As Launch Week 12 draws to a close, we wanted to take a moment to highlight some of the exciting updates and announcements that slipped under the radar this week across our Turbot products and open-source projects.
Guardrails: CIS Benchmark Refresh
Turbot Guardrails now has complete CIS benchmark coverage across AWS, Azure, and GCP -- every published version from the earliest through the latest. CIS benchmarks are the industry standard for cloud security configuration, and keeping up with new versions as CIS publishes them is critical for compliance programs that reference specific benchmark versions.
Since Launch Week 11, we've shipped new Guardrails mods for AWS CIS v4.0 through v6.0, Azure CIS v4.0 and v5.0, and GCP CIS v3.0 and v4.0 -- while also fixing policy mappings across all earlier versions. Whether your organization is on the latest benchmark or still transitioning from an older version, Guardrails has you covered.
Guardrails: Allowed Controls Replace Approved
The Approved guardrails are now deprecated. Over the last few launch weeks, we've been rolling out the new Allowed guardrails across AWS and Azure -- completing the transition to a more flexible control model.
To understand why, consider how Approved works with an EC2 instance. The AWS > EC2 > Instance > Approved control checks all sub-policies together -- region, instance type, encryption, image, public IP -- as a single pass/fail. If any check fails, the entire resource is unapproved, and one enforcement action applies to everything. You can't stop an instance in a bad region while only alarming on a wrong instance type. It's all or nothing.
Allowed controls break this apart. Instead of one monolithic Approved control, you get independent controls for each objective:
- AWS > EC2 > Instance > Allowed > Region -- stop or terminate instances in unapproved regions
- AWS > EC2 > Instance > Allowed > Instance Type -- alarm on unapproved instance types
- AWS > EC2 > Instance > Allowed > Public IP -- delete instances with public IPs
- AWS > EC2 > Instance > Allowed > Root Volume Encryption at Rest -- enforce encryption requirements
Each control has its own enforcement action and its own sub-policies. You can deploy, update, or remove each one independently. Allowed controls also support enforcement regardless of resource age -- a capability Approved controls never had. And custom checks let you write your own validation rules against any resource attribute using calculated policies.
Guardrails: New Azure Mods & Resource Types
Three brand new Azure mods expand Guardrails coverage into new service areas:
- Azure Alerts Management -- Track and manage alert management resources with runtime prevention controls.
- Azure Bot Service -- Track and manage bot service resources with runtime prevention controls.
- Azure Cognitive Services -- Track and manage cognitive services resources with runtime prevention controls.
New resource types in existing mods include Monitor (data collection endpoints), App Service (connections), Key Vault (certificates), Network (WAF policies and NAT Gateways), and Storage (protocol settings and versioning).
The Azure mod added a Management Group Activity Log Poller, and tenant-level identity and access resource types including Access Review Schedule Definitions, Authentication Methods Policy, and Conditional Access Policy.
Guardrails: New AWS Mods and Resource Types
Two new AWS mods since Launch Week 11:
- AWS MSK Connect -- Track and manage MSK Connect resources with runtime prevention controls.
- AWS Control Tower -- Track and manage Control Tower resources with runtime prevention controls.
New resource types in existing mods include Transfer (servers and connectors), Comprehend (document classifiers and flywheels), MSK (serverless clusters and VPC connections), FSx (volumes and storage VMs), DataSync (agents), API Gateway (VPC links), and CloudFormation (hooks).
EC2 now includes AMI details in instance CMDB data with improved AMI lineage discovery using native AWS APIs.
Guardrails: Integrated Documentation
Guardrails now includes the full product documentation and mod reference directly in the console. The documentation is version-matched to your installed Turbot Enterprise release and the specific mods in your environment -- so the guides, policy references, and examples you see are always relevant to your actual deployment.
Previously, documentation was only available on the public website at the latest release version, which may not match what you have installed. Bringing it into the product makes it more contextual and also feeds into the integrated chat -- so when you ask a question, the answers draw from docs that match your environment.
Guardrails: AWS Bedrock & Azure OpenAI Support
In Launch Week 9, we introduced AI-powered features for Guardrails -- Intelligent Assessment for natural language explanations of your security posture, Intelligent Fixes for step-by-step remediation guidance, and Intelligent Summaries for policy pack overviews. Those initial integrations supported Anthropic and OpenAI API keys directly.
Now you can also use AWS Bedrock and Azure OpenAI as AI providers, giving you the flexibility to use your organization's existing cloud AI infrastructure. This powers all AI features in Guardrails -- Intelligent Assessment, Intelligent Fixes, Intelligent Summaries, and the integrated chat.
Pipes: New Capabilities
Turbot Pipes shipped several new capabilities since Launch Week 11:
Service Account API Management -- Owner-role service accounts can now programmatically create, update, and delete non-owner service accounts and manage their tokens via API. Lateral escalation prevention ensures the security model is sound, enabling fully automated service account lifecycle management via Terraform and IaC.
TLS by Default for PostgreSQL -- All internal PostgreSQL connections now default to sslmode=require, encrypting database traffic in transit.
AI Model Updates -- Refreshed the supported AI model set with GPT 5.1 and GPT 5.2.
Centralized Log Retention -- New automated log cleanup with plan-based retention policies, managing storage growth per plan tier.
Mod Installation UX -- GitHub and GitLab repository listing now shows all accessible repos, not just the first 100. Customers with large GitHub orgs or GitLab instances can now find and install any mod.
Vanta OAuth2 Integration -- Vanta plugin switched to OAuth2 client credentials authentication, eliminating manual API key rotation.
Steampipe: New Tables
The AWS plugin added the new aws_ec2_fleet table along with enhanced columns on aws_health_event, aws_cloudfront_distribution, and aws_ssoadmin_instance tables.
The Vanta plugin added the new vanta_vulnerability table for querying vulnerability data from your Vanta account.
Powerpipe: Azure CIS v5.0.0 Benchmark
The Azure Compliance mod added new controls for the CIS Azure Foundations Benchmark v5.0.0, covering MFA enforcement for all users, diagnostic settings for subscription activity logs, and storage account access key rotation. Query fixes also improved handling of edge cases in storage account soft delete and access key checks.
Community Corner
Since last Launch Week, we've seen another awesome wave of contributions, content, and creativity across our open-source projects. Here's a look at some highlights from the community:
Code and Doc Contributions
Huge thanks to our GitHub community for contributing fixes, features, and doc improvements across our open-source repos:
- @pdecat added the new aws_ec2_fleet table to the AWS plugin and contributed two SDK fixes for cache key handling in the Steampipe Plugin SDK.
- @dj00808 added monitoring_subscription column to aws_cloudfront_distribution and fixed high severity vulnerabilities in the AWS plugin.
- @Recurzion added an actionability column to AWS Health Events in the AWS plugin.
- @urkle added a control for showing unattached EBS snapshots to the AWS Thrifty mod.
- @mattkeeler fixed ASN field mapping in the IPInfo plugin.
- @steakunderscore fixed a filename issue in the AWS Compliance mod.
- @KingBrewer fixed storage account soft delete query handling in the Azure Compliance mod.
We also want to recognize @ramirezj from Grendel Consulting for building and maintaining the Kolide Steampipe plugin. Following 1Password's acquisition of Kolide, the underlying Kolide K2 v0 API has been deprecated and the plugin is now archived. Thanks James for the contribution to the Steampipe ecosystem!
Community Content & Demos
-
Rajiv wrote a detailed walkthrough of automating AWS Well-Architected Framework checks with Steampipe and Powerpipe, complete with a GitHub Actions workflow that runs benchmarks on a schedule and uploads HTML reports as artifacts.
-
Salim Amine Bou Aram showed how to monitor your cloud environment with Steampipe and Grafana, connecting Steampipe's live SQL queries to Grafana dashboards for real-time EC2 instance monitoring across all AWS regions.
-
Damien Burks explored how prevention-first cloud security helps escape alert fatigue, contrasting CNAPP detection with Turbot's approach of enforcing guardrails at deployment time to eliminate exposure windows before they open.
-
Caleb Oni shared a quick take on why cloud security detection isn't enough, making the case for preventive controls with Turbot Guardrails.
-
Patrick Gorman walked through how prevention-first cloud security works in practice, with a concrete example of blocking non-compliant S3 buckets at the API level and auto-remediating drift.
-
Rajdeep Saha broke down why alert volumes grow 388% year over year in large projects and how prevention-first security reduces the attack surface instead of chasing alerts.
-
Marcel Velica compared detection vs prevention approaches, explaining how Preventive Security Posture Management blocks risky actions at the API level before resources are created.
-
Matthew Rosenquist highlighted how Turbot's preventive model complements CNAPPs by making sense of alerts and coordinating proactive actions through automated policy management.
Turbot's prevention-first approach was also featured in TL;DR InfoSec, CloudSecList, and Cybersecurity Dive.
We love seeing what you build with our tools! Whether it's a pull request, a blog post, or a demo, keep sharing your work with the community.
Events
RSAC 2026
It's been an incredible week -- Launch Week 12 ran alongside RSAC 2026 in San Francisco, and we had a great time connecting with the cloud security community at booth S-0365 in the Moscone South Expo. Thanks to everyone who stopped by for demos and conversations about prevention-first cloud security!
Up Next: Gartner Security & Risk Management Summit
We'll be at the Gartner Security & Risk Management Summit in National Harbor, MD, June 1-3, 2026. Come find us to talk cloud governance, preventive security, and see live demos of everything we launched this week. We'd love to connect!
Flip over to A-sides for the Wrap Up
Thank you for joining us for another exciting Launch Week! Check out the week's daily announcements summary in our Launch Week 12 Wrap Up post. Stay connected with us in our Slack community for our next Launch Week in a few months!