As Launch Week 13 draws to a close, we wanted to take a moment to highlight some of the exciting updates and announcements that slipped under the radar this week across our Turbot products and open-source projects.
Guardrails: Service governance and reliability improvements
Guardrails coverage of everyday cloud services expanded across AWS, Azure, GCP, and GitHub, along with a wave of reliability work.
New service governance capabilities
- AWS EC2: new Active > Running policy for EC2 instances with thresholds for inactivity at 24 and 48 hours and a "Delete inactive with 2 days warning" enforcement option; AMI deregistration protection; and 21 new ELB security policies covering FIPS, Post-Quantum, and combined FIPS+PQ categories.
- AWS ECR: new Lifecycle Policy > Required control to enforce lifecycle policy rules on private repositories.
- AWS account: account CMDB now captures Operations and Billing alternate contacts alongside the existing Security contact.
- AWS Lambda: expanded Allowed and Region controls across Function, Function Alias, Function Version, and Layer (with GovCloud and China partition compatibility).
- Azure Redis: firewall rules and approved IP-range governance for Redis Cache.
- Azure SQL: configure public network access for managed instances.
- Azure API Management: new API resource tracking with protocol controls. Note: includes breaking CMDB changes (legacyPortalStatus and developerPortalStatus added, portalUrl removed, platformVersion value reformatted), so review existing policy settings before upgrading.
- Azure Virtual Desktop: configure public network access for workspaces and host pools.
- Azure Search Management: configure public network access for search services.
New prevention objectives
- github-prevention: two supply-chain objectives -- Prohibit modification of published GitHub release assets and Require GitHub Actions to use pinned commit SHAs.
- gcp-prevention: Terraform examples and Guardrails control mappings for DNSSEC, API key restrictions, KMS key rotation, Dataproc CMEK, Confidential Computing for Compute Engine, and DNS managed zone logging.
Quieter DR replication snapshots in Guardrails CMDB
AWS Elastic Disaster Recovery (DRS) and AWS Application Migration Service (MGN) continuously snapshot replication volumes to keep their staging copies fresh, often hundreds of CreateSnapshot events per hour from a single replication account, with snapshots that live for minutes before AWS deletes them. None of it represents state worth tracking, but every event still flows through CloudTrail to a Guardrails EventBridge rule, fires a Lambda, and lands an upsert in CMDB before the matching delete arrives. The churn drowns real signal -- a developer copying a production snapshot, an out-of-policy snapshot share.
Two new AWS EC2 mod policies cut the noise at the two layers where it shows up. AWS > EC2 > Snapshot > CMDB > Excluded Services is a multi-select of service-managed snapshot owners (AWS Backup, DRS, MGN); selecting a service stops new snapshots it owns from landing in CMDB and removes any already there on the next CMDB run. AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2 > Excluded Roles is a list of IAM role names whose CloudTrail events are dropped at the EventBridge layer, before they reach Guardrails at all; it is intended for the AWS-managed service-linked roles that DRS and MGN use for replication (AWSServiceRoleForElasticDisasterRecovery, AWSElasticDisasterRecoveryReplicationServerRole, AWSApplicationMigrationReplicationServerRole). Both default to empty and compose with each other; for full DR coverage set both, since one controls state and the other controls flow.
The new Excluded Services policy with the three service-managed snapshot owners selected
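To make the two layers concrete, here is an added illustration of how the flow filter and the state filter compose. It is not Guardrails code: the event pattern uses real EventBridge syntax ("anything-but" on the assumed-role name in sessionContext.sessionIssuer.userName), the matcher implements only the subset of EventBridge pattern semantics the example needs, the CloudTrail events are constructed, and the "managedBy" field used to attribute a snapshot to a service is an assumption standing in for however a real pipeline identifies service-managed snapshots.

```python
"""Two-layer filter for service-managed replication snapshots (illustration).

Layer 1 (flow): an EventBridge pattern drops CloudTrail events from excluded roles.
Layer 2 (state): snapshots owned by excluded services never land in CMDB.
Events here are constructed; "managedBy" is an assumed attribution field.
"""
import json

# The three AWS-managed replication roles named in the post.
EXCLUDED_ROLES = [
    "AWSServiceRoleForElasticDisasterRecovery",
    "AWSElasticDisasterRecoveryReplicationServerRole",
    "AWSApplicationMigrationReplicationServerRole",
]

# Service-managed snapshot owners named in the post.
EXCLUDED_SERVICES = {"AWS Backup", "DRS", "MGN"}


def excluded_roles_pattern(roles):
    """Layer 1: EventBridge pattern for EC2 CloudTrail calls that excludes
    calls made under the given IAM roles. "anything-but" is real EventBridge
    syntax; sessionIssuer.userName carries the assumed role's name."""
    return {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "userIdentity": {
                "sessionContext": {
                    "sessionIssuer": {"userName": [{"anything-but": list(roles)}]}
                }
            }
        },
    }


def _leaf_matches(alternative, value):
    if isinstance(alternative, dict) and "anything-but" in alternative:
        return value not in alternative["anything-but"]
    return alternative == value


def matches(pattern, event):
    """Subset evaluator for EventBridge patterns: nested objects, lists of
    exact values, and {"anything-but": [...]}. As in EventBridge, every field
    in the pattern must exist in the event, so an event with no sessionContext
    (for example an IAM user call) does not match this pattern at all."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(rule, dict):
            if not isinstance(value, dict) or not matches(rule, value):
                return False
        elif not any(_leaf_matches(alt, value) for alt in rule):
            return False
    return True


def make_event(role, snapshot_id, managed_by=None):
    """Constructed, heavily abridged CloudTrail CreateSnapshot event.
    role=None models an IAM user call, which has no sessionContext."""
    detail = {"eventName": "CreateSnapshot",
              "responseElements": {"snapshotId": snapshot_id}}
    if role is None:
        detail["userIdentity"] = {"type": "IAMUser", "userName": "alice"}
    else:
        detail["userIdentity"] = {"type": "AssumedRole",
                                  "sessionContext": {"sessionIssuer": {"userName": role}}}
    if managed_by:
        detail["responseElements"]["managedBy"] = managed_by  # assumed attribution field
    return {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail", "detail": detail}


def sample_events():
    """Constructed sample: two replication-role events, one AWS Backup event
    made under a role that is not excluded, and one developer snapshot."""
    return [
        make_event("AWSServiceRoleForElasticDisasterRecovery", "snap-0drs000000000001", "DRS"),
        make_event("AWSApplicationMigrationReplicationServerRole", "snap-0mgn000000000001", "MGN"),
        make_event("AWSBackupDefaultServiceRole", "snap-0bkp000000000001", "AWS Backup"),
        make_event("DeveloperRole", "snap-0dev000000000001"),
    ]


def process(events, pattern, excluded_services):
    """Run events through both layers; return the snapshot ids that would
    reach CMDB and a count of where the rest were dropped."""
    reached, dropped = [], {"eventbridge": 0, "cmdb": 0}
    for ev in events:
        if not matches(pattern, ev):            # layer 1: never leaves EventBridge
            dropped["eventbridge"] += 1
            continue
        snap = ev["detail"]["responseElements"]
        if snap.get("managedBy") in excluded_services:  # layer 2: no CMDB upsert
            dropped["cmdb"] += 1
            continue
        reached.append(snap["snapshotId"])
    return reached, dropped


if __name__ == "__main__":
    pattern = excluded_roles_pattern(EXCLUDED_ROLES)
    print(json.dumps(pattern, indent=2))
    print(process(sample_events(), pattern, EXCLUDED_SERVICES))
```

The AWS Backup event shows why both policies are needed: its role is not in the excluded list, so the event passes the EventBridge layer, and only the service exclusion keeps it out of CMDB. The matcher also reproduces an EventBridge detail worth knowing before relying on an "anything-but" pattern: the field being negated must exist in the event, so the pattern above matches no IAM-user events at all; a pattern meant to pass those through would need a separate branch for them.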
Event handler and cross-mod fixes
A coordinated reliability pass across the AWS Lambda, EKS, ECS, ECR, Control Tower, and Athena mods made CloudWatch event patterns respect per-resource CMDB settings again, so disabling CMDB for a sub-resource type at the region or account level now correctly suppresses event forwarding for it. Global Event Handlers also now forward every detail-type defined in the event patterns from non-primary regions, including EBS volume notifications, EC2 state changes, AppStream and QuickSight service events, Organizations events, and Billing Console region enable/disable.
Smaller reliability fixes landed across the AWS IAM managed-permissions stack, Azure Network Security Group approved-rule handling on large NSGs, Azure multi-tenant Discovery scoping by tenantId, GCP Organization CMDB Discovery Level support, and custom AKA preservation on AWS Organization resources, plus the EFS, QuickSight, MSK, and OCI mods.
Guardrails: Flexible AI model and endpoint policies
Two AI configuration policies got more flexible in Turbot 5.59.0:
- Model selection now accepts any model your provider offers, so you can adopt a freshly released model the day it ships, on your own timeline. Existing policy settings carry forward unchanged.
- Per-provider endpoint policies for Bedrock, Anthropic, Azure OpenAI, and OpenAI let you route AI traffic through a custom endpoint per provider.
The AI Configuration page: pick any model your provider supports, and optionally route through a custom endpoint
Steampipe: New tables and plugin improvements
The AWS plugin added five new tables:
- aws_ecr_registry
- aws_eks_pod_identity_association
- aws_msk_topic
- aws_rds_global_cluster
- aws_synthetics_canary
Operational fixes in the AWS plugin removed the Location presigned-URL field from aws_lambda_function.code (a presigned URL that allowed unauthenticated download of the Lambda deployment package) and fixed ExpiredToken errors on long-running queries when Turbot Pipes rotates STS credentials mid-query.
The Kubernetes plugin added inline kubeconfig support and a time_zone column on the kubernetes_cronjob table.
Powerpipe: Compliance and Thrifty mod updates
The AWS Thrifty mod added a new ebs_unused_snapshots control for surfacing EBS snapshots that no longer back any live volume.
The GCP Compliance mod corrected the bigquery_table_encrypted_with_cmk query to skip BigQuery views (which don't store data and can't be CMK-encrypted) and fixed AWS references in compute control descriptions to correctly reference GCP.
The Azure Compliance mod updated the securitycenter_notify_alerts_configured query to use the non-deprecated notifications_by_role and notifications_sources columns, removing false positives on the CIS v5.0.0 8.1.14 control.
Community Corner
Since last Launch Week, we've seen another awesome wave of contributions, content, and creativity across our open-source projects. Here's a look at some highlights from the community.
Code and doc contributions
Huge thanks to our GitHub community for contributing fixes, features, and table additions across our open-source repos:
- @Abhi011999 added inline kubeconfig support to the Kubernetes plugin, and also contributed to the AWS plugin with a fix to skip Infrequent Access log groups in aws_cloudwatch_log_subscription_filter and recognition of the il-* and mx-* commercial region prefixes.
- @andriizavoiko added the new aws_eks_pod_identity_association table to the AWS plugin.
- @chammock added the new aws_ecr_registry table to the AWS plugin.
- @dark-panda corrected AWS references in compute control descriptions in the GCP Compliance mod.
- @ellisvalentiner updated his Confluence plugin with new Confluence Data Center authentication support, Cloud-optimization fixes, and new content columns.
- @karolszmndy added the new aws_msk_topic table to the AWS plugin.
- @KingBrewer fixed the securitycenter_notify_alerts_configured query in the Azure Compliance mod.
- @leongzhiyong added the new aws_synthetics_canary table to the AWS plugin.
- @l-teles updated his FleetDM plugin with bug fixes for fleetdm_host_detail MDM check-in and enrollment timestamps.
- @mikkeloscar added the time_zone column to the kubernetes_cronjob table in the Kubernetes plugin.
- @pdecat made standalone FDW connections parallel-safe in the steampipe-postgres-fdw and improved pluralize.Client caching in the Steampipe Plugin SDK.
- @ppapishe added the new aws_rds_global_cluster table to the AWS plugin.
- @tpoindessous fixed BigQuery view handling in the GCP Compliance mod.
- @urkle added the new ebs_unused_snapshots control to the AWS Thrifty mod.
A special thank-you also goes to Anita Mittal for the responsible disclosure on one of our open-source repositories. That kind of community-led security review is exactly what makes the open-source ecosystem stronger.
Community content & demos
We also saw new tutorials, community-built tools, and discussion content land across the OSS ecosystem and LinkedIn since Launch Week 12.
- Bala Paranj wrote "The contract is the interface: agent-driven Steampipe Stave in one command" on how the Stave cloud-security policy engine uses Steampipe as its primary data source, with declarative YAML mappings from Steampipe columns into Stave's standardized observation schema.
- DevOps IA Solutions published a community-maintained Powerpipe Docker image, tracking releases through the latest v1.5 line.
- Gabrielle Botbol walked through her Shield + Radar metaphor for cloud security, with Turbot Guardrails as the Shield (prevention) and CNAPP detection as the Radar, arguing for automation that preserves human control through policy simulation.
- IPGeolocation released the new steampipe-plugin-ipgeolocation for querying IP geolocation data via Steampipe SQL.
- Rajiv, an AWS Community Builder, continued his Well-Architected series with "Automating AWS Well-Architected Reviews with AI Agents", using Steampipe as the data-collection layer in an agent pipeline alongside Security Hub, Inspector, GuardDuty, and IAM Access Analyzer.
- Rowan Udell shared a take on PSPM as the prevention complement to detection, framing Turbot Guardrails for enforcement at the point of change, policy simulation before org-wide rollout, mapping controls to standards, and per-control choice between prevention and remediation.
- Vanessa Bezerra shared a walkthrough of building an AWS infrastructure observability environment from scratch using Powerpipe, Steampipe, and the AWS Insights mod, with dashboards covering S3 versioning and encryption, VPC security groups, EC2 public instances, and IAM.
We love seeing what you build with our tools! Whether it's a pull request, a plugin, a Docker image, a blog post, or a demo, keep sharing your work with the community.
Events
Gartner Security & Risk Management Summit 2026
Turbot sponsored the Gartner Security & Risk Management Summit in National Harbor, MD, June 1-3, landing right alongside Launch Week 13. Thanks to everyone who stopped by the booth for demos and conversations about prevention-first cloud and AI security!
fwd:cloudsec North America
We also reconnected with the cloud security community at fwd:cloudsec North America at the Meydenbauer Center in Bellevue, WA, June 1-2. We enjoyed the practitioner-led conversations around AI security and the real-world cloud security work the community is pushing forward.
Up Next: Black Hat USA 2026
We're sponsoring Black Hat USA 2026 at Mandalay Bay in Las Vegas, August 1-6, 2026. Find us at booth 5742 to talk cloud governance, preventive security, and AI Guardrails, and see live demos of everything we launched this week. We'd love to connect!
Up Next: Ai4 2026
We'll also be in Vegas the same week at Ai4 2026 at the Venetian, August 4-6, 2026. Stop by booth 1527 to talk AI governance, the new AI prevention objectives across Bedrock, Foundry, Vertex AI, Anthropic, and OpenAI, and how Turbot Guardian fits into your AI security story.
Flip over to A-sides for the Wrap Up
Thank you for joining us for another exciting Launch Week! Check out the week's daily announcements summary in our Launch Week 13 Wrap Up post. Stay connected with us in our Slack community for our next Launch Week in a few months!
