Launch Week 9 B-sides
More announcements from Turbot Launch Week 9 that didn't make the daily cut, including new major product features, open-source project updates, and quality of life improvements.

As Launch Week 9 draws to a close, we wanted to take a moment to highlight some of the exciting updates and announcements that slipped under the radar this week across our Turbot products and open-source projects.
Guardrails: New AWS and Azure controls
AWS S3 Tables support
The new AWS S3 Tables mod is now available, bringing governance to AWS's newest analytics service. S3 Tables resources including Tables, Namespaces, and Table Buckets are now tracked in the CMDB in real-time.
In addition, you can set Active controls for all three resource types, along with Trusted Access using the AWS > S3 Table > Table Bucket > Policy > Trusted Access policies. The control acts to revoke access that the S3 Table Bucket policy grants to untrusted AWS accounts.
AWS EKS cluster endpoint access management
You can now manage endpoint access configuration for EKS clusters using the AWS > EKS > Cluster > Endpoint Access policies. Control whether your Kubernetes API server endpoint is accessible from the internet (Public), only from within your VPC (Private), or both (Public and Private). When set to enforce mode, Guardrails will automatically configure the endpoint access settings to match your policy requirements, including specific CIDR ranges for public access.
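The check described above, sketched as an added example (this is not Guardrails' own code). It evaluates the resourcesVpcConfig block that the EKS DescribeCluster API returns; the function name, the approved CIDR list and the sample clusters are constructed for illustration.

```python
import ipaddress

# The three modes named in the text -> (public endpoint, private endpoint).
MODES = {
    "Public": (True, False),
    "Private": (False, True),
    "Public and Private": (True, True),
}

def check_endpoint_access(vpc_config, mode, approved_cidrs):
    """Compare one cluster's resourcesVpcConfig with the required mode.

    Returns a list of findings; an empty list means the cluster complies.
    """
    want_public, want_private = MODES[mode]
    public = bool(vpc_config.get("endpointPublicAccess"))
    private = bool(vpc_config.get("endpointPrivateAccess"))
    findings = []
    if public != want_public:
        findings.append(f"endpointPublicAccess={public}, required {want_public}")
    if private != want_private:
        findings.append(f"endpointPrivateAccess={private}, required {want_private}")
    if public:
        approved = [ipaddress.ip_network(c) for c in approved_cidrs]
        # EKS opens a public endpoint to 0.0.0.0/0 when no CIDRs are set.
        for cidr in vpc_config.get("publicAccessCidrs") or ["0.0.0.0/0"]:
            net = ipaddress.ip_network(cidr)
            if not any(net.version == a.version and net.subnet_of(a)
                       for a in approved):
                findings.append(f"public CIDR {cidr} is outside the approved ranges")
    return findings

# Constructed sample data, not taken from a real account.
CLUSTERS = {
    "dev": {"endpointPublicAccess": True, "endpointPrivateAccess": True,
            "publicAccessCidrs": ["0.0.0.0/0"]},
    "prod": {"endpointPublicAccess": True, "endpointPrivateAccess": True,
             "publicAccessCidrs": ["203.0.113.0/28"]},
    "batch": {"endpointPublicAccess": False, "endpointPrivateAccess": True,
              "publicAccessCidrs": []},
}

if __name__ == "__main__":
    for name, cfg in CLUSTERS.items():
        result = check_endpoint_access(cfg, "Public and Private", ["203.0.113.0/24"])
        print(name, result or "compliant")
```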
AWS IAM virtual MFA device age management
You can now configure active controls for virtual MFA devices based on their age using the AWS > IAM > MFA Virtual > Active > Age policy. This helps ensure MFA devices are refreshed regularly as part of your security hygiene practices.
AWS Secrets Manager rotation scheduling
Configure and manage automatic rotation for secrets using the new AWS > Secrets Manager > Secret > Rotation > * policies. Define rotation schedules using either rate expressions (rate(7 days)) or cron expressions (cron(0 8 1/7 * ? *)) to ensure secrets are rotated according to your security requirements. Supports intervals from 4 hours to 999 days with full AWS cron format compatibility.
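A pre-flight check for the two schedule formats above, as an added example (not part of Guardrails or the AWS SDK). The function name is hypothetical; the rate bounds are the 4 hours and 999 days stated in the text, accepting singular or plural hour/day units is an assumption, and the cron branch is only a structural check (six fields, and the AWS cron rule that day-of-month or day-of-week must be ?).

```python
import re

MIN_HOURS = 4           # lower bound stated in the text
MAX_HOURS = 999 * 24    # upper bound stated in the text (999 days)

# Assumption: units are hour(s) or day(s), separated by one space.
RATE_RE = re.compile(r"^rate\((\d+) (hour|day)s?\)$")
CRON_RE = re.compile(r"^cron\((.+)\)$")

def check_schedule(expr):
    """Return (ok, detail) for a rotation schedule expression."""
    expr = expr.strip()
    m = RATE_RE.match(expr)
    if m:
        hours = int(m.group(1)) * (24 if m.group(2) == "day" else 1)
        if hours < MIN_HOURS or hours > MAX_HOURS:
            return False, f"interval of {hours}h is outside 4 hours to 999 days"
        return True, f"rate: every {hours}h"
    m = CRON_RE.match(expr)
    if m:
        fields = m.group(1).split()
        if len(fields) != 6:
            return False, f"cron needs 6 fields, got {len(fields)}"
        day_of_month, day_of_week = fields[2], fields[4]
        # AWS cron: the two day fields cannot both carry a value.
        if "?" not in (day_of_month, day_of_week):
            return False, "day-of-month or day-of-week must be '?'"
        return True, "cron: 6 fields, day fields consistent"
    return False, "not a rate(...) or cron(...) expression"

if __name__ == "__main__":
    # Constructed inputs: the two expressions from the text plus bad cases.
    for e in ["rate(7 days)", "cron(0 8 1/7 * ? *)", "rate(2 hours)",
              "rate(1000 days)", "cron(0 8 1 * MON *)", "every week"]:
        print(e, "->", check_schedule(e))
```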
CloudWatch Log Groups retention management
Set and enforce retention periods for log groups using the AWS > Logs > Log Group > Retention > * policies. Configure retention periods ranging from 1 day to 10 years to balance compliance requirements with storage costs. The control automatically detects log groups without appropriate retention periods and can enforce the required settings.
Enhanced VPC Flow Log targeting
The AWS > VPC > Flow Log > CMDB policy now supports more granular targeting at the VPC, subnet, and network interface levels. Rather than just region-wide settings, you can now enable or disable flow log collection for specific network resources, giving you finer control over monitoring and compliance.
Azure Storage Account shared key access controls
Configure shared key access for Azure storage accounts using the new Azure > Storage > Storage Account > Shared Key Access policy. This control evaluates the allowSharedKeyAccess property of each storage account and can enforce disabled or enabled states according to your security requirements and organizational policies.
Guardrails: Custom webhook notifications
Added support for custom webhook URLs in notifications through the new Turbot > Notifications > Webhook policy. Integrate with any third-party systems beyond Slack and Microsoft Teams using customizable Action and Control templates, with support for authorization headers for secure webhook authentication.
This enhancement allows you to send Guardrails notifications to any webhook-compatible service, expanding integration possibilities for incident management, ticketing systems, and custom monitoring dashboards.
Pipes: Custom tenant personal workspaces management
Custom tenant settings now allow owners to enable or disable the creation of personal workspaces, giving administrators greater control over workspace sprawl and resource allocation.
New tenants have personal workspace creation disabled by default, while existing tenants can toggle this setting through the Workspace Configuration section in their tenant settings. When disabled, users will be prevented from creating personal workspaces and must use shared tenant workspaces instead.
For more information, check out the workspace settings documentation.
Steampipe: New tables and plugin enhancements
Steampipe continues to expand its coverage of cloud and SaaS services, with new table additions, performance optimizations, and support for emerging platforms. These enhancements complement the recent post about Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins updates we highlighted during this Launch Week.
AWS plugin performance and service expansions
The AWS plugin received additional performance improvements, including optimized query times for aws_s3_bucket and aws_ecr_image_scan_finding tables through improved region handling and reduced API calls.
New service coverage includes AWS Resource Explorer (aws_resource_explorer_resource), Batch queues (aws_batch_queue), CloudWatch event rules (aws_cloudwatch_event_rule), CodeBuild fleets (aws_codebuild_fleet), Cognito user groups (aws_cognito_user_group), EC2 placement groups (aws_ec2_placement_group), EMR studios (aws_emr_studio), Macie findings (aws_macie2_finding), and much more.
GCP plugin optimizations and new services
Beyond the rate-limiter improvements highlighted during Launch Week, the GCP plugin added new service coverage including Tensor Processing Units (gcp_compute_tpu) and Firestore databases (gcp_firestore_database).
Azure AD plugin enhanced monitoring capabilities
The AzureAD plugin expanded user monitoring capabilities with the new azuread_user_registration_details_report table and additional columns for external user state and sign-in activity tracking. Conditional access policies gained disable_resilience_defaults column support, and authorization policies now include tenant creation permissions under allowedToCreateTenants.
GitHub plugin package management tables
The GitHub plugin added package management tables (github_package, github_package_version) enabling you to query GitHub Packages data using SQL.
PagerDuty plugin schedule user queries
The PagerDuty plugin introduced the pagerduty_schedule_user table for querying schedule assignments and user relationships.
Jenkins plugin user data access
The Jenkins plugin added the jenkins_user table enabling SQL queries of Jenkins user accounts and permissions.
Alibaba Cloud plugin reliability improvements
The Alibaba Cloud plugin resolved infinite loop issues, improving query reliability across multiple tables and ensuring more stable data collection for large-scale queries.
Steampipe: New plugins for FleetDM and Cortex
In addition to the recently published Bluesky plugin, two new community-contributed plugins expand Steampipe's reach into DevOps and security platforms:
- FleetDM plugin: Complete endpoint management visibility with tables for querying activities, hosts, labels, packs, policies, queries, software, teams, and users with SQL.
- Cortex plugin: Service catalog and engineering intelligence with tables for querying descriptors, entities, scorecard scores, and team management with SQL.
Community Corner
Since last Launch Week, we've seen another awesome wave of contributions, content, and creativity across our open-source projects. Here's a look at some highlights from the community:
Code and Doc Contributions
Huge thanks to our GitHub community for contributing fixes, features, and doc improvements across our open-source repos:
- @pdecat added the new gcp_firestore_database table to the Steampipe GCP plugin and fixed broken links and improved formatting in Steampipe docs.
- @2XXE-SRA contributed AWS IAM Roles Anywhere support with aws_rolesanywhere_profile and aws_rolesanywhere_trust_anchor tables to the Steampipe AWS plugin.
- @MarkusGnigler made extensive improvements to the Steampipe AzureAD plugin, including the new azuread_user_registration_details_report table, enhanced user tracking with external state and sign-in activity columns, conditional access policy resilience settings, and tenant creation permissions.
- @QiXingchuan fixed infinite loop issues in the Steampipe Alibaba Cloud plugin, improving query reliability across multiple tables.
- @codenio added the jenkins_user table to the Steampipe Jenkins plugin.
- @FuadAbdullah contributed AWS Organizations management tables including aws_organizations_delegated_administrator and aws_organizations_delegated_services_for_account to the Steampipe AWS plugin.
- @l-teles created the new Steampipe FleetDM plugin with comprehensive endpoint management tables for activities, hosts, labels, packs, policies, queries, software, teams, and users.
- @smirl created the new Steampipe Cortex plugin with service catalog and engineering intelligence tables for descriptors, entities, scorecard scores, and team management.
- @barblin fixed broken doc links on the Steampipe documentation.
Community Content & Demos
We also saw some great blog posts about Steampipe in the wild:
Reclaiming CSPM: How I Learned to Stop Worrying and Query the Cloud
Matt Brown, Senior Sales Engineer at Sysdig, explores the journey to a simpler, open source, DIY approach to CSPM. He shares how tools like Steampipe offer powerful visibility and flexibility through SQL-based queries, without the noise or overhead of traditional enterprise CSPM platforms.
Have You Ever Tried SQLing Your Cloud? The Power of Steampipe
Omer Dolev, a DevOps Engineer at Wix, walks through how Steampipe became an essential part of his daily workflow. From answering quick questions about instance usage to cross-referencing AWS and Kubernetes resources with SQL, Omer shares real examples, tips, and favorite queries that demonstrate how Steampipe simplifies complex cloud tasks.
Tailpipe - The Log Interrogation Game Changer
Nikos Vaggalis explores how Tailpipe enables SQL queries on log files (select count(*) from apache_access_logs) and demonstrates security detection for Log4Shell attacks through Powerpipe dashboards. He examines the new MCP server for natural language log queries and notes how DuckDB and Parquet power the underlying analytics.
Thanks to everyone sharing your work! Whether it’s a pull request, a blog post, or a demo, we love seeing what you build!
Flip over to A-sides for the Wrap Up
Thank you for joining us for another exciting Launch Week! Check out the week's daily announcements summary in our Launch Week 9 Wrap Up post. Stay connected with us in our Slack community for our next Launch Week in a few months!