How to manage a large number of service users in AWS

Traditionally, Turbot allows admins to provision permissions via the Permissions tab in Turbot, but this does not work when attempting to manage users created within the AWS console. For example, one might want to create a user in AWS IAM that can be used for some sort of automation.

In general, you can use the following guide to prevent Turbot from applying lock down policies, which often interfere with automation. The linked article gives more background on how Turbot interacts with service users: Using AWS IAM Service Users for Applications and Automation

However, when the scope of the job becomes large enough and more and more service users are required, it becomes tedious to visit each individual user to apply the correct Turbot policies. This brings us to Resource Groups.

At the Turbot account level or higher, the Organization tab is visible.

The resource group will only be visible at the level it is created on and to any descendants. This means that if the resource group Test is created at the Turbot account level AAB, the resource group can ONLY be applied to accounts within the Turbot account AAB and their associated resources. However, creating the resource group at the Turbot level will allow administrators to attach any resource to the group, including entire clusters, multiple accounts, and/or multiple resources.

Clicking on that tab will present three options: Clusters, Accounts, and Resource Groups.


Clicking on the Resource Groups tab will allow you to create a new resource group. This can be titled whatever makes sense for easy identification.

Once the resource group is created, clicking on its link will bring you to the resource group Overview page, from which policies can be configured. In this situation, the objective is to either restrict or apply lock down policies to a range of IAM service users. Again, the following guide can be referenced on how to do this for a single user: Prevent Turbot from applying lock down policies to service users.

Using the same concept, the policy settings can be made at the resource group level, and then each service user in question can be attached to the resource group.

To attach an IAM user to the resource group, navigate to the Turbot account that contains the user. On the Overview page, use the left-hand navigation to click the AWS account, then select IAM, and then scroll down the list to find the service user. The URL can also be built directly using the following format:

<turbot URL>/r/urn:turbot:<clusterID>:<accountID>:<awsAccountID>::iam:user%7C<userName>/overview

If I had a Turbot URL of turbot.turbot.com, cluster ID of test, account ID of test1234, AWS account ID 533723851415, and IAM user name test_user, the complete URL would be:

https://turbot.turbot.com/r/urn:turbot:test:test1234:533723851415::iam:user%7Ctest_user/overview
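When there are dozens of service users to attach, building each overview URL by hand is error-prone (a wrong AWS account ID silently produces a URL for a resource that does not exist). The following Python helper is an added example, not Turbot's own code: it implements only the URL pattern shown above, checks that the AWS account ID is the expected 12 digits, and percent-encodes the user name so that the "|" separator becomes %7C as in the example. The function names and the sample user list are assumptions constructed for this illustration; encoding characters other than "|" in the user name is also an assumption that follows the %7C pattern on this page.

```python
"""Build Turbot resource overview URLs for a batch of AWS IAM service users.

Added example (not Turbot's own code). It implements only the URL pattern
quoted in the article:
  <turbot URL>/r/urn:turbot:<clusterID>:<accountID>:<awsAccountID>::iam:user%7C<userName>/overview
The function names and the sample user list below are assumptions.
"""
import re
from urllib.parse import quote

# AWS account IDs are always exactly 12 digits. Catching a typo here avoids
# producing a URL that looks valid but points at a non-existent resource.
_AWS_ACCOUNT_ID = re.compile(r"^\d{12}$")


def iam_user_urn(cluster_id: str, account_id: str, aws_account_id: str, user_name: str) -> str:
    """Return the Turbot URN for one IAM user, with the '|' separator encoded as %7C."""
    if not _AWS_ACCOUNT_ID.match(aws_account_id):
        raise ValueError(f"AWS account ID must be 12 digits, got {aws_account_id!r}")
    # quote(..., safe="") turns '|' into '%7C' exactly as the article's example
    # shows; encoding any other special characters an IAM user name may contain
    # (e.g. '@', '+', '=') the same way is an assumption of this example.
    encoded_user = quote(f"user|{user_name}", safe="")
    return f"urn:turbot:{cluster_id}:{account_id}:{aws_account_id}::iam:{encoded_user}"


def iam_user_overview_url(turbot_host: str, cluster_id: str, account_id: str,
                          aws_account_id: str, user_name: str) -> str:
    """Return the full https:// overview URL for one IAM user."""
    # Accept the host with or without a scheme so callers can paste it as-is.
    host = re.sub(r"^https?://", "", turbot_host).rstrip("/")
    urn = iam_user_urn(cluster_id, account_id, aws_account_id, user_name)
    return f"https://{host}/r/{urn}/overview"


def overview_urls(turbot_host: str, cluster_id: str, account_id: str,
                  aws_account_id: str, user_names) -> dict:
    """Map each service user name to its overview URL, validating once per user."""
    return {
        name: iam_user_overview_url(turbot_host, cluster_id, account_id, aws_account_id, name)
        for name in user_names
    }


if __name__ == "__main__":
    # Constructed sample input using the values from the article plus two
    # hypothetical extra service users.
    users = ["test_user", "ci_deploy", "backup_runner"]
    for name, url in overview_urls("turbot.turbot.com", "test", "test1234",
                                   "533723851415", users).items():
        print(f"{name}: {url}")
```

Run the script to print one overview URL per service user; the generated links can then be opened in turn to attach each user to the resource group via the folder icon described below.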

Once at the overview page, the left side will show a folder icon next to the user name.

Clicking the folder brings up the Edit Resource Groups dialog box.


Click Add, select the resource group from the drop down menu, then select Save. Once the user is attached to the resource group, the resource group policies will be automatically applied. 

Groups in AWS can then be used to apply a set of custom permissions to a wide range of users. Using both Turbot resource groups as well as AWS groups can significantly reduce the amount of time spent configuring a large number of users in AWS.
