Apply baseline guardrails to your AWS landing zone

As a Cloud Security Operations administrator, you need continuous assurance that the organizational units in your AWS landing zone comply with the policies you applied to them. Desired state templates help you detect drift from your policies and enforce compliance on your accounts and resources.

To ensure that the organizational units in your AWS landing zone comply with your security policies, you can attach security baseline guardrails to your AWS landing zone by using the security templates that include policies and configuration rules. The security templates enforce the configuration rules on the organizational units in your AWS landing zone.

As a Cloud Operations administrator, you can apply baseline security guardrail policies that are mandatory, strongly recommended, and elective. Setting up your AWS landing zone enables the mandatory guardrails by default. During the setup, you can select the strongly recommended guardrails and elective guardrails.

Where to begin

Apply guardrails to your AWS landing zone

  1. To apply the security policies to the organizational units in your AWS landing zone, access the desired state templates in Tanzu Hub.
    1. Click Guardrails > Policies.
    2. On the Templates card, click View Templates.
    3. Click the Library tab, and click the Security filter.
  2. Select the following desired state templates. For more information about the desired state templates, go to Library of desired state templates in VMware Tanzu Guardrails.

    Type of security guardrail      | Supported security templates
    Mandatory guardrails            | Create or verify AWS SCP policies - AWS recommended mandatory and strongly Recommended Guardrails
    Strongly recommended guardrails | Create or verify strongly recommended AWS Config Rules
    Elective guardrails             | Create or verify AWS SCP policies - AWS recommended elective Guardrails
                                    | Create or verify elective AWS Config Rules
  3. Click Import to Curated Templates.
  4. In the Imported Templates dialog box, review each desired state template.
  5. For each desired state template, select a project only if you intend to monitor the desired states in the template without enforcing them. If you intend to enforce the desired states, do not select a project; enforcement also requires elevated privileges on the account.
  6. Click Finish to import the desired state templates that you selected into the curated list of desired state templates.
  7. To create desired states for your account, click each desired state template, click Apply Policy, and provide the information in the Apply Desired State Templates sections.
    1. For the general section, select an account and region.
    2. For the desired state section, provide the input parameters for the desired state template to run, and click Validate Inputs.
    3. For the monitor or enforce section, select an option. To enforce the policies, you must have elevated credentials on the account. For details, see Add Guardrails credentials to AWS cloud accounts.
    4. Click Apply Desired State Templates.
  8. Review the findings and the results history for the desired state policy drift on the account.
    1. Click Guardrails > Findings.
    2. Filter the findings to display security drifts.
    3. Expand the finding that has the highest attention score.
    4. View the drift details by clicking View diff.
    5. To view the timeline of the drift, click the desired state, and click View Results History.
    6. To take action on the desired state, click Desired States Actions, and select an option. You can monitor or enforce the desired state, or view the desired state inputs and code and the accounts associated with it.
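The monitor-or-enforce choice in steps 5 and 7 above, shown as an added Python example that is not Tanzu Guardrails code: a drift check that compares the SCPs attached to an organizational unit against a desired set, reports the missing ones in monitor mode, and attaches them only in enforce mode. It assumes a client exposing the boto3 `organizations` method names `list_policies_for_target` and `attach_policy`; the OU and policy ids are constructed placeholders, and the in-memory client is a stand-in so the script runs offline.

```python
"""Monitor-versus-enforce drift check for SCP guardrails on an OU.

Added example, not Tanzu Guardrails code. The client is assumed to expose
list_policies_for_target(TargetId=..., Filter='SERVICE_CONTROL_POLICY') and
attach_policy(PolicyId=..., TargetId=...), the method names of the boto3
'organizations' client; a fake in-memory client is used here so it runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class FakeOrgClient:
    """Constructed stand-in for the boto3 organizations client."""
    attached: dict = field(default_factory=dict)   # target id -> list of policy ids
    calls: list = field(default_factory=list)      # record of write calls made

    def list_policies_for_target(self, TargetId, Filter):
        assert Filter == "SERVICE_CONTROL_POLICY"
        return {"Policies": [{"Id": pid} for pid in self.attached.get(TargetId, [])]}

    def attach_policy(self, PolicyId, TargetId):
        self.calls.append(("attach_policy", PolicyId, TargetId))
        self.attached.setdefault(TargetId, []).append(PolicyId)


def check_scp_guardrails(client, ou_id, desired_policy_ids, enforce=False):
    """Return the sorted list of desired SCP ids not attached to the OU (the drift).

    Monitor mode (enforce=False) only reports the finding. Enforce mode attaches
    the missing policies, which requires organizations:AttachPolicy on the account.
    """
    resp = client.list_policies_for_target(TargetId=ou_id, Filter="SERVICE_CONTROL_POLICY")
    attached = {p["Id"] for p in resp["Policies"]}
    missing = sorted(set(desired_policy_ids) - attached)
    if enforce:
        for policy_id in missing:
            client.attach_policy(PolicyId=policy_id, TargetId=ou_id)
    return missing


if __name__ == "__main__":
    # Constructed sample: the OU has only one of two mandatory guardrail SCPs attached.
    org = FakeOrgClient(attached={"ou-example-1": ["p-mandatory-a"]})
    desired = ["p-mandatory-a", "p-mandatory-b"]
    print("monitor drift:", check_scp_guardrails(org, "ou-example-1", desired))
    print("enforce drift:", check_scp_guardrails(org, "ou-example-1", desired, enforce=True))
    print("after enforce:", check_scp_guardrails(org, "ou-example-1", desired))
```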

Monitor your accounts for drifts from the desired state templates

Monitor the findings for your accounts, filter the results to display the drifts, and investigate the drift findings that have the highest attention score. Refer to Investigate VMware Tanzu Guardrails findings.

Parent topic: Define and apply governance policies in VMware Tanzu Hub
