Turbot Lockdown Policies and Service Roles/Users

In general, Service Roles and Users, that is, roles and users created via the AWS IAM Dashboard, will have Turbot lockdown policies automatically applied. Turbot lockdown policies restrict these service roles and users to using only services that have been explicitly enabled within the Turbot UI. However, lockdown policies do not explicitly allow a service role or user to interact with those services: the explicit allow must be set in a separate policy attached to the role or the user.

For example, by enabling Route53 in an account, the following policy is added to lockdown_2 (the exact policy name might be different in other environments):


This does not by itself grant any Route53 permissions; it only stops the lockdown from denying Route53, so that a custom policy attached to the role or user can be configured to explicitly allow the required permissions. This is a direct application of AWS's IAM Best Practices (least privilege), which can be found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
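To make the lockdown-versus-allow distinction concrete, the following added example (not Turbot's own policy, whose exact content and name are not reproduced here) pairs a constructed lockdown-style policy, which denies every action outside an enabled service set using `NotAction`, with a separate customer-managed allow policy for Route53. A small simulator applies the IAM evaluation order (explicit deny first, then allow, otherwise implicit deny) so you can see that the lockdown policy alone grants nothing, the allow policy alone is overridden for a service that is not enabled, and only the combination grants the listed Route53 actions. Resource matching is simplified to `"*"` and conditions are ignored; the policy documents and action names are constructed for illustration.

```python
import fnmatch

# Constructed lockdown-style policy: deny everything that is NOT in the set of
# services enabled for this account (here Route53 and S3). It grants nothing.
LOCKDOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LockdownDenyUnlessEnabled",
            "Effect": "Deny",
            "NotAction": ["route53:*", "s3:*"],
            "Resource": "*",
        }
    ],
}

# Constructed customer-managed policy that supplies the explicit allow.
ROUTE53_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRoute53ReadAndRecordChanges",
            "Effect": "Allow",
            "Action": ["route53:List*", "route53:Get*", "route53:ChangeResourceRecordSets"],
            "Resource": "*",
        }
    ],
}

# Constructed allow for a service that is NOT enabled; the lockdown should win.
EC2_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, action):
    # IAM action names are case-insensitive and support '*' / '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(statement, action):
    """Does this statement apply to the action? (Resource simplified to '*'.)"""
    if "Action" in statement:
        return _matches(statement["Action"], action)
    if "NotAction" in statement:
        return not _matches(statement["NotAction"], action)
    return False


def evaluate(policies, action):
    """Simplified IAM evaluation: explicit Deny beats Allow; no Allow is implicit deny."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_applies(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    cases = [
        ([LOCKDOWN_POLICY], "route53:ListHostedZones"),
        ([LOCKDOWN_POLICY, ROUTE53_ALLOW_POLICY], "route53:ListHostedZones"),
        ([LOCKDOWN_POLICY, ROUTE53_ALLOW_POLICY], "route53:DeleteHostedZone"),
        ([LOCKDOWN_POLICY, EC2_ALLOW_POLICY], "ec2:RunInstances"),
    ]
    for policies, action in cases:
        names = "+".join(p["Statement"][0].get("Sid", "Ec2Allow") for p in policies)
        print(f"{names:60} {action:32} -> {evaluate(policies, action)}")
```

The first case is the point of the page: with only the lockdown attached, a Route53 call is still implicitly denied. The last case shows why the lockdown is a useful guardrail: an over-broad allow for a service that has not been enabled in Turbot is overridden by the explicit deny.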

