What resources does Turbot create in my AWS child accounts?

Turbot will create various sets of AWS account infrastructure based on the value of the Turbot > Environment > Maintenance Window.  The policy specifies one of three levels of enforcement on an AWS account.  These levels are:

  • No Changes
  • Forced Changes (sometimes referred to as 'Check Mode')
  • Anytime (sometimes referred to as 'Full Mode')

Turbot will (or will not) create AWS infrastructure depending on value of the Maintenance Window policy. Infrastructure created by Turbot is cumulative.  Switching from No Changes to Anytime will create all the infrastructure that would have been made in Forced Changes mode.  Switching from Anytime to a lower level does not destroy the infrastructure created to support Anytime mode.

No Changes

As the status name indicates, no changes are made.  No infrastructure is created in the AWS account.

Forced Changes

Turbot will create:

  • Turbot_superuser IAM role
  • Turbot VPC Flow Logs IAM role and policy
  • Turbot regional S3 Logging buckets.


Turbot will create:

  • Turbot directory IAM users, lockdown policies and groups including but not limited to:
    • turbot_metadata
    • maintenance_window
    • ec2_instance_default
    • cloudcheckr
    • and turbot_config IAM roles,
  • CloudWatch Events Rules for processing AWS events,
  • SNS topics and topic policy for pushing CloudWatch events to the Turbot Master account,
  • and other resources dictated by certain policies, such:
    • AWS > VPC > VPC Flow Logs Configuration


Was this article helpful?
0 out of 0 found this helpful