As [Launch Week 8](https://turbot.com/launch-week/08) draws to a close, we wanted to take a moment to highlight some of the exciting updates and announcements that slipped under the radar this week across our Turbot products and open-source projects. ## Guardrails: New scheduling tag options for RDS You can now configure custom tag names to control when your RDS clusters and instances start and stop, giving you more flexibility in applying [schedules](https://turbot.com/guardrails/docs/concepts/guardrails/scheduling) across your environments. - **[RDS DB Clusters](https://hub.guardrails.turbot.com/mods/aws/controls/aws-rds/dbClusterSchedule)**: Set a custom tag name using the `AWS > RDS > DB Cluster > Schedule > Schedule Tag > Name` policy. - **[RDS DB Instances](https://hub.guardrails.turbot.com/mods/aws/controls/aws-rds/instanceSchedule)**: Set a custom tag name using the `AWS > RDS > DB Instance > Schedule > Schedule Tag > Name` policy. This is especially useful when you have standardized tag names across services or want more descriptive labels in your automation workflows. ## Guardrails: AWS and Azure mod changes The [Azure Security Center mod](https://hub.guardrails.turbot.com/mods/azure/mods/azure-securitycenter) now uses the latest Azure SDK which has breaking changes introduced with the Security Center data model. If you rely on these CMDB attributes in your Guardrails policies, be sure to update your settings: - **Added**: `policy.enforcementMode`, `policy.nonComplianceMessages`, `policy.systemData` - **Removed**: `policy.sku` - **Renamed**: `settings[*].properties.enabled` → `settings[*].enabled` We also updated default behaviors based on vendor service retirement notices: - **AWS CloudSearch**: The `AWS > CloudSearch > Domain > CMDB` policy is now set to `Skip` by default due to CloudSearch being deprecated by AWS and will be removed in the next major release. [AWS CloudSearch retirement announcement](https://docs.aws.amazon.com/cloudsearch/latest/developerguide/what-is-cloudsearch.html) - **Azure Database for MySQL – Single Server**: The `AWS > MySQL > Server > CMDB` policy is now set to `Skip` by default due to service retirement from Azure. [Azure MySQL Single Server retirement announcement](https://techcommunity.microsoft.com/blog/adformysql/azure-database-for-mysql---single-server-retirement---key-updates-and-migration-/4055198) ## Guardrails: New UI for managing multi-query calculated policies In [Launch Week 6](https://turbot.com/blog/2024/10/launch-week-6-b-sides#guardrails-improved-multi-query-in-calculated-policies), we introduced improvements to calculated policies that made it easier to reference common context fields directly, such as resource IDs, tags, and URIs, without writing multiple queries. Now we're making it even easier to build and test these policies with a new UI that supports multiple queries. You can define additional input queries, inspect their outputs in real time, and reference them directly in your final policy template, all from a single interface. This upgrade gives policy authors a complete end-to-end experience for building multi-query calculated policies. It simplifies development, reduces the need for external testing, and makes it easier to debug and maintain complex logic. ## Guardrails: Workspace activity retention defaults We’ve updated the default for the [Turbot > Workspace > Retention > Activity](https://hub.guardrails.turbot.com/mods/turbot/policies/turbot/activityRetention) Retention policy to **90 days** (previously unlimited) for all Guardrails environments — both SaaS (Turbot Guardrails Cloud) and self-hosted (Turbot Guardrails Enterprise). Limiting retention helps improve UI performance and reduce storage costs, while still supporting most compliance and auditing needs. You can adjust the retention period using the `Turbot > Workspace > Retention > Activity Retention` policy: | Retention Period | Ideal For | | ---------------- | ------------------------------------- | | 30 days | High-performance environments | | 60 days | Balanced usage | | **90 days** | **New default — standard compliance** | | 180 / 365 days | Long-term auditing policies | This change takes effect automatically in Turbot Guardrails Cloud, and when Enterprise customers upgrade to [Turbot v5.51.0](https://turbot.com/guardrails/changelog/turbot-v5-51-0). ## Guardrails: Turbot Enterprise Foundation and Database updates For **Turbot Guardrails Enterprise (self-hosted)** customers, recent updates add more flexibility to parameters helping environments stay performant and resilient: - **Multi-region KMS encryption**: Workspaces now use a multi-region KMS key to re-encrypt the Tenant Master Key for greater resiliency and portability. This change is included in [TE v5.49.0](https://turbot.com/guardrails/changelog/te-v5-49-0) and [TEF v1.65.0+](https://turbot.com/guardrails/changelog/tef-v1-65-0). - **[TEF v1.66.0](https://turbot.com/guardrails/changelog/tef-v1-66-0) updates**: New parameters to control ALB timeouts, API Gateway domains, and queue message rates. S3 lifecycle rules now clean up expired and incomplete uploads, and routing was improved with GatewayPrefix support in Route53. - **[TED v1.47.0](https://turbot.com/guardrails/changelog/ted-v1-47-0) enhancements**: Support for PostgreSQL up to version 16.8, improved defaults for DB/cache instances (e.g., `db.m6g.large`, 400 GB, 12,000 IOPS), and CloudWatch log forwarding. ## Guardrails: New Guides for disaster recovery, configuration, and troubleshooting We’ve recently added a new set of [step-by-step Guides](https://turbot.com/guardrails/docs/guides) to help Guardrails admins configure, operate, and troubleshoot their environments more easily. **Disaster recovery and upgrade planning** Explore new guides focused on resilience and recovery for self-hosted environments: - [Understand Guardrails DR architecture options](https://turbot.com/guardrails/docs/guides/hosting-guardrails/disaster-recovery/architecture-options) for different levels of availability and risk tolerance - [Set up single-region workspace recovery](https://turbot.com/guardrails/docs/guides/hosting-guardrails/disaster-recovery/restore-workspace) to test backup and restore procedures - [Configure multi-region deployment and failover](https://turbot.com/guardrails/docs/guides/hosting-guardrails/disaster-recovery/multi-region-deployment) using Tier 3 architecture - [Upgrade and optimize your Guardrails RDS databases](https://turbot.com/guardrails/docs/guides/hosting-guardrails/disaster-recovery/database-upgrade#database-upgrade) with guidance on resizing storage and upgrading engine versions **Configuration and automation guides** For teams configuring Guardrails in new environments or streamlining operations, we’ve added guides for: - [Configuring custom tags for RDS start/stop scheduling](https://turbot.com/guardrails/docs/guides/using-guardrails/scheduling) - [Skipping Azure management groups and subscriptions during import](https://turbot.com/guardrails/docs/guides/azure/import/skip-management-groups-and-subscriptions) - [Importing AWS resources using Native Stacks](https://turbot.com/guardrails/docs/guides/using-guardrails/stacks/import) - [Running controls and policies using scripts](https://turbot.com/guardrails/docs/guides/using-guardrails/troubleshooting/run-controls-using-scripts) **Troubleshooting and monitoring** For real-world visibility and diagnostics, new guides now cover: - [Monitoring Lambda invocation patterns and cost spikes](https://turbot.com/guardrails/docs/guides/hosting-guardrails/monitoring/investigate-lambda-invocation) - [Resolving calculated policy evaluation errors](https://turbot.com/guardrails/docs/guides/using-guardrails/troubleshooting/fix-calc-policy-evaluation-errors) These join many other new and updated guides that support the latest Launch Week announcements. You can explore them all in the [Guardrails Docs](https://turbot.com/guardrails/docs/guides) or contribute directly on [GitHub](https://github.com/turbot/guardrails-docs). ## Guardrails: Updated Hub documentation for policy and permission dependencies The [Guardrails Hub](https://hub.guardrails.turbot.com) now provides deeper visibility into how each control works, making it easier for teams to implement least privilege access and understand the impact of every control and policy pack. Control pages now display the specific [policies](https://hub.guardrails.turbot.com/mods/azure/controls/azure/resourceGroupDiscovery#policies) that influence how a control behaves, along with the [cloud permissions](https://hub.guardrails.turbot.com/mods/azure/controls/azure/resourceGroupDiscovery#permissions) required for the control to execute its actions. These updates help clarify not only how controls function, but also what access is needed behind the scenes. Permissions are now also mapped within [policy packs](https://hub.guardrails.turbot.com/policy-packs/azure_compute_enforce_vms_use_approved_amis_from_trusted_publishers/permissions), giving teams a faster way to evaluate which cloud write permissions are required for groups of related controls. With this improved documentation, Guardrails users and administrators gain clearer guidance on control behavior, policy relationships, and execution requirements. These changes are especially valuable when designing least privilege access or auditing what access is needed for the specific Guardrails capabilities your teams rely on. ## Steampipe: New tables and plugin enhancements [Steampipe](https://steampipe.io) continues to expand its coverage of cloud and SaaS services, with new tables and plugin improvements to help you query more of your infrastructure using SQL. **[AWS Steampipe plugin](https://hub.steampipe.io/plugins/turbot/aws)** added four new tables, including `aws_rds_pending_maintenance_action` for visibility into upcoming database maintenance events, and expanded support for Lake Formation with `aws_lakeformation_permission`, `aws_lakeformation_resource`, and `aws_lakeformation_tag`. Enhancements across AWS services include support for SSE-C filters in `aws_s3_object`, `pending_modified_values` in `aws_rds_db_instance`, and `logging_config` in `aws_lambda_function`. Tagging support has also been added to the `aws_glue_*` tables, and parent hydrate logic was introduced to `aws_ecr_image_scan_finding` to support more complex joins. **[Jira Steampipe plugin](https://hub.steampipe.io/plugins/turbot/jira)** introduced several updates to improve performance and query flexibility. You can now access the `changelog` on issues, filter worklogs by `updated` timestamp, and avoid redundant API calls when querying `jira_issue_comment` with filters. The plugin also resolves prior issues when filtering on `resolution_date` and `status`. **[Alibaba Cloud Steampipe plugin](https://hub.steampipe.io/plugins/turbot/alicloud)** now supports `profile` authentication for the `alicloud_oss_bucket` table and adds support for six new regions including `me-central-1`, `cn-wuhan-lr`, and `ap-southeast-7`. ## Tailpipe & Steampipe Hub: Explore ready-to-run queries The [Tailpipe Hub](https://hub.tailpipe.io) and [Steampipe Hub](https://hub.steampipe.io) now feature a new **Queries** tab on each mod, making it easier than ever to explore real-world SQL examples. You can browse, filter, and search across the queries surfaced from table docs and related [Powerpipe](https://powerpipe.io) mods. This gives you quick access to examples for security, compliance, cost, and operations use cases. Whether you're learning Steampipe or Tailpipe, or building dashboards and detections, the Queries tab offers instant inspiration and ready-to-run patterns.

## Powerpipe: GitHub Audit Log detections, MITRE mapping & activity dashboard The new **[Powerpipe GitHub Audit Log Detections mod](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-github-audit-log-detections)** adds powerful new capabilities for detecting risky behavior and understanding activity across your GitHub organizations. Using [Tailpipe](https://tailpipe.io) to collect [GitHub Audit Logs](https://hub.tailpipe.io/plugins/turbot/github/tables/github_audit_log), you can visualize patterns and trends with the included [Audit Log Activity dashboard](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-github-audit-log-detections/dashboards/dashboard.activity_dashboard), designed to help you quickly answer key questions like: - Who are the top actors (excluding bots)? - What are the top source IPs? - What are the most frequently occurring actions? - Which repositories have had the highest number of secret scanning alerts created? The mod also includes a [detection benchmark](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-github-audit-log-detections/benchmarks/benchmark.audit_log_detections) that highlight risks tied to sensitive actions across branches, repositories, and organizations. Plus, a dedicated view which maps those detections to the [MITRE ATT&CK framework](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-github-audit-log-detections/benchmarks/benchmark.mitre_attack_v161) to support threat modeling and compliance efforts.

Powerpipe GitHub Audit Log Detections MITRE ATT&CK benchmark

## Powerpipe: AWS VPC Flow Log detections, network graphs & MITRE mapping The new **[Powerpipe AWS VPC Flow Log Detections mod](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-aws-vpc-flow-log-detections)** unlocks deep insights into your AWS network activity by analyzing VPC Flow Logs collected with Tailpipe. With pre-built detections, dashboards, and visualizations, this mod helps you surface risky behavior and understand how data moves through your environment. Detections highlight key network security concerns such as: - Unusual port activity - Suspicious outbound traffic - Access to internal services from public IPs - Communication with known bad IPs These detections are organized in a [benchmark view](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-aws-vpc-flow-log-detections/benchmarks/benchmark.vpc_flow_log_detections), and are also mapped to the [MITRE ATT&CK framework](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-aws-vpc-flow-log-detections/benchmarks/benchmark.mitre_attack_v161) to help align network detections with adversary tactics. The mod also includes interactive Network Graph [dashboards](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-aws-vpc-flow-log-detections/dashboards) to explore VPC flow data across regions, IPs, protocols, and traffic patterns, with visual graphs that reveal relationships between IP addresses and highlight high-volume or suspicious activity.

Powerpipe AWS VPC Flow Log Network Graph

## Pipes: New AWS PCI DSS v4.0 benchmark [Powerpipe](https://powerpipe.io) has added a [PCI DSS v4.0 benchmark](https://hub.powerpipe.io/mods/turbot/steampipe-mod-aws-compliance/benchmarks/benchmark.pci_dss_v40) to the AWS Compliance mod, helping you evaluate your AWS environment against the latest Payment Card Industry Data Security Standard. This benchmark is now available in [Turbot Pipes](https://turbot.com/pipes) to assess your security posture and share compliance status with your team.

## Pipes: SSD storage, larger queries & mod install upgrades Several key upgrades landed in Pipes this cycle, improving performance, flexibility, and data access at scale: - **Persistent workspaces now run on high-performance SSD storage**, delivering faster query execution and lower latency for demanding workloads. All new persistent workspaces will use SSDs by default, with existing workspaces migrating gradually — at no additional cost. - **Mods can now be installed from archive files**, making it easier to work with local mod bundles or distribute custom/private mods. This feature is available for both Powerpipe and Flowpipe mods inside Pipes. [Learn more about installing mod archives](https://turbot.com/pipes/docs/using/powerpipe/mods#installing-a-mod-from-an-archive-file). - The [Query API](https://turbot.com/pipes/docs/develop/query-api) now supports: - Up to **25,000 rows** per request (previously 5,000) - **Partial results** for long-running queries — data returned before the 2-minute limit is preserved and returned with a `206 Partial Content` status - Improved timeout clarity, distinguishing between partial (`206`) and full (`408`) timeouts ## Community Corner Since last Launch Week, we've seen another awesome wave of contributions, content, and creativity across our open-source projects. Here's a look at some highlights from the community: ### Code and Doc Contributions Huge thanks to our GitHub community for contributing fixes, features, and doc improvements across our [open-source repos](https://github.com/turbot): - [@fyqtian](https://github.com/fyqtian) added the new `aws_rds_pending_maintenance_action` table to the Steampipe AWS plugin. - [@mariusgrigaitis](https://github.com/mariusgrigaitis) made multiple improvements to the Steampipe Jira plugin, including changelog support, worklog filtering, bug fixes, and performance enhancements. - [@pdecat](https://github.com/pdecat) added tag support across the AWS Steampipe plugin `aws_glue_*` tables. - [@adrianstanislaus](https://github.com/adrianstanislaus) fixed the `iam_user_one_active_key` query in the Powerpipe AWS Compliance mod. - [@ido123ziv](https://github.com/ido123ziv) updated the Powerpipe GitHub Action to use `upload-artifact` v4, resolving deprecation errors. - [@sbldevnet](https://github.com/sbldevnet) updated Steampipe docs to reference SDK v5, improving the plugin development experience. - [@sdil](https://github.com/sdil) fixed typos and improved code examples in the Powerpipe docs. ### Community Content & Demos We also saw some great blog posts, demos, and explorations of Steampipe in the wild: - **[Steampipe: Simplifying Cloud Queries & Compliance with SQL](https://www.altimetrik.com/blog/steampipe-cloud-queries-management)** [Prabu Balasubramanian](https://www.linkedin.com/in/prabu-balasubramanian/) from [Altimetrik](https://www.altimetrik.com/) shares how Steampipe helps teams simplify cloud visibility and compliance reporting using SQL. - **[Steampipe: Query your cloud infrastructure with SQL for faster insights](https://cloudnativeengineer.substack.com/p/steampipe-query-your-cloud-infrastructure)** [Giuseppe Santoro](https://www.linkedin.com/in/santorogiuseppe/) from [Elastic](https://www.elastic.co/) introduces Steampipe and explores how it speeds up cloud investigations and reporting. - **[Trino Meets Steampipe on Mars](https://medium.com/@vjain143/trino-meets-steampipe-on-mars-63382e9e7bfb)** [Vivek Jain](https://www.linkedin.com/in/vjain143/) from [JPMorgan Chase](https://www.jpmorganchase.com/) showcases a fun mashup of Trino and Steampipe in a creative integration. - **[Using MCP + Steampipe to analyze cloud configs](https://www.youtube.com/watch?v=4lmQO6G8Gog)** [Chi Duong](https://www.linkedin.com/in/duongchi/) from Stratus Cyber demos how Steampipe helps analyze cloud data via MCP in a real-world security use case. - **[DIY SAP Integration Suite plugin for Steampipe](https://www.youtube.com/watch?v=hPAd2NzcwE0&t=2990s)** On the _Boring Enterprise Nerds_ podcast, [Vadim Klimov](https://www.linkedin.com/in/vadim-klimov/) demonstrates a homegrown Steampipe plugin to query SAP OData APIs with SQL. Thanks to everyone sharing your work! Whether it’s a pull request, a blog post, or a demo, we love seeing what you build! ## Turbot at Open Cloud Security Conference 2025: The Power of Composability On April 8, 2025, we joined the [Open Cloud Security Conference](https://opencloudsecurity.org)—a full day of practical talks on securing AWS, Azure, GCP, and Kubernetes with tools you can see, trust, and contribute to. The event brought together security engineers, open source builders, and cloud practitioners committed to transparency and collaboration. Our Founder & CEO, Nathan Wallace, presented **[The Power of Composability: Building Security with Open Source Ecosystems](https://www.youtube.com/watch?v=Ydj-Jprkt_I)**, highlighting how composable architectures are transforming cloud security. Using open source frameworks like [Steampipe](https://steampipe.io), [Tailpipe](https://tailpipe.io), [Powerpipe](https://powerpipe.io), and [Flowpipe](https://flowpipe.io), teams can treat detections, queries, and controls like building blocks that are easy to share, extend, and plug into any environment. The session explored how modular tools accelerate DevSecOps workflows, support least privilege enforcement, and enable teams to build open, auditable security systems with the broader community. Following so many recent contributions from our community, this message hits close to home that security isn’t just something we build. It’s something we build together. ## Flip over to A-sides for the Wrap Up Thank you for joining us for another exciting Launch Week! Check out the week's daily announcements summary in our [Launch Week 8 Wrap Up](https://turbot.com/blog/2025/04/launch-week-8-wrap) post. Stay connected with us in our [Slack community](https://turbot.com/community/join) for our next Launch Week in a few months!

Launch Week 8 B-sides