Guide on how to connect an account to Guardrails into a read-only state

[Joeturbot]

What are the steps to connect a cloud account to a mature Guardrails workspace with lots of policy settings in Enforce? This is a different requirement than a POC customer who is testing out Guardrails for the first time.

Process Proposal

1. Create a folder specifically for this sensitive account (aka: ZZZ)
2. On the folder set these policy settings:
3. Turbot > Change Window to No Changes.
4. AWS > Turbot > Event Handlers [Global] to Skip. (We do this so the event pollers will automatically enable in this account.)
5. Import the ZZZ account into the new folder using the Guardrails console.
6. Discovery happens as usual.
7. Identify any controls in error.
8. Evaluate the alarms that pop up. Be very thorough.
9. If you're comfy with what Guardrails would do, delete the Change Window and Event Handlers [Global] policies.
10. Move the ZZZ account to the same folder as all the other accounts of this type (NonProd, Prod, Sandbox).

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 90 days with no activity.