Announcement

Launch Week 5 B-sides

More announcements from Turbot Launch Week 5 that didn't make the daily cut, including new major product features, open-source project updates, and quality of life improvements.

Turbot Team
5 min. read - Jul 26, 2024

As Launch Week 5 draws to a close, we wanted to take a moment to highlight some of the exciting updates and announcements that slipped under the radar this week across our Turbot products and open-source projects.

Pipes and Guardrails docs now available for contributions on GitHub

Similar to Steampipe, Powerpipe, and Flowpipe docs, Turbot Pipes and Turbot Guardrails docs are now publicly available on GitHub, and we are accepting contributions! Moving our docs to a public repository invites our community to participate in improving them. Also, our Turbot Guardrails Samples repo now includes a section for contributing to Policy Packs that can be published to the Turbot Guardrails Hub.

Check out the docs and start contributing today:

Guardrails: 75+ controls added

Guardrails now supports several new resource types, hundreds of new policies, and over 75 new controls for security, compliance, and operational guardrails. Many of the new Guardrails features support auto-remediation of CIS benchmarks for Azure and GCP and ServiceNow import set support; others respond to ongoing customer feedback. They include:

  • Azure Security Center auto-provisioning
  • Azure Network Watcher Flow Log Retention policies
  • Azure App Service Web Apps client certificate mode
  • GCP DNS Managed Zone DNSSEC configurations
  • and 70+ more

Guardrails: Static CIDR ranges

You can now configure Guardrails Mod Lambda functions to operate from static CIDR ranges. That makes it easier to allowlist Guardrails in your organization's cloud ingress policies, because traffic from Guardrails to your cloud providers then arrives from a consistent, known set of IP ranges.

This feature is an optional setting for Turbot Guardrails Enterprise and is already enabled in Turbot Guardrails Cloud. Reach out to your Turbot Customer Success lead for more information.

Guardrails: Increased performance at lower runtime costs

For Turbot Guardrails Enterprise customers, the latest Turbot Guardrails Enterprise (TE) v5.45.0 release massively reduces Redis memory consumption, which smooths cache operation. Also in this release: all AWS Lambda functions have moved from x86 to ARM64 architecture, which has increased performance and reduced runtime costs by 30%.

Pipes: Connection folders

Formerly, connections created at the tenant, organization, or workspace level were displayed and managed as flat lists. That was unwieldy both for administrators who create connections for use in workspaces and for workspace owners who create connections in their own workspaces. Now, at all levels, connections can be bundled into connection folders that are much easier to display and manage.

You can create connection folders manually, or automatically with the new AWS, Azure, and GCP integrations. These integrations import accounts, subscriptions, and projects as Pipes connections organized into Pipes connection folders that mirror the administrative structure of the imported organizations (AWS, GCP) or tenants (Azure), so that delegation of permissions in Pipes matches delegation in the origin systems.

When a folder contains two connections of the same type (aws1, aws2), Pipes automatically creates an aggregator (all_aws) that bundles them for all-at-once query. Although connections and connection folders can exist at any level, aggregators are — as before — purely workspace-level constructs.

Pipes: Workspace-level connections

Formerly, unprivileged workspace owners — including those with Developer accounts — needed to ask administrators to create connections for them. Now a workspace owner is empowered to create non-shareable connections scoped to the workspace. Less friction, faster development.

Pipes: Enterprise-scale Datatank performance

The new integrations (AWS, Azure, GCP) make it fast and easy to create large numbers of connections, and workspaces that query across many connections may want to use Datatank to speed up those queries. Datatank's new "fleet" mode handles the larger workloads arising from these integrations.

Pipes: New Connections - CrowdStrike and Semgrep

Pipes now supports new connections with CrowdStrike and Semgrep to centrally query, report and collaborate on:

  • Semgrep deployments, findings, and projects. Special thanks to community member @gabrielsoltz for publishing the community-built Semgrep Steampipe plugin.
  • CrowdStrike detections, hosts, intel_actors, users, and more.

Pipes: Quality of life improvements

Changes to make the user experience friendlier include:

  • Set a search path prefix in your workspace settings to override default aggregators with custom ones.
  • Refreshed Azure and AzureAD (Entra) connection instructions.
  • The all_ prefix in schema names is now reserved to avoid conflicts.
  • Process logs now have a copy button to easily extract logs from UI.
  • Improved breadcrumb navigation among Pipes tenants, organizations and workspaces.

Pipes & Powerpipe: 8 new security benchmarks supported

Powerpipe has added eight new security benchmarks to our AWS, Azure, and GCP compliance mods. These new benchmarks are available in the Powerpipe Hub and in Turbot Pipes to assess your security posture and share status with your team.

Pipes & Powerpipe: Automatically manage duplicate column names in snapshots

The latest version of Powerpipe CLI, v0.4.0, now automatically handles duplicate column names in Powerpipe and Pipes snapshots. In the JSON and snapshot output, the rows property now uses a unique key for each duplicated column, while the columns property records the original column name in an original_name field. For example, when running a query that aliases three columns to the same name:

powerpipe query run "select arn as title, account_id as title, title as title from aws_account" --output pps

Here is the updated JSON output behind the scenes:

{
  "columns": [
    {
      "name": "title",
      "data_type": "text"
    },
    {
      "name": "title_t5zj1",
      "data_type": "text",
      "original_name": "title"
    },
    {
      "name": "title_t5zj2",
      "data_type": "text",
      "original_name": "title"
    }
  ],
  "rows": [
    {
      "title": "arn:aws:::882789663776",
      "title_t5zj1": "882789663776",
      "title_t5zj2": "882789663776"
    }
  ],
  ...
}
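As an added illustration (not Powerpipe's own code), the following Python reproduces the columns/rows shape described above from a result set with duplicate column names, and then reads it back so a downstream consumer can recover the original headings. The suffix tag t5zj, the counter scheme, and the handling of a real column whose name already looks like a generated key are assumptions made for this example; the post shows a suffix like _t5zj1 but does not say how Powerpipe generates it.

```python
"""Added example (not Powerpipe's own code): build the columns/rows shape the
post describes from a result set with duplicate column names, then read it back."""
import json
from collections import Counter

# Constructed sample modelled on the post's query: three columns all aliased "title".
SAMPLE_NAMES = ["title", "title", "title"]
SAMPLE_TYPES = ["text", "text", "text"]
SAMPLE_ROWS = [["arn:aws:::882789663776", "882789663776", "882789663776"]]


def disambiguate(names, data_types, rows, tag="t5zj"):
    """Return {"columns": [...], "rows": [...]} with unique row keys.

    The first column with a given name keeps it. Each later duplicate gets the
    key "<name>_<tag><n>" and records the original name under "original_name".
    The tag and counter are assumptions for this example: the post shows a
    suffix like "_t5zj1" but does not document how Powerpipe generates it.
    A generated key that collides with a real column name is bumped until unused.
    """
    seen = Counter()
    used = set()
    columns, keys = [], []
    for name, dtype in zip(names, data_types):
        seen[name] += 1
        if seen[name] == 1 and name not in used:
            key = name
            col = {"name": key, "data_type": dtype}
        else:
            n = max(seen[name] - 1, 1)
            key = f"{name}_{tag}{n}"
            while key in used:
                n += 1
                key = f"{name}_{tag}{n}"
            col = {"name": key, "data_type": dtype, "original_name": name}
        used.add(key)
        columns.append(col)
        keys.append(key)
    return {"columns": columns, "rows": [dict(zip(keys, row)) for row in rows]}


def original_headers(snapshot):
    """Header labels as the query wrote them, for a CSV export or report."""
    return [c.get("original_name", c["name"]) for c in snapshot["columns"]]


def rows_in_column_order(snapshot):
    """Rows as lists in column order, looked up through the unique keys."""
    keys = [c["name"] for c in snapshot["columns"]]
    return [[row[k] for k in keys] for row in snapshot["rows"]]


def to_json(snapshot):
    """Serialize in the indented form shown in the post."""
    return json.dumps(snapshot, indent=2)


def load_snapshot(text):
    """Parse snapshot JSON back into the dict shape above."""
    return json.loads(text)


if __name__ == "__main__":
    snap = disambiguate(SAMPLE_NAMES, SAMPLE_TYPES, SAMPLE_ROWS)
    print(to_json(snap))
    print(original_headers(snap), rows_in_column_order(snap))
```

The point for anyone scripting against snapshots: key into rows with each column's name, but display or export original_name when it is present, otherwise the two renamed "title" columns silently become three distinct headings in downstream reports.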

Flowpipe: Use files, branches, or tags for Flowpipe mod dependencies

Flowpipe CLI v0.5.0 now supports installing mods from a branch or from the local file system, similar to our Powerpipe CLI v0.3.0 release. This update makes it easier to manage and refactor mods, enabling you to extract shared components into dependent mods for rapid development and testing.

You also now have more flexibility when installing or updating mods: the --pull argument selects the update strategy to apply.

If you haven't tried writing your own Flowpipe mods, now's a great time to get started. Build something useful and tell us about it!

Flowpipe: 125 pipelines added

Over the past few months, 125 pipelines have been added to the AWS, Azure, and GCP mods. Many support the new detect-and-correct Tagging and Thrifty mods, and others were added in response to community feedback. A few examples of the pipelines added:

  • Detach AWS EBS Volumes
  • Release AWS EIPs
  • Update AWS Route53 records
  • Delete Azure Kubernetes Cluster
  • Remove GCP IAM Policy Binding from KMS Key
  • and 120 more

Flip over to A-sides for the Wrap Up

Thank you for joining us for another exciting Launch Week! Check out the week's daily announcements summary in our Launch Week 5 Wrap Up post. Stay connected with us in our Slack community for our next Launch Week in a few months!