diff --git a/docs/guides/aws/decommission/decommission-with-resource-deletion-ui/index.md b/docs/guides/aws/decommission/decommission-with-resource-deletion-ui/index.md new file mode 100644 index 00000000..95165b4a --- /dev/null +++ b/docs/guides/aws/decommission/decommission-with-resource-deletion-ui/index.md @@ -0,0 +1,117 @@ +--- +title: Decommission Account from Guardrails Workspace Using UI +sidebar_label: Decommission Account from Guardrails Workspace Using UI +--- + +# Decommission an AWS account from a Guardrails workspace Using UI + +In this guide, you will: +- Decommission Guardrails-managed resources in an AWS account. +- Disconnect the AWS account from the Guardrails workspace using the Guardrails console. + +As part of regular Guardrails workspace maintenance, it is sometimes necessary to remove AWS accounts. This process involves two key steps: first, [Decommission Guardrails-managed resources](#decommission-guardrails-infrastructure) in the AWS account by updating relevant policy settings—administrators should assess whether to retain resources like S3 buckets or CloudTrail, though Event Handlers must always be removed; second, [Disconnect the AWS account from Guardrails](#disconnect-aws-account-from-guardrails) workspace, which is a change made only on the Guardrails side and does not affect the AWS account itself. + +> [!NOTE] Disconnecting an AWS account from Guardrails will remove all child CMDB records and policy settings. + +## Prerequisites + +- Access to the Guardrails console with **Administrator** privileges. +- Familiarity with the Guardrails Policies. + +## Decommission Guardrails-managed resources + +To fully clean up Guardrails-managed resources in the AWS account, specific policy settings must be applied with the recommended values. If you intend to retain any of these resources, simply skip applying the corresponding policy. Once configured, allow time for Guardrails to complete the removal process. These policy settings are safe to apply even if there is no existing `Enforce: Enabled` configuration in place. + +## Step 1: Navigate to Policies + +Log into the Guardrails console with provided local credentials or by using any SAML-based login and select **Policies** from the top navigation menu. + +![Navigate to policies](/images/docs/guardrails/guides/aws/decommission/guardrails-navigate-policies.png) + +## Step 2: Remove Guardrails-Managed IAM Resources + +Set the `AWS > Turbot > Permissions` policy to `Enforce: None`. This will remove Guardrails-managed IAM policies, groups, roles and users. + +![Guardrails Permissions](/images/docs/guardrails/guides/aws/decommission/guardrails-turbot-permissions.png) + +## Step 3: Remove CloudTrail + +Set the `AWS > Turbot > Audit Trail` policy to `Enforce: Not configured`. This will remove the Guardrails-managed CloudTrail. + +![Guardrails CloudTrail](/images/docs/guardrails/guides/aws/decommission/guardrails-remove-cloudtrail.png) + +## Step 4: Remove Regional Event Handlers + +Set the `AWS > Turbot > Event Handlers` policy to `Enforce: Not configured`. This will remove Guardrails-managed Cloudwatch Event Rules and SNS topics. Refer to the [Event Handler documentation](integrations/aws/event-handlers) for additional context. + +![Guardrails Regional Event Handlers](/images/docs/guardrails/guides/aws/decommission/guardrails-regional-event-handlers.png) + +## Step 5: Remove Global Event Handlers + +Set the `AWS > Turbot > Event Handlers [Global]` policy to `Enforce: Not configured`. This will remove Guardrails-managed Cloudwatch Event Rules and SNS topics. + +![Guardrails Global Event Handlers](/images/docs/guardrails/guides/aws/decommission/guardrails-global-event-handlers.png) + +## Step 6: Remove IAM Service Roles + +Set the `AWS > Turbot > Service Roles` policy to `Enforce: Not configured`. This will remove any Guardrails-managed IAM service roles. + +![Guardrails IAM Service Roles](/images/docs/guardrails/guides/aws/decommission/guardrails-service-roles.png) + +## Step 7: Remove Logging Buckets + +Set the `AWS > Turbot > Logging > Bucket` policy to `Enforce: Not configured`. This will remove Guardrails-managed logging S3 buckets. + +> [!NOTE] Logging buckets cannot be deleted if they are not empty. Administrators can empty the bucket using the AWS console. + +![Guardrails Logging buckets](/images/docs/guardrails/guides/aws/decommission/guardrails-logging-bucket.png) + +## Step 8: Disable Event Poller + +Set the `AWS > Turbot > Event Poller` policy to `Disabled`. + +![Guardrails Event Poller](/images/docs/guardrails/guides/aws/decommission/guardrails-event-poller.png) + +> [!IMPORTANT] When event handlers are set to `Skip` or `Enforce: Not Configured`, Polling is automatically enabled. It must be explicitly disabled. Note that full cleanup of event handler resources requires event pollers to still be active. Disable Event Pollers _after_ verifying that all Event Handler infrastructure has been removed from the account. + +Once the controls associated with the above policies have completed, the AWS account can be disconnected from the Guardrails workspace. + +## Reduce Resource Count + +## Step 9: Navigate to Account + +Navigate to the AWS Account to be disconnected and select the **Metrics** tab. + +![Navigate to Account](/images/docs/guardrails/guides/aws/decommission/guardrails-locate-account.png) + +## Step 10: Locate Top Resource Types + +Look at the `Top Resource Types` on the left side. These are the resources to target first. + +![Top Resource Types](/images/docs/guardrails/guides/aws/decommission/guardrails-top-resource-types.png) + +## Step 11: Locate Policies + +Switch to the **Policies** tab. Click the **New Policy Setting** button. + +![Select policies](/images/docs/guardrails/guides/aws/decommission/guardrails-select-policies.png) + +## Step 12: Create Resource CMDB Policy + +Find the CMDB policy in the format `AWS > {Service} > {Resource Type} > CMDB`, set it to **Enforce: Disabled**, and choose **Create**. This instructs Guardrails to purge all resource records for this resource type. + +![Create Resource CMDB policy](/images/docs/guardrails/guides/aws/decommission/guardrails-locate-resource-cmdb-policy.png) + +Over the next few minutes Guardrails will purge those resource CMDB entries and the overall resource count in the account will reduce. + +> [!Note] If this Attempt to disconnect the account times out, continue steps 3 through 8 until the account is successfully + disconnected. + +## Troubleshooting + +| Issue | Description | Guide | +|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------| +| Account Disconnection Fails | Account cannot be disconnected even after drastic reductions in resource counts. | please open a ticket with [Turbot Support](mailto:help@turbot.com) for further assistance. | +| Remove from Turbot Dropdown Unavailable | The Remove from Turbot action is unavailable on the resource detail page. | Reach out to your Guardrails workspace administrator to validate proper access. | +| Common errors | Common issues that may prevent controls from running include network connectivity problems, permission issues, and API rate limits. These can cause controls to enter an error state. | Refer to [Common Troubleshooting](/guardrails/docs/guides/troubleshooting) for detailed resolution steps. | +| Further Assistance | If you encounter further issues, please open a ticket with us and attach the relevant information to assist you more efficiently. | [Open Support Ticket](https://support.turbot.com) | \ No newline at end of file diff --git a/docs/guides/aws/decommission/decommission-without-resource-deletion-using-script/index.md b/docs/guides/aws/decommission/decommission-without-resource-deletion-using-script/index.md new file mode 100644 index 00000000..29e7cf93 --- /dev/null +++ b/docs/guides/aws/decommission/decommission-without-resource-deletion-using-script/index.md @@ -0,0 +1,52 @@ +--- +title: Disconnect Account from Guardrails Workspace Using Script +sidebar_label: Disconnect Account from Guardrails Workspace Using Script +--- + +# Disconnect an AWS account from a Guardrails workspace Using Script + +In this guide, you will: +- Decommission Guardrails-managed resources in an AWS account. +- Disconnect the AWS account from the Guardrails workspace using the Guardrails console. + +As part of regular Guardrails workspace maintenance, it is sometimes necessary to remove AWS accounts. This process involves two key steps: first, [Decommission Guardrails-managed resources](#decommission-guardrails-infrastructure) in the AWS account by updating relevant policy settings—administrators should assess whether to retain resources like S3 buckets or CloudTrail, though Event Handlers must always be removed; second, [Disconnect the AWS account from Guardrails](#disconnect-aws-account-from-guardrails) workspace, which is a change made only on the Guardrails side and does not affect the AWS account itself. + +> [!NOTE] Disconnecting an AWS account from Guardrails will remove all child CMDB records and policy settings. + +## Prerequisites + +- Access to the Guardrails console with **Administrator** privileges. +- Familiarity with the Guardrails Policies. + +## Disconnect AWS Account from Guardrails + +When a user with sufficient permissions attempts to disconnect an AWS account, Guardrails will try to remove the +account, all child resources, controls, policy settings in a single SQL transactions. This is done for safety. Should +the transaction fail, it's trivial for the database to roll back to a known good state. The effect of this rollback is +that the account remains visible in Guardrails. AWS accounts with larger numbers of resources, the time required to +complete the transaction may exceed the statement timeout limit. + +## Step 1: Clone Guardrails Samples Github Repo + +Go to [guardrails-samples](https://github.com/turbot/guardrails-samples/tree/main/guardrails_utilities/python_utils/remove_aws_account) and clone the repository. + +![Clone Repository](/images/docs/guardrails/guides/aws/decommission/github-guardrails-samples-repo.png) + +## Step 2: Navigate to Remove AWS Account Directory + +In the cloned repository, navigate to the following folder: + +`guardrails_utilities/python_utils/remove_aws_account` + +## Step 3: Run AWS Remove Account Script + +Refer to the [README](https://github.com/turbot/guardrails-samples/blob/main/guardrails_utilities/python_utils/remove_aws_account/README.md) for further instructions on how to set up and run the `remove_aws_account` script. + +## Troubleshooting + +| Issue | Description | Guide | +|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------| +| Account Disconnection Fails | Account cannot be disconnected even after drastic reductions in resource counts. | please open a ticket with [Turbot Support](mailto:help@turbot.com) for further assistance. | +| Remove from Turbot Dropdown Unavailable | The Remove from Turbot action is unavailable on the resource detail page. | Reach out to your Guardrails workspace administrator to validate proper access. | +| Common errors | Common issues that may prevent controls from running include network connectivity problems, permission issues, and API rate limits. These can cause controls to enter an error state. | Refer to [Common Troubleshooting](/guardrails/docs/guides/troubleshooting) for detailed resolution steps. | +| Further Assistance | If you encounter further issues, please open a ticket with us and attach the relevant information to assist you more efficiently. | [Open Support Ticket](https://support.turbot.com) | \ No newline at end of file diff --git a/docs/guides/aws/decommission/decommission-without-resource-deletion/index.md b/docs/guides/aws/decommission/decommission-without-resource-deletion/index.md new file mode 100644 index 00000000..20c5648f --- /dev/null +++ b/docs/guides/aws/decommission/decommission-without-resource-deletion/index.md @@ -0,0 +1,58 @@ +--- +title: Disconnect Account from Guardrails Workspace +sidebar_label: Disconnect Account from Guardrails Workspace +--- + +# Disconnect an AWS account from a Guardrails workspace + +In this guide, you will: +- Decommission Guardrails-managed resources in an AWS account. +- Disconnect the AWS account from the Guardrails workspace using the Guardrails console. + +As part of regular Guardrails workspace maintenance, it is sometimes necessary to remove AWS accounts. This process involves two key steps: first, [Decommission Guardrails-managed resources](#decommission-guardrails-infrastructure) in the AWS account by updating relevant policy settings—administrators should assess whether to retain resources like S3 buckets or CloudTrail, though Event Handlers must always be removed; second, [Disconnect the AWS account from Guardrails](#disconnect-aws-account-from-guardrails) workspace, which is a change made only on the Guardrails side and does not affect the AWS account itself. + +> [!NOTE] Disconnecting an AWS account from Guardrails will remove all child CMDB records and policy settings. + +## Prerequisites + +- Access to the Guardrails console with **Administrator** privileges. +- Familiarity with the Guardrails Policies. + +## Disconnect AWS Account from Guardrails + +When a user with sufficient permissions attempts to disconnect an AWS account, Guardrails will try to remove the +account, all child resources, controls, policy settings in a single SQL transactions. This is done for safety. Should +the transaction fail, it's trivial for the database to roll back to a known good state. The effect of this rollback is +that the account remains visible in Guardrails. AWS accounts with larger numbers of resources, the time required to +complete the transaction may exceed the statement timeout limit. + +## Step 1: Navigate to Account + +In the Guardrails console, navigate to the account that needs to be removed. + +![Select Account](/images/docs/guardrails/guides/aws/decommission/guardrails-select-account.png) + +## Step 2: Delete Account + +Select **Remove from Turbot** from the **Action** drop down in the top right. If you do not see it, reach out to your Guardrails workspace administrator for proper access. + +![Remove from Turbot](/images/docs/guardrails/guides/aws/decommission/guardrails-delete-account.png) + +Copy the account ID and paste in the text box and select **Delete**. + +![Confirm Delete](/images/docs/guardrails/guides/aws/decommission/guardrails-confirm-delete.png) + +> [!WARNING] While this is not irreversible (simply reimport the account), it can be time and resource consuming. Be sure to double and triple check! + +Guardrails will begin the delete process. The time to complete the deletion will depend on the number of resources and policies that will be removed. The more resources that are being deleted, the longer the process will take. + +> [!IMPORTANT]The disconnection step may time out due to a number of factors including but not limited to overall system load, and the number of resources in the account. The general aim is to reduce the number of resources in the account. + +## Troubleshooting + +| Issue | Description | Guide | +|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------| +| Account Disconnection Fails | Account cannot be disconnected even after drastic reductions in resource counts. | please open a ticket with [Turbot Support](mailto:help@turbot.com) for further assistance. | +| Remove from Turbot Dropdown Unavailable | The Remove from Turbot action is unavailable on the resource detail page. | Reach out to your Guardrails workspace administrator to validate proper access. | +| Common errors | Common issues that may prevent controls from running include network connectivity problems, permission issues, and API rate limits. These can cause controls to enter an error state. | Refer to [Common Troubleshooting](/guardrails/docs/guides/troubleshooting) for detailed resolution steps. | +| Further Assistance | If you encounter further issues, please open a ticket with us and attach the relevant information to assist you more efficiently. | [Open Support Ticket](https://support.turbot.com) | \ No newline at end of file diff --git a/docs/guides/aws/decommission/github-guardrails-samples-repo.png b/docs/guides/aws/decommission/github-guardrails-samples-repo.png new file mode 100644 index 00000000..c6cadc59 Binary files /dev/null and b/docs/guides/aws/decommission/github-guardrails-samples-repo.png differ diff --git a/docs/guides/aws/decommission/guardrails-confirm-delete.png b/docs/guides/aws/decommission/guardrails-confirm-delete.png new file mode 100644 index 00000000..1bdc49ba Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-confirm-delete.png differ diff --git a/docs/guides/aws/decommission/guardrails-delete-account.png b/docs/guides/aws/decommission/guardrails-delete-account.png new file mode 100644 index 00000000..d24448f7 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-delete-account.png differ diff --git a/docs/guides/aws/decommission/guardrails-event-poller.png b/docs/guides/aws/decommission/guardrails-event-poller.png new file mode 100644 index 00000000..1a32738d Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-event-poller.png differ diff --git a/docs/guides/aws/decommission/guardrails-global-event-handlers.png b/docs/guides/aws/decommission/guardrails-global-event-handlers.png new file mode 100644 index 00000000..c486bd62 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-global-event-handlers.png differ diff --git a/docs/guides/aws/decommission/guardrails-locate-account.png b/docs/guides/aws/decommission/guardrails-locate-account.png new file mode 100644 index 00000000..0197338b Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-locate-account.png differ diff --git a/docs/guides/aws/decommission/guardrails-locate-resource-cmdb-policy.png b/docs/guides/aws/decommission/guardrails-locate-resource-cmdb-policy.png new file mode 100644 index 00000000..79171206 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-locate-resource-cmdb-policy.png differ diff --git a/docs/guides/aws/decommission/guardrails-logging-bucket.png b/docs/guides/aws/decommission/guardrails-logging-bucket.png new file mode 100644 index 00000000..3cc0a368 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-logging-bucket.png differ diff --git a/docs/guides/aws/decommission/guardrails-navigate-policies.png b/docs/guides/aws/decommission/guardrails-navigate-policies.png new file mode 100644 index 00000000..ec4744b6 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-navigate-policies.png differ diff --git a/docs/guides/aws/decommission/guardrails-regional-event-handlers.png b/docs/guides/aws/decommission/guardrails-regional-event-handlers.png new file mode 100644 index 00000000..6ae4724d Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-regional-event-handlers.png differ diff --git a/docs/guides/aws/decommission/guardrails-remove-cloudtrail.png b/docs/guides/aws/decommission/guardrails-remove-cloudtrail.png new file mode 100644 index 00000000..20aaea9a Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-remove-cloudtrail.png differ diff --git a/docs/guides/aws/decommission/guardrails-select-account.png b/docs/guides/aws/decommission/guardrails-select-account.png new file mode 100644 index 00000000..d85dffc3 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-select-account.png differ diff --git a/docs/guides/aws/decommission/guardrails-select-policies.png b/docs/guides/aws/decommission/guardrails-select-policies.png new file mode 100644 index 00000000..4f5a44e5 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-select-policies.png differ diff --git a/docs/guides/aws/decommission/guardrails-service-roles.png b/docs/guides/aws/decommission/guardrails-service-roles.png new file mode 100644 index 00000000..7a2217e6 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-service-roles.png differ diff --git a/docs/guides/aws/decommission/guardrails-top-resource-types.png b/docs/guides/aws/decommission/guardrails-top-resource-types.png new file mode 100644 index 00000000..51683e87 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-top-resource-types.png differ diff --git a/docs/guides/aws/decommission/guardrails-turbot-external-id.png b/docs/guides/aws/decommission/guardrails-turbot-external-id.png new file mode 100644 index 00000000..a8df5e4d Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-turbot-external-id.png differ diff --git a/docs/guides/aws/decommission/guardrails-turbot-iam-role.png b/docs/guides/aws/decommission/guardrails-turbot-iam-role.png new file mode 100644 index 00000000..8b3abcaf Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-turbot-iam-role.png differ diff --git a/docs/guides/aws/decommission/guardrails-turbot-permissions.png b/docs/guides/aws/decommission/guardrails-turbot-permissions.png new file mode 100644 index 00000000..8b197a85 Binary files /dev/null and b/docs/guides/aws/decommission/guardrails-turbot-permissions.png differ diff --git a/docs/guides/aws/decommission/index.md b/docs/guides/aws/decommission/index.md index 0ad4a5da..d81c29ac 100644 --- a/docs/guides/aws/decommission/index.md +++ b/docs/guides/aws/decommission/index.md @@ -1,114 +1,179 @@ --- title: Disconnect Account from Guardrails Workspace -template: Documentation -nav: - order: 50 +sidebar_label: Disconnect Account from Guardrails Workspace --- # Disconnect an AWS account from a Guardrails workspace -As a part of Guardrails workspace maintenance, AWS accounts need to be removed. There are two parts to this process: - -1. [Decommission Guardrails-managed resources](#decommission-guardrails-infrastructure) in the AWS account, where - desired. Altering the relevant policy settings - will - make changes in the AWS account. Administrators should determine if they would like to keep - Guardrails-managed resources in the account, such as S3 buckets, or CloudTrail. Event Handlers should always be - removed. -2. [Disconnect the AWS account from Guardrails](#disconnect-aws-account-from-guardrails) . This is Guardrails-side only - change. No changes are made in the AWS - account. - -Note that disconnecting an AWS account from Guardrails will remove all child CMDB records and policy settings. - -## Decommission Guardrails Infrastructure - -To ensure complete cleanup of Guardrails-managed resources, create the policy settings below with the -prescribed values. If you wish to retain those resources, do not create the policy setting. Time should be allowed for -Guardrails to complete the removal process for these resources. It is safe to create these policy settings, even if -there is no corresponding `Enforce: Enabled` - -1. `AWS > Turbot > Permissions` set to `Enforce: None`. This will remove Guardrails-managed - IAM policies, groups, roles and users. -2. `AWS > Turbot > Audit Trail` set to `Enforce: Not configured`. This will - remove the Guardrails-managed CloudTrail. -3. `AWS > Turbot > Event Handlers` set to `Enforce: Not configured`. This will - remove Guardrails-managed Cloudwatch Event Rules and SNS topics. Refer to the - [Event Handler documentation](integrations/aws/event-handlers) for additional - context. -4. `AWS > Turbot > Event Handlers [Global]` set to `Enforce: Not configured`. This will - remove Guardrails-managed Cloudwatch Event Rules and SNS topics. -5. `AWS > Turbot > Service Roles` set to `Enforce: Not configured`. This will - remove any Guardrails-managed IAM service roles. -6. `AWS > Turbot > Logging > Bucket` set to `Enforce: Not configured`. This will - remove Guardrails-managed logging S3 buckets. Note: Logging buckets cannot be deleted - if they are not empty. Administrators can empty the bucket using the AWS - console. -7. `AWS > Turbot > Event Poller` to `Disabled`. When event handlers are set to - `Skip` or `Enforce: Not Configured`, Polling is automatically enabled. It - must be explicitly disabled. Note that full cleanup of event handler - resources requires event pollers to still be active. Disable Event Pollers - _after_ verifying that all Event Handler infrastructure has been removed from - the account. - -Once the controls associated with the above policies have completed, the AWS -account can be disconnected from the Guardrails workspace. +In this guide, you will: +- Decommission Guardrails-managed resources in an AWS account. +- Disconnect the AWS account from the Guardrails workspace using the Guardrails console. -## Disconnect AWS Account from Guardrails +As part of regular Guardrails workspace maintenance, it is sometimes necessary to remove AWS accounts. This process involves two key steps: first, [Decommission Guardrails-managed resources](#decommission-guardrails-infrastructure) in the AWS account by updating relevant policy settings—administrators should assess whether to retain resources like S3 buckets or CloudTrail, though Event Handlers must always be removed; second, [Disconnect the AWS account from Guardrails](#disconnect-aws-account-from-guardrails) workspace, which is a change made only on the Guardrails side and does not affect the AWS account itself. -Prior to performing the below steps, delete the policies -`AWS > Account > Turbot IAM Role > External ID` and -`AWS > Account > Turbot IAM Role` configured on the target account. Once they -have been removed, the account can be deleted from Guardrails. - -1. In the Guardrails console, navigate to the account that needs to be removed. -2. Click the **Delete** button in the top right. If you do not see the delete - button, reach out to your Guardrails workspace administrator for proper access. -3. In the pop-up dialog box, copy the account ID and paste in the text box. -4. Click `Delete`. While this is not irreversible (simply reimport the account), - it can be time and resource consuming. Be sure to double and triple check! -5. Guardrails will begin the delete process. The time to complete the deletion will - depend on the number of resources and policies that will be removed. The more - resources that are being deleted, the longer the process will take. +> [!NOTE] Disconnecting an AWS account from Guardrails will remove all child CMDB records and policy settings. -## Troubleshooting +## Prerequisites -The disconnection step may time out due to a number of factors including but not limited to overall system load, and the -number of resources in the account. The general aim is to reduce the number of resources in the account. - -### Manual Resource Count Reduction - -1. From the Guardrails landing page, find the AWS Account to be disconnected. -2. On the Account resource page, go to the little **Reports** tab. Look at the "Top Resource Types" on the left side. - These are the resource to target first. -3. Switch back to the little **Policies** tab. Click the green "New Policy Setting" button. -4. Search for the CMDB policy for the top resource type. It will be in the form - of `AWS > {Service} > {Resource Type} > CMDB`. -5. The Resource field should already be set to the AWS Account to be disconnected. -6. Set the CMDB policy to `Enforce: Disabled`. This will instruct Guardrails to purge all resource records for this - resource type. -7. Click the "Create" button. -8. Over the next few minutes Guardrails will purge those resource CMDB entries and the overall resource count in the - account will go down. -9. Attempt to disconnect the account. If this times out, continue steps 3 through 8 until the account is successfully - disconnected. +- Access to the Guardrails console with **Administrator** privileges. +- Familiarity with the Guardrails Policies. + +## Decommission Guardrails-managed resources + +To fully clean up Guardrails-managed resources in the AWS account, specific policy settings must be applied with the recommended values. If you intend to retain any of these resources, simply skip applying the corresponding policy. Once configured, allow time for Guardrails to complete the removal process. These policy settings are safe to apply even if there is no existing `Enforce: Enabled` configuration in place. + +## Step 1: Navigate to Policies + +Log into the Guardrails console with provided local credentials or by using any SAML-based login and select **Policies** from the top navigation menu. + +![Navigate to policies](/images/docs/guardrails/guides/aws/decommission/guardrails-navigate-policies.png) + +## Step 2: Remove Guardrails-Managed IAM Resources + +Set the `AWS > Turbot > Permissions` policy to `Enforce: None`. This will remove Guardrails-managed IAM policies, groups, roles and users. + +![Guardrails Permissions](/images/docs/guardrails/guides/aws/decommission/guardrails-turbot-permissions.png) + +## Step 3: Remove CloudTrail + +Set the `AWS > Turbot > Audit Trail` policy to `Enforce: Not configured`. This will remove the Guardrails-managed CloudTrail. + +![Guardrails CloudTrail](/images/docs/guardrails/guides/aws/decommission/guardrails-remove-cloudtrail.png) + +## Step 4: Remove Regional Event Handlers + +Set the `AWS > Turbot > Event Handlers` policy to `Enforce: Not configured`. This will remove Guardrails-managed Cloudwatch Event Rules and SNS topics. Refer to the [Event Handler documentation](integrations/aws/event-handlers) for additional context. + +![Guardrails Regional Event Handlers](/images/docs/guardrails/guides/aws/decommission/guardrails-regional-event-handlers.png) + +## Step 5: Remove Global Event Handlers + +Set the `AWS > Turbot > Event Handlers [Global]` policy to `Enforce: Not configured`. This will remove Guardrails-managed Cloudwatch Event Rules and SNS topics. -### Automated Resource Count Reduction +![Guardrails Global Event Handlers](/images/docs/guardrails/guides/aws/decommission/guardrails-global-event-handlers.png) -1. Use the - `aws_account_delete` [script in the Guardrails Samples Repo (GSR)](https://github.com/turbot/guardrails-samples/tree/main/guardrails_utilities/python_utils/remove_aws_account) - to automate the process of creating the CMDB policy settings and disconnecting the account. -2. Refer to - the [README](https://github.com/turbot/guardrails-samples/blob/main/guardrails_utilities/python_utils/remove_aws_account/README.md) - for further instructions on how to set up and run the script. +## Step 6: Remove IAM Service Roles -It may take several attempts to delete the account. If the account cannot be disconnected even after drastic reductions -in resource counts, please open a ticket with [Turbot Support](mailto:help@turbot.com) for further assistance. +Set the `AWS > Turbot > Service Roles` policy to `Enforce: Not configured`. This will remove any Guardrails-managed IAM service roles. -## How Disconnection Works +![Guardrails IAM Service Roles](/images/docs/guardrails/guides/aws/decommission/guardrails-service-roles.png) + +## Step 7: Remove Logging Buckets + +Set the `AWS > Turbot > Logging > Bucket` policy to `Enforce: Not configured`. This will remove Guardrails-managed logging S3 buckets. + +> [!NOTE] Logging buckets cannot be deleted if they are not empty. Administrators can empty the bucket using the AWS console. + +![Guardrails Logging buckets](/images/docs/guardrails/guides/aws/decommission/guardrails-logging-bucket.png) + +## Step 8: Disable Event Poller + +Set the `AWS > Turbot > Event Poller` policy to `Disabled`. + +![Guardrails Event Poller](/images/docs/guardrails/guides/aws/decommission/guardrails-event-poller.png) + +> [!IMPORTANT] When event handlers are set to `Skip` or `Enforce: Not Configured`, Polling is automatically enabled. It must be explicitly disabled. Note that full cleanup of event handler resources requires event pollers to still be active. Disable Event Pollers _after_ verifying that all Event Handler infrastructure has been removed from the account. + +Once the controls associated with the above policies have completed, the AWS account can be disconnected from the Guardrails workspace. + +## Disconnect AWS Account from Guardrails When a user with sufficient permissions attempts to disconnect an AWS account, Guardrails will try to remove the account, all child resources, controls, policy settings in a single SQL transactions. This is done for safety. Should the transaction fail, it's trivial for the database to roll back to a known good state. The effect of this rollback is that the account remains visible in Guardrails. AWS accounts with larger numbers of resources, the time required to -complete the transaction may exceed the statement timeout limit. \ No newline at end of file +complete the transaction may exceed the statement timeout limit. + +## Step 1: Delete Turbot IAM Role Policies + +Before disconnecting the account, delete the policies listed below from the target account. Once removed, you can proceed to delete the account from Guardrails. + +`AWS > Account > Turbot IAM Role > External ID` + +![External ID](/images/docs/guardrails/guides/aws/decommission/guardrails-turbot-external-id.png) + +`AWS > Account > Turbot IAM Role` + +![Turbot IAM Role](/images/docs/guardrails/guides/aws/decommission/guardrails-turbot-iam-role.png) + +## Step 2: Navigate to Account + +In the Guardrails console, navigate to the account that needs to be removed. + +![Select Account](/images/docs/guardrails/guides/aws/decommission/guardrails-select-account.png) + +## Step 3: Delete Account + +Select **Remove from Turbot** from the **Action** drop down in the top right. If you do not see it, reach out to your Guardrails workspace administrator for proper access. + +![Remove from Turbot](/images/docs/guardrails/guides/aws/decommission/guardrails-delete-account.png) + +Copy the account ID and paste in the text box and select **Delete**. + +![Confirm Delete](/images/docs/guardrails/guides/aws/decommission/guardrails-confirm-delete.png) + +> [!WARNING] While this is not irreversible (simply reimport the account), it can be time and resource consuming. Be sure to double and triple check! + +Guardrails will begin the delete process. The time to complete the deletion will depend on the number of resources and policies that will be removed. The more resources that are being deleted, the longer the process will take. + +> [!IMPORTANT]The disconnection step may time out due to a number of factors including but not limited to overall system load, and the number of resources in the account. The general aim is to reduce the number of resources in the account. + +## Resource Count Reduction + +### Manual + +## Step 1: Navigate to Account + +Navigate to the AWS Account to be disconnected and select the **Metrics** tab. + +![Navigate to Account](/images/docs/guardrails/guides/aws/decommission/guardrails-locate-account.png) + +## Step 2: Locate Top Resource Types + +Look at the `Top Resource Types` on the left side. These are the resources to target first. + +![Top Resource Types](/images/docs/guardrails/guides/aws/decommission/guardrails-top-resource-types.png) + +## Step 3: Locate Policies + +Switch to the **Policies** tab. Click the **New Policy Setting** button. + +![Select policies](/images/docs/guardrails/guides/aws/decommission/guardrails-select-policies.png) + +## Step 4: Create Resource CMDB Policy + +Find the CMDB policy in the format `AWS > {Service} > {Resource Type} > CMDB`, set it to **Enforce: Disabled**, and choose **Create**. This instructs Guardrails to purge all resource records for this resource type. + +![Create Resource CMDB policy](/images/docs/guardrails/guides/aws/decommission/guardrails-locate-resource-cmdb-policy.png) + +Over the next few minutes Guardrails will purge those resource CMDB entries and the overall resource count in the account will reduce. + +> [!Note] If this Attempt to disconnect the account times out, continue steps 3 through 8 until the account is successfully + disconnected. + +### Automated + +## Step 1: Clone Guardrails Samples Github Repo + +Go to [guardrails-samples](https://github.com/turbot/guardrails-samples/tree/main/guardrails_utilities/python_utils/remove_aws_account) and clone the repository. + +![Clone Repository](/images/docs/guardrails/guides/aws/decommission/github-guardrails-samples-repo.png) + +## Step 2: Navigate to Remove AWS Account Directory + +In the cloned repository, navigate to the following folder: + +`guardrails_utilities/python_utils/remove_aws_account` + +## Step 3: Run AWS Remove Account Script + +Refer to the [README](https://github.com/turbot/guardrails-samples/blob/main/guardrails_utilities/python_utils/remove_aws_account/README.md) for further instructions on how to set up and run the `remove_aws_account` script. + +## Troubleshooting + +| Issue | Description | Guide | +|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------| +| Account Disconnection Fails | Account cannot be disconnected even after drastic reductions in resource counts. | please open a ticket with [Turbot Support](mailto:help@turbot.com) for further assistance. | +| Remove from Turbot Dropdown Unavailable | The Remove from Turbot action is unavailable on the resource detail page. | Reach out to your Guardrails workspace administrator to validate proper access. | +| Common errors | Common issues that may prevent controls from running include network connectivity problems, permission issues, and API rate limits. These can cause controls to enter an error state. | Refer to [Common Troubleshooting](/guardrails/docs/guides/troubleshooting) for detailed resolution steps. | +| Further Assistance | If you encounter further issues, please open a ticket with us and attach the relevant information to assist you more efficiently. | [Open Support Ticket](https://support.turbot.com) | \ No newline at end of file