Launch Week 10 B-sides
More announcements from Turbot Launch Week 10 that didn't make the daily cut, including new major product features, open-source project updates, and quality of life improvements.

As Launch Week 10 draws to a close, we wanted to take a moment to highlight some of the exciting updates and announcements that slipped under the radar this week across our Turbot products and open-source projects.
Guardrails: New AWS, Azure and GCP controls
AWS Bedrock governance controls
The new AWS Bedrock mod brings AI governance to your AWS foundation models and custom AI workloads. Track Agents, Custom Models, Foundation Models, Imported Models, Knowledge Bases, and Settings in the Guardrails CMDB with real-time visibility into your AI infrastructure. Enforce tags, ensure Bedrock resources are active, and ensure Agents are encrypted at rest.
AWS CloudWatch Logs cross-account delivery governance
Based on customer feedback, the CloudWatch Logs mod now includes governance controls for cross-account log delivery mechanisms. New resource types include Delivery, Delivery Destination, Delivery Source, and Destination resources, all tracked in the Guardrails CMDB with real-time visibility. These controls enable you to evaluate whether log delivery components are approved, active, and properly tagged, ensuring complete governance over your cross-account logging architecture and data flows to services like S3, Kinesis Data Streams, and Lambda functions.
Azure virtual machine and network security enhancements
New Azure compute controls provide enhanced VM security and monitoring capabilities. VM boot diagnostics management ensures proper diagnostic data collection for troubleshooting, while guest configuration extension controls manage compliance and configuration drift detection on your virtual machines.
The new Azure Bastion Host resource type brings governance to secure remote access infrastructure. Azure Bastion provides RDP/SSH connectivity to VMs directly through the Azure portal over TLS, eliminating the need to expose virtual machines to the public internet while maintaining secure access with features like file copy, tunneling, and session recording.
Azure storage data protection and access controls
The new soft delete protection control helps with granular file share retention management, allowing retention periods from 1 to 365 days with configurable policies for different data protection requirements.
Cross-tenant replication controls provide governance over data sharing across Azure AD tenants, ensuring secure geo-redundant replication follows organizational policies.
And now the storage account access tier policy supports "Cold" storage tier enforcement, expanding cost optimization options beyond the existing "Cool" and "Hot" tiers.
GCP IAM role binding approval controls
The GCP > IAM > Project User > Role Bindings > Approved policy ensures only approved role bindings remain active for project users. For service accounts, both Service Account > Role Bindings > Approved and Service Account > Project Role Bindings > Approved policies provide granular control over permissions. When set to enforce mode, these controls automatically remove unapproved role bindings while preserving approved permissions, ensuring your GCP IAM follows least-privilege principles.
Additional multi-cloud trusted access controls
New trusted access policies include controls that determine whether GCP subnetworks allow instances without external IP addresses to reach Google APIs and services by enabling Private Google Access, and whether GCP BigQuery datasets are shared only with trusted domains, groups, services and users. For AWS, new policies restrict access to AWS DynamoDB tables and AWS Lambda function policies to specific accounts, organizations, CloudFront origins, and AWS services, ensuring these critical resources maintain secure boundaries across your multi-cloud infrastructure.
New resource types and expanded configuration details
We continue to add more configuration details on existing supported resource types based on new capabilities available from cloud providers. The AWS IAM mod now supports "Service-specific credentials", governing whether they are active and how they are tagged. GCP Compute Engine region disks now support real-time event processing for immediate visibility into disk lifecycle changes. Azure resources gained expanded diagnostic settings visibility across subscriptions and storage accounts, network rule set details for Service Bus namespaces, Hyper-V generation tracking for virtual machines, and conditional access policies plus directory roles for Azure AD directories.
Guardrails: Expanded Azure Stack [Native] controls
Building on Guardrails' OpenTofu-powered Stack [Native] controls, new resource-level stacks are now available for Azure Key Vault and Azure Storage Account resources. These controls enable you to deploy and manage standardized configurations directly associated with individual Key Vaults and Storage Accounts, complementing existing subscription, resource group, and network-level stacks. With automated drift detection and correction, these resource-targeted stacks ensure consistent governance patterns like access policies, diagnostic settings, encryption configurations, and compliance requirements are maintained across your Azure infrastructure without manual state file management.
Guardrails: Real-time Azure CIS v3.0.0 compliance framework
Building on the Azure CIS v2.0.0 benchmark support announced in a previous Launch Week, Guardrails now supports the latest Azure CIS v3.0.0 framework with expanded coverage of Azure security controls and best practices.
Like v2.0.0, the new framework delivers real-time compliance assessment as Azure resources are created or modified, with instant alerts and actionable remediation guidance. Features include controlled attestations for manual controls, time-based exceptions for non-applicable recommendations, and detailed reporting with CSV exports.
Cloud teams can progress from monitoring to enforcement using Guardrails' quick actions for human-approved fixes or continuous enforcement for fully automated compliance, with integration to Slack, Microsoft Teams, and email for real-time security posture updates.
Guardrails: Enhanced GitHub Enterprise support
Building on Guardrails for GitHub announced in a previous Launch Week, the GitHub mod now includes enhanced enterprise capabilities for organizations using GitHub Enterprise deployments.
GitHub Enterprise organization support enables Guardrails to connect to GitHub Enterprise Cloud and GitHub Enterprise Server instances, extending governance capabilities to repositories and organizations on enterprise GitHub platforms. This allows teams using enterprise GitHub deployments to apply the same real-time detection, compliance monitoring, and automated remediation that's available for standard GitHub organizations.
Enterprise proxy support addresses network security requirements for organizations operating behind corporate firewalls or in air-gapped environments. All GitHub API communications can now route through authenticated proxy servers, ensuring compliance with enterprise IT policies while enabling full governance visibility across repositories, access policies, and development workflows.
Guardrails: New operational guides for deployment, monitoring, and troubleshooting
We've expanded our step-by-step Guides with new operational procedures to help Guardrails administrators deploy, monitor, and maintain their environments more effectively.
Deployment and infrastructure management
New guides focus on production deployment strategies and infrastructure optimization:
- Perform Blue-Green Deployment using the Deployment Trigger parameter to refresh CloudFormation stacks with minimal downtime and risk
- Enable PgBouncer Connection Pooling to reduce database connection load and protect against connection storms
- Install a Mod using Guardrails CLI for Government Cloud environments, CI/CD pipelines, and restricted environments where web access is limited
Monitoring and troubleshooting workflows
For operational visibility and issue resolution, new guides cover:
- Monitor Maintenance Container using CloudWatch to validate the health of background ECS services
- Find Deleted Resources History through the Activity tab for auditing and debugging purposes
- Run Controls Using Scripts to efficiently resolve controls in error states and maintain system stability
You can explore all guides in the Guardrails Docs or contribute directly on GitHub.
Pipes: Enhanced developer tooling and infrastructure management
The Turbot Pipes Go SDK v0.15.0 expands programmatic control with enhanced connection monitoring capabilities that provide detailed status tracking including error timestamps, process IDs, and update attempt history. New features include improved token management with creation tracking and expiration controls, tenant settings configuration for PostgreSQL endpoints and session timeouts, and comprehensive connection status monitoring across all connection types.
The Turbot Pipes Terraform provider v0.16.0 introduces write-only configuration support through new config_wo and config_wo_version arguments across connection and integration resources, enabling secure credential management without exposing sensitive data in Terraform state files. The provider also adds the new pipes_tenant_settings resource for infrastructure-as-code management of tenant-level controls including PostgreSQL endpoint management, session timeouts, and token expiration policies.
Steampipe: New tables and plugin enhancements
Steampipe continues expanding coverage of cloud and SaaS services with new table additions, performance optimizations, and support for emerging platforms. These enhancements build on the open-source SQL interface that makes any API queryable.
AWS plugin service expansions and Bedrock AI governance
The AWS plugin added Bedrock AI service coverage with new tables for aws_bedrock_agent, aws_bedrock_custom_model, aws_bedrock_foundation_model, aws_bedrock_imported_model, and aws_bedrock_knowledge_base.
Additional service coverage includes Trusted Advisor check results, AppSync APIs, Connect instances, DataSync tasks, EC2 Spot Fleet requests, Glue ML transforms, S3 directory buckets, and VPC security group associations.
Azure plugin cost analysis and enhanced monitoring
The Azure plugin introduced cost management capabilities with new tables for daily and monthly cost analysis by resource group and service, plus general cost usage tracking. Network visibility expanded with the azure_network_profile table, while existing tables gained diagnostic settings columns for storage accounts, Databricks workspaces, and app services, plus key vault rotation policies and storage account file services configuration.
GCP plugin audit policy management
The GCP plugin added the gcp_organization_audit_policy table for tracking organizational audit configurations, providing visibility into GCP's audit logging policies at the organization level.
GitHub plugin discussion and traffic analytics
The GitHub plugin expanded community management with the new github_repository_discussion table and added repository analytics through github_traffic_clone_daily and github_traffic_clone_weekly tables for tracking repository clone activity.
CrowdStrike plugin alert modernization
The CrowdStrike plugin introduced the new crowdstrike_alert table while deprecating the crowdstrike_detection table due to API changes. The alert table provides enhanced security event monitoring aligned with CrowdStrike's current API capabilities.
Cloudflare plugin expanded service coverage
The Cloudflare plugin received significant updates including new tables for custom certificates, health checks, worker scripts, custom pages, notification policies, and rulesets. The plugin also deprecated the firewall rules table in favor of the more capable rulesets functionality.
Vanta plugin major API migration
The Vanta plugin underwent a major update migrating from Vanta's deprecated GraphQL API to the new REST API. This breaking change required new authentication configuration using either OAuth client credentials or access tokens, and removed numerous columns across all tables due to API differences. Users need to update existing queries, dashboards, and benchmarks that reference the removed columns. The migration ensures continued compatibility as Vanta has ended GraphQL API support, making the REST API the only supported interface.
Plugin reliability and performance improvements
Additional plugins received enhancements including Google Workspace with activity reporting, Okta with authenticator support, and Hetzner Cloud with firewall management. Rate limiting improvements across multiple plugins enhance API stability, while bug fixes addressed data retrieval issues in Kubernetes pod resources, Jira issue fields, and various Azure table queries.
Steampipe: Enhanced rate limiting across AWS, Azure, and GCP plugins
Steampipe's rate limiter framework helps manage API request pacing to prevent cloud provider throttling errors. Building on the success of AWS IAM rate limiters that delivered 60-75% compute usage reductions in Pipes, specific tables in Steampipe AWS, Azure and GCP plugins now include expanded default rate limiting configurations to reduce throttling errors and improve query reliability.
AWS plugin enhancements added rate limiters for CloudFormation, Kinesis, Route 53, WAF Classic, and WAF v2 services, plus additional EC2, S3, CloudTrail, Config, RDS, and Lambda operations. These join the existing IAM rate limiters that have proven effective at preventing API throttling while maintaining query performance.
Azure plugin improvements introduced default rate limiting for eight tables prone to throttling issues, including virtual machines, Key Vault secrets, storage accounts, and activity logs. The configurations use token bucket algorithms tailored to Microsoft's documented API limits for ARM, Compute, Storage, and Monitor services.
GCP plugin additions implemented rate limiting across nine service categories based on Google Cloud Platform quotas, covering Resource Manager, Compute Engine, Storage, Secret Manager, Logging, Pub/Sub, IAM, Cloud Functions, and Cloud DNS operations. These address the most throttle-prone GCP services that frequently hit per-minute and per-project quota limits.
All rate limiters use appropriate fill rates and bucket sizes based on each service's documented constraints, while remaining configurable for users with specific requirements. By pacing requests intelligently to avoid throttling, the result is smoother query execution with fewer 429 errors across all three major cloud providers.
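The pacing described above is easiest to see with a small token bucket simulation. The following is an added example written for this post, not Steampipe's rate limiter code: it uses a manually advanced clock so the run is deterministic, pays out a burst of `bucket_size` requests immediately, then spaces the rest at `fill_rate` per second, and models the provider's own limit as a second bucket to count how many requests would have come back as 429s with and without pacing. The bucket sizes, fill rates and the provider limit are constructed values, not any provider's documented quota or the plugins' shipped defaults.

```python
"""Token-bucket request pacing with a simulated clock (added example, not Steampipe code).

bucket_size is the burst a caller may send at once; fill_rate is the sustained
requests-per-second at which the bucket refills. All numbers below are constructed
for illustration, not real provider quotas or Steampipe defaults.
"""


class SimClock:
    """Manually advanced clock standing in for time.monotonic()."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenBucket:
    def __init__(self, bucket_size: int, fill_rate: float, clock):
        self.bucket_size = bucket_size
        self.fill_rate = fill_rate        # tokens added per second
        self.clock = clock
        self.tokens = float(bucket_size)  # start full, so an initial burst is allowed
        self.last_refill = clock()

    def _refill(self) -> None:
        now = self.clock()
        self.tokens = min(self.bucket_size, self.tokens + (now - self.last_refill) * self.fill_rate)
        self.last_refill = now

    def try_acquire(self) -> bool:
        """Take one token if available; never blocks."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def seconds_until_token(self) -> float:
        """How long the caller must wait before a token will be available."""
        self._refill()
        if self.tokens >= 1.0:
            return 0.0
        return (1.0 - self.tokens) / self.fill_rate


def pace_requests(n_requests: int, bucket_size: int, fill_rate: float):
    """Send n requests that are all ready at t=0, waiting on the simulated clock
    whenever the bucket is empty. Returns the time each request was actually sent."""
    clock = SimClock()
    bucket = TokenBucket(bucket_size, fill_rate, clock)
    send_times = []
    for _ in range(n_requests):
        wait = bucket.seconds_until_token()
        if wait > 0:
            clock.advance(wait)          # in real code this would be time.sleep(wait)
        while not bucket.try_acquire():  # guards against float rounding leaving 0.999 tokens
            clock.advance(1e-6)
        send_times.append(round(clock.now, 6))
    return send_times


def count_throttled(send_times, limit_bucket_size: int, limit_fill_rate: float) -> int:
    """Model the provider as its own token bucket and count the requests it would
    reject, i.e. the HTTP 429 responses an unpaced client would see."""
    clock = SimClock()
    provider = TokenBucket(limit_bucket_size, limit_fill_rate, clock)
    rejected = 0
    for t in send_times:
        clock.now = t
        if not provider.try_acquire():
            rejected += 1
    return rejected


if __name__ == "__main__":
    unpaced = [0.0] * 10                   # a query that fires ten API calls at once
    paced = pace_requests(10, bucket_size=5, fill_rate=2.0)
    print("paced send times:", paced)
    print("429s without pacing:", count_throttled(unpaced, 5, 2.0))
    print("429s with pacing:   ", count_throttled(paced, 5, 2.0))
```

The point of the second bucket is that a client-side limiter matched to the provider's published burst and refill values never produces a rejection, while the same ten calls sent at once lose half of them to throttling; raising `bucket_size` trades a larger initial burst for a higher chance of hitting the limit when several connections share one quota.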
Steampipe: New plugins for enterprise security and operations
New plugin additions expand Steampipe's reach into endpoint management, cybersecurity intelligence, and enterprise integration platforms:
- BigFix plugin v1.0.0: Endpoint management visibility with SQL queries for actions, analysis, computers, fixlets, properties, roles, sites, and tasks.
- Hudson Rock plugin v1.0.0: Cybersecurity threat intelligence with search capabilities by domain, email, IP address, and username for breach and compromise detection.
- SAP Cloud Integration plugin v0.0.2: SAP Cloud Platform Integration (CPI) management with tables for integration flows, packages, message mappings, script collections, and value mappings.
- SentinelOne plugin v0.0.4: Endpoint security visibility with SQL queries for activities, agents, alerts, applications, CVE vulnerabilities, threat notes, threat data, and activity timelines.
Tailpipe: Enhanced GitHub security monitoring
Tailpipe expanded GitHub monitoring capabilities with the new github_security_log table for personal account security analysis. This table enables SQL queries of personal GitHub security events including sign-in activities, SSH key modifications, application authorizations, and personal access token usage, providing detailed visibility into account-level security events.
The security log table complements the existing github_audit_log table for organization-level audit data, giving security teams complete coverage of both organizational and individual account activity.
The plugin documentation includes 33 query examples across key security areas including access token management, authentication events, device security monitoring, repository access patterns, SSH key lifecycle tracking, and security analysis for detecting unusual activities like multiple failed logins or rapid token creation.
Powerpipe: GitHub Security Log detections, MITRE mapping & account monitoring
The new Powerpipe GitHub Security Log Detections mod brings new threat detection capabilities to GitHub account monitoring, complementing the existing organizational audit log benchmarks.
Building upon the new Tailpipe github_security_log table above, you can visualize account activity patterns with the included Security Log Activity dashboard, designed to help you quickly answer key questions like:
- How many failed login attempts have occurred?
- What actions occur most frequently in the security log?
- How are MFA-related events trending over time?
- Which integrations are generating the most security log activity?
The mod includes security detections covering access token management, authentication events, account modifications, and credential lifecycle activities. It also includes a dedicated MITRE ATT&CK framework mapping that links account security events to attack techniques spanning Initial Access (login from unrecognized devices), Persistence (credential creation), and Defense Evasion (MFA manipulation), to support threat modeling across both organizational and individual GitHub account security posture.
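To make the two detection ideas from the Tailpipe and Powerpipe sections concrete (multiple failed logins, rapid token creation, and a count of events per mapped ATT&CK tactic), here is an added example written for this post. It is not code from the Tailpipe or Powerpipe mods and does not use their SQL or schema: the event field names (`ts`, `actor`, `action`), the action strings, the thresholds and the sample events are all constructed for the example. The sliding-window logic is the general form of the "N events within a window per actor" check that such detections run.

```python
"""Windowed detections over GitHub security log events (added example, not Tailpipe/Powerpipe code).

Field names, action strings, thresholds and events below are constructed for
illustration; they are assumptions, not the github_security_log schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: one actor hammering failed logins, one creating
# several tokens in a short span and then turning off MFA, and background noise.
SAMPLE_EVENTS = [
    {"ts": "2025-11-10T09:00:00Z", "actor": "alice", "action": "user.failed_login"},
    {"ts": "2025-11-10T09:01:00Z", "actor": "alice", "action": "user.failed_login"},
    {"ts": "2025-11-10T09:02:00Z", "actor": "alice", "action": "user.failed_login"},
    {"ts": "2025-11-10T09:03:00Z", "actor": "alice", "action": "user.failed_login"},
    {"ts": "2025-11-10T09:04:00Z", "actor": "alice", "action": "user.failed_login"},
    {"ts": "2025-11-10T09:05:00Z", "actor": "alice", "action": "user.login"},
    {"ts": "2025-11-10T08:00:00Z", "actor": "bob", "action": "user.failed_login"},
    {"ts": "2025-11-10T11:30:00Z", "actor": "bob", "action": "user.failed_login"},
    {"ts": "2025-11-10T10:00:00Z", "actor": "carol", "action": "personal_access_token.create"},
    {"ts": "2025-11-10T10:10:00Z", "actor": "carol", "action": "personal_access_token.create"},
    {"ts": "2025-11-10T10:20:00Z", "actor": "carol", "action": "personal_access_token.create"},
    {"ts": "2025-11-10T10:25:00Z", "actor": "carol", "action": "two_factor_authentication.disabled"},
    {"ts": "2025-11-10T12:00:00Z", "actor": "dave", "action": "public_key.create"},
]

# Tactic mapping following the post's description: logins -> Initial Access,
# credential creation -> Persistence, MFA manipulation -> Defense Evasion.
TACTIC_BY_ACTION = {
    "user.login": "Initial Access",
    "user.failed_login": "Initial Access",
    "personal_access_token.create": "Persistence",
    "public_key.create": "Persistence",
    "two_factor_authentication.disabled": "Defense Evasion",
}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def burst_alerts(events, action: str, window: timedelta, threshold: int):
    """One alert per actor who performs `action` at least `threshold` times inside any `window`.

    A two-pointer sliding window over each actor's sorted timestamps fires on the
    first window that reaches the threshold, so each actor produces at most one alert.
    """
    times_by_actor = defaultdict(list)
    for event in events:
        if event["action"] == action:
            times_by_actor[event["actor"]].append(parse_ts(event["ts"]))

    alerts = []
    for actor, times in times_by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "actor": actor,
                    "action": action,
                    "count": end - start + 1,
                    "window_start": times[start].isoformat(),
                    "window_end": t.isoformat(),
                })
                break
    return alerts


def failed_login_alerts(events, window_minutes: int = 10, threshold: int = 5):
    return burst_alerts(events, "user.failed_login", timedelta(minutes=window_minutes), threshold)


def rapid_token_alerts(events, window_minutes: int = 60, threshold: int = 3):
    return burst_alerts(events, "personal_access_token.create", timedelta(minutes=window_minutes), threshold)


def tactic_counts(events) -> Counter:
    """Count events per mapped ATT&CK tactic; actions with no mapping land in 'Unmapped'."""
    return Counter(TACTIC_BY_ACTION.get(e["action"], "Unmapped") for e in events)


if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE_EVENTS) + rapid_token_alerts(SAMPLE_EVENTS):
        print(alert)
    print(dict(tactic_counts(SAMPLE_EVENTS)))
```

Running it flags alice for five failed logins inside ten minutes and carol for three token creations inside an hour, while bob's two widely spaced failures stay below threshold; the tactic counter is the same aggregation a dashboard would chart over time. The thresholds are deliberately parameters, since the right values depend on how noisy a given account's log is.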
Powerpipe: Expanded AWS and Azure compliance coverage
AWS Compliance mod enhanced security benchmarks
The AWS Compliance mod received significant expansions to the AWS Foundational Security Best Practices benchmark, adding 89 new automated controls across multiple releases. Recent additions include new controls spanning AppSync, Athena, CodeBuild, Cognito, Data Firehose, DataSync, DocumentDB, DMS, EC2, EFS, ELB, EMR, FSx, Glue, GuardDuty, Inspector, Kinesis, KMS, MQ, MSK, NetworkFirewall, RDS, Redshift, Redshift Serverless, S3, SageMaker, Service Catalog, SNS, SQS, SSM, Transfer services, and WorkSpaces.
Enhanced CIS benchmark coverage includes automated query implementations for root user MFA controls across CIS versions 1.2.0 through 5.0.0, plus new EC2 instance IAM role validation queries added to the All AWS Compliance Controls benchmark for improved infrastructure security assessment.
Azure Compliance mod strengthened governance controls
The Azure Compliance mod expanded with new controls for Databricks workspace diagnostic logging and network security group configurations, Key Vault automatic key rotation, and enhanced storage account protections including soft delete and SMB encryption requirements. Recent updates added 13 new automated query implementations across CIS versions 1.5.0 through 4.0.0, covering identity management, network security, storage configuration, and compute resource governance.
Variable support enhancements provide configurable validation for App Service runtime versions including Python and Java across both web apps and function apps, enabling organizations to customize compliance requirements based on their specific technology standards and security policies.
Community Corner
Since last Launch Week, we've seen another awesome wave of contributions, content, and creativity across our open-source projects. Thanks to everyone sharing your work! Whether it’s a pull request, a blog post, or a demo, we love seeing what you build!
Here's a look at some highlights from the community:
Code and Doc Contributions
Huge thanks to our GitHub community for contributing fixes, features, and doc improvements across our open-source repos:
- @l-teles contributed pagination fixes to the Datadog plugin, added support for the DD_CLIENT_API_URL environment variable for configuring API URLs, and fixed Jira issue field handling to consistently return custom fields.
- @kuang87 added the hcloud_firewall table to the Hetzner Cloud plugin and fixed the bound_to column in the hcloud_image table to correctly return data.
- @Theo-Bouguet made extensive contributions to the Cloudflare plugin, adding tables for custom certificates, health checks, worker scripts, custom pages, logpush jobs, and notifications, plus enhanced zone configurations with smart tiered cache settings and improved load balancer pool details.
- @sohanmaheshwar added GitHub traffic analytics capabilities with github_traffic_clone_daily and github_traffic_clone_weekly tables in the GitHub plugin for tracking repository clone activity.
- @assakafpix contributed the googleworkspace_activity_report table to the Google Workspace plugin for comprehensive activity monitoring.
- @michalpl-monday added the aws_elasticache_serverless_cache table to the AWS plugin for ElastiCache serverless monitoring.
- @ameyer117 contributed the okta_authenticator table to the Okta plugin for enhanced authentication device management.
- @pdecat added default rate limiter configurations for AWS CloudFormation, Kinesis, Route 53, WAF, and WAF v2 service tables to improve API throttling management in the AWS plugin, and fixed documentation examples in the Exec plugin to use the correct column name exec_output instead of output.
- @vadimklimov created the new SAP Cloud Platform Integration plugin with tables for integration flows, packages, message mappings, script collections, and value mappings.
- @xybytes created the new SentinelOne plugin with 8 tables for endpoint security monitoring, including agents, alerts, threats, CVE vulnerabilities, and activity timelines.
- @oguzhan-yilmaz created a Helm chart for deploying Steampipe and Powerpipe to Kubernetes.
- @lucascherzer identified and reported conflicting Powerpipe documentation between the online docs and CLI help for the POWERPIPE_LISTEN environment variable default value, helping improve documentation accuracy for server configuration.
Community Content and Events
We also saw engaging blog posts, community projects, and industry recognition showcasing our projects:
- Reclaiming CSPM: More Than Checks, It's a Cloud Story
Matt Brown, Senior Sales Engineer at Sysdig, follows up on Part 1 of this series with advanced Steampipe queries that build context by joining tables across multiple AWS services. He demonstrates how to identify Lambda functions with overly-permissive IAM roles, public-facing ALBs with direct EC2 targets, and EBS volumes without recent snapshots, then shows how to transform these queries into custom Powerpipe dashboards and compliance controls alongside the built-in AWS benchmarks.
- AWS Fundamentals Resource Directory
Steampipe and Powerpipe were featured in the AWS Fundamentals resource directory as recommended tools for cloud security and compliance assessment.
- Turbot Sponsoring AWS re:Invent 2025
We'll be sponsoring AWS re:Invent 2025 in Las Vegas from December 1-5 and would love to connect with fellow members of the Turbot community. Stop by booth #1449 to meet our team, see live demos of our latest features, and grab some Turbot swag. If you're planning to attend, reach out to us and we'll coordinate a time to meet up and discuss your latest challenges and use cases.
CloudGovernance.org Updates
Following the launch of CloudGovernance.org announced in our last Launch Week, thousands of community members have visited the site to explore Cloud Governance resources. The platform provides free access to practical guidance, industry insights, and thought leadership on implementing effective Cloud Governance strategies across enterprise organizations. If you haven't already, check out the resources and subscribe to the Herding Clouds newsletter.
A key resource gaining attention is "How to Herd Clouds and Influence People", which is heading to print soon after positive reception from early access readers. The book follows Gary's 500-day transformation of chaotic cloud operations into structured Cloud Governance that enables innovation, focusing on the organizational challenges rather than technical best practices. Early readers have praised its practical approach to change management, calling it "essential reading for anyone bringing order to cloud chaos through effective Cloud Governance."
Flip over to A-sides for the Wrap Up
Thank you for joining us for another exciting Launch Week! Check out the week's daily announcements summary in our Launch Week 10 Wrap Up post. Stay connected with us in our Slack community for our next Launch Week in a few months!