-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
14 changed files
with
160 additions
and
73 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
66 changes: 66 additions & 0 deletions
66
docs/integrations/aws/getting-started-readonly/enable_event_handlers.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| --- | ||
| title: "Enable event handlers for fast change detection" | ||
| template: Documentation | ||
| nav: | ||
| title: "Enable event handlers" | ||
| --- | ||
|
|
||
|
|
||
|
|
||
|
|
||
| # Enable event handlers for fast change detection | ||
|
|
||
| ## Introduction | ||
|
|
||
| **Purpose**: This runbook shows a Guardrails administrator how to enable event handlers to speed up change detection. | ||
|
|
||
|
|
||
| **Prerequisites**: | ||
|
|
||
| - [Connect an AWS account to Guardrails with readonly permissions]() | ||
|
|
||
| - [Review and test a Guardrails AWS control]() | ||
|
|
||
| ## Procedure | ||
|
|
||
| ### Step 1: Update the Turbot IAM role | ||
|
|
||
|
|
||
| When you [imported your account](), the IAM role you created for Guardrails only attached only the policy `arn:aws:iam::aws:policy/ReadOnlyAccess`. With that level of access, Guardrails must poll AWS to detect changes. As you’ve now seen, it can take a few minutes for Guardrails to notice a change. Polling also entails heavy and thus costly use of AWS APIs. | ||
|
|
||
| Switching from polling to event handlers enables Guardrails to detect changes almost instantly, and lightens the API load. This requires a slight elevation of privilege. Along with `ReadOnlyAccess`, attach `AmazonSNSFullAccess` and `CloudWatchEventsFullAccess`. | ||
| <p><img alt="aws_start_role_permissions_for_event_handlers" src="/images/docs/guardrails/runbook/aws_start_role_permissions_for_event_handlers.png"/></p> | ||
|
|
||
|
|
||
|
|
||
| ### Step 2: Enable event handlers | ||
|
|
||
| Click the top-level `Policies`, search for `AWS Turbot Event Handlers`, open the setting, and change the value to `Enforce: Configured`. | ||
| <p><img alt="aws_start_enable_event_handlers" src="/images/docs/guardrails/runbook/aws_start_enable_event_handlers.png"/></p> | ||
|
|
||
| ### Step 3: Observe immediate reaction to change! | ||
|
|
||
|
|
||
| Click the top-level `Resources` tab, navigate to the top (Turbot) level (if not already there), search for your test bucket, and click the `Activity` tab. | ||
|
|
||
| Then, in the AWS console, toggle the `Block public setting` back and forth. Guardrails now detects the changes, and updates the control state immediately. | ||
| <p><img alt="aws_start_observe_event_handlers_in_action" src="/images/docs/guardrails/runbook/aws_start_observe_event_handlers_in_action.png"/></p> | ||
|
|
||
| ### | ||
|
|
||
|
|
||
| ## Runbook Progress Tracker | ||
|
|
||
| 1. [Connect a readonly AWS account to Guardrails](/guardrails/docs/integrations/aws/getting-started-readonly/connect_readonly_aws_account) | ||
|
|
||
| 2. [Review and test a Guardrails AWS control](/guardrails/docs/integrations/aws/getting-started-readonly/review_and_test_control) | ||
|
|
||
| 3. **Enable event handlers for fast change detection** | ||
|
|
||
| 4. [Set a Guardrails policy for AWS resources](/guardrails/docs/integrations/aws/getting-started-readonly/set_an_aws_policy) | ||
|
|
||
| 5. [Create a static exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-readonly/create_static_exception) | ||
|
|
||
| 6. [Create a calculated exception to a Guardrails AWS policy](/guardrails/docs/integrations/aws/getting-started-readonly/create_calculated_exception) | ||
|
|
||
| 7. [Set an alert on an AWS Guardrails control](/guardrails/docs/integrations/aws/getting-started-readonly/set_alert_on_control) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
14 changes: 0 additions & 14 deletions
14
docs/integrations/aws/getting-started-remediation/connect_writeable_aws_account.md
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,16 +1,13 @@ | ||
| --- | ||
| title: "Getting started with AWS: remediation" | ||
| title: "Getting started with AWS: Remediation" | ||
| template: Documentation | ||
| nav: | ||
| title: "Getting started: remediation" | ||
| --- | ||
|
|
||
| # Getting started with AWS in Guardrails: remediation | ||
| # Getting started with AWS in Guardrails: Remediation | ||
|
|
||
| In this series of runbooks you'll learn how to: | ||
|
|
||
| - Import an AWS account with write access | ||
| - ... | ||
|
|
||
| - Enable event handling | ||
|
|
||
| Start [here](integrations/aws/getting-started-remediation/connect_writeable_aws_account). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.