As Launch Week 11 draws to a close, we wanted to take a moment to highlight some of the exciting updates and announcements that slipped under the radar this week across our Turbot products and open-source projects.
Guardrails: New Runtime Prevention Controls
Turbot Guardrails continues expanding runtime prevention capabilities across cloud providers with new resource types, controls, and enhanced CMDB tracking for real-time drift detection.
AWS
AWS QuickSight Account Settings governance
The AWS QuickSight mod now tracks QuickSight Account Settings in the CMDB, with event handlers processing real-time configuration changes for immediate visibility and drift detection across your analytics infrastructure.
AWS Cognito Identity Pool runtime controls
The AWS Cognito mod now provides runtime prevention controls for Identity Pools, ensuring these resources meet policy requirements for active state, authentication configurations, allowed regions, and tag compliance.
AWS Neptune and DocumentDB cluster snapshot protection
Protect and auto-remediate misconfigurations of DB Cluster Snapshots for both Neptune and DocumentDB, ensuring snapshots meet policy requirements for retention, encryption, tagging, and allowed configurations.
AWS Lambda layer and function URL controls
The AWS Lambda mod now enforces allowed configurations for Lambda layer trusted access and function URL authentication types, automatically remediating insecure public endpoint access.
AWS OpenSearch anonymous authentication enforcement
The AWS OpenSearch mod now enforces allowed anonymous authentication configurations for OpenSearch domains, ensuring public-facing search infrastructure meets security policy requirements.
AWS IAM access key lifecycle management
The AWS IAM mod now automatically removes unallowed access keys from CMDB, maintaining least-privilege access patterns and credential hygiene.
AWS EC2 AMI parent hierarchy tracking
The AWS > EC2 > AMI > CMDB control now automatically tracks the parent AMI hierarchy, capturing up to three ancestry levels with source details for improved supply chain security and compliance auditing.
AWS allowed regions default policy
Added AWS > Account > Allowed Regions [Default] policy type for setting regional restrictions at the account level.
Azure
Azure Virtual Desktop mod launch
The new Azure Virtual Desktop mod provides runtime prevention controls to protect and auto-remediate misconfigurations of Virtual Desktop Host Pools and Workspaces, ensuring these resources meet policy requirements for active state (e.g. TTL, last modified), allowed configurations, and tag compliance.
Azure Redis Cache mod launch
The new Azure Redis Cache mod provides runtime prevention controls for Redis Cache resources, ensuring caches meet policy requirements for active state, allowed configurations, and tag compliance. Firewall rule details are now tracked in CMDB for real-time network security configuration drift detection.
Azure Cognitive Services provider tracking
The Azure Provider mod now provides runtime prevention controls for Cognitive Services Provider resources, ensuring these AI and machine learning services meet policy requirements for active state, allowed configurations, and tag compliance.
Azure Cosmos DB public network access enforcement
The Azure Cosmos DB mod now enforces allowed public network access configurations for Database Accounts, automatically remediating insecure database exposure.
Azure Synapse Analytics security posture management
The Azure Synapse Analytics mod now enforces allowed advanced data security, threat protection, and vulnerability assessment configurations on Synapse Workspaces. Firewall rules, security alert policies, and vulnerability assessments are now tracked in CMDB for real-time security configuration drift detection.
Azure Automation network access enforcement
The Azure Automation mod now enforces allowed public network access configurations for Automation Accounts, preventing insecure network exposure.
Azure Container Registry access controls
The Azure Container Registry mod now enforces allowed anonymous pull access configurations for Registries, balancing public container distribution with security policy requirements.
Azure SQL and MySQL network security visibility
Virtual network rule details are now tracked in SQL server CMDB, and firewall rule details are now tracked in MySQL flexible server CMDB, providing real-time network security configuration drift detection.
Azure allowed regions default policy
Added Azure > Subscription > Allowed Regions [Default] policy type for setting regional restrictions at the subscription level.
GCP
GCP Vertex AI real-time configuration tracking
The GCP mod now processes enable/disable real-time events for Vertex AI via Service Usage APIs, providing immediate visibility and drift detection for AI service configuration changes.
Pipes: New features and updates
Archive logs for longer retention
Tenant owners can now archive audit and database logs to daily files for extended retention and download. Choose which log types to archive: Audit Logs track administrative actions like role assignments and resource creation, while Database Logs capture queries run against workspace Steampipe databases. A daily background job automatically archives the previous day's logs to storage, providing long-term compliance and audit capabilities. Note that disabling an archive stops future archives from being generated but preserves existing archives in storage.
Stop in-progress queries
The query console now includes a Cancel button to stop long-running queries and free up resources. This provides better control over query execution, particularly useful when exploring large datasets or troubleshooting complex queries.
Developer tools: Terraform Provider and SDK updates
The Pipes Terraform Provider v0.17.0 added service account resources for tenant and organization levels, plus enhanced workspace_datatank_table with skip_initial_refresh for improved infrastructure-as-code workflows. The Pipes SDK Go v0.16.0 added AI Key Management, Workspace Conversations, AI Models, and Service Account APIs with improved state enums and token workflows for enhanced programmatic access.
Steampipe: New tables and plugin enhancements
Steampipe continues expanding coverage of cloud and SaaS services with new table additions and plugin improvements.
AWS plugin adds 10 new tables
New tables include aws_budgets_budget, aws_ce_anomaly_monitor, aws_ce_cost_allocation_tags, aws_config_rule_compliance_detail, aws_bedrock_guardrail, aws_opensearch_reserved_instance, aws_sesv2_suppressed_destination, aws_ssoadmin_customer_managed_policy_attachment, aws_eks_access_entry, and aws_eks_access_policy_association.
Many existing tables now include expanded columns for additional configuration details, including aws_api_gateway_rest_api (api_status, api_status_message, disable_execute_api_endpoint, endpoint_access_mode, security_policy), aws_ebs_snapshot (full_snapshot_size_in_bytes), and aws_lambda_alias (code column).
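As an added example (not from the post or the Steampipe project), the new aws_api_gateway_rest_api columns make it a one-query check to find REST APIs whose default execute-api endpoint is still enabled and that are not deployed as PRIVATE, i.e. APIs reachable from the internet unless a resource policy says otherwise. It assumes the existing jsonb column endpoint_configuration_types, which the post does not list:

```sql
-- Added example (not part of the post): REST APIs that still expose the
-- default execute-api endpoint and are not PRIVATE. Columns
-- disable_execute_api_endpoint, endpoint_access_mode, security_policy and
-- api_status are the newly added ones; endpoint_configuration_types is an
-- existing jsonb array (assumed here) such as ["REGIONAL"] or ["PRIVATE"].
select
  account_id,
  region,
  name,
  api_id,
  endpoint_configuration_types,
  endpoint_access_mode,
  security_policy,
  api_status
from
  aws_api_gateway_rest_api
where
  -- treat a missing value as "not disabled", the AWS default
  not coalesce(disable_execute_api_endpoint, false)
  -- jsonb ? checks whether the array contains the string
  and not (endpoint_configuration_types ? 'PRIVATE')
order by
  account_id, region, name;
```

Run it from the Steampipe query shell or `steampipe query` against an aggregator connection to cover every account at once; a non-empty result set is the list of APIs whose public endpoint is the intended entry point, and everything else should have disable_execute_api_endpoint set.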
Azure plugin cost analysis and enhancements
New tables include azure_cost_forecast_daily and azure_cost_forecast_monthly.
Many existing tables now include expanded columns for additional configuration details, including azure_storage_account (creation time details in access_keys), azure_tenant (subscription_policy), azure_databricks_workspace (public_network_access, required_nsg_rules), and azure_virtual_network (dhcp_options).
AzureAD plugin enhanced monitoring capabilities
New tables include azuread_device_registration_policy, azuread_access_review_schedule_definition, azuread_authentication_method_policy, and azuread_external_identity_policy.
Many existing tables now include expanded columns for additional configuration details, including azuread_user (eight mailbox setting columns), azuread_authorization_policy (allowed_to_read_bitlocker_keys_for_owned_device), and azuread_conditional_access_policy (additional_data).
GCP plugin workstations support
Added gcp_workstations_workstation and gcp_workstations_workstation_cluster tables, along with a default rate limiter configuration for tables that use the Resource Manager APIs.
GitHub plugin Actions variables
Added github_actions_environment_variable, github_actions_organization_variable, and github_actions_repository_variable tables for querying GitHub Actions configuration.
Microsoft 365 plugin expanded coverage
Added five new tables, including microsoft365_group, microsoft365_list, microsoft365_site and microsoft365_user; enhanced the microsoft365_drive table with additional columns; and fixed user table population.
Alibaba Cloud plugin log and security tables
Added alicloud_log_project, alicloud_log_store, alicloud_security_center_asset, alicloud_security_center_vulnerability, and alicloud_sls_alert tables. The alicloud_rds_instance table now includes expanded columns for additional configuration details.
OVH plugin infrastructure and IAM tables
Added ovh_dedicated_server, ovh_ceph, and ovh_iam_resource tables. The ovh_cloud_project table now includes an iam column for identity and access management details.
Additional plugin enhancements
- OCI plugin: Expanded oci_identity_domain and oci_identity_dynamic_group tables
- Cloudflare plugin: Added cloudflare_managed_transform table and enhanced cloudflare_zone with leaked_credential_check_enabled column
- Scaleway plugin: Added billing_period column to scaleway_billing_consumption table
- Grafana plugin: Added grafana_alert_rule and grafana_dashboard_permission tables for querying alert configurations and dashboard access controls
- Google Workspace plugin: Enhanced OAuth2 scope handling for improved authentication
- Config plugin: Added xml_file table, enabling SQL queries of XML configuration files alongside existing support for JSON, YAML, INI, and CSV formats
- Jira plugin: Enhanced jira_issue_comment table for improved data retrieval
Powerpipe: New CIS benchmark versions
Powerpipe compliance mods have been updated with the latest CIS benchmark versions across multiple clouds, providing organizations with up-to-date security and compliance assessments aligned with industry best practices.
The compliance mod library now includes:
- AWS CIS v6.0.0 - Latest AWS security configuration benchmark
- Azure CIS v5.0.0 - Updated Azure security baseline with new Databricks controls
- Microsoft 365 CIS v6.0.0 - Latest Microsoft 365 security configuration baseline
- Microsoft 365 CIS v5.0.0 - Updated configuration standards
- Alibaba Cloud CIS v2.0.0 - Latest Alibaba Cloud security benchmarks
- OCI CIS v3.0.0 - Updated Oracle Cloud Infrastructure security baseline
These updates ensure compliance assessments reflect the latest security guidance and best practices from the Center for Internet Security. The AWS Compliance mod also received 48 new AWS Foundational Security Best Practices controls covering Cognito password policies, DMS multi-AZ replication, EC2 launch templates, RDS TLS connections, and more.
Community Corner
Since last Launch Week, we've seen another awesome wave of contributions, content, and creativity across our open-source projects. Here's a look at some highlights from the community:
Code and Doc Contributions
Huge thanks to our GitHub community for contributing fixes, features, and doc improvements across our open-source repos:
- @tdannenmuller added billing_period column to the Scaleway plugin and ovh_dedicated_server table to the OVH plugin.
- @Theo-Bouguet contributed the cloudflare_managed_transform table and enhanced the cloudflare_zone table with leaked_credential_check_enabled column in the Cloudflare plugin.
- @ustndagsemih added four new tables to the AWS plugin: aws_budgets_budget, aws_ce_anomaly_monitor, aws_ce_cost_allocation_tags, and aws_config_rule_compliance_detail.
- @pdecat added default rate limiter configuration for GCP plugin tables using GCP Resource Manager APIs, added ovh_iam_resource table and iam column to ovh_cloud_project in the OVH plugin, and contributed SDK cache improvements to fix matrix item filtering in cache keys.
- @jdfresser added ovh_ceph table to the OVH plugin.
- @SatoriSec contributed Bedrock tables to the AWS plugin.
- @jramosf contributed OpenSearch tables to the AWS plugin.
- @nickthejagger contributed SESv2 tables to the AWS plugin.
- @bahybintang added full_snapshot_size_in_bytes column to aws_ebs_snapshot table.
- @KingBrewer added Databricks and IAM controls to the Azure Compliance mod and fixed multiple query issues.
- @manzomanze added dhcp_options to azure_virtual_network table.
- @codenio added grafana_alert_rule and grafana_dashboard_permission tables to the Grafana plugin, plus bug fixes for grafana_folder_permission.
- @vil02 added xml_file table to the Config plugin.
- @Romariok created the Yandex Cloud Cost and Usage Insights Tailpipe mod for monitoring and analyzing costs across Yandex Cloud folders using Billing exports.
Community Content & Demos
We've seen engaging blog posts, community projects, and presentations showcasing Turbot projects across the globe:
- CMMC: The Reckoning - Illumen published an in-depth analysis of the CMMC 2.0 launch on November 10, 2025, revealing that only 0.5% (431 out of 80,000) of Defense Industrial Base contractors have achieved certification. The article provides a detailed guide on using Steampipe to automate quarterly access reviews across multiple cloud services (AWS, Google Workspace, GitHub, Azure, Okta) using SQL queries, transforming weeks of manual compliance work into automated, auditable processes. The post demonstrates how GRC engineering with free, open-source tools like Steampipe enables continuous compliance and automated evidence collection for CMMC, SOC 2, and ISO 27001 requirements.
- Steampipe: El cuchillo suizo de SQL para travesuras en la nube (Steampipe: the SQL Swiss army knife for cloud mischief) - Jose Ramon Palanco published a comprehensive DevSecOps guide exploring Steampipe as a tool that transforms cloud APIs into queryable SQL tables for security teams to audit multi-cloud infrastructure. The article covers enterprise deployment patterns using Docker and Kubernetes, provides sample SQL queries for identifying security issues like publicly accessible databases and overprivileged IAM users, and demonstrates advanced features including custom CIEM rules, Terraform drift detection, and dashboard creation for executive reporting.
- Verifying compliance.tf Modules: From Guardrails to Audit Evidence - AWS Hero and Terraform influencer Anton Babenko published a detailed article explaining how to validate that compliance.tf (CTF) modules actually enforce their security controls in practice. The post describes a two-stage verification approach combining pre-apply Infrastructure-as-Code scanners (Checkov, Trivy) with post-apply infrastructure scanners like Powerpipe, Prowler, and AWS Config to provide repeatable audit evidence for compliance teams.
- Pruning Garden Paths in AWS with Neph - Security Risk Advisors' Evan Perotti introduced Neph, a graph-based security assessment tool that identifies attack paths within AWS environments. Neph leverages Steampipe as its collection engine, connecting Neo4j to Steampipe's PostgreSQL interface via JDBC to enable highly scalable resource collection without requiring explicit tool modifications. The tool is available as an alpha release on GitHub.
- Visualizing AWS Environments with Steampipe - yes_dog from Cybersecurity Cloud Inc. published a guide (in Japanese) demonstrating how to use Steampipe combined with Powerpipe for AWS infrastructure visibility. The article walks through installing Steampipe and the AWS plugin on an EC2 instance, configuring multi-region access, and layering Powerpipe on top to transform query results into interactive web dashboards, eliminating manual parameter sheet maintenance.
- JOU CloudSec Platform - JOU Lifestyle released a cloud-native security tool combining Cloud Security Posture Management and Cloud Workload Protection Platform capabilities. The platform integrates a FastAPI backend with a Next.js frontend, utilizing Steampipe as the policy evaluation engine to check compliance and identify policy violations via Steampipe queries alongside OPA (Open Policy Agent) for multi-layered compliance checking.
- Engineering Metrics Beyond DORA: Measuring What Matters - Danilo Spinelli shared how their team built a custom engineering metrics system using Steampipe and Powerpipe instead of purchasing commercial tools that required excessive customization. Steampipe exposes APIs from cloud and SaaS services like GitHub as SQL-queryable database tables for extracting development data, while Powerpipe creates tailored dashboards and reports for reproducible, code-based analytics. This open-source stack enables defining and visualizing metrics aligned with engineering goals using publicly available data.
- AWS Security Foundation: Security in AWS environments - This comprehensive course teaches how to build a secure and scalable foundation for AWS cloud environments, covering topics from the AWS Control Plane and IAM to AWS Organizations and security best practices based on industry-recognized frameworks. The course includes dedicated sections on performing security assessments in AWS using Steampipe and Powerpipe, teaching students how to install Steampipe, configure the AWS plugin, write SQL queries against AWS resources, and create dashboards for security analytics and reporting.
- AWS Well-Architected User Group Meetup - Milan - Community user Alessio Vintari, Senior Cloud Architect at NTT DATA Italy, presented to the Milan, Italy AWS Well-Architected User Group on how to manage governance as code with Steampipe and Powerpipe.
CloudGovernance.org
Since last Launch Week, the Herding Clouds newsletter has explored cloud governance anti-patterns and their solutions:
- Edition #12: The Ownership Void - When cloud resources exist but nobody knows who's accountable for them, creating ungoverned infrastructure and unallocated costs.
- Edition #11: The Rollout Rush - When governance changes deploy too fast without communication, preparation time, or considering whether teams are ready to adapt.
- Edition #10: Lift and Shift Governance - When infrastructure automation outpaces governance automation, creating cloud-native tech with datacenter-era controls.
- Edition #9: The Hidden Blocker - When teams learn about governance by encountering errors instead of proactive communication.
- Edition #8: The Permanent Exception - When temporary workarounds become permanent because teams don't build review processes into exception approvals.
- Edition #7: The Standards Drift - When teams start with the same policy but gradually diverge, creating inconsistent implementations across environments.
In other CloudGovernance.org news, How to Herd Clouds and Influence People hit No. 1 New Release in the Cloud Computing category on Amazon! The book is available on Amazon.com in Paperback and Kindle formats.
Community Events
AWS re:Invent 2025 Recap
The Turbot team had an incredible week at AWS re:Invent 2025 in Las Vegas (December 1-5) connecting with the cloud community. We showcased our prevention-first cloud security features at booth #1449 to thousands of cloud professionals, gave out approximately 100 copies of "How to Herd Clouds and Influence People," and spent valuable time with customers and partners throughout the week. Thank you to everyone who stopped by to chat about cloud governance challenges and see live demos of our latest features!
See You at RSAC 2026
We'll be heading to San Francisco next for the RSAC 2026 Conference Expo, March 23-26, 2026. Stop by booth S-0365 in the Moscone South Expo to meet our team, see live demos, and discuss your cloud governance and security challenges. We'd love to connect with you!
Flip over to A-sides for the Wrap Up
Thank you for joining us for another exciting Launch Week! Check out the week's daily announcements summary in our Launch Week 11 Wrap Up post. Stay connected with us in our Slack community for our next Launch Week in a few months!
