choose whether the requirement stays as Default or changes to Policy, and whether to Enable or Disable the feature. In this example, we will Enable ACL Management by Default, which allows S3/Admins in the account to manage bucket and object ACLs.

Policies edit

Now you can clearly see that at the Turbot level the above policy is Disabled by Default, while at the Account level it is Enabled.

Policies hierarchy defaults

Orphaned Setting Example

Returning to the earlier example, a Turbot/Admin at the Turbot level can open the AWS > S3 > ACL Management policy at that level and view the settings across the hierarchy.

Policies hierarchy defaults parent

If the Turbot/Admin changes the policy to Disabled, the previously set Account setting becomes Orphaned, since the higher setting now supersedes the lower Default value. The policy is orphaned because it now inherits the enforced requirement from the Turbot level.

Policy orphan

Setting Exceptions in Turbot

A Turbot/Admin can set Required policies as enforced settings that are inherited lower in the Resource hierarchy. Inherited Required policies CANNOT be altered by Turbot/Admins within their respective access hierarchy. For example, if a Turbot/Admin sets the policy “S3 ACL Management” to “Disabled” as a Required policy, an Account-level Turbot/Admin CANNOT change the value to Enabled; only a higher-level Turbot/Admin can alter this with an exception policy.

Example of the error shown when a Turbot/Admin is prevented from adjusting a policy (attempting an exception they do not have access to):

Policy denied edit by policy

With appropriate permissions, a Turbot/Admin can make an exception on a policy by clicking the Create Exception button, setting the requirement to Required and changing the Value. For example, if S3 ACL Management is already set to Disabled at the Turbot level, the Turbot/Admin at the Turbot level can create an exception for Account AAB by setting it to Enabled.

Resource exception

Turbot then clearly marks the exception in the account, showing which setting is active in the hierarchy.
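The orphaned-setting and exception behaviour described above, as an added example that is not Turbot's own code: a small model of the inheritance rules on this page, used to check which value takes effect for an account and whether an admin at a given level may change it. The resolution rule (nearest Required setting wins, otherwise the nearest Default; a Default below a Required is orphaned) and the level names are assumptions drawn from the page; the sample settings are constructed.

```python
from dataclasses import dataclass

# Assumed hierarchy, top to bottom (names taken from the page).
LEVELS = ["Turbot", "Cluster", "Account"]


@dataclass(frozen=True)
class Setting:
    level: str          # level at which the setting is made
    requirement: str    # "Default" or "Required"
    value: str          # e.g. "Enabled" or "Disabled"


def resolve(settings, resource_level="Account"):
    """Return (effective setting, orphaned settings) for resource_level.

    Assumed rule: walking upward from the resource, the nearest Required
    setting wins; with no Required setting in the chain, the nearest Default
    applies. Defaults below the winning Required setting are orphaned.
    """
    chain = LEVELS[: LEVELS.index(resource_level) + 1]
    by_level = {s.level: s for s in settings if s.level in chain}
    effective = None
    for lvl in reversed(chain):
        s = by_level.get(lvl)
        if s is not None and s.requirement == "Required":
            effective = s
            break
    if effective is None:
        for lvl in reversed(chain):
            if lvl in by_level:
                effective = by_level[lvl]
                break
    orphans = []
    if effective is not None and effective.requirement == "Required":
        below = chain[chain.index(effective.level) + 1:]
        orphans = [by_level[l] for l in below
                   if l in by_level and by_level[l].requirement == "Default"]
    return effective, orphans


def can_set(admin_level, settings, resource_level="Account"):
    """An admin cannot override a Required setting inherited from above them."""
    effective, _ = resolve(settings, resource_level)
    if effective is None or effective.requirement != "Required":
        return True
    return LEVELS.index(admin_level) <= LEVELS.index(effective.level)
```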
