Launch Week 8 B-sides
More announcements from Turbot Launch Week 8 that didn't make the daily cut, including new major product features, open-source project updates, and quality of life improvements.

As Launch Week 8 draws to a close, we wanted to take a moment to highlight some of the exciting updates and announcements that slipped under the radar this week across our Turbot products and open-source projects.
Guardrails: New scheduling tag options for RDS
You can now configure custom tag names to control when your RDS clusters and instances start and stop, giving you more flexibility in applying schedules across your environments.
- RDS DB Clusters: Set a custom tag name using the AWS > RDS > DB Cluster > Schedule > Schedule Tag > Name policy.
- RDS DB Instances: Set a custom tag name using the AWS > RDS > DB Instance > Schedule > Schedule Tag > Name policy.
This is especially useful when you have standardized tag names across services or want more descriptive labels in your automation workflows.
Guardrails: AWS and Azure mod changes
The Azure Security Center mod now uses the latest Azure SDK, which introduces breaking changes to the Security Center data model. If you rely on these CMDB attributes in your Guardrails policies, be sure to update your settings:
- Added: policy.enforcementMode, policy.nonComplianceMessages, policy.systemData
- Removed: policy.sku
- Renamed: settings[*].properties.enabled → settings[*].enabled
We also updated default behaviors based on vendor service retirement notices:
- AWS CloudSearch: The AWS > CloudSearch > Domain > CMDB policy is now set to Skip by default due to CloudSearch being deprecated by AWS and will be removed in the next major release. AWS CloudSearch retirement announcement
- Azure Database for MySQL – Single Server: The AWS > MySQL > Server > CMDB policy is now set to Skip by default due to service retirement from Azure. Azure MySQL Single Server retirement announcement
Guardrails: New UI for managing multi-query calculated policies
In Launch Week 6, we introduced improvements to calculated policies that made it easier to reference common context fields directly, such as resource IDs, tags, and URIs, without writing multiple queries.
Now we're making it even easier to build and test these policies with a new UI that supports multiple queries. You can define additional input queries, inspect their outputs in real time, and reference them directly in your final policy template, all from a single interface.
This upgrade gives policy authors a complete end-to-end experience for building multi-query calculated policies. It simplifies development, reduces the need for external testing, and makes it easier to debug and maintain complex logic.
Guardrails: Workspace activity retention defaults
We’ve updated the default for the Turbot > Workspace > Retention > Activity Retention policy to 90 days (previously unlimited) for all Guardrails environments — both SaaS (Turbot Guardrails Cloud) and self-hosted (Turbot Guardrails Enterprise).
Limiting retention helps improve UI performance and reduce storage costs, while still supporting most compliance and auditing needs. You can adjust the retention period using the Turbot > Workspace > Retention > Activity Retention policy:
Retention Period | Ideal For |
---|---|
30 days | High-performance environments |
60 days | Balanced usage |
90 days | New default — standard compliance |
180 / 365 days | Long-term auditing policies |
This change takes effect automatically in Turbot Guardrails Cloud, and when Enterprise customers upgrade to Turbot v5.51.0.
Guardrails: Turbot Enterprise Foundation and Database updates
For Turbot Guardrails Enterprise (self-hosted) customers, recent updates add more flexible parameters that help environments stay performant and resilient:
- Multi-region KMS encryption: Workspaces now use a multi-region KMS key to re-encrypt the Tenant Master Key for greater resiliency and portability. This change is included in TE v5.49.0 and TEF v1.65.0+.
- TEF v1.66.0 updates: New parameters to control ALB timeouts, API Gateway domains, and queue message rates. S3 lifecycle rules now clean up expired and incomplete uploads, and routing was improved with GatewayPrefix support in Route53.
- TED v1.47.0 enhancements: Support for PostgreSQL up to version 16.8, improved defaults for DB/cache instances (e.g., db.m6g.large, 400 GB, 12,000 IOPS), and CloudWatch log forwarding.
Guardrails: New Guides for disaster recovery, configuration, and troubleshooting
We’ve recently added a new set of step-by-step Guides to help Guardrails admins configure, operate, and troubleshoot their environments more easily.
Disaster recovery and upgrade planning
Explore new guides focused on resilience and recovery for self-hosted environments:
- Understand Guardrails DR architecture options for different levels of availability and risk tolerance
- Set up single-region workspace recovery to test backup and restore procedures
- Configure multi-region deployment and failover using Tier 3 architecture
- Upgrade and optimize your Guardrails RDS databases with guidance on resizing storage and upgrading engine versions
Configuration and automation guides
For teams configuring Guardrails in new environments or streamlining operations, we’ve added guides for:
- Configuring custom tags for RDS start/stop scheduling
- Skipping Azure management groups and subscriptions during import
- Importing AWS resources using Native Stacks
- Running controls and policies using scripts
Troubleshooting and monitoring
For real-world visibility and diagnostics, new guides now cover:
These join many other new and updated guides that support the latest Launch Week announcements. You can explore them all in the Guardrails Docs or contribute directly on GitHub.
Guardrails: Updated Hub documentation for policy and permission dependencies
The Guardrails Hub now provides deeper visibility into how each control works, making it easier for teams to implement least privilege access and understand the impact of every control and policy pack.
Control pages now display the specific policies that influence how a control behaves, along with the cloud permissions required for the control to execute its actions. These updates help clarify not only how controls function, but also what access is needed behind the scenes.
Permissions are now also mapped within policy packs, giving teams a faster way to evaluate which cloud write permissions are required for groups of related controls.
With this improved documentation, Guardrails users and administrators gain clearer guidance on control behavior, policy relationships, and execution requirements. These changes are especially valuable when designing least privilege access or auditing what access is needed for the specific Guardrails capabilities your teams rely on.
Steampipe: New tables and plugin enhancements
Steampipe continues to expand its coverage of cloud and SaaS services, with new tables and plugin improvements to help you query more of your infrastructure using SQL.
AWS Steampipe plugin added four new tables, including aws_rds_pending_maintenance_action for visibility into upcoming database maintenance events, and expanded support for Lake Formation with aws_lakeformation_permission, aws_lakeformation_resource, and aws_lakeformation_tag. Enhancements across AWS services include support for SSE-C filters in aws_s3_object, pending_modified_values in aws_rds_db_instance, and logging_config in aws_lambda_function. Tagging support has also been added to the aws_glue_* tables, and parent hydrate logic was introduced to aws_ecr_image_scan_finding to support more complex joins.
Jira Steampipe plugin introduced several updates to improve performance and query flexibility. You can now access the changelog on issues, filter worklogs by updated timestamp, and avoid redundant API calls when querying jira_issue_comment with filters. The plugin also resolves prior issues when filtering on resolution_date and status.
Alibaba Cloud Steampipe plugin now supports profile authentication for the alicloud_oss_bucket table and adds support for six new regions including me-central-1, cn-wuhan-lr, and ap-southeast-7.
Tailpipe & Steampipe Hub: Explore ready-to-run queries
The Tailpipe Hub and Steampipe Hub now feature a new Queries tab on each mod, making it easier than ever to explore real-world SQL examples.
You can browse, filter, and search across the queries surfaced from table docs and related Powerpipe mods. This gives you quick access to examples for security, compliance, cost, and operations use cases. Whether you're learning Steampipe or Tailpipe, or building dashboards and detections, the Queries tab offers instant inspiration and ready-to-run patterns.
Powerpipe: GitHub Audit Log detections, MITRE mapping & activity dashboard
The new Powerpipe GitHub Audit Log Detections mod adds powerful new capabilities for detecting risky behavior and understanding activity across your GitHub organizations.
Using Tailpipe to collect GitHub Audit Logs, you can visualize patterns and trends with the included Audit Log Activity dashboard, designed to help you quickly answer key questions like:
- Who are the top actors (excluding bots)?
- What are the top source IPs?
- What are the most frequently occurring actions?
- Which repositories have had the highest number of secret scanning alerts created?
The mod also includes a detection benchmark that highlights risks tied to sensitive actions across branches, repositories, and organizations, plus a dedicated view that maps those detections to the MITRE ATT&CK framework to support threat modeling and compliance efforts.
Powerpipe: AWS VPC Flow Log detections, network graphs & MITRE mapping
The new Powerpipe AWS VPC Flow Log Detections mod unlocks deep insights into your AWS network activity by analyzing VPC Flow Logs collected with Tailpipe. With pre-built detections, dashboards, and visualizations, this mod helps you surface risky behavior and understand how data moves through your environment.
Detections highlight key network security concerns such as:
- Unusual port activity
- Suspicious outbound traffic
- Access to internal services from public IPs
- Communication with known bad IPs
These detections are organized in a benchmark view, and are also mapped to the MITRE ATT&CK framework to help align network detections with adversary tactics.
The mod also includes interactive Network Graph dashboards to explore VPC flow data across regions, IPs, protocols, and traffic patterns, with visual graphs that reveal relationships between IP addresses and highlight high-volume or suspicious activity.
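The "access to internal services from public IPs" detection listed above, sketched as an added example (not code from the Powerpipe mod): it parses default-format VPC Flow Log records and totals accepted bytes from public sources to internal hosts on service ports. Treating RFC 1918 space as "internal", the port list, and the sample records are assumptions made for illustration.

```python
import ipaddress

# Default (version 2) VPC Flow Log record layout, space-separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
# Assumption: "internal" means RFC 1918 space; everything else counts as public.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: ports of services that should never be reachable from outside.
INTERNAL_PORTS = {22, 3306, 3389, 5432}

# Constructed sample records (documentation IP ranges, made-up account and ENI).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.20 51544 22 6 12 1840 1744070400 1744070460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.20 51544 22 6 5 660 1744070460 1744070520 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.20 40022 5432 6 30 9000 1744070400 1744070460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 44321 3306 6 3 180 1744070400 1744070460 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.20 51600 443 6 20 5200 1744070400 1744070460 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1744070400 1744070460 - NODATA
""".splitlines()

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse(line):
    """Return a dict for a usable record, or None for malformed/no-data lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA and SKIPDATA records carry "-" placeholders instead of traffic fields.
    return rec if rec["log_status"] == "OK" else None

def public_to_internal(lines):
    """Sum accepted bytes per (public src, internal dst, service port)."""
    findings = {}
    for rec in filter(None, map(parse, lines)):
        if rec["action"] != "ACCEPT" or int(rec["dstport"]) not in INTERNAL_PORTS:
            continue  # skip rejected flows and ports outside the list (e.g. return traffic)
        if is_internal(rec["dstaddr"]) and not is_internal(rec["srcaddr"]):
            key = (rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]))
            findings[key] = findings.get(key, 0) + int(rec["bytes"])
    return findings

if __name__ == "__main__":
    for (src, dst, port), nbytes in public_to_internal(SAMPLE).items():
        print(f"public {src} -> internal {dst}:{port} accepted, {nbytes} bytes")
```

Version 2 records carry no direction field, so the destination-port filter is what separates inbound connections from replies to outbound ones.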
Pipes: New AWS PCI DSS v4.0 benchmark
Powerpipe has added a PCI DSS v4.0 benchmark to the AWS Compliance mod, helping you evaluate your AWS environment against the latest Payment Card Industry Data Security Standard. This benchmark is now available in Turbot Pipes to assess your security posture and share compliance status with your team.
Pipes: SSD storage, larger queries & mod install upgrades
Several key upgrades landed in Pipes this cycle, improving performance, flexibility, and data access at scale:
Persistent workspaces now run on high-performance SSD storage, delivering faster query execution and lower latency for demanding workloads. All new persistent workspaces will use SSDs by default, with existing workspaces migrating gradually — at no additional cost.
Mods can now be installed from archive files, making it easier to work with local mod bundles or distribute custom/private mods. This feature is available for both Powerpipe and Flowpipe mods inside Pipes. Learn more about installing mod archives.
The Query API now supports:
- Up to 25,000 rows per request (previously 5,000)
- Partial results for long-running queries: data returned before the 2-minute limit is preserved and returned with a 206 Partial Content status
- Improved timeout clarity, distinguishing between partial (206) and full (408) timeouts
Community Corner
Since last Launch Week, we've seen another awesome wave of contributions, content, and creativity across our open-source projects. Here's a look at some highlights from the community:
Code and Doc Contributions
Huge thanks to our GitHub community for contributing fixes, features, and doc improvements across our open-source repos:
- @fyqtian added the new aws_rds_pending_maintenance_action table to the Steampipe AWS plugin.
- @mariusgrigaitis made multiple improvements to the Steampipe Jira plugin, including changelog support, worklog filtering, bug fixes, and performance enhancements.
- @pdecat added tag support across the AWS Steampipe plugin aws_glue_* tables.
- @adrianstanislaus fixed the iam_user_one_active_key query in the Powerpipe AWS Compliance mod.
- @ido123ziv updated the Powerpipe GitHub Action to use upload-artifact v4, resolving deprecation errors.
- @sbldevnet updated Steampipe docs to reference SDK v5, improving the plugin development experience.
- @sdil fixed typos and improved code examples in the Powerpipe docs.
Community Content & Demos
We also saw some great blog posts, demos, and explorations of Steampipe in the wild:
Steampipe: Simplifying Cloud Queries & Compliance with SQL
Prabu Balasubramanian from Altimetrik shares how Steampipe helps teams simplify cloud visibility and compliance reporting using SQL.
Steampipe: Query your cloud infrastructure with SQL for faster insights
Giuseppe Santoro from Elastic introduces Steampipe and explores how it speeds up cloud investigations and reporting.
Trino Meets Steampipe on Mars
Vivek Jain from JPMorgan Chase showcases a fun mashup of Trino and Steampipe in a creative integration.
Using MCP + Steampipe to analyze cloud configs
Chi Duong from Stratus Cyber demos how Steampipe helps analyze cloud data via MCP in a real-world security use case.
DIY SAP Integration Suite plugin for Steampipe
On the Boring Enterprise Nerds podcast, Vadim Klimov demonstrates a homegrown Steampipe plugin to query SAP OData APIs with SQL.
Thanks to everyone sharing your work! Whether it’s a pull request, a blog post, or a demo, we love seeing what you build!
Turbot at Open Cloud Security Conference 2025: The Power of Composability
On April 8, 2025, we joined the Open Cloud Security Conference—a full day of practical talks on securing AWS, Azure, GCP, and Kubernetes with tools you can see, trust, and contribute to. The event brought together security engineers, open source builders, and cloud practitioners committed to transparency and collaboration.
Our Founder & CEO, Nathan Wallace, presented The Power of Composability: Building Security with Open Source Ecosystems, highlighting how composable architectures are transforming cloud security. Using open source frameworks like Steampipe, Tailpipe, Powerpipe, and Flowpipe, teams can treat detections, queries, and controls like building blocks that are easy to share, extend, and plug into any environment.
The session explored how modular tools accelerate DevSecOps workflows, support least privilege enforcement, and enable teams to build open, auditable security systems with the broader community.
Following so many recent contributions from our community, this message hits close to home: security isn’t just something we build. It’s something we build together.
Flip over to A-sides for the Wrap Up
Thank you for joining us for another exciting Launch Week! Check out the week's daily announcements summary in our Launch Week 8 Wrap Up post. Stay connected with us in our Slack community for our next Launch Week in a few months!