Changelog

Subscribe to all changelog posts via RSS or follow #changelog on our Slack community to stay updated on everything we ship.

Bug fixes

  • Fixed the issue where the search path setting was not retained while navigating to a different dashboard. (#325)

What's new?

  • Added support to process enable and disable real-time events for Dataplex.

Resource Types

  • GCP > Dataplex
  • GCP > Dataplex > Lake
  • GCP > Dataplex > Task
  • GCP > Dataplex > Zone

Control Types

  • GCP > Dataplex > API Enabled
  • GCP > Dataplex > CMDB
  • GCP > Dataplex > Discovery
  • GCP > Dataplex > Lake > Active
  • GCP > Dataplex > Lake > Approved
  • GCP > Dataplex > Lake > CMDB
  • GCP > Dataplex > Lake > Discovery
  • GCP > Dataplex > Lake > Labels
  • GCP > Dataplex > Lake > Usage
  • GCP > Dataplex > Task > Active
  • GCP > Dataplex > Task > Approved
  • GCP > Dataplex > Task > CMDB
  • GCP > Dataplex > Task > Discovery
  • GCP > Dataplex > Task > Labels
  • GCP > Dataplex > Task > Usage
  • GCP > Dataplex > Zone > Active
  • GCP > Dataplex > Zone > Approved
  • GCP > Dataplex > Zone > CMDB
  • GCP > Dataplex > Zone > Discovery
  • GCP > Dataplex > Zone > Labels
  • GCP > Dataplex > Zone > Usage

Policy Types

  • GCP > Dataplex > API Enabled
  • GCP > Dataplex > Approved Regions [Default]
  • GCP > Dataplex > CMDB
  • GCP > Dataplex > Enabled
  • GCP > Dataplex > Labels Template [Default]
  • GCP > Dataplex > Lake > Active
  • GCP > Dataplex > Lake > Active > Age
  • GCP > Dataplex > Lake > Active > Last Modified
  • GCP > Dataplex > Lake > Approved
  • GCP > Dataplex > Lake > Approved > Custom
  • GCP > Dataplex > Lake > Approved > Regions
  • GCP > Dataplex > Lake > Approved > Usage
  • GCP > Dataplex > Lake > CMDB
  • GCP > Dataplex > Lake > Labels
  • GCP > Dataplex > Lake > Labels > Template
  • GCP > Dataplex > Lake > Regions
  • GCP > Dataplex > Lake > Usage
  • GCP > Dataplex > Lake > Usage > Limit
  • GCP > Dataplex > Permissions
  • GCP > Dataplex > Permissions > Levels
  • GCP > Dataplex > Permissions > Levels > Modifiers
  • GCP > Dataplex > Regions
  • GCP > Dataplex > Task > Active
  • GCP > Dataplex > Task > Active > Age
  • GCP > Dataplex > Task > Active > Last Modified
  • GCP > Dataplex > Task > Approved
  • GCP > Dataplex > Task > Approved > Custom
  • GCP > Dataplex > Task > Approved > Regions
  • GCP > Dataplex > Task > Approved > Usage
  • GCP > Dataplex > Task > CMDB
  • GCP > Dataplex > Task > Labels
  • GCP > Dataplex > Task > Labels > Template
  • GCP > Dataplex > Task > Regions
  • GCP > Dataplex > Task > Usage
  • GCP > Dataplex > Task > Usage > Limit
  • GCP > Dataplex > Zone > Active
  • GCP > Dataplex > Zone > Active > Age
  • GCP > Dataplex > Zone > Active > Last Modified
  • GCP > Dataplex > Zone > Approved
  • GCP > Dataplex > Zone > Approved > Custom
  • GCP > Dataplex > Zone > Approved > Regions
  • GCP > Dataplex > Zone > Approved > Usage
  • GCP > Dataplex > Zone > CMDB
  • GCP > Dataplex > Zone > Labels
  • GCP > Dataplex > Zone > Labels > Template
  • GCP > Dataplex > Zone > Regions
  • GCP > Dataplex > Zone > Usage
  • GCP > Dataplex > Zone > Usage > Limit
  • GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-dataplex
  • GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-dataplex
  • GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-dataplex

Action Types

  • GCP > Dataplex > Lake > Delete
  • GCP > Dataplex > Lake > Router
  • GCP > Dataplex > Lake > Set Labels
  • GCP > Dataplex > Set API Enabled
  • GCP > Dataplex > Task > Delete
  • GCP > Dataplex > Task > Router
  • GCP > Dataplex > Task > Set Labels
  • GCP > Dataplex > Zone > Delete
  • GCP > Dataplex > Zone > Router
  • GCP > Dataplex > Zone > Set Labels

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage compute resources in Guardrails. This release includes breaking changes in the CMDB data for virtual machine. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below

Added:

In Azure > Compute > Disk:

  • supportedCapabilities.diskControllerTypes
  • diskIopsReadWrite
  • lastOwnershipUpdateTime

In Azure > Compute > Virtual Machine:

  • resources
  • timeCreated
  • etag

In Azure > Compute > Virtual Machine Scale Set:

  • constrainedMaximumCapacity
  • etag
  • scaleInPolicy
  • timeCreated
  • upgradePolicy
  • storageProfile. diskControllerType

In Azure > Compute > Snapshot:

  • dataAccessAuthMode
  • incrementalSnapshotFamilyId

Removed:

In Azure > Compute > Virtual Machine:

  • statuses.time

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage App Service resources in Guardrails.

Added:

Azure > App Service > App Service Plan

  • elasticScaleEnabled
  • numberOfWorkers
  • zoneRedundant

Azure > App Service > Function App

  • configuration.acrUseManagedIdentityCreds
  • configuration.acrUserManagedIdentityID
  • configuration.elasticWebAppScaleLimit
  • configuration.ipSecurityRestrictionsDefaultAction
  • configuration.metadata
  • configuration.minTlsCipherSuite
  • configuration.scmIpSecurityRestrictionsDefaultAction
  • dnsConfiguration
  • publicNetworkAccess
  • vnetBackupRestoreEnabled
  • vnetContentShareEnabled
  • vnetImagePullEnabled
  • vnetRouteAllEnabled

Azure > App Service > Web App

  • configuration.acrUseManagedIdentityCreds
  • configuration.acrUserManagedIdentityID
  • configuration.elasticWebAppScaleLimit
  • configuration.ipSecurityRestrictionsDefaultAction
  • configuration.metadata
  • configuration.minTlsCipherSuite
  • configuration.scmIpSecurityRestrictionsDefaultAction
  • dnsConfiguration
  • publicNetworkAccess
  • vnetBackupRestoreEnabled
  • vnetContentShareEnabled
  • vnetImagePullEnabled
  • vnetRouteAllEnabled

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage API Management resources in Guardrails.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below

Renamed:

  • JitNetworkAccessPolicies to jitNetworkAccessPolicies
  • Pricing to pricing
  • Locations to locations

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage MySQL resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Front Door Service resources in Guardrails. This release includes breaking changes in the CMDB data for Front Door Service. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

Added:

  • frontdoorId
  • rulesEngines
  • extendedProperties
  • backendPoolsSettings
  • backendPool.privateLinkAlias
  • backendPool.privateLinkLocation
  • backendPool.privateEndpointStatus
  • backendPool.privateLinkResourceId
  • backendPool.privateLinkApprovalMessage
  • routingRule.rulesEngine
  • routingRule.routeConfiguration.odataType
  • routingRule.routeConfiguration.cacheConfiguration.cacheDuration
  • routingRule.routeConfiguration.cacheConfiguration.queryParameters
  • routingRule.webApplicationFirewallPolicyLink

Modified:

  • routingRule.backendPool to routingRule.routeConfiguration.backendPool
  • routingRule.forwardingProtocol to routingRule.routeConfiguration.forwardingProtocol
  • routingRule.customForwardingPath to routingRule.routeConfiguration.customForwardingPath
  • routingRule.cacheConfiguration.dynamicCompression to routingRule.routeConfiguration.cacheConfiguration. dynamicCompression
  • routingRule.cacheConfiguration.queryParameterStripDirective to routingRule.routeConfiguration.cacheConfiguration. queryParameterStripDirective

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Data Factory resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage AKS resources in Guardrails.

Added:

  • networkProfile.podCidrs
  • networkProfile.ipFamilies
  • networkProfile.outboundType
  • networkProfile.serviceCidrs
  • networkProfile.networkPolicy
  • networkProfile.loadBalancerProfile.backendPoolType
  • networkProfile.loadBalancerProfile.countIPv6
  • networkProfile.loadBalancerProfile.idleTimeoutInMinutes
  • networkProfile.loadBalancerProfile.allocatedOutboundPorts
  • agentPoolProfiles.mode
  • agentPoolProfiles.osSKU
  • agentPoolProfiles.enableFips
  • agentPoolProfiles.osDiskType
  • agentPoolProfiles.spotMaxPrice
  • agentPoolProfiles.scaleDownMode
  • agentPoolProfiles.enableUltraSSD
  • agentPoolProfiles.kubeletDiskType
  • agentPoolProfiles.upgradeSettings.maxSurge
  • agentPoolProfiles.nodeImageVersion
  • agentPoolProfiles.enableEncryptionAtHost
  • agentPoolProfiles.currentOrchestratorVersion

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage SignalR resources in Guardrails.

Added:

  • hostNamePrefix
  • serverless. connectionTimeoutInSeconds

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Service Bus resources in Guardrails.

Added:

Azure > Service Bus > Namespace

  • disableLocalAuth
  • status
  • zoneRedundant

Azure > Service Bus > Queue

  • maxMessageSizeInKilobytes

Azure > Service Bus > Topic

  • maxMessageSizeInKilobytes

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Relay resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Recovery Service resources in Guardrails.

Added: Azure > Recovery Service > Vault

  • properties.backupStorageVersion
  • properties.bcdrSecurityLevel
  • properties.publicNetworkAccess
  • properties.restoreSettings
  • properties.secureScore
  • properties.securitySettings

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The AWS > RoboMaker > Robot Application > CMDB, AWS > RoboMaker > Fleet > CMDB and AWS > RoboMaker > Robot > CMDB policies will now be set to Skip by default because the resource types have been deprecated and will be removed in the next major version. Please check end of support for more information.

What's new?

  • Track and manage Fargate FIPS Mode for Gov cloud accounts via Guardrails. To get started, set the AWS > ECS > Account Settings > Fargate FIPS Mode policy.
  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Resource Types

  • AWS > ECS > Account Settings

Control Types

  • AWS > ECS > Account Settings > CMDB
  • AWS > ECS > Account Settings > Discovery
  • AWS > ECS > Account Settings > Fargate FIPS Mode

Policy Types

  • AWS > ECS > Account Settings > CMDB
  • AWS > ECS > Account Settings > Fargate FIPS Mode
  • AWS > ECS > Account Settings > Regions

Action Types

  • AWS > ECS > Account Settings > Router
  • AWS > ECS > Account Settings > Update Fargate FIPS Mode

What's new?

  • Server

    • Introduced support for multi-architecture images, now compatible with both ARM64 and x86_64.
    • Added a default resource query to the context of calculated policies.
    • Updated several node packages to newer versions for improved functionality and security.
    • Updated Lambda to support recursive loops.
  • UI

    • Now you can use the + sign to grant permissions in the context of both the identity and resource.
    • Updated several node packages to newer versions for improved functionality and security.

Bug fixes

  • Server

    • Azure Credential Resolver now respects proxy settings, adding full proxy support.
  • UI

    • Updated policy pack Terraform to correctly reference turbot_policy_pack.
    • Adjusted the Admin page layout for improved usability.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Enhancements

  • Added an optional param blocks to the post_message pipeline. (#24) (Thanks @johnlayton for the contribution!)

Bug fixes

  • resource/turbot_policy_pack_attachment: terraform apply failed to detect existing Policy Pack attachments. (#181)

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Insights resources in Guardrails. This release includes changes in the CMDB data as below.

Added:

  • flowType
  • requestSource

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Gateway resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Resource Types

  • AWS > Support

Policy Types

  • AWS > Support > API Enabled
  • AWS > Support > Enabled
  • AWS > Support > Permissions
  • AWS > Support > Permissions > Levels
  • AWS > Support > Permissions > Levels > Modifiers
  • AWS > Support > Permissions > Lockdown
  • AWS > Support > Permissions > Lockdown > API Boundary
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-support
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-support
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-support

What's new?

  • Users can now manage whether AWS/User grant should include support:* permissions. To get started, set the AWS > Account > Permissions > Support Level policy.

Policy Types

  • AWS > Account > Permissions > Support Level

Bug fixes

  • The AWS > Turbot > IAM stack control did not correctly evaluate user memberships in custom IAM groups when the AWS > Turbot > Permissions > Custom Group Levels [Account] policy was set, and users were granted permissions for those custom IAM groups. This issue has now been fixed.

Bug fixes

  • The AWS > EC2 > Volume > CMDB control would sometimes run unnecessarily due to a bad internal GraphQL dependency. This is now fixed.

Bug fixes

  • Fixed put_s3_bucket_encryption pipeline to correctly encrypt an S3 bucket without returning an error. (#68) (Thanks @gcasilva for the contribution!)

Bug fixes

  • A precheck dependency on the Kubernetes > Cluster > CMDB > Expiration policy was inadvertently added to the Kubernetes > Cluster > CMDB control. This precheck condition has now been removed.

Resource Types

  • GCP > Vertex AI
  • GCP > Vertex AI > Endpoint
  • GCP > Vertex AI > Notebook Runtime Template

Control Types

  • GCP > Vertex AI > API Enabled
  • GCP > Vertex AI > CMDB
  • GCP > Vertex AI > Discovery
  • GCP > Vertex AI > Endpoint > Active
  • GCP > Vertex AI > Endpoint > Approved
  • GCP > Vertex AI > Endpoint > CMDB
  • GCP > Vertex AI > Endpoint > Discovery
  • GCP > Vertex AI > Endpoint > Labels
  • GCP > Vertex AI > Endpoint > Usage
  • GCP > Vertex AI > Notebook Runtime Template > Active
  • GCP > Vertex AI > Notebook Runtime Template > Approved
  • GCP > Vertex AI > Notebook Runtime Template > CMDB
  • GCP > Vertex AI > Notebook Runtime Template > Discovery
  • GCP > Vertex AI > Notebook Runtime Template > Router
  • GCP > Vertex AI > Notebook Runtime Template > Usage

Policy Types

  • GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-vertexai
  • GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-vertexai
  • GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-vertexai
  • GCP > Vertex AI > API Enabled
  • GCP > Vertex AI > Approved Regions [Default]
  • GCP > Vertex AI > CMDB
  • GCP > Vertex AI > Enabled
  • GCP > Vertex AI > Endpoint > Active
  • GCP > Vertex AI > Endpoint > Active > Age
  • GCP > Vertex AI > Endpoint > Active > Last Modified
  • GCP > Vertex AI > Endpoint > Approved
  • GCP > Vertex AI > Endpoint > Approved > Custom
  • GCP > Vertex AI > Endpoint > Approved > Regions
  • GCP > Vertex AI > Endpoint > Approved > Usage
  • GCP > Vertex AI > Endpoint > CMDB
  • GCP > Vertex AI > Endpoint > Labels
  • GCP > Vertex AI > Endpoint > Labels > Template
  • GCP > Vertex AI > Endpoint > Regions
  • GCP > Vertex AI > Endpoint > Usage
  • GCP > Vertex AI > Endpoint > Usage > Limit
  • GCP > Vertex AI > Labels Template [Default]
  • GCP > Vertex AI > Notebook Runtime Template > Active
  • GCP > Vertex AI > Notebook Runtime Template > Active > Age
  • GCP > Vertex AI > Notebook Runtime Template > Active > Last Modified
  • GCP > Vertex AI > Notebook Runtime Template > Approved
  • GCP > Vertex AI > Notebook Runtime Template > Approved > Custom
  • GCP > Vertex AI > Notebook Runtime Template > Approved > Regions
  • GCP > Vertex AI > Notebook Runtime Template > Approved > Usage
  • GCP > Vertex AI > Notebook Runtime Template > CMDB
  • GCP > Vertex AI > Notebook Runtime Template > Regions
  • GCP > Vertex AI > Notebook Runtime Template > Usage
  • GCP > Vertex AI > Notebook Runtime Template > Usage > Limit
  • GCP > Vertex AI > Permissions
  • GCP > Vertex AI > Permissions > Levels
  • GCP > Vertex AI > Permissions > Levels > Modifiers
  • GCP > Vertex AI > Regions

Action Types

  • GCP > Vertex AI > Endpoint > Delete
  • GCP > Vertex AI > Endpoint > Router
  • GCP > Vertex AI > Endpoint > Set Labels
  • GCP > Vertex AI > Notebook Runtime Template > Delete
  • GCP > Vertex AI > Set API Enabled

What's new?

  • Added support to process real-time enable and disable events for Vertex AI API via Service Usage APIs.

What's new?

Bug fixes

  • Fixed the rules column in okta_signon_policy, okta_password_policy, okta_idp_discovery_policy and okta_authentication_policy tables to correctly return data instead of null. (#145)

Dependencies

All Pipes workspaces are now running Steampipe v0.24.0.

For more information on this Steampipe release, see the release notes.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Search Management resources in Guardrails.

Added:

  • authOptions
  • disableLocalAuth
  • encryptionWithCmk
  • networkRuleSet
  • privateEndpointConnections
  • publicNetworkAccess
  • semanticSearch
  • sharedPrivateLinkResources

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package.
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed pagination across all the tables. (#34)

Dependencies

What's new?

  • Initial release with support for installing Powerpipe and adding it to $PATH.

What's new?

  • Initial release with support for running Powerpipe benchmarks and controls, creating annotations for Infrastructure as Code (IaC) checks, and uploading snapshots to Turbot Pipes.

What's new?

Action Types

  • GCP > Storage > Bucket > Set Fine-grained Access Control
  • GCP > Storage > Bucket > Set Uniform Access Control

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Synapse Analytics resources in Guardrails.

Added: Azure > Synapse Analytics > Workspace

  • azureADOnlyAuthentication
  • createManagedPrivateEndpoint
  • encryption
  • extraProperties
  • publicNetworkAccess
  • settings
  • trustedServiceBypassEnabled
  • workspaceUID

Azure > Synapse Analytics > SQL Pool

  • storageAccountType

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

Action Types

  • Azure > Storage > Storage Account > Set Minimum TLS Version

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage PostgreSQL resources in Guardrails. This release includes breaking changes in the CMDB data for server and flexible server. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below

Added:

  • authConfig

  • dataEncryption

  • standbyAvailabilityZone

  • network. delegatedSubnetResourceId

  • network. privateDnsZoneArmResourceId

  • replicaCapacity

  • replicationRole

  • systemData

  • configurations.documentationLink

  • configurations.isConfigPendingRestart

  • configurations.isDynamicConfig

  • configurations.isReadOnly

  • configurations.unit

Modified:

  • The data type of the attribute firewallRules has been changed from array ([]) to object ({}).

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Network Watcher resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • Fixed an issue where credentials from the imported foreign schema were lost after restarting the session in the Postgres FDW extension of the plugin. (#2275)

Dependencies

What's new?

Enhancements

  • Added connection_info column to the gcp_alloydb_instance table. (#651)

Bug fixes

  • Removed the name column from the gcp_bigquery_table table since the API response did not include this field. (#648)

Dependencies

Enhancements

  • Added the event_region column to the aws_health_event table. (#2293)
  • Added the location_type column to the aws_ec2_instance_type table. (#2294)

Bug fixes

  • Removed unnecessary hydration of the instance_type column in aws_ec2_instance_type table. (#2294)
  • Fixed an issue where credentials from import foreign schema were lost after restarting session in the Posgres FDW extensions of the plugin. (#2275)

Bug fixes

  • Fixed the CLI to correctly display the latest released version when using the steampipe -v command. (#4388)

Bug fixes

  • Fixed an issue where Steampipe failed to download the embedded PostgreSQL database and FDW during installation. (#4382)

Deprecations

Bug fixes

  • Fixed secret references for AWS creds in README.

Dependencies

  • Bumped @actions/core from v0.10.0 to v0.10.1.
  • Bumped @vercel/ncc from v0.38.0 to v0.38.1.
  • Bumped actions/setup-node from 3 to 4. (#95)
  • Bumped actions/upload-artifact from 3 to 4. (#100)
  • Bumped braces from 3.0.2 to 3.0.3. (#109)
  • Bumped eslint from 8.52.0 to 8.56.0. (#101)
  • Bumped eslint from 8.56.0 to 9.2.0. (#108)
  • Bumped github/codeql-action from 2 to 3. (#99)
  • Bumped semver from v7.5.4 to v7.6.3.
  • Update to node v20 in action and check-dist workflow (#104) (Thanks @francois2metz for the contribution!)

Bug fixes

  • trigger introspection output correctly shows param attribute. (#900)

Bug fixes

  • The serviceProperties.table.clientRequestId and serviceProperties.table.requestId properties for storage accounts have now been made dynamic to avoid unnecessary notifications in the activity tab.

Bug fixes

  • Fixed incorrect references to various Quick Actions.

Whats new

  • Added the ability to configure plugin startup timeout. (#4320)
  • Installed FDW and embedded Postgres database from GHCR instead of GCP. (#4344)
  • Updated query JSON output format to add a columns property containing the column information. This allows us to handle duplicate column names by appending a unique suffix to duplicate column name (#4317)

Existing query JSON format:

$ steampipe query "select account_id, arn from aws_account" --output json
{
"rows": [
{
"account_id": "123456789012",
"arn": "arn:aws:::123456789012"
}
]
}

New query JSON format(with new columns property):

$ steampipe query "select account_id, arn from aws_account" --output json
{
"columns": [
{
"name": "account_id",
"data_type": "text"
},
{
"name": "arn",
"data_type": "text"
}
],
"rows": [
{
"account_id": "123456789012",
"arn": "arn:aws:::123456789012"
}
]
}

Bug fixes

  • Fixed the issue where the plugin manager was incorrectly reporting a shutdown. (#4365)

What's new?

  • tags argument in pipeline param and mod variable resources. (#898).
  • Updated Docker dependency to v27.1.2.

What's new?

Policy Types

  • Kubernetes > Cluster > ServiceNow > Import Set > Insert Mode
  • Kubernetes > ConfigMap > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Deployment > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Namespace > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Node > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Pod > ServiceNow > Import Set > Insert Mode
  • Kubernetes > ReplicaSet > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Service > ServiceNow > Import Set > Insert Mode

Bug fixes

  • Improved error handling for osquery error events.

Bug fixes

  • Query controls for various resource types will now go into an invalid state if we receive an error from the osquery agent.

What's new?

Enhancements

  • Added time_created column to the azure_compute_virtual_machine table. (#831)
  • Added ip_configuration, linked_public_ip_address, nat_gateway and service_public_ip_address columns to the azure_public_ip table. (#836)
  • Added 20 new columns to the azure_postgresql_flexible_server table. (#824)

Bug fixes

  • Fixed the ip_configurations column of the azure_subnet table to correctly return data instead of null. (#822)
  • Fixed the web_application_firewall_configuration column of azure_application_gateway table to correctly return data instead of null. (#835)

Dependencies

  • Recompiled plugin with Go version 1.22. (#832)
  • Recompiled plugin with steampipe-plugin-sdk v5.10.4 that fixes logging in the plugin export tool.
  • Updated the azure_mysql_flexible_server and azure_postgresql_flexible_server tables to use the new Azure ARM Go package. (#820)

What's new?

Enhancements

  • Updated the aws_ec2_ami table to correctly return disabled AMIs on passing the disabled value to the state optional qual (where state = 'disabled'). (#2277)
  • Added 100+ new columns across all tables per AWS Go SDK v2 1.27.0. (#2139)

Dependencies

Bug fixes

  • source attribute in function step is now evaluated relative to the its mod directory rather than the root mod directory. (#895).

What's new?

  • Added Australian Cyber Security Center (ACSC) Essential Eight benchmark (powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight). (#823)

What's new?

Policy Types

  • GCP > Storage > Bucket > ServiceNow > Import Set > Insert Mode
  • GCP > Storage > Object > ServiceNow > Import Set > Insert Mode

Control Types

  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set

Policy Types

  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Archive Columns
  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Insert Mode
  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Record
  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Table Name
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Archive Columns
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Insert Mode
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Record
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Table Name
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Archive Columns
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Insert Mode
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Record
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Table Name
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Archive Columns
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Insert Mode
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Record
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Table Name

What's new?

Policy Types

  • GCP > Global Region > ServiceNow > Import Set > Insert Mode
  • GCP > Multi-Region > ServiceNow > Import Set > Insert Mode
  • GCP > Project > ServiceNow > Import Set > Insert Mode
  • GCP > Region > ServiceNow > Import Set > Insert Mode
  • GCP > Zone > ServiceNow > Import Set > Insert Mode

Control Types

  • Azure > AKS > Managed Cluster > ServiceNow > Import Set

Policy Types

  • Azure > AKS > Managed Cluster > ServiceNow > Import Set
  • Azure > AKS > Managed Cluster > ServiceNow > Import Set > Archive Columns
  • Azure > AKS > Managed Cluster > ServiceNow > Import Set > Insert Mode
  • Azure > AKS > Managed Cluster > ServiceNow > Import Set > Record
  • Azure > AKS > Managed Cluster > ServiceNow > Import Set > Table Name

What's new?

Policy Types

  • Azure > Subscription > ServiceNow > Import Set > Insert Mode

What's new?

Policy Types

  • ServiceNow > Import Set > Insert Mode [Default]

Bug fixes

  • Guardrails did not correctly raise the real-time modifyVolume event for EBS Volume Notifications. This issue is now fixed.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

Action Types

  • AWS > SWF > Domain > Delete from AWS

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

Bug fixes

  • Fixed incorrect references to various Quick Actions.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • Volume's metadata will now also include createdBy details in Guardrails CMDB.
  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • The AWS > EC2 > Volume > Performance Configuration control would sometimes fail to set the expected configuration per AWS > EC2 > Volume > Performance Configuration > * policies and move to an Invalid state if the required data was not available for new volumes in the CMDB. The control will now move to TBD instead and retry after 5 minutes to fetch the required data correctly and set the performance configuration as expected.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Enhancements

  • The VPC Security Group detail page now includes information on the following associated services: (#352) (Thanks @maxcorbin for the contribution!)
    • Amazon MQ broker
    • ECS service
    • ECS task

GCP integrations now make use of temporary credentials via service account impersonation using the Service Account Token Creator role.

For more information, check out the docs.

What's new?

  • trigger list command includes triggers from root mod's immediate dependencies. (#892).

Bug fixes

  • Function step will no longer randomly fail in slower host machines. (#888).
  • Mod variable definition now matches Powerpipe's definition. (#889).

What's new?

  • The Azure > Storage> Storage Account > CMDB control will now also fetch diagnostic settings details and store them in CMDB.
  • Track and manage storage account access keys in Guardrails CMDB.

Resource Types

  • Azure > Storage > Access Key

Control Types

  • Azure > Storage > Access Key > CMDB
  • Azure > Storage > Access Key > Discovery

Policy Types

  • Azure > Storage > Access Key > CMDB

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed the AKA format for rule group v2 global and regional resource types.

What's new?

  • Added SOC2 2017 benchmark (powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017). (#181)

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Control Types

  • GCP > Global Region > ServiceNow
  • GCP > Global Region > ServiceNow > Configuration Item
  • GCP > Global Region > ServiceNow > Import Set
  • GCP > Global Region > ServiceNow > Table
  • GCP > Multi-Region > ServiceNow
  • GCP > Multi-Region > ServiceNow > Configuration Item
  • GCP > Multi-Region > ServiceNow > Import Set
  • GCP > Multi-Region > ServiceNow > Table
  • GCP > Region > ServiceNow
  • GCP > Region > ServiceNow > Configuration Item
  • GCP > Region > ServiceNow > Import Set
  • GCP > Region > ServiceNow > Table
  • GCP > Zone > ServiceNow
  • GCP > Zone > ServiceNow > Configuration Item
  • GCP > Zone > ServiceNow > Import Set
  • GCP > Zone > ServiceNow > Table

Policy Types

  • GCP > Global Region > ServiceNow
  • GCP > Global Region > ServiceNow > Configuration Item
  • GCP > Global Region > ServiceNow > Configuration Item > Record
  • GCP > Global Region > ServiceNow > Configuration Item > Table Definition
  • GCP > Global Region > ServiceNow > Import Set
  • GCP > Global Region > ServiceNow > Import Set > Archive Columns
  • GCP > Global Region > ServiceNow > Import Set > Record
  • GCP > Global Region > ServiceNow > Import Set > Table Name
  • GCP > Global Region > ServiceNow > Table
  • GCP > Global Region > ServiceNow > Table > Definition
  • GCP > Multi-Region > ServiceNow
  • GCP > Multi-Region > ServiceNow > Configuration Item
  • GCP > Multi-Region > ServiceNow > Configuration Item > Record
  • GCP > Multi-Region > ServiceNow > Configuration Item > Table Definition
  • GCP > Multi-Region > ServiceNow > Import Set
  • GCP > Multi-Region > ServiceNow > Import Set > Archive Columns
  • GCP > Multi-Region > ServiceNow > Import Set > Record
  • GCP > Multi-Region > ServiceNow > Import Set > Table Name
  • GCP > Multi-Region > ServiceNow > Table
  • GCP > Multi-Region > ServiceNow > Table > Definition
  • GCP > Region > ServiceNow
  • GCP > Region > ServiceNow > Configuration Item
  • GCP > Region > ServiceNow > Configuration Item > Record
  • GCP > Region > ServiceNow > Configuration Item > Table Definition
  • GCP > Region > ServiceNow > Import Set
  • GCP > Region > ServiceNow > Import Set > Archive Columns
  • GCP > Region > ServiceNow > Import Set > Record
  • GCP > Region > ServiceNow > Import Set > Table Name
  • GCP > Region > ServiceNow > Table
  • GCP > Region > ServiceNow > Table > Definition
  • GCP > Zone > ServiceNow
  • GCP > Zone > ServiceNow > Configuration Item
  • GCP > Zone > ServiceNow > Configuration Item > Record
  • GCP > Zone > ServiceNow > Configuration Item > Table Definition
  • GCP > Zone > ServiceNow > Import Set
  • GCP > Zone > ServiceNow > Import Set > Archive Columns
  • GCP > Zone > ServiceNow > Import Set > Record
  • GCP > Zone > ServiceNow > Import Set > Table Name
  • GCP > Zone > ServiceNow > Table
  • GCP > Zone > ServiceNow > Table > Definition

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

What's new?

  • You can now configure parameter groups for DB clusters. To get started, set the AWS > RDS > DB Cluster > Parameter Group > * policies.

Control Types

  • AWS > RDS > DB Cluster > Parameter Group

Policy Types

  • AWS > RDS > DB Cluster > Parameter Group
  • AWS > RDS > DB Cluster > Parameter Group > Name

Action Types

  • AWS > RDS > DB Cluster > Update Parameter Group

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Whats new

  • Added JSON extension support for DuckDB backends. (#467)

Bug fixes

  • Fixed the incorrect mod reference in the output of powerpipe help command. (#471)

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • Added detect_and_correct_sql_database_instances_with_incorrect_labels pipleine for SQL Database Instance. (#6)

Enhancements

  • Added a default value for the base_label_rules variable. (#7)

Enhancements

  • Added a default value for the base_tag_rules variable. (#18)

Enhancements

  • Added a default value for the base_tag_rules variable. (#28)

Bug fixes

  • Fixed an issue where Steampipe failed to create a new connection if it was outside the defined search path. (#4353)

Bug fixes

  • Server

    • Resolved an issue where policy values were not being terminated due to a race condition.
    • The ServiceNow credentials resolver will now display a clear message when the instance is hibernate or unavailable state.
  • UI

    • Fixed an issue where filters on the Resource Explorer page were not functioning correctly.
    • The Import button on the Connect page has been updated to Connect.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • We have updated various policies set during project imports to allow for a smoother import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • You can now configure Master Authorized Networks for region and zone clusters via Guardrails. To get started, set the GCP > Kubernetes Engine > Region Cluster > Master Authorized Networks Config and GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config policies respectively.

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Control Types

  • GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config

Policy Types

  • GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config

Action Types

  • GCP > Kubernetes Engine > Region Cluster > Set Desired Master Authorized Network Config
  • GCP > Kubernetes Engine > Zone Cluster > Set Desired Master Authorized Network Config

What's new?

  • We have updated various policies set during subscription imports to allow for a smoother import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Resource Types

  • Azure > Network > Private Link Service

Control Types

  • Azure > Network > Private Link Service > Active
  • Azure > Network > Private Link Service > Approved
  • Azure > Network > Private Link Service > CMDB
  • Azure > Network > Private Link Service > Discovery
  • Azure > Network > Private Link Service > Tags

Policy Types

  • Azure > Network > Private Link Service > Active
  • Azure > Network > Private Link Service > Active > Age
  • Azure > Network > Private Link Service > Active > Last Modified
  • Azure > Network > Private Link Service > Approved
  • Azure > Network > Private Link Service > Approved > Custom
  • Azure > Network > Private Link Service > Approved > Regions
  • Azure > Network > Private Link Service > Approved > Usage
  • Azure > Network > Private Link Service > CMDB
  • Azure > Network > Private Link Service > Regions
  • Azure > Network > Private Link Service > Tags
  • Azure > Network > Private Link Service > Tags > Template

Action Types

  • Azure > Network > Private Link Service > Delete
  • Azure > Network > Private Link Service > Router
  • Azure > Network > Private Link Service > Set Tags

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • In version 5.25.0, we added support to ignore permission errors on a bucket via the CMDB policy Enforce: Enabled but ignore permission errors. However, the CMDB control previously ignored permission errors only on the HeadBucket operation and still entered an error state for permission errors on sub-API calls. The CMDB control will now ignore all sub-API calls if the HeadBucket operation is denied access. If the HeadBucket operation is successful, the control will attempt to make all sub-API calls and ignore access denied errors if encountered.

Bug fixes

  • Complex nested map data type in pipeline param no longer fails with a mismatched types error. (#879).

What's new?

  • On-demand trigger execution. (#864).
  • param support for trigger. (#840).

Bug fixes

  • Complex data type in pipeline param no longer fails with a mismatched types error. (#879).
  • Pipeline param default value is not nested in a map data type. (#880).

Whats new

  • Recompiled CLI with Go v1.22. (#448)

Bug fixes

  • Fixed issue where CLI notifications interfered with the Powerpipe JSON outputs resulting in invalid JSON outputs. (#452)
  • Fixed an issue where Powerpipe crashed when running a benchmark with the --dry-run flag set. (#455)

What's new?

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Resource Types

  • Azure > Provider > Container Registry

Control Types

  • Azure > Provider > Container Registry > CMDB
  • Azure > Provider > Container Registry > Discovery
  • Azure > Provider > Container Registry > Registered

Policy Types

  • Azure > Provider > Container Registry > CMDB
  • Azure > Provider > Container Registry > Registered

Action Types

  • Azure > Provider > Container Registry > Set Registered

Resource Types

  • Azure > Container Registry
  • Azure > Container Registry > Registry

Control Types

  • Azure > Container Registry > Registry > Active
  • Azure > Container Registry > Registry > Approved
  • Azure > Container Registry > Registry > CMDB
  • Azure > Container Registry > Registry > Discovery
  • Azure > Container Registry > Registry > Tags

Policy Types

  • Azure > Container Registry > Approved Regions [Default]
  • Azure > Container Registry > Enabled
  • Azure > Container Registry > Permissions
  • Azure > Container Registry > Permissions > Levels
  • Azure > Container Registry > Permissions > Levels > Modifiers
  • Azure > Container Registry > Regions
  • Azure > Container Registry > Registry > Active
  • Azure > Container Registry > Registry > Active > Age
  • Azure > Container Registry > Registry > Active > Last Modified
  • Azure > Container Registry > Registry > Approved
  • Azure > Container Registry > Registry > Approved > Custom
  • Azure > Container Registry > Registry > Approved > Regions
  • Azure > Container Registry > Registry > Approved > Usage
  • Azure > Container Registry > Registry > CMDB
  • Azure > Container Registry > Registry > Regions
  • Azure > Container Registry > Registry > Tags
  • Azure > Container Registry > Registry > Tags > Template
  • Azure > Container Registry > Tags Template [Default]
  • Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-containerregistry
  • Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-containerregistry

Action Types

  • Azure > Container Registry > Registry > Delete
  • Azure > Container Registry > Registry > Router
  • Azure > Container Registry > Registry > Set Tags

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The AWS > VPC > VPC > Stack control would sometimes go into an error state while upserting newly created flow logs in Guardrails due to incorrect mapping of its parent resource. This issue has now been fixed, and the control will upsert flow logs more consistently and reliably than before.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

What's new?

  • Added support for Postgres versions 13.14, 13.15, 13.16, 14.11, 14.12, 14.13 and 15.8.
  • Updated Default value for the RDS certificate to rds-ca-rsa4096-g1.

5.0.0 (2024-08-13)

Resource Types

  • Azure > Managed Identity
  • Azure > Managed Identity > User Assigned Identity

Control Types

  • Azure > Managed Identity > User Assigned Identity > Active
  • Azure > Managed Identity > User Assigned Identity > Approved
  • Azure > Managed Identity > User Assigned Identity > CMDB
  • Azure > Managed Identity > User Assigned Identity > Discovery
  • Azure > Managed Identity > User Assigned Identity > Tags

Policy Types

  • Azure > Managed Identity > Approved Regions [Default]
  • Azure > Managed Identity > Enabled
  • Azure > Managed Identity > Permissions
  • Azure > Managed Identity > Permissions > Levels
  • Azure > Managed Identity > Permissions > Levels > Modifiers
  • Azure > Managed Identity > Regions
  • Azure > Managed Identity > Tags Template [Default]
  • Azure > Managed Identity > User Assigned Identity > Active
  • Azure > Managed Identity > User Assigned Identity > Active > Age
  • Azure > Managed Identity > User Assigned Identity > Active > Last Modified
  • Azure > Managed Identity > User Assigned Identity > Approved
  • Azure > Managed Identity > User Assigned Identity > Approved > Custom
  • Azure > Managed Identity > User Assigned Identity > Approved > Regions
  • Azure > Managed Identity > User Assigned Identity > Approved > Usage
  • Azure > Managed Identity > User Assigned Identity > CMDB
  • Azure > Managed Identity > User Assigned Identity > Regions
  • Azure > Managed Identity > User Assigned Identity > Tags
  • Azure > Managed Identity > User Assigned Identity > Tags > Template
  • Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-managedidentity
  • Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-managedidentity

Action Types

  • Azure > Managed Identity > User Assigned Identity > Delete
  • Azure > Managed Identity > User Assigned Identity > Router
  • Azure > Managed Identity > User Assigned Identity > Set Tags

Whats new

  • Recompiled CLI with Go v1.22. (#4340)

Bug fixes

  • Fixed query error message to not include internal function names. (#4335)

What's new?

  • Added CIS AWS Compute Services v1.0.0 benchmark (powerpipe benchmark run aws_compliance.benchmark.cis_compute_service_v100). (#814)

Bug fixes

  • Fixed iam_root_user_hardware_mfa_enabled query to correctly return ok when hardware MFA is enabled for the root user. (#815)

What's new?

  • The AWS > Turbot > Logging > Bucket > Default Encryption policy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via the AWS > Turbot > Logging > Bucket stack control will now be encrypted by AWS SSE by default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the @turbot/aws-s3 mod to v5.26.0 for the stack control to work reliably as before.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Policy Types

Renamed

  • AWS > Turbot > Logging > Bucket > Default Encryption to AWS > Turbot > Logging > Bucket > Default Encryption [Deprecated]

What's new?

  • Added support for aws_s3_bucket_ownership_controls Terraform resource for buckets.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • Users can now configure the Terraform version for the AWS > Config > Configuration Recording stack control. To get started, set the AWS > Config > Configuration Recording > Terraform Version policy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably.

Policy Types

  • AWS > Config > Configuration Recording > Terraform Version

What's new?

Enhancements

  • The euuid column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linode accounts. (#56)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#60)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

What's new?

  • Users can now create and manage labels on Pub/Sub topics created via the GCP > Turbot > Event Handlers > Pub/Sub control. To get started, set the GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels policy.

Policy Types

  • GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Labels > Ignore Changes
  • GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels
  • GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels > Ignore Changes

Bug fixes

  • Guardrails failed to cleanup deleted security group rules via the real-time ec2:RevokeSecurityGroupEgress and ec2:RevokeSecurityGroupIngress events. This issue is now fixed.

Bug fixes

  • The AWS > Turbot > Event Handlers control did not correctly raise the real-time CreateTags and DeleteTags events for VPC security group rules. This issue is now fixed.

Bug fixes

  • Fixed the okta_factor table to correctly return data instead of a nil pointer dereference error. (#137)
  • Fixed the caching issue in the standalone plugin FDW extensions. (#480)

Enhancements

  • Added the GetConfig in the github_repository_content table. (#445)

Bug fixes

  • Fixed the caching issue in the standalone plugin FDW extensions. (#480)

Enhancements

  • Added Reader and Data Access role assignment information to the docs/index.md file. (#811)

Bug fixes

  • Fixed the azure_compute_virtual_machine table to correctly populate the guest_configuration_assignments column across all Azure environments. (#816)
  • Fixed the azure_role_assignment table to correctly return the result while using any mode of plugin authentication. (#809)
  • Fixed the paging issue in the azure_monitor_activity_log_event table. (#810)
  • Fixed the caching issue in the standalone plugin FDW extensions. (#480)

Enhancements

  • Added location_type column as an optional qual to the aws_ec2_instance_availability table and 6 new columns to the aws_ec2_instance_type table. (#2078)
  • Updated docs for aws_appautoscaling_policy and aws_appautoscaling_target tables to add information on required quals. (#2247)
  • Added the type column as an optional qual to the aws_auditmanager_control table. (#2254)

Bug fixes

  • Fixed the GetConfig definition of the aws_auditmanager_control table to correctly return data instead of an error. (#2254)
  • Fixed the aws_kms_key_rotation table to correctly return nil whenever an AccessDeniedException error is returned by the API. (#2253)
  • Fixed the caching issue in the standalone plugin FDW extensions. (#480)

What's new?

  • Users can now configure flow logging for subnetworks. To get started, set the GCP > Network > Subnetwork > Flow Log policy.

Control Types

  • GCP > Network > Subnetwork > Flow Log

Policy Types

  • GCP > Network > Subnetwork > Flow Log

Action Types

  • GCP > Network > Subnetwork > Set Flow Log

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

Resource Types

  • Azure > Provider > Elastic
  • Azure > Provider > Managed Identity

Control Types

  • Azure > Provider > Elastic > CMDB
  • Azure > Provider > Elastic > Discovery
  • Azure > Provider > Elastic > Registered
  • Azure > Provider > Managed Identity > CMDB
  • Azure > Provider > Managed Identity > Discovery
  • Azure > Provider > Managed Identity > Registered

Policy Types

  • Azure > Provider > Elastic > CMDB
  • Azure > Provider > Elastic > Registered
  • Azure > Provider > Managed Identity > CMDB
  • Azure > Provider > Managed Identity > Registered

Action Types

  • Azure > Provider > Elastic > Set Registered
  • Azure > Provider > Managed Identity > Set Registered

Bug fixes

  • The variable command no longer fails if the .flowpipe directory in the user's home directory is not created yet. (#872).

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • You can now disable inactive or unapproved service accounts via Guardrails. To get started, set the GCP > IAM > Service Account > Active or GCP > IAM > Service Account > Approved policy to Enforce: Disable inactive with <x> days warning or Enforce: Disable unapproved respectively.

Action Types

  • GCP > IAM > Service Account > Disable

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

Bug fixes

  • The AWS > ECR > Repository > CMDB control went into an error state for shared repositories upserted incorrectly in Guardrails CMDB. Shared repositories will now not be upserted under shared accounts or regions, but will only be upserted under their owner accounts and regions.

Bug fixes

  • Guardrails failed to process the real-time event ec2:CreateReplaceRootVolumeTask for instances. This is now fixed.

Enhancements

  • Added the following controls to the All Controls benchmark: (#176)
    • alloydb_instance_log_error_verbosity_database_flag_default_or_stricter
    • alloydb_instance_log_min_error_statement_database_flag_configured
    • alloydb_instance_log_min_messages_database_flag_error

Enhancements

  • Added the following controls to the All Controls benchmark: (#274)
    • application_gateway_waf_uses_specified_mode
    • application_insights_block_log_ingestion_and_querying_from_public
    • log_analytics_workspace_block_log_ingestion_and_querying_from_public
    • log_analytics_workspace_block_non_azure_ingestion

Bug fixes

  • Fixed the storage_account_block_public_access query to correctly check if the public_network_access column of the azure_storage_account table is correctly set to disabled or not as per the CIS documentation. (#277)

What's new?

  • Added NIST 800-172 benchmark (powerpipe benchmark run aws_compliance.benchmark.nist_800_172). (#807)

Bug fixes

  • Fixed sqs_queue_encrypted_at_rest query to ensure queues using SQS-SSE encryption at rest remain in an ok state instead of alarm. (#805) (Thanks @duncward for the contribution!)

v0.14.0 of the Terraform Provider for Pipes is now available.

Breaking Changes

  • Functionality for resource resources/pipes_workspace_connection moved to manage connections at the workspace level. Previously, the resource used to manage attachment of connections to the workspace defined at the respective identity level. Please follow the migration guide for migrating your existing configuration into the new model.
  • Resource resources/pipes_connection does not support management of user level connections in line with changes in Pipes.

What's new?

  • Resource pipes_organization_connection
  • Resource pipes_organization_connection_folder
  • Resource pipes_organization_connection_folder_permission
  • Resource pipes_organization_connection_permission
  • Resource pipes_organization_integration
  • Resource pipes_tenant_connection
  • Resource pipes_tenant_connection_folder
  • Resource pipes_tenant_connection_folder_permission
  • Resource pipes_tenant_connection_permission
  • Resource pipes_tenant_integration
  • Resource pipes_user_integration
  • Resource pipes_workspace_connection_folder
  • Resource pipes_workspace_schema

Enhancements

  • Resource resources/pipes_workspace_mod add support for storing attribute state_reason

v0.10.0 of the Pipes SDK Go is now available.

What's new?

  • Intregation Management APIs for Tenants, Users, Organizations, UserWorkspaces and OrgWorkspaces.
  • Tenant Connection Management APIs.
  • Tenant Connection Folder Management APIs.
  • User Connection Folder Management APIs.
  • Organization Connection Management APIs.
  • Organization Connection Folder Management APIs.
  • Workspace Connection Management APIs.
  • Workspace Connection Folder Management APIs.
  • Permission Management APIs for Connections and ConnectionFolders.

Enhancements

  • Add support for installing mods that are associated to integrations.
  • Add support for setting search path prefix for a workspace.

What's new?

  • Server

    • Made notifications faster by improving the query, which enhances the performance of the resource activity tab.
  • UI

    • Fixed a bug where policy pack creation would fail if the AKA was not provided from the user interface.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Azure > Resource Group > ServiceNow > Configuration Item control would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Control Types

  • GCP > Project > ServiceNow > Import Set

Policy Types

  • GCP > Project > ServiceNow > Import Set
  • GCP > Project > ServiceNow > Import Set > Archive Columns
  • GCP > Project > ServiceNow > Import Set > Record
  • GCP > Project > ServiceNow > Import Set > Table Name

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to poll events from Azure Monitor and process them in Guardrails. You won't notice any difference, and things will continue to work smoothly as before.

What's new?

  • AWS/DynamoDB/Admin, AWS/DynamoDB/Metadata and AWS/DynamoDB/Operator now include permissions for Resource Policy, Imports, Time to Live and Global Table Version.

Breaking changes

  • Removed the following columns in gcp_cloudfunctions_function table to align with the new API response structure: (#612)
    • environment_variables
    • source_upload_url
    • version_id

What's new?

  • Added the impersonate_access_token config argument to support plugin authentication by using a pre-generated temporary access token. (#621)

Enhancements

  • Added 17 new columns to the gcp_cloudfunctions_function table. (#612)

Bug fixes

  • Fixed the cache key issue in the SecretManager service client creation. (#624)

What's new?

Control Types

  • Azure > Network > Network Security Group > ServiceNow > Import Set

Policy Types

  • Azure > Network > Network Security Group > ServiceNow > Import Set
  • Azure > Network > Network Security Group > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Network Security Group > ServiceNow > Import Set > Record
  • Azure > Network > Network Security Group > ServiceNow > Import Set > Table Name

What's new?

Control Types

  • Azure > Subscription > ServiceNow > Import Set

Policy Types

  • Azure > Subscription > ServiceNow > Import Set
  • Azure > Subscription > ServiceNow > Import Set > Archive Columns
  • Azure > Subscription > ServiceNow > Import Set > Record
  • Azure > Subscription > ServiceNow > Import Set > Table Name

What's new?

  • Users can now enable/disable Table logging for Storage Accounts via Azure > Storage > Storage Account > Table > Logging control. To get started, set the Azure > Storage > Storage Account > Table > Logging policy.

Control Types

  • Azure > Storage > Storage Account > Encryption at Rest
  • Azure > Storage > Storage Account > Table
  • Azure > Storage > Storage Account > Table > Logging

Policy Types

  • Azure > Storage > Storage Account > Encryption at Rest
  • Azure > Storage > Storage Account > Encryption at Rest > Customer Managed Key
  • Azure > Storage > Storage Account > Table
  • Azure > Storage > Storage Account > Table > Logging
  • Azure > Storage > Storage Account > Table > Logging > Properties
  • Azure > Storage > Storage Account > Table > Logging > Retention Days

Action Types

  • Azure > Storage > Storage Account > Update Encryption at Rest

  • Azure > Storage > Storage Account > Update Storage Account Table Logging

  • The Storage Account CMDB data will now also include information about the account's table service properties.

  • We've removed the dependency on listKeys permission for Azure > Storage Account > Container > Discovery to run its course to completion. This release includes breaking changes in the CMDB data for containers. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

Renamed: isImmutableStorageWithVersioningEnabled to isImmutableStorageWithVersioning.enabled

Removed: preventEncryptionScopeOverride

Bug fixes

  • The Azure > Storage > Storage Account > CMDB control would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access for listKeys, and will run its course to completion without going into an error state.

Bug fixes

  • Improved error message for the AWS > S3 > Bucket > CMDB control if it would go into an error state due to insufficient permissions for the headBucket operation.

What's new?

  • Server
    • Migrated from Node.js 18 to Node.js 20 for improved performance and security.
    • Updated the Mod Lambda architecture to ARM64 for better efficiency.
    • Added support for Node.js 20 in the Lambda runtime.

Bug fixes

  • Server
    • Resolved an issue where the next tick timestamp was not being set for large commands

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • UI
    • Resolved deletion issue from UI for Policy Packs with latest Turbot Mod(5.45.0) and TE 5.45.0.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Fixed the issue where the --arg flag was not working for control and query runs. (#439)
  • Fixed data inconsistency issue in snapshot output when the same control was included in multiple benchmarks. (#436)

Import a tree of folders and projects as Pipes connections, control permissions for workspaces, and auto-create aggregators.

For more information, see the launch post or check out the docs.

You can now create connections at the custom tenant, organization or workspace level in Pipes, along with grouping of these within folders to allow easier sharing of related connections.

This is coupled with a fine-grained permissions model, allowing you to share connections & folders broadly across a custom tenant, or restrict access to specific organizations and/or their workspaces.

For more information, check out the docs:

Import a tree of management groups and subscriptions as Pipes connections, control permissions for workspaces, and auto-create aggregators.

For more information, see the launch post or check out the docs.

Import a tree of OUs and accounts as Pipes connections, control permissions for workspaces, and auto-create aggregators.

For more information, see the launch post or check out the docs.

What's new?

Control Types

  • Kubernetes > CronJob > ServiceNow
  • Kubernetes > CronJob > ServiceNow > Configuration Item
  • Kubernetes > CronJob > ServiceNow > Table
  • Kubernetes > DaemonSet > ServiceNow
  • Kubernetes > DaemonSet > ServiceNow > Configuration Item
  • Kubernetes > DaemonSet > ServiceNow > Table
  • Kubernetes > Ingress > ServiceNow
  • Kubernetes > Ingress > ServiceNow > Configuration Item
  • Kubernetes > Ingress > ServiceNow > Table
  • Kubernetes > Job > ServiceNow
  • Kubernetes > Job > ServiceNow > Configuration Item
  • Kubernetes > Job > ServiceNow > Table
  • Kubernetes > Persistent Volume > ServiceNow
  • Kubernetes > Persistent Volume > ServiceNow > Configuration Item
  • Kubernetes > Persistent Volume > ServiceNow > Table
  • Kubernetes > ReplicationController > ServiceNow
  • Kubernetes > ReplicationController > ServiceNow > Configuration Item
  • Kubernetes > ReplicationController > ServiceNow > Table
  • Kubernetes > StatefulSet > ServiceNow
  • Kubernetes > StatefulSet > ServiceNow > Configuration Item
  • Kubernetes > StatefulSet > ServiceNow > Table

Policy Types

  • Kubernetes > CronJob > ServiceNow
  • Kubernetes > CronJob > ServiceNow > Configuration Item
  • Kubernetes > CronJob > ServiceNow > Configuration Item > Record
  • Kubernetes > CronJob > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > CronJob > ServiceNow > Table
  • Kubernetes > CronJob > ServiceNow > Table > Definition
  • Kubernetes > DaemonSet > ServiceNow
  • Kubernetes > DaemonSet > ServiceNow > Configuration Item
  • Kubernetes > DaemonSet > ServiceNow > Configuration Item > Record
  • Kubernetes > DaemonSet > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > DaemonSet > ServiceNow > Table
  • Kubernetes > DaemonSet > ServiceNow > Table > Definition
  • Kubernetes > Ingress > ServiceNow
  • Kubernetes > Ingress > ServiceNow > Configuration Item
  • Kubernetes > Ingress > ServiceNow > Configuration Item > Record
  • Kubernetes > Ingress > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Ingress > ServiceNow > Table
  • Kubernetes > Ingress > ServiceNow > Table > Definition
  • Kubernetes > Job > ServiceNow
  • Kubernetes > Job > ServiceNow > Configuration Item
  • Kubernetes > Job > ServiceNow > Configuration Item > Record
  • Kubernetes > Job > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Job > ServiceNow > Table
  • Kubernetes > Job > ServiceNow > Table > Definition
  • Kubernetes > Persistent Volume > ServiceNow
  • Kubernetes > Persistent Volume > ServiceNow > Configuration Item
  • Kubernetes > Persistent Volume > ServiceNow > Configuration Item > Record
  • Kubernetes > Persistent Volume > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Persistent Volume > ServiceNow > Table
  • Kubernetes > Persistent Volume > ServiceNow > Table > Definition
  • Kubernetes > ReplicationController > ServiceNow
  • Kubernetes > ReplicationController > ServiceNow > Configuration Item
  • Kubernetes > ReplicationController > ServiceNow > Configuration Item > Record
  • Kubernetes > ReplicationController > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > ReplicationController > ServiceNow > Table
  • Kubernetes > ReplicationController > ServiceNow > Table > Definition
  • Kubernetes > StatefulSet > ServiceNow
  • Kubernetes > StatefulSet > ServiceNow > Configuration Item
  • Kubernetes > StatefulSet > ServiceNow > Configuration Item > Record
  • Kubernetes > StatefulSet > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > StatefulSet > ServiceNow > Table
  • Kubernetes > StatefulSet > ServiceNow > Table > Definition

What's new?

Resource Types

  • Kubernetes > CronJob
  • Kubernetes > DaemonSet
  • Kubernetes > Ingress
  • Kubernetes > Job
  • Kubernetes > Persistent Volume
  • Kubernetes > ReplicationController
  • Kubernetes > StatefulSet

Control Types

  • Kubernetes > ConfigMap > Active
  • Kubernetes > CronJob > Active
  • Kubernetes > CronJob > Annotations
  • Kubernetes > CronJob > Approved
  • Kubernetes > CronJob > CMDB
  • Kubernetes > CronJob > Labels
  • Kubernetes > CronJob > Query
  • Kubernetes > DaemonSet > Active
  • Kubernetes > DaemonSet > Annotations
  • Kubernetes > DaemonSet > Approved
  • Kubernetes > DaemonSet > CMDB
  • Kubernetes > DaemonSet > Labels
  • Kubernetes > DaemonSet > Query
  • Kubernetes > Deployment > Active
  • Kubernetes > Ingress > Active
  • Kubernetes > Ingress > Annotations
  • Kubernetes > Ingress > Approved
  • Kubernetes > Ingress > CMDB
  • Kubernetes > Ingress > Labels
  • Kubernetes > Ingress > Query
  • Kubernetes > Job > Active
  • Kubernetes > Job > Annotations
  • Kubernetes > Job > Approved
  • Kubernetes > Job > CMDB
  • Kubernetes > Job > Labels
  • Kubernetes > Job > Query
  • Kubernetes > Namespace > Active
  • Kubernetes > Node > Active
  • Kubernetes > Persistent Volume > Active
  • Kubernetes > Persistent Volume > Annotations
  • Kubernetes > Persistent Volume > Approved
  • Kubernetes > Persistent Volume > CMDB
  • Kubernetes > Persistent Volume > Labels
  • Kubernetes > Persistent Volume > Query
  • Kubernetes > Pod > Active
  • Kubernetes > ReplicaSet > Active
  • Kubernetes > ReplicationController > Active
  • Kubernetes > ReplicationController > Annotations
  • Kubernetes > ReplicationController > Approved
  • Kubernetes > ReplicationController > CMDB
  • Kubernetes > ReplicationController > Labels
  • Kubernetes > ReplicationController > Query
  • Kubernetes > Service > Active
  • Kubernetes > StatefulSet > Active
  • Kubernetes > StatefulSet > Annotations
  • Kubernetes > StatefulSet > Approved
  • Kubernetes > StatefulSet > CMDB
  • Kubernetes > StatefulSet > Labels
  • Kubernetes > StatefulSet > Query

Policy Types

  • Kubernetes > Cluster > CMDB > Expiration
  • Kubernetes > Cluster > CMDB > Expiration > Expiration Days
  • Kubernetes > Cluster > osquery
  • Kubernetes > Cluster > osquery > Configuration
  • Kubernetes > ConfigMap > Active
  • Kubernetes > ConfigMap > Active > Age
  • Kubernetes > ConfigMap > Active > Last Modified
  • Kubernetes > CronJob > Active
  • Kubernetes > CronJob > Active > Age
  • Kubernetes > CronJob > Active > Last Modified
  • Kubernetes > CronJob > Annotations
  • Kubernetes > CronJob > Annotations > Template
  • Kubernetes > CronJob > Approved
  • Kubernetes > CronJob > Approved > Custom
  • Kubernetes > CronJob > CMDB
  • Kubernetes > CronJob > Labels
  • Kubernetes > CronJob > Labels > Template
  • Kubernetes > CronJob > osquery
  • Kubernetes > CronJob > osquery > Configuration
  • Kubernetes > CronJob > osquery > Configuration > Columns
  • Kubernetes > CronJob > osquery > Configuration > Interval
  • Kubernetes > CronJob > osquery > Configuration > Name
  • Kubernetes > DaemonSet > Active
  • Kubernetes > DaemonSet > Active > Age
  • Kubernetes > DaemonSet > Active > Last Modified
  • Kubernetes > DaemonSet > Annotations
  • Kubernetes > DaemonSet > Annotations > Template
  • Kubernetes > DaemonSet > Approved
  • Kubernetes > DaemonSet > Approved > Custom
  • Kubernetes > DaemonSet > CMDB
  • Kubernetes > DaemonSet > Labels
  • Kubernetes > DaemonSet > Labels > Template
  • Kubernetes > DaemonSet > osquery
  • Kubernetes > DaemonSet > osquery > Configuration
  • Kubernetes > DaemonSet > osquery > Configuration > Columns
  • Kubernetes > DaemonSet > osquery > Configuration > Interval
  • Kubernetes > DaemonSet > osquery > Configuration > Name
  • Kubernetes > Deployment > Active
  • Kubernetes > Deployment > Active > Age
  • Kubernetes > Deployment > Active > Last Modified
  • Kubernetes > Ingress > Active
  • Kubernetes > Ingress > Active > Age
  • Kubernetes > Ingress > Active > Last Modified
  • Kubernetes > Ingress > Annotations
  • Kubernetes > Ingress > Annotations > Template
  • Kubernetes > Ingress > Approved
  • Kubernetes > Ingress > Approved > Custom
  • Kubernetes > Ingress > CMDB
  • Kubernetes > Ingress > Labels
  • Kubernetes > Ingress > Labels > Template
  • Kubernetes > Ingress > osquery
  • Kubernetes > Ingress > osquery > Configuration
  • Kubernetes > Ingress > osquery > Configuration > Columns
  • Kubernetes > Ingress > osquery > Configuration > Interval
  • Kubernetes > Ingress > osquery > Configuration > Name
  • Kubernetes > Job > Active
  • Kubernetes > Job > Active > Age
  • Kubernetes > Job > Active > Last Modified
  • Kubernetes > Job > Annotations
  • Kubernetes > Job > Annotations > Template
  • Kubernetes > Job > Approved
  • Kubernetes > Job > Approved > Custom
  • Kubernetes > Job > CMDB
  • Kubernetes > Job > Labels
  • Kubernetes > Job > Labels > Template
  • Kubernetes > Job > osquery
  • Kubernetes > Job > osquery > Configuration
  • Kubernetes > Job > osquery > Configuration > Columns
  • Kubernetes > Job > osquery > Configuration > Interval
  • Kubernetes > Job > osquery > Configuration > Name
  • Kubernetes > Namespace > Active
  • Kubernetes > Namespace > Active > Age
  • Kubernetes > Namespace > Active > Last Modified
  • Kubernetes > Node > Active
  • Kubernetes > Node > Active > Age
  • Kubernetes > Node > Active > Last Modified
  • Kubernetes > Persistent Volume > Active
  • Kubernetes > Persistent Volume > Active > Age
  • Kubernetes > Persistent Volume > Active > Last Modified
  • Kubernetes > Persistent Volume > Annotations
  • Kubernetes > Persistent Volume > Annotations > Template
  • Kubernetes > Persistent Volume > Approved
  • Kubernetes > Persistent Volume > Approved > Custom
  • Kubernetes > Persistent Volume > CMDB
  • Kubernetes > Persistent Volume > Labels
  • Kubernetes > Persistent Volume > Labels > Template
  • Kubernetes > Persistent Volume > osquery
  • Kubernetes > Persistent Volume > osquery > Configuration
  • Kubernetes > Persistent Volume > osquery > Configuration > Columns
  • Kubernetes > Persistent Volume > osquery > Configuration > Interval
  • Kubernetes > Persistent Volume > osquery > Configuration > Name
  • Kubernetes > Pod > Active
  • Kubernetes > Pod > Active > Age
  • Kubernetes > Pod > Active > Last Modified
  • Kubernetes > ReplicaSet > Active
  • Kubernetes > ReplicaSet > Active > Age
  • Kubernetes > ReplicaSet > Active > Last Modified
  • Kubernetes > ReplicationController > Active
  • Kubernetes > ReplicationController > Active > Age
  • Kubernetes > ReplicationController > Active > Last Modified
  • Kubernetes > ReplicationController > Annotations
  • Kubernetes > ReplicationController > Annotations > Template
  • Kubernetes > ReplicationController > Approved
  • Kubernetes > ReplicationController > Approved > Custom
  • Kubernetes > ReplicationController > CMDB
  • Kubernetes > ReplicationController > Labels
  • Kubernetes > ReplicationController > Labels > Template
  • Kubernetes > ReplicationController > osquery
  • Kubernetes > ReplicationController > osquery > Configuration
  • Kubernetes > ReplicationController > osquery > Configuration > Columns
  • Kubernetes > ReplicationController > osquery > Configuration > Interval
  • Kubernetes > ReplicationController > osquery > Configuration > Name
  • Kubernetes > Service > Active
  • Kubernetes > Service > Active > Age
  • Kubernetes > Service > Active > Last Modified
  • Kubernetes > StatefulSet > Active
  • Kubernetes > StatefulSet > Active > Age
  • Kubernetes > StatefulSet > Active > Last Modified
  • Kubernetes > StatefulSet > Annotations
  • Kubernetes > StatefulSet > Annotations > Template
  • Kubernetes > StatefulSet > Approved
  • Kubernetes > StatefulSet > Approved > Custom
  • Kubernetes > StatefulSet > CMDB
  • Kubernetes > StatefulSet > Labels
  • Kubernetes > StatefulSet > Labels > Template
  • Kubernetes > StatefulSet > osquery
  • Kubernetes > StatefulSet > osquery > Configuration
  • Kubernetes > StatefulSet > osquery > Configuration > Columns
  • Kubernetes > StatefulSet > osquery > Configuration > Interval
  • Kubernetes > StatefulSet > osquery > Configuration > Name

Action Types

  • Kubernetes > Cluster > Router
  • Kubernetes > CronJob > Router
  • Kubernetes > DaemonSet > Router
  • Kubernetes > Ingress > Router
  • Kubernetes > Job > Router
  • Kubernetes > Persistent Volume > Router
  • Kubernetes > ReplicationController > Router
  • Kubernetes > StatefulSet > Router

Bug fixes

  • CMDB controls for various resources sometimes failed to process a large number of updates that occurred in quick succession via Cluster events. We’ve improved our GraphQL queries to handle such a load, and the controls will now be able to process such events more smoothly and reliably than before.

What's new?

  • The AWS > S3 > Bucket > CMDB control would go into an error state if Guardrails did not have permissions to call the headBucket operation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > S3 > Bucket > CMDB policy to Enforce: Enabled but ignore permission errors.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • In the previous version, we fixed an issue with the Azure > App Service > Web App > Client Certificate Mode control, ensuring that the Client Certificate Mode is set to Require correctly. However, we missed an edge case where the control wouldn’t enforce any mode other than the default setting of Ignore. We have now addressed all cases, and the control will work more reliably and consistently than before.

What's new?

  • Interactive workflows in the terminal via console integration. Blog.
  • Simplified progress output for flowpipe pipeline run command when running in Client mode and not using the --verbose arg.
  • --data-dir parameter to specify the location of the event store database. (#852).
  • --execution-id parameter to specify custom execution id for pipeline run. (#856).
  • Update Go version to v1.22.4.

Bug fixes

  • Return a non-zero exit code if there's a failure. (#855).
  • loop block now respect the if step attribute. (#858).

What's new?

  • Added 22 detect and correct pipelines to identify unused and underutilized GCP resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see GCP Thrifty Mod.

What's new?

  • Detect and correct misconfigured labels across 8 GCP resource types.
  • Automatically add mandatory labels (e.g. env, owner).
  • Clean up prohibited labels (e.g. secret, key).
  • Reconcile shorthand or misspelled label keys to standardized keys (e.g. cc to cost_center).
  • Update label values to conform to expected standards, ensuring consistency (e.g. Prod to prod).

For detailed usage information and a full list of pipelines, please see GCP Labels Mod.

What's new?

  • Added 24 detect and correct pipelines to identify unused and underutilized Azure resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see Azure Thrifty Mod.

What's new?

  • Detect and correct misconfigured tags across 55+ Azure resource types.
  • Automatically add mandatory tags (e.g. env, owner).
  • Clean up prohibited tags (e.g. secret, key).
  • Reconcile shorthand or misspelled tag keys to standardized keys (e.g. cc to cost_center).
  • Update tag values to conform to expected standards, ensuring consistency (e.g. Prod to prod).

For detailed usage information and a full list of pipelines, please see Azure Tags Mod.

What's new?

  • The mod has been updated to run in the Wizard mode by default.

What's new?

  • Detect and correct misconfigured tags across 65+ AWS resource types.
  • Automatically add mandatory tags (e.g. env, owner).
  • Clean up prohibited tags (e.g. secret, key).
  • Reconcile shorthand or misspelled tag keys to standardized keys (e.g. cc to cost_center).
  • Update tag values to conform to expected standards, ensuring consistency (e.g. Prod to prod).

For detailed usage information and a full list of pipelines, please see AWS Tags Mod.

What's new?

  • Updated AWS Lambda function architecture to ARM64 for improved performance and cost efficiency.

What's new?

  • Server

    • Improved memory optimization for Redis.
    • Updated all AWS Lambda functions in the TE environment to use ARM64 architecture for improved performance and cost efficiency.
    • Allow notifications rules to accept nunjucks for Email address.
    • Updated several node packages to newer versions for improved functionality and security.
  • UI

    • Smart Folders are now called Policy Packs.
    • Now you can add AKA while creating Policy Packs from UI.

Bug fixes

  • Server

    • Fixed an issue where controls remained in TBD state for accounts imported without an External ID.
  • UI

    • Removed the unsupported feature for rearranging Policy Packs from the UI.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Import Set policies for various Kubernetes resources will no longer include the Enforce: Sync policy value for integrating Import Sets in ServiceNow.

Control Types

  • GCP > Storage > Object > ServiceNow > Import Set

Policy Types

  • GCP > Storage > Object > ServiceNow > Import Set
  • GCP > Storage > Object > ServiceNow > Import Set > Archive Columns
  • GCP > Storage > Object > ServiceNow > Import Set > Record
  • GCP > Storage > Object > ServiceNow > Import Set > Table Name

Control Types

  • GCP > Compute Engine > Disk > ServiceNow > Import Set
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Image > ServiceNow > Import Set
  • GCP > Compute Engine > Instance > ServiceNow > Import Set
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set
  • GCP > Compute Engine > Node template > ServiceNow > Import Set
  • GCP > Compute Engine > Project > ServiceNow > Import Set
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set

Policy Types

  • GCP > Compute Engine > Disk > ServiceNow > Import Set
  • GCP > Compute Engine > Disk > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Disk > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Disk > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Record
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Record
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Image > ServiceNow > Import Set
  • GCP > Compute Engine > Image > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Image > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Image > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Instance > ServiceNow > Import Set
  • GCP > Compute Engine > Instance > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Instance > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Instance > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Node template > ServiceNow > Import Set
  • GCP > Compute Engine > Node template > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Node template > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Node template > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Project > ServiceNow > Import Set
  • GCP > Compute Engine > Project > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Project > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Project > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Table Name

Control Types

  • Azure > Storage > Container > ServiceNow > Import Set
  • Azure > Storage > FileShare > ServiceNow > Import Set
  • Azure > Storage > Queue > ServiceNow > Import Set

Policy Types

  • Azure > Storage > Container > ServiceNow > Import Set
  • Azure > Storage > Container > ServiceNow > Import Set > Archive Columns
  • Azure > Storage > Container > ServiceNow > Import Set > Record
  • Azure > Storage > Container > ServiceNow > Import Set > Table Name
  • Azure > Storage > FileShare > ServiceNow > Import Set
  • Azure > Storage > FileShare > ServiceNow > Import Set > Archive Columns
  • Azure > Storage > FileShare > ServiceNow > Import Set > Record
  • Azure > Storage > FileShare > ServiceNow > Import Set > Table Name
  • Azure > Storage > Queue > ServiceNow > Import Set
  • Azure > Storage > Queue > ServiceNow > Import Set > Archive Columns
  • Azure > Storage > Queue > ServiceNow > Import Set > Record
  • Azure > Storage > Queue > ServiceNow > Import Set > Table Name

Control Types

  • Azure > Compute > Availability Set > ServiceNow > Import Set
  • Azure > Compute > Disk > ServiceNow > Import Set
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set
  • Azure > Compute > Image > ServiceNow > Import Set
  • Azure > Compute > Snapshot > ServiceNow > Import Set
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set

Policy Types

  • Azure > Compute > Availability Set > ServiceNow > Import Set
  • Azure > Compute > Availability Set > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Availability Set > ServiceNow > Import Set > Record
  • Azure > Compute > Availability Set > ServiceNow > Import Set > Table Name
  • Azure > Compute > Disk > ServiceNow > Import Set
  • Azure > Compute > Disk > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Disk > ServiceNow > Import Set > Record
  • Azure > Compute > Disk > ServiceNow > Import Set > Table Name
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Record
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Table Name
  • Azure > Compute > Image > ServiceNow > Import Set
  • Azure > Compute > Image > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Image > ServiceNow > Import Set > Record
  • Azure > Compute > Image > ServiceNow > Import Set > Table Name
  • Azure > Compute > Snapshot > ServiceNow > Import Set
  • Azure > Compute > Snapshot > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Snapshot > ServiceNow > Import Set > Record
  • Azure > Compute > Snapshot > ServiceNow > Import Set > Table Name
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Record
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Table Name
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set > Record
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set > Table Name
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Record
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Table Name

Control Types

  • AWS > S3 > Bucket > ServiceNow > Import Set

Policy Types

  • AWS > S3 > Bucket > ServiceNow > Import Set
  • AWS > S3 > Bucket > ServiceNow > Import Set > Archive Columns
  • AWS > S3 > Bucket > ServiceNow > Import Set > Record
  • AWS > S3 > Bucket > ServiceNow > Import Set > Table Name

What's new?

  • Added support to archive Import Sets in ServiceNow.

Enhancements

  • Added column create_time to gcp_sql_database_instance table. (#615)

Bug fixes

  • Fixed the gcp_alloydb_cluster and gcp_alloydb_instance tables to correctly return values for project column instead of null. (#617)

What's new?

Bug fixes

  • Fixed the power_state column of the azure_compute_virtual_machine table to correctly return data instead of a nil pointer dereference error. (#804)

Bug fixes

  • The Azure > App Service > Web App > Client Certificate Mode control did not apply Enforce: Require settings correctly. This is now fixed.

What's new?

  • Added support for google_monitoring_alert_policy and google_monitoring_notification_channel Terraform resources.

Control Types

  • GCP > Monitoring > Alert Policy > Configured
  • GCP > Monitoring > Notification Channel > Configured

Policy Types

  • GCP > Monitoring > Alert Policy > Configured
  • GCP > Monitoring > Alert Policy > Configured > Claim Precedence
  • GCP > Monitoring > Alert Policy > Configured > Source
  • GCP > Monitoring > Notification Channel > Configured
  • GCP > Monitoring > Notification Channel > Configured > Claim Precedence
  • GCP > Monitoring > Notification Channel > Configured > Source

What's new?

  • Added support for google_logging_metric Terraform resource.

Control Types

  • GCP > Logging > Metric > Configured

Policy Types

  • GCP > Logging > Metric > Configured
  • GCP > Logging > Metric > Configured > Claim Precedence
  • GCP > Logging > Metric > Configured > Source

Bug fixes

  • The Azure > Storage > Storage Account > Queue > Logging control failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • Fixed plugin loading issues by eliminating the need for manual caching, ensuring smoother and more reliable plugin installations. (#50)

What's new?

  • Added the insecure_skip_verify connection config argument to support bypassing the SSL/TLS certificate verification while querying the tables. (#48)

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package.

Dependencies

Bug fixes

  • Fixed issue where local Docker config for the credential store was used when installing plugins from GHCR, enabling installation from GHCR to work even if docker-credential-desktop is not in PATH. (#4323)
  • Fixed issue where Steampipe returned a 0 exit code even if it failed to export a snapshot. (#4276)
  • Fixed issue where the query command did not support the legacy 'true' and 'false' values for the --timing flag. (#4282)
  • Fixed issue where SPS output was not working. (#4297)
  • Fixed issue where loading connection plugins did not return successfully created connections if some connections failed due to the configuration not being available. (#474)
  • Fixed issue where scan info in query JSON output was shown even when the timing configuration was not set to verbose. (#4292)

What's new?

  • Users can now configure Shielded Instance Configuration for instances. To get started, set GCP > Compute > Instance > Shielded Instance Configuration > * policies.

Control Types

  • GCP > Compute Engine > Instance > Shielded Instance Configuration

Policy Types

  • GCP > Compute Engine > Instance > Shielded Instance Configuration
  • GCP > Compute Engine > Instance > Shielded Instance Configuration > Integrity Monitoring
  • GCP > Compute Engine > Instance > Shielded Instance Configuration > Secure Boot
  • GCP > Compute Engine > Instance > Shielded Instance Configuration > vTPM

Action Types

  • GCP > Compute Engine > Instance > Set Shielded Instance Configuration

What's new?

  • The Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) control will also evaluate SQL databases for SKU Basic/Consumption.

Control Types

  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Policy Types

  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group flow logs are captured and sent to Log Analytics

Bug fixes

  • The Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key control did not evaluate the result correctly, as expected. This is now fixed.

What's new?

DOCUMENTATION:

  • resource/turbot_policy_pack: Added documentation for akas attribute for the resource. (#179)

What's new?

  • Users can now configure Encryption In Transit for instances. To get started, set the GCP > SQL > Instance > Encryption In Transit policy.

Control Types

  • GCP > SQL > Instance > Encryption In Transit

Policy Types

  • GCP > SQL > Instance > Encryption In Transit

Action Types

  • GCP > SQL > Instance > Update Encryption in Transit

What's new?

Control Types

  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days

Policy Types

  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days

What's new?

  • Users can now upgrade the SKU from Basic to Standard for Public IP Addresss via Azure > Network > Public IP Address > Standard SKU control. To get started, set the Azure > Network > Public IP Address > Standard SKU policy.

Control Types

  • Azure > Network > Public IP Address > Standard SKU

Policy Types

  • Azure > Network > Public IP Address > Standard SKU
  • Azure > Network > Public IP Address > Standard SKU > SKU Tier

Action Types

  • Azure > Network > Public IP Address > Update SKU to Standard

What's new?

  • We've added guardrails to help secure access to your database accounts' public endpoints. All database accounts have public endpoints that are accessible through the internet by default. This access can be limited to specific IP ranges, virtual network subnets, and trusted Microsoft services by defining firewall and virtual network rules.

To get started configuring these rules through Guardrails, the following policies should set according to your desired firewall rules configuration:

Azure > Cosmos DB > Database Account > Firewall - Configure default access rules for the public endpoint Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved - Remove unapproved IP ranges Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required - Grant access to specific IP ranges Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved - Remove unapproved virtual network subnets Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required - Grant access to specific virtual network subnets Please note that if the Azure > Cosmos DB > Database Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the database accounts.

Control Types

  • Azure > Cosmos DB > Database Account > Firewall
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required

Policy Types

  • Azure > Cosmos DB > Database Account > Firewall
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > CIDR Ranges
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Rules
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Compiled Items
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Exceptions
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Items
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Compiled Rules
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Rules
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Subnets
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required > Items

Action Types

  • Azure > Cosmos DB > Database Account > Update Firewall Default Access Rule
  • Azure > Cosmos DB > Database Account > Update Firewall IP Ranges
  • Azure > Cosmos DB > Database Account > Update Firewall Virtual Networks

Bug fixes

  • Various Discovery and CMDB controls entered an error state because they used outdated APIs that no longer functioned as expected. We have updated internal package dependencies, and those controls now operate smoothly as intended.

Bug fixes

  • Resolved an issue where an empty outbound_cidr_ranges SSM parameter caused a validation error. Now, if the outbound_cidr_ranges parameter is empty, it will be set to None.

What's new?

  • Added M7i and M7i-flex instance type.
  • Updated the HealthCheckProxy lambda function to use python 3.10.

Bug fixes

  • The GCP > Project > CMDB control went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.

What's new?

  • Users can now configure authorized networks for instances in Guardrails. To get started, set the GCP > SQL > Instance > Authorized Network > * policies.
  • Users can now configure Database Flags for instances in Guardrails. To get started, set the GCP > SQL > Instance > Database Flags policy.
  • Users can now clean up and stop tracking SQL resources in Guardrails. To get started, set the GCP > SQL > CMDB policy to Enforce: Disabled.

Control Types

  • GCP > SQL > Instance > Authorized Network
  • GCP > SQL > Instance > Authorized Network > Approved
  • GCP > SQL > Instance > Database Flags

Policy Types

  • GCP > SQL > Instance > Authorized Network
  • GCP > SQL > Instance > Authorized Network > Approved
  • GCP > SQL > Instance > Authorized Network > Approved > CIDR Ranges
  • GCP > SQL > Instance > Database Flags
  • GCP > SQL > Instance > Database Flags > MySQL
  • GCP > SQL > Instance > Database Flags > MySQL > Template
  • GCP > SQL > Instance > Database Flags > PostgreSQL
  • GCP > SQL > Instance > Database Flags > PostgreSQL > Template
  • GCP > SQL > Instance > Database Flags > SQL Server
  • GCP > SQL > Instance > Database Flags > SQL Server > Template

Action Types

  • GCP > SQL > Instance > Update Authorized Network
  • GCP > SQL > Instance > Update Database Flags

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes breaking changes in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

    Renamed:

    • serviceProperties.blob.DeleteRetentionPolicy to serviceProperties.blob.deleteRetentionPolicy
    • serviceProperties.blob.DeleteRetentionPolicy.Days to serviceProperties.blob.deleteRetentionPolicy.days
    • serviceProperties.blob.DeleteRetentionPolicy.Enabled to serviceProperties.blob.deleteRetentionPolicy.enabled
    • serviceProperties.blob.StaticWebsite to serviceProperties.blob.staticWebsite
    • serviceProperties.blob.StaticWebsite.Enabled to serviceProperties.blob.staticWebsite.enabled
    • serviceProperties.blob.logging to serviceProperties.blob.blobAnalyticsLogging
    • serviceProperties.queue.logging to serviceProperties.queue.queueAnalyticsLogging

    Added:

    • serviceProperties.blob.deleteRetentionPolicy.AllowPermanentDelete

    Modified:

    • The data type of the attribute serviceProperties.blob.cors has been changed from string ("") to array ([]).
    • The data type of the attribute serviceProperties.queue.cors has been changed from string ("") to array ([]).
  • Users can now enable/disable Blob logging for storage accounts. To get started, set the Azure > Storage > Storage Account > Blob > Logging > * policies.

  • Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the Azure > Storage > Storage Account > Approved > Infrastructure Encryption policy.

Control Types

  • Azure > Storage > Storage Account > Blob
  • Azure > Storage > Storage Account > Blob > Logging

Renamed

  • Azure > Storage > Storage Account > Public Access to Azure > Storage > Storage Account > Blob Public Access

Policy Types

  • Azure > Storage > Storage Account > Approved > Infrastructure Encryption
  • Azure > Storage > Storage Account > Blob
  • Azure > Storage > Storage Account > Blob > Logging
  • Azure > Storage > Storage Account > Blob > Logging > Properties
  • Azure > Storage > Storage Account > Blob > Logging > Retention Days

Renamed

  • Azure > Storage > Storage Account > Public Access to Azure > Storage > Storage Account > Blob Public Access

Action Types

  • Azure > Storage > Storage Account > Update Storage Account Blob Logging

Renamed

  • Azure > Storage > Storage Account > Set Public Access to Azure > Storage > Storage Account > Set Blob Public Access

What's new?

  • Users can now configure Client Certificate Mode for web apps. To get started, set the Azure > App Service > Web App > Client Certificate Mode policy.

Control Types

  • Azure > App Service > Web App > Client Certificate Mode

Policy Types

  • Azure > App Service > Web App > Client Certificate Mode

Action Types

  • Azure > App Service > Web App > Set Client Certificate Mode

What's new?

Enhancements

  • The domain column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Okta organizations. (#120)
  • Added support to specify the time period in .spc file for max retries, request timeout, and max backoff time as required. (#112)
  • Added profile column to the okta_factor table. (#130)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#120)

Enhancements

  • The organization_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linear accounts. (#34)

Bug fixes

  • Fixed the plugin to correctly check for a valid Personal Access token. (#33)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#34)

Enhancements

  • Added column power_state to the azure_compute_virtual_machine_scale_set_vm table. (#800) (Thanks @pdepdecatcat for the contribution!)

Bug fixes

  • Fixed the azure_log_alert table to correctly return values for actions, condition, description, enabled, and scopes columns instead of null. (#796)

What's new?

FEATURES:

  • New Resource: turbot_policy_pack (#171)
  • New Resource: turbot_policy_pack_attachment (#173)

ENHANCEMENTS:

  • resource/turbot_smart_folder: The parent argument is now optional and defaults to tmod:@turbot/turbot#/. (#177)

What's new?

Resource Types

  • GCP > IAM > API Key

Control Types

  • GCP > IAM > API Key > Active
  • GCP > IAM > API Key > Approved
  • GCP > IAM > API Key > CMDB
  • GCP > IAM > API Key > Discovery
  • GCP > IAM > API Key > Usage

Policy Types

  • GCP > IAM > API Key > Active
  • GCP > IAM > API Key > Active > Age
  • GCP > IAM > API Key > Active > Last Modified
  • GCP > IAM > API Key > Approved
  • GCP > IAM > API Key > Approved > Custom
  • GCP > IAM > API Key > Approved > Usage
  • GCP > IAM > API Key > CMDB
  • GCP > IAM > API Key > Usage
  • GCP > IAM > API Key > Usage > Limit

Action Types

  • GCP > IAM > API Key > Delete
  • GCP > IAM > API Key > Router

What's new?

  • You can now configure Encryption at Rest for datasets. To get started, set the GCP > BigQuery > Dataset > Encryption at Rest > * policies.

Control Types

  • GCP > BigQuery > Dataset > Encryption at Rest

Policy Types

  • GCP > BigQuery > Dataset > Encryption at Rest
  • GCP > BigQuery > Dataset > Encryption at Rest > Customer Managed Key

Action Types

  • GCP > BigQuery > Dataset > Update Encryption At Rest

What's new?

Control Types

  • Kubernetes > Cluster > ServiceNow > Import Set
  • Kubernetes > ConfigMap > ServiceNow > Import Set
  • Kubernetes > Deployment > ServiceNow > Import Set
  • Kubernetes > Namespace > ServiceNow > Import Set
  • Kubernetes > Node > ServiceNow > Import Set
  • Kubernetes > Pod > ServiceNow > Import Set
  • Kubernetes > ReplicaSet > ServiceNow > Import Set
  • Kubernetes > Service > ServiceNow > Import Set

Policy Types

  • Kubernetes > Cluster > ServiceNow > Import Set
  • Kubernetes > Cluster > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Cluster > ServiceNow > Import Set > Record
  • Kubernetes > Cluster > ServiceNow > Import Set > Table Name
  • Kubernetes > ConfigMap > ServiceNow > Import Set
  • Kubernetes > ConfigMap > ServiceNow > Import Set > Archive Columns
  • Kubernetes > ConfigMap > ServiceNow > Import Set > Record
  • Kubernetes > ConfigMap > ServiceNow > Import Set > Table Name
  • Kubernetes > Deployment > ServiceNow > Import Set
  • Kubernetes > Deployment > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Deployment > ServiceNow > Import Set > Record
  • Kubernetes > Deployment > ServiceNow > Import Set > Table Name
  • Kubernetes > Namespace > ServiceNow > Import Set
  • Kubernetes > Namespace > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Namespace > ServiceNow > Import Set > Record
  • Kubernetes > Namespace > ServiceNow > Import Set > Table Name
  • Kubernetes > Node > ServiceNow > Import Set
  • Kubernetes > Node > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Node > ServiceNow > Import Set > Record
  • Kubernetes > Node > ServiceNow > Import Set > Table Name
  • Kubernetes > Pod > ServiceNow > Import Set
  • Kubernetes > Pod > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Pod > ServiceNow > Import Set > Record
  • Kubernetes > Pod > ServiceNow > Import Set > Table Name
  • Kubernetes > ReplicaSet > ServiceNow > Import Set
  • Kubernetes > ReplicaSet > ServiceNow > Import Set > Archive Columns
  • Kubernetes > ReplicaSet > ServiceNow > Import Set > Record
  • Kubernetes > ReplicaSet > ServiceNow > Import Set > Table Name
  • Kubernetes > Service > ServiceNow > Import Set
  • Kubernetes > Service > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Service > ServiceNow > Import Set > Record
  • Kubernetes > Service > ServiceNow > Import Set > Table Name

Bug fixes

  • Guardrails failed to process real-time snapshot events if the AWS > EC2 > Snapshot > CMDB policy was set to Enforce: Enabled for Snapshots not created with AWS Backup. This issue has now been fixed.

What's new?

  • Users can now configure DNSSEC for managed zones via Guardrails. To get started, set theGCP > DNS > Managed Zone > DNSSEC Configuration policy.
  • Users can now configure logging for DNS policies. To get started, set the GCP > DNS > Policy > Logging policy.

Control Types

  • GCP > DNS > Managed Zone > DNSSEC Configuration
  • GCP > DNS > Policy > Logging

Policy Types

  • GCP > DNS > Managed Zone > DNSSEC Configuration
  • GCP > DNS > Policy > Logging

Action Types

  • GCP > DNS > Managed Zone > Update DNSSEC Configuration
  • GCP > DNS > Policy > Update Logging

Bug fixes

  • Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.

What's new?

  • Users can now enable/disable Trusted Launch for all second generation virtual machines. To get started, set the Azure > Compute > Virtual Machine > Trusted launch policy.
  • You can now configure Encryption at Rest for Disks. To get started, set the Azure > Compute > Disk > Encryption at Rest > * policies.

Control Types

  • Azure > Compute > Disk > Encryption at Rest
  • Azure > Compute > Virtual Machine > Trusted Launch

Policy Types

  • Azure > Compute > Disk > Encryption at Rest
  • Azure > Compute > Disk > Encryption at Rest > Disk Encryption Set
  • Azure > Compute > Virtual Machine > Trusted launch

Action Types

  • Azure > Compute > Disk > Update Encryption at Rest
  • Azure > Compute > Virtual Machine > Update Trusted Luanch

What's new?

  • User can now register web apps with Entra ID to connect to other Azure services securely without the need for usernames and passwords. To get started, set the Azure > App Service > Web App > System Assigned Identity policy.
  • Diagnostic Settings details will now also be available for Web Apps in Guardrails CMDB.

Control Types

  • Azure > App Service > Web App > System Assigned Identity

Policy Types

  • Azure > App Service > Web App > System Assigned Identity

Action Types

  • Azure > App Service > Web App > Set System Assigned Identity

Bug fixes

  • The Azure > App Service > Web App > FTPS State control failed to set the FTPS State correctly for web apps. This issue is now fixed.

What's new?

Policy Types

  • GCP > BigQuery > Dataset > Approved > Custom

What's new?

  • Users can now configure retention policy for flow logs. To get started, set the Azure > Network Watcher > Flow Log > Retention Policy > * policies.

Control Types

  • Azure > Network Watcher > Flow Log > Retention Policy

Policy Types

  • Azure > Network Watcher > Flow Log > Retention Policy
  • Azure > Network Watcher > Flow Log > Retention Policy > Days

Action Types

  • Azure > Network Watcher > Flow Log > Update Retention Policy

What's new?

  • The Azure > Active Directory > Directory > CMDB control will now also fetch named locations and authorization policy details and store them in CMDB.

Bug fixes

  • Account Password Policy details did not refresh correctly in Guardrails CMDB if those settings were reset to defaults in AWS. This resulted in the AWS > IAM > Account Password Policy > Settings control not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.

What's new?

Bug fixes

  • Fixed the caching issue in aws_organizations_account table. (#2236)
  • Fixed typo (missing comma) in an example query of aws_health_affected_entity table document. (#2237) (Thanks @tieum for the contribution!)

What's new?

  • The Azure > Security Center > Security Center > CMDB control will now also fetch security settings details and store them in CMDB.

Bug fixes

  • Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.

Bug fixes

  • Fixed the export tool of the plugin to return a non-zero error code instead of 0 whenever an error occurred. (#79)

Enhancements

  • Added column public_network_access to the azure_storage_account table. (#794)

Bug fixes

  • Fixed the export tool of the plugin to return a non-zero error code instead of 0 whenever an error occurred. (#79)

Enhancements

  • Added 16 new columns to the aws_lambda_version table. (#2229)

Bug fixes

  • Fixed the export tool of the plugin to return a non-zero error code instead of 0 whenever an error occurred. (#79)

Bug fixes

  • Server
    • Resolved an issue that caused control targeting to accounts fail when AWS Gov accounts were imported in commercial environment.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

The default value for GCP > Storage > Bucket > ServiceNow > Import Set now shows the resource_type_uri correctly.

Control Types

Added

  • GCP > Storage > Bucket > ServiceNow > Import Set

Policy Types

Added

  • GCP > Storage > Bucket > ServiceNow > Import Set
  • GCP > Storage > Bucket > ServiceNow > Import Set > Archive Columns
  • GCP > Storage > Bucket > ServiceNow > Import Set > Record
  • GCP > Storage > Bucket > ServiceNow > Import Set > Table Name

What's new?

  • ServiceNow > Turbot > Watches > GCP Archive and Delete Record action now supports archiving Import Set records.

Control Types

Added

  • Azure > Storage > Storage Account > ServiceNow > Import Set

Policy Types

Added

  • Azure > Storage > Storage Account > ServiceNow > Import Set
  • Azure > Storage > Storage Account > ServiceNow > Import Set > Archive Columns
  • Azure > Storage > Storage Account > ServiceNow > Import Set > Record
  • Azure > Storage > Storage Account > ServiceNow > Import Set > Table Name

What's new?

  • ServiceNow > Turbot > Watches > Azure Archive and Delete Record action now supports archiving Import Set records.

Bug fixes

  • Default policy values for ServiceNow > Application > CMDB, ServiceNow > Cost Center > CMDB & ServiceNow > User > CMDB have been updated from Enforce: Enabled to Skip.

Policy Types

Added

  • ServiceNow > Import Set
  • ServiceNow > Import Set > Table Name [Default]

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • The OUTBOUND_SECURITY_GROUP_ID environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.

Bug fixes

  • Reverted the export CLI behavior to return <nil> for null values instead of "". (#77)

Bug fixes

  • Reverted the export CLI behavior to return <nil> for null values instead of "". (#77)

Bug fixes

  • Reverted the export CLI behavior to return <nil> for null values instead of "". (#77)

Bug fixes

  • The AWS > RDS > DB Instance > Approved control will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set the AWS > RDS > DB Cluster > Approved > * policies.
  • The AWS > RDS > DB Instance > Approved control did not stop an unapproved instance if the corresponding policy was set to Enforce: Stop unapproved or Enforce: Stop unapproved if new, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.

What's new

Enhancements

  • Added 9 new columns to the aws_elasticache_cluster table. (#2224)

Bug fixes

  • Fixed the aws_s3_object table not returning any rows due to panic error. (#2221)
  • Fixed no rows being returned from the ``table if an unqualified query is run before one withparent_id` specified.
  • Fixed data type for configuration_endpoint column in aws_elasticache_cluster table to be json. (#2214)

What's new?

  • Server
    • The creation of the EncryptionInTransit TopicPolicy has shifted from a custom resource to AWS CloudFormation’s AWS::SNS::TopicPolicy.

Bug fixes

  • Server
    • Changes to notifications introduced in version 5.44.2 have been rolled back due to issues with specific queries. This action restores previous functionality and ensures stability across the platform.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Enhancements

  • Optimized log_group_metric_* queries to minimize API usage, achieving faster performance. (#802)

What's new?

  • Server

    • Made notifications faster by improving the query, which enhances the performance of the activity tab.
  • UI

    • The Depends-on tab on the controls page has been renamed to Related. It now includes the information from the Depends-on tab along with additional related controls information.

Bug fixes

  • Server
    • Fixed an issue where sometimes an older mod version was used instead of the latest one after a mod upgrade. Now, the cache is properly updated to always use the latest version.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Azure > Network > Network Security Group > Ingress Rules > Approved control would sometimes fail to revoke rejected rules when the corresponding policy was set to Enforce: Delete unapproved. This has been fixed, and the control will now work more reliably and consistently than before.

What's new?

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#101)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the arguments column of terraform_resource table to correctly return the type field. (#99) (#92)

Dependencies

What's new?

Bug fixes

  • Improved the error messaging for file parsing in the github_workflow table. (#438)

Dependencies

  • Recompiled plugin with github.com/cloudflare/circl v1.3.7. (#418)

Bug fixes

  • Turbot > osquery > Event Handler action was not able to handle events for large payloads. This issue is now fixed.

Bug fixes

  • The GCP > Project > CMDB control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.

All Pipes workspaces are now running Steampipe v0.23.2.

For more information on this Steampipe release, see the release notes.

All Pipes workspaces are now running Powerpipe v0.4.0.

For more information on this Powerpipe release, see the release notes.

Bug fixes

  • Users can now configure Auto Provisioning for Azure Security Center in Guardrails. To get started, set the Azure > Security Center > Security Center > Auto Provisioning policy.

Control Types

  • Azure > Security Center > Security Center > Auto Provisioning

Policy Types

  • Azure > Security Center > Security Center > Auto Provisioning

Action Types

  • Azure > Security Center > Security Center > Update Auto Provisioning

Bug fixes

  • Fixed the issue of missing and inconsistent columns in Kubernetes CRD tables. (#229) (Thanks @dongho-jung for the contribution!!)

What's new?

Enhancements

  • Updated aws_s3_bucket, aws_s3_bucket_intelligent_tiering_configuration, aws_s3_object and aws_s3_object_version tables to use HeadBucket API instead of GetBucketLocation to fetch the region that the bucket resides in. (#2082) (Thanks @pdecat for the contribution!)
  • Added column create_time to aws_ec2_key_pair table. (#2196) (Thanks @kasadaamos for the contribution!)
  • Added instance_type column as an optional qual to the aws_ec2_instance_type table. (#2200)

Bug fixes

  • Fixed the akas column in aws_health_affected_entity table to correctly return data instead of an error by handling events that do not have any ARN. (#2189)
  • Fixed cname and endpoint_url columns of aws_elastic_beanstalk_environment table to correctly return data instead of null. (#2201)
  • Fixed the aws_api_gatewayv2_* tables to correctly return data instead of an error by excluding support for the new unsupported il-central-1 region. (#2190)

Enhancements

  • The login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Jira connections. (#119)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#128)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed pagination in the jira_board table to correctly return all the data instead of partial results. (#127)

Dependencies

What's new?

Bug fixes

  • Fixed the public_network_access_for_ingestion and the public_network_access_for_query columns of the azure_application_insight table to be of String data type instead of JSON. (#769)
  • Fixed the azure_role_assignment table to correctly return values for principal_id and principal_type columns instead of null. (#763)
  • Fixed the web_application_firewall_configuration column of the azure_application_gateway table to correctly return data instead of null. (#770)

What's new?

  • Added support for the profile connection config argument. (#409)

Bug fixes

  • Fixed the alicloud_cs_kubernetes_cluster table to ensure it correctly returns data when querying clusters without tags. (#426)

What's new?

  • Added FedRAMP High benchmark (powerpipe benchmark run azure_compliance.benchmark.fedramp_high). (#270)

What's new?

  • Subscription CMDB data will now also include tagging details for the subscription.

What's new?

  • The Azure > Security Center > Security Center > Defender Plan control now also supports services like Cloud Posture, Containers and Cosmos DB.

What's new?

  • Server

    • Added support for newer auth mechanism to fetch temporary Azure credentials via the @azure/msal-node package.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Users can now skip upserting snapshots in Guardrails CMDB if they are created via the AWS Backup service. To get started, set the AWS > EC2 > Snapshot > CMDB policy to Enforce: Enabled for Snapshots not created with AWS Backup.

Bug fixes

  • The AWS > Turbot > Service Roles > Source policy went to an invalid state if all but the AWS > Turbot > Service Roles > Event Handlers [Global] policy was enabled. This issue impacted the AWS > Turbot > Service Roles stack control, preventing the role from being created correctly. This has been fixed, and the AWS > Turbot > Service Roles > Source policy will now work as expected.

Bug fixes

  • The AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate the result correctly, as expected. This is now fixed.

Whats new

  • Updated JSON and snapshot output to handle duplicate column names - append a unique suffix to duplicate column names. (#375)

Bug fixes

  • Fixed bug when generating a snapshot from a benchmark run, the row data is empty if any of the rows are in error. (#366)
  • Updated mod install to only install or update mods which are command targets (and their dependencies). Set default pull mode for install is latest if there is a target, and minimal if no target is given. (#381)
  • Fixed incorrect help message for output in powerpipe benchmark/control run. (#367)
  • Fixed issue where POWERPIPE_PORT env var was not being honoured. (#362)
  • Updated timing metadata output to rename duration field to duration_ms for consistency with steampipe. (#368)
  • Dashboard graph should not crash if an invalid edge category color is provided. (#364)
  • Dashboard flow/hierarchy components should show panel controls. (#363)

Updated output formats

The rows property in the JSON and snapshot output will now have unique column names for duplicate column names. The columns property will have the original column name as original_name. For example, for the query:

powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output pps

Here is the updated JSON output:

powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output json
{
"columns": [
{
"name": "title",
"data_type": "text"
},
{
"name": "title_t5zj1",
"data_type": "text",
"original_name": "title"
},
{
"name": "title_t5zj2",
"data_type": "text",
"original_name": "title"
}
],
"rows": [
{
"title": "arn:aws:::882789663776",
"title_t5zj1": "882789663776",
"title_t5zj2": "882789663776"
},
],
"metadata": {
"rows_returned": 3,
"duration_ms": "202ms"
}
}

Here is the updated snapshot output:

{
"schema_version": "20240130",
"panels": {
"custom.dashboard.sql_e5br7b82": {
"dashboard": "custom.dashboard.sql_e5br7b82",
"name": "custom.dashboard.sql_e5br7b82",
"panel_type": "dashboard",
"source_definition": "",
"status": "complete",
"title": "Custom query [e5br7b82]"
},
"custom.table.results": {
"dashboard": "custom.dashboard.sql_e5br7b82",
"name": "custom.table.results",
"panel_type": "table",
"source_definition": "",
"status": "complete",
"sql": " select arn as title, account_id as title, title as title from aws_account",
"properties": {
"name": "results"
},
"data": {
"columns": [
{
"name": "title",
"data_type": "TEXT"
},
{
"name": "title_t5zj1",
"data_type": "TEXT",
"original_name": "title"
},
{
"name": "title_t5zj2",
"data_type": "TEXT",
"original_name": "title"
}
],
"rows": [
{
"title": "arn:aws:::876515858155",
"title_t5zj1": "876515858155",
"title_t5zj2": "morales-aaa"
},
{
"title": "arn:aws:::882789663776",
"title_t5zj1": "882789663776",
"title_t5zj2": "882789663776"
},
{
"title": "arn:aws:::097350876455",
"title_t5zj1": "097350876455",
"title_t5zj2": "turbot-silverwater"
}
]
}
}
},
"inputs": {},
"variables": {},
"search_path": null,
"start_time": "2024-06-06T14:50:16.906739+01:00",
"end_time": "2024-06-06T14:50:16.991955+01:00",
"layout": {
"name": "custom.dashboard.sql_e5br7b82",
"children": [
{
"name": "custom.table.results",
"panel_type": "table"
}
],
"panel_type": "dashboard"
}
}

What's new?

  • Updated the existing Flags attribute to include new specific flags that control the operation of Mod Lambda functions within a Virtual Private Cloud (VPC). This update allows Lambdas to use static IP addresses, improving network stability and predictability across different cloud environments. New flags Added to Flags Attribute:

    • LAMBDA_IN_VPC_AWS
    • LAMBDA_IN_VPC_AZURE
    • LAMBDA_IN_VPC_GCP
    • LAMBDA_IN_VPC_SERVICENOW
  • Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.

What's new?

  • Server

    • You can now configure Mod Lambda functions to run within a VPC across various providers including AWS, Azure, ServiceNow, and GCP. This update ensures Lambdas operate with static CIDR ranges.
    • Enhanced osquery/logger API to support payloads up to 10MB.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Minor fixes and improvements.

Bug fixes

  • The AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate the result correctly, as expected. This is now fixed.

What's new?

  • Added NIST Cybersecurity Framework (CSF) v1.0 benchmark (powerpipe benchmark run gcp_compliance.benchmark.nist_csf_v10). (#168)
  • Added NIST 800-53 Revision 5 benchmark (powerpipe benchmark run gcp_compliance.benchmark.nist_800_53_rev_5). (#168)

Bug fixes

  • Fixed the kms_key_users_limited_to_3 query to correctly return data by removing the hardcoded GCP connection name. (#170)
  • Fixed the logging_bucket_retention_policy_enabled query to correctly return data by adding the missing project column to the query. (#173)

What's new?

  • Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run aws_compliance.benchmark.rbi_itf_nbfc). (#798)

Bug fixes

  • The Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.

What's new?

  • Add support for installing mods from a branch or from the local file system. (#849).

    To install from a branch:

    flowpipe mod install github.com/turbot/flowpipe-mod-aws-thrifty#main

    To reference a mod in the local file system:

    flowpipe mod install ../mods/local_mod_folder
  • Add --pull flag to mod command to control the mod update strategy. (#849). Possible update strategies are:

    • full - check branch and tags for both latest and accuracy
    • latest - update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)
    • development - update branches and broken constraints to latest, leave satisfied constraints unchanged
    • minimal - only update broken constraints, do not check branches for new commits
  • Variable list and show commands. (#373)

Bug fixes

  • Pipeline references declared in subsequent files are correctly identified and processed.
  • Preserves pipeline params ordering as specified in the pipeline definition. (#408)

What's new?

  • Added HIPAA benchmark (powerpipe benchmark run gcp_compliance.benchmark.hipaa). (#165)
  • Added PCI DSS v3.2.1 benchmark (powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321). (#163)

Enhancements

  • Optimized several queries to minimize API usage, achieving faster performance. (#162)

What's new?

  • Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run azure_compliance.benchmark.rbi_itf_nbfc_v2017). (#267)

Bug fixes

  • The GCP > Turbot > Event Handlers > Logging would go into an Invalid state because of incorrect filter patterns defined in the GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer policy. This is fixed and the control will now work as expected.

Bug fixes

  • Guardrails would sometimes process the real-time event compute.networks.delete for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.

What's new?

Resource Types

  • AWS > AppFabric

Policy Types

  • AWS > AppFabric > API Enabled
  • AWS > AppFabric > Approved Regions [Default]
  • AWS > AppFabric > Enabled
  • AWS > AppFabric > Permissions
  • AWS > AppFabric > Permissions > Levels
  • AWS > AppFabric > Permissions > Levels > Modifiers
  • AWS > AppFabric > Permissions > Lockdown
  • AWS > AppFabric > Permissions > Lockdown > API Boundary
  • AWS > AppFabric > Regions
  • AWS > AppFabric > Tags Template [Default]
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-appfabric
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-appfabric
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-appfabric

What's new?

Control Types

  • GCP > IAM > Project User > Approved

Policy Types

  • GCP > IAM > Project User > Approved
  • GCP > IAM > Project User > Approved > Custom
  • GCP > IAM > Project User > Approved > Usage

Bug fixes

  • Respect the app version defined powerpipe block of the mod require block. (#405)
  • Dashboard UI should handle graph categories containing resource_name rather than name. (#360)

Bug fixes

  • Guardrails failed to process the real-time event s3:PutBucketReplication for buckets. This is now fixed.
  • The AWS > S3 > Bucket > Access Logging control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.

Enhancements

  • The user_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Pipes connections. (#27)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#32)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the plugin to correctly authenticate against a custom tenant in Pipes instead of returning a 401 error. (#30)

Dependencies

What's new?

  • Added Detect and Correct pipeline for DynamoDB tables with stale data. (#34)

What's new?

  • Added the following new pipeline:
    • delete_dynamodb_table

Enhancements

  • Added runtime variable support for control lambda_function_use_latest_runtime. (#791)

Bug fixes

  • Fixed the ecr_repository_image_scan_on_push_enabled query to use the correct common dimensions. (#793)

What's new?

Enhancements

  • The login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Github connections. (#422)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#219)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the plugin support for Github OAuth Access token to work correctly. (#432)

Dependencies

Bug fixes

  • Updated Postgres FDW to v1.11.2 to remove unnecessary NOTICE level log messages. (#469)

What's new?

  • Added NIST SP 800-171 Revision 2 benchmark (powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2). (#264)

Integrate your developer, team or custom tenant with GitHub, enabling you to install custom Powerpipe mods from public or private repositories. Push changes for instant deploys and live updates.

For more information, see the launch post or check out the docs.

Bug fixes

  • Guardrails failed to discover system storage containers (e.g. $logs) for storage accounts. This is now fixed.

Bug fixes

  • Added support to process enable and disable real-time events for BigQuery Data Transfer API via Service Usage APIs.

5.0.0 (2024-05-15)

What's new?

Resource Types

  • GCP > BigQuery Data Transfer
  • GCP > BigQuery Data Transfer > Transfer Config

Control Types

  • GCP > BigQuery Data Transfer > API Enabled
  • GCP > BigQuery Data Transfer > CMDB
  • GCP > BigQuery Data Transfer > Discovery
  • GCP > BigQuery Data Transfer > Transfer Config > Active
  • GCP > BigQuery Data Transfer > Transfer Config > Approved
  • GCP > BigQuery Data Transfer > Transfer Config > CMDB
  • GCP > BigQuery Data Transfer > Transfer Config > Discovery
  • GCP > BigQuery Data Transfer > Transfer Config > Usage

Policy Types

  • GCP > BigQuery Data Transfer > API Enabled
  • GCP > BigQuery Data Transfer > Approved Regions [Default]
  • GCP > BigQuery Data Transfer > CMDB
  • GCP > BigQuery Data Transfer > Enabled
  • GCP > BigQuery Data Transfer > Permissions
  • GCP > BigQuery Data Transfer > Permissions > Levels
  • GCP > BigQuery Data Transfer > Permissions > Levels > Modifiers
  • GCP > BigQuery Data Transfer > Regions
  • GCP > BigQuery Data Transfer > Transfer Config > Active
  • GCP > BigQuery Data Transfer > Transfer Config > Active > Age
  • GCP > BigQuery Data Transfer > Transfer Config > Active > Last Modified
  • GCP > BigQuery Data Transfer > Transfer Config > Approved
  • GCP > BigQuery Data Transfer > Transfer Config > Approved > Custom
  • GCP > BigQuery Data Transfer > Transfer Config > Approved > Usage
  • GCP > BigQuery Data Transfer > Transfer Config > CMDB
  • GCP > BigQuery Data Transfer > Transfer Config > Regions
  • GCP > BigQuery Data Transfer > Transfer Config > Usage
  • GCP > BigQuery Data Transfer > Transfer Config > Usage > Limit
  • GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer
  • GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-bigquerydatatransfer
  • GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-bigquerydatatransfer

Action Types

  • GCP > BigQuery Data Transfer > Set API Enabled
  • GCP > BigQuery Data Transfer > Transfer Config > Delete
  • GCP > BigQuery Data Transfer > Transfer Config > Router

Bug fixes

  • Load locals in order of dependency. (#399).

Whats new

  • Added support for installing mods from a branch or from the local file system. (#285)

    To install from a branch:

    powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected#main

    To reference a mod in the local file system:

    powerpipe mod install ../mods/local_mod_folder
  • Added --pull flag to mod, dashboard and benchmark commands to control the mod update strategy. (#352). Possible update strategies are:

    • full - check branch and tags for both latest and accuracy
    • latest - update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)
    • development - update branches and broken constraints to latest, leave satisfied constraints unchanged
    • minimal - only update broken constraints, do not check branches for new commits

Bug fixes

  • Fixed control category titles to use osquery instead of Osquery.

Bug fixes

  • Kubernetes > Node resources will no longer include the conditions.lastHeartbeatTime or resource_version properties to avoid unnecessary notifications in the activity tab.

What's new?

Resource Types

  • AWS > EventBridge Scheduler

Policy Types

  • AWS > EventBridge Scheduler > API Enabled
  • AWS > EventBridge Scheduler > Approved Regions [Default]
  • AWS > EventBridge Scheduler > Enabled
  • AWS > EventBridge Scheduler > Permissions
  • AWS > EventBridge Scheduler > Permissions > Levels
  • AWS > EventBridge Scheduler > Permissions > Levels > Modifiers
  • AWS > EventBridge Scheduler > Permissions > Lockdown
  • AWS > EventBridge Scheduler > Permissions > Lockdown > API Boundary
  • AWS > EventBridge Scheduler > Regions
  • AWS > EventBridge Scheduler > Tags Template [Default]
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgescheduler
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgescheduler
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgescheduler

What's new?

Resource Types

  • AWS > EventBridge Pipes

Policy Types

  • AWS > EventBridge Pipes > API Enabled
  • AWS > EventBridge Pipes > Approved Regions [Default]
  • AWS > EventBridge Pipes > Enabled
  • AWS > EventBridge Pipes > Permissions
  • AWS > EventBridge Pipes > Permissions > Levels
  • AWS > EventBridge Pipes > Permissions > Levels > Modifiers
  • AWS > EventBridge Pipes > Permissions > Lockdown
  • AWS > EventBridge Pipes > Permissions > Lockdown > API Boundary
  • AWS > EventBridge Pipes > Regions
  • AWS > EventBridge Pipes > Tags Template [Default]
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgepipes
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgepipes
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgepipes

Enhancements

  • The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Microsoft 365 subscriptions. (#50)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#55)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#50)

Enhancements

  • The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#175)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#180)
  • Added support for China cloud endpoint and scope based on the environment. (#174)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#175)

What's new?

  • Added 30 new 'detect and correct' pipelines to identify unused and underutilized AWS resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see AWS Thrifty Mod.

What's new?

  • Server

    • Added a new GraphQL resolver for osquery to generate an enrollSecret.
    • Added new REST APIs for osquery management, which includes:
      • api/latest/osquery/enroll
      • api/latest/osquery/config
      • api/latest/osquery/logger
    • Introduced a dedicated worker, along with SQS FIFO queue and SNS topic FIFO, to run osquery operations.
    • Implemented a new serviceNowCredential resolver specifically for Kubernetes clusters.
    • Upgraded our SDK (@turbot/sdk) to version 5.15.0 and our fn toolkit (@turbot/fn) to version 5.22.0, to support FIFO queues.
  • UI

    • Added support for connecting to Kubernetes, facilitating easier integration and management.
    • Added report for AWS CIS v2.0.
    • Added report for AWS CIS v3.0.
    • Added report for Azure CIS v2.0.
    • Added report for GCP CIS v2.0.

Requirements

  • TEF: 1.58.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

Control Types

  • Kubernetes > Cluster > ServiceNow
  • Kubernetes > Cluster > ServiceNow > Configuration Item
  • Kubernetes > Cluster > ServiceNow > Table
  • Kubernetes > ConfigMap > ServiceNow
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item
  • Kubernetes > ConfigMap > ServiceNow > Table
  • Kubernetes > Deployment > ServiceNow
  • Kubernetes > Deployment > ServiceNow > Configuration Item
  • Kubernetes > Deployment > ServiceNow > Table
  • Kubernetes > Namespace > ServiceNow
  • Kubernetes > Namespace > ServiceNow > Configuration Item
  • Kubernetes > Namespace > ServiceNow > Table
  • Kubernetes > Node > ServiceNow
  • Kubernetes > Node > ServiceNow > Configuration Item
  • Kubernetes > Node > ServiceNow > Table
  • Kubernetes > Pod > ServiceNow
  • Kubernetes > Pod > ServiceNow > Configuration Item
  • Kubernetes > Pod > ServiceNow > Table
  • Kubernetes > ReplicaSet > ServiceNow
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item
  • Kubernetes > ReplicaSet > ServiceNow > Table
  • Kubernetes > Service > ServiceNow
  • Kubernetes > Service > ServiceNow > Configuration Item
  • Kubernetes > Service > ServiceNow > Table
  • ServiceNow > Turbot > Watches > Kubernetes

Policy Types

  • Kubernetes > Cluster > ServiceNow
  • Kubernetes > Cluster > ServiceNow > Configuration Item
  • Kubernetes > Cluster > ServiceNow > Configuration Item > Record
  • Kubernetes > Cluster > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Cluster > ServiceNow > Table
  • Kubernetes > Cluster > ServiceNow > Table > Definition
  • Kubernetes > ConfigMap > ServiceNow
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item > Record
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > ConfigMap > ServiceNow > Table
  • Kubernetes > ConfigMap > ServiceNow > Table > Definition
  • Kubernetes > Deployment > ServiceNow
  • Kubernetes > Deployment > ServiceNow > Configuration Item
  • Kubernetes > Deployment > ServiceNow > Configuration Item > Record
  • Kubernetes > Deployment > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Deployment > ServiceNow > Table
  • Kubernetes > Deployment > ServiceNow > Table > Definition
  • Kubernetes > Namespace > ServiceNow
  • Kubernetes > Namespace > ServiceNow > Configuration Item
  • Kubernetes > Namespace > ServiceNow > Configuration Item > Record
  • Kubernetes > Namespace > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Namespace > ServiceNow > Table
  • Kubernetes > Namespace > ServiceNow > Table > Definition
  • Kubernetes > Node > ServiceNow
  • Kubernetes > Node > ServiceNow > Configuration Item
  • Kubernetes > Node > ServiceNow > Configuration Item > Record
  • Kubernetes > Node > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Node > ServiceNow > Table
  • Kubernetes > Node > ServiceNow > Table > Definition
  • Kubernetes > Pod > ServiceNow
  • Kubernetes > Pod > ServiceNow > Configuration Item
  • Kubernetes > Pod > ServiceNow > Configuration Item > Record
  • Kubernetes > Pod > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Pod > ServiceNow > Table
  • Kubernetes > Pod > ServiceNow > Table > Definition
  • Kubernetes > ReplicaSet > ServiceNow
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Record
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > ReplicaSet > ServiceNow > Table
  • Kubernetes > ReplicaSet > ServiceNow > Table > Definition
  • Kubernetes > Service > ServiceNow
  • Kubernetes > Service > ServiceNow > Configuration Item
  • Kubernetes > Service > ServiceNow > Configuration Item > Record
  • Kubernetes > Service > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Service > ServiceNow > Table
  • Kubernetes > Service > ServiceNow > Table > Definition
  • ServiceNow > Turbot > Watches > Kubernetes

Action Types

  • ServiceNow > Turbot > Watches > Kubernetes Archive And Delete Record

What's new?

Resource Types

  • osquery

Control Types

  • Turbot > Workspace > osquery
  • Turbot > Workspace > osquery > Secret Rotation

Policy Types

  • Turbot > Workspace > osquery
  • Turbot > Workspace > osquery > Enroll Secret Expiration
  • Turbot > Workspace > osquery > Secrets
  • Turbot > Workspace > osquery > Secrets > Expiration Period
  • Turbot > Workspace > osquery > Secrets > Rotation
  • osquery > Configuration

Action Types

  • Turbot > Rotate osquery Secret
  • osquery > Event Handler

What's new?

Resource Types

  • Kubernetes
  • Kubernetes > Cluster
  • Kubernetes > ConfigMap
  • Kubernetes > Deployment
  • Kubernetes > Namespace
  • Kubernetes > Node
  • Kubernetes > Pod
  • Kubernetes > ReplicaSet
  • Kubernetes > Service

Control Types

  • Kubernetes > Cluster > CMDB
  • Kubernetes > ConfigMap > Annotations
  • Kubernetes > ConfigMap > Approved
  • Kubernetes > ConfigMap > CMDB
  • Kubernetes > ConfigMap > Labels
  • Kubernetes > ConfigMap > Query
  • Kubernetes > Deployment > Annotations
  • Kubernetes > Deployment > Approved
  • Kubernetes > Deployment > CMDB
  • Kubernetes > Deployment > Labels
  • Kubernetes > Deployment > Query
  • Kubernetes > Namespace > Annotations
  • Kubernetes > Namespace > Approved
  • Kubernetes > Namespace > CMDB
  • Kubernetes > Namespace > Labels
  • Kubernetes > Namespace > Query
  • Kubernetes > Node > Annotations
  • Kubernetes > Node > Approved
  • Kubernetes > Node > CMDB
  • Kubernetes > Node > Labels
  • Kubernetes > Node > Query
  • Kubernetes > Pod > Annotations
  • Kubernetes > Pod > Approved
  • Kubernetes > Pod > CMDB
  • Kubernetes > Pod > Labels
  • Kubernetes > Pod > Query
  • Kubernetes > ReplicaSet > Annotations
  • Kubernetes > ReplicaSet > Approved
  • Kubernetes > ReplicaSet > CMDB
  • Kubernetes > ReplicaSet > Labels
  • Kubernetes > ReplicaSet > Query
  • Kubernetes > Service > Annotations
  • Kubernetes > Service > Approved
  • Kubernetes > Service > CMDB
  • Kubernetes > Service > Labels
  • Kubernetes > Service > Query

Policy Types

  • Kubernetes > Cluster > CMDB
  • Kubernetes > ConfigMap > Annotations
  • Kubernetes > ConfigMap > Annotations > Template
  • Kubernetes > ConfigMap > Approved
  • Kubernetes > ConfigMap > Approved > Custom
  • Kubernetes > ConfigMap > CMDB
  • Kubernetes > ConfigMap > Labels
  • Kubernetes > ConfigMap > Labels > Template
  • Kubernetes > ConfigMap > osquery
  • Kubernetes > ConfigMap > osquery > Configuration
  • Kubernetes > ConfigMap > osquery > Configuration > Columns
  • Kubernetes > ConfigMap > osquery > Configuration > Interval
  • Kubernetes > ConfigMap > osquery > Configuration > Name
  • Kubernetes > Deployment > Annotations
  • Kubernetes > Deployment > Annotations > Template
  • Kubernetes > Deployment > Approved
  • Kubernetes > Deployment > Approved > Custom
  • Kubernetes > Deployment > CMDB
  • Kubernetes > Deployment > Labels
  • Kubernetes > Deployment > Labels > Template
  • Kubernetes > Deployment > osquery
  • Kubernetes > Deployment > osquery > Configuration
  • Kubernetes > Deployment > osquery > Configuration > Columns
  • Kubernetes > Deployment > osquery > Configuration > Interval
  • Kubernetes > Deployment > osquery > Configuration > Name
  • Kubernetes > Namespace > Annotations
  • Kubernetes > Namespace > Annotations > Template
  • Kubernetes > Namespace > Approved
  • Kubernetes > Namespace > Approved > Custom
  • Kubernetes > Namespace > CMDB
  • Kubernetes > Namespace > Labels
  • Kubernetes > Namespace > Labels > Template
  • Kubernetes > Namespace > osquery
  • Kubernetes > Namespace > osquery > Configuration
  • Kubernetes > Namespace > osquery > Configuration > Columns
  • Kubernetes > Namespace > osquery > Configuration > Interval
  • Kubernetes > Namespace > osquery > Configuration > Name
  • Kubernetes > Node > Annotations
  • Kubernetes > Node > Annotations > Template
  • Kubernetes > Node > Approved
  • Kubernetes > Node > Approved > Custom
  • Kubernetes > Node > CMDB
  • Kubernetes > Node > Labels
  • Kubernetes > Node > Labels > Template
  • Kubernetes > Node > osquery
  • Kubernetes > Node > osquery > Configuration
  • Kubernetes > Node > osquery > Configuration > Columns
  • Kubernetes > Node > osquery > Configuration > Interval
  • Kubernetes > Node > osquery > Configuration > Name
  • Kubernetes > Pod > Annotations
  • Kubernetes > Pod > Annotations > Template
  • Kubernetes > Pod > Approved
  • Kubernetes > Pod > Approved > Custom
  • Kubernetes > Pod > CMDB
  • Kubernetes > Pod > Labels
  • Kubernetes > Pod > Labels > Template
  • Kubernetes > Pod > osquery
  • Kubernetes > Pod > osquery > Configuration
  • Kubernetes > Pod > osquery > Configuration > Columns
  • Kubernetes > Pod > osquery > Configuration > Interval
  • Kubernetes > Pod > osquery > Configuration > Name
  • Kubernetes > ReplicaSet > Annotations
  • Kubernetes > ReplicaSet > Annotations > Template
  • Kubernetes > ReplicaSet > Approved
  • Kubernetes > ReplicaSet > Approved > Custom
  • Kubernetes > ReplicaSet > CMDB
  • Kubernetes > ReplicaSet > Labels
  • Kubernetes > ReplicaSet > Labels > Template
  • Kubernetes > ReplicaSet > osquery
  • Kubernetes > ReplicaSet > osquery > Configuration
  • Kubernetes > ReplicaSet > osquery > Configuration > Columns
  • Kubernetes > ReplicaSet > osquery > Configuration > Interval
  • Kubernetes > ReplicaSet > osquery > Configuration > Name
  • Kubernetes > Service > Annotations
  • Kubernetes > Service > Annotations > Template
  • Kubernetes > Service > Approved
  • Kubernetes > Service > Approved > Custom
  • Kubernetes > Service > CMDB
  • Kubernetes > Service > Labels
  • Kubernetes > Service > Labels > Template
  • Kubernetes > Service > osquery
  • Kubernetes > Service > osquery > Configuration
  • Kubernetes > Service > osquery > Configuration > Columns
  • Kubernetes > Service > osquery > Configuration > Interval
  • Kubernetes > Service > osquery > Configuration > Name
  • Kubernetes > osquery
  • Kubernetes > osquery > Decorators

Action Types

  • Kubernetes > ConfigMap > Router
  • Kubernetes > Deployment > Router
  • Kubernetes > Namespace > Router
  • Kubernetes > Node > Router
  • Kubernetes > Pod > Router
  • Kubernetes > ReplicaSet > Router
  • Kubernetes > Service > Router

Bug fixes

  • The GCP > IAM > Service Account Key > Active control will no longer attempt to delete a system-managed service account key deemed inactive by the control.

What's new?

  • You can now determine if an IAM access key for a user is latest and deactivate or delete any keys that are not, using Guardrails. To get started, set the AWS > IAM > Access Key > Active > Latest policy.
  • You can now determine if an IAM server certificate is active based on its expiration. To get started, set the AWS > IAM > Server Certificate > Active > Expired policy.

Policy Types

  • AWS > IAM > Access Key > Active > Latest
  • AWS > IAM > Server Certificate > Active > Expired

Enhancements

  • The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple OCI tenants. (#606)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#614)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

Enhancements

  • The project column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple GCP projects. (#564)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#580)
  • Added the version flag to the plugin's Export tool. (#65)****

Bug fixes

  • Fixed the table gcp_cloudfunctions_function to list gen2 cloud functions. (#568) (Thanks @ashutoshmore658 for the contribution!)

Dependencies

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#756)

Bug fixes

  • Fixed the server_properties column in the azure_postgresql_flexible_server table to correctly return data instead of nil. (#754)

Dependencies

Enhancements

  • The account_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Alibaba Cloud accounts. (#406)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#419)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

Bug fixes

  • Updated FDW to 1.11.1 to fix bad Linux Arm build. (#4271)
  • Updated hydrates count in timing verbose mode to use integer formatting(e.g. 119,138). (#4270)

Bug fixes

  • Pipeline execution no longer stalls when concurrency limit is applied and if clause returns false. (#836).
  • Trigger's common attributes (title, description, tags, documentation) allow functions and expresions. (#394).

Bug fixes

  • The GCP > Project > CMDB control would go into an error state if Access Approval API was disabled in GCP. This is now fixed.

Enhancements

  • The context_name column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Kubernetes connections. (#217)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#219)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

v0.138.0 [2024-05-09]

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package for both the Linux and Darwin systems. (#219) (#2180)

Bug fixes

  • Fixed the aws_ebs_snapshot table to correctly return data instead of an empty row. (#2185)

Dependencies

Whats new

  • Added support for connection key columns: (#768)

    A connection key column defines a column whose value maps 1-1 to a Steampipe connection and so can be used to filter connections when executing an aggregator query. These columns are treated as (optional) KeyColumns. This means they are taken into account in the query planning.

  • Added support for verbose timing information. (#4244)

  • Added support for pushing down sort order. (#447)

  • Updated limit pushdown logic to push down the limit if all sort clauses are pushed down. (#458)

  • Added support for WHERE column=val1 OR column=val2 OR column=val3...

  • Migrated from plugin registry from GCP to GHCR. (#4232)

Bug fixes

  • Fixed hang when timing is disabled. (#4237)
  • Added a signal handler for signal 16 to avoid FDW crash. (#457)

Bug fixes

  • Ensured QueryData passed to connection key column value callback is populated with ConnectionManager. (#797)

What's new?

  • Implemented SNS topic to handle critical alarms notifications.
  • Added Product, Vendor Tags to the IAM Role resources created by the TEF stack.
  • Introduced a new SSM parameter to manage the reserved concurrency settings for the osquery worker lambda function.
  • Updated Log Bucket Lifecycle Policies:
    • Increased Retention Period: Extended the retention period of the lifecycle policy for logs in the log bucket with the /processes prefix from 1 day to 2 days.
    • New Policy Addition: Implemented a new lifecycle policy for managing log retention in the log bucket for logs with the /osquery prefix.

What's new?

  • Implemented critical alarms for RDS DB CPU utilization, DB Max Connections and Redis ElastiCache Memory utilization.
  • Added Product, Vendor Tags to the IAM Role resources created by the TED stack.

Bug fixes

  • The Azure > Compute > Virtual Machine Scale Set > Tags control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.

What's new?

  • Revoke ingress rules that are unapproved for use in Network ACLs. To get started, set the AWS > VPC > Network ACL > Ingress Rules > Approved > * policies.

Bug fixes

  • Minor fixes and improvements.

What's new?

  • You can now delete existing Mount Targets which are unapproved for use in the account. To get started, set the AWS > EFS > Mount Target > Approved policy to Enforce: Delete unapproved.

What's new?

  • Create and manage aws_cloudwatch_metric_alarm resources via Guardrails stacks.

Control Types

  • AWS > CloudWatch > Alarm > Configured

Policy Types

  • AWS > CloudWatch > Alarm > Configured
  • AWS > CloudWatch > Alarm > Configured > Claim Precedence
  • AWS > CloudWatch > Alarm > Configured > Source

Bug fixes

  • Added support for aws_securityhub_account Terraform resource.

What's new?

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

Control Types

  • AWS > CIS v3.0
  • AWS > CIS v3.0 > 1 - Identity and Access Management
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v3.0 > 2 - Storage
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v3.0 > 3 - Logging
  • AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v3.0 > 4 - Monitoring
  • AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v3.0 > 5 - Networking
  • AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2

Policy Types

  • AWS > CIS v3.0
  • AWS > CIS v3.0 > 1 - Identity and Access Management
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • AWS > CIS v3.0 > 2 - Storage
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v3.0 > 2 - Storage > Maximum Attestation Duration
  • AWS > CIS v3.0 > 3 - Logging
  • AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > Maximum Attestation Duration
  • AWS > CIS v3.0 > 4 - Monitoring
  • AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v3.0 > 4 - Monitoring > Maximum Attestation Duration
  • AWS > CIS v3.0 > 5 - Networking
  • AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation
  • AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
  • AWS > CIS v3.0 > 5 - Networking > Maximum Attestation Duration
  • AWS > CIS v3.0 > Maximum Attestation Duration

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Resource Types:

    • GCP > DNS > Policy
  • Control Types:

    • GCP > DNS > Policy > Active
    • GCP > DNS > Policy > Approved
    • GCP > DNS > Policy > CMDB
    • GCP > DNS > Policy > Discovery
    • GCP > DNS > Policy > Usage
  • Policy Types:

    • GCP > DNS > Policy > Active
    • GCP > DNS > Policy > Active > Age
    • GCP > DNS > Policy > Active > Last Modified
    • GCP > DNS > Policy > Approved
    • GCP > DNS > Policy > Approved > Custom
    • GCP > DNS > Policy > Approved > Usage
    • GCP > DNS > Policy > CMDB
    • GCP > DNS > Policy > Usage
    • GCP > DNS > Policy > Usage > Limit
  • Action Types:

    • GCP > DNS > Policy > Delete
    • GCP > DNS > Policy > Router

What's new?

Control Types

  • GCP > CIS v2.0
  • GCP > CIS v2.0 > 1 - Identity and Access Management
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
  • GCP > CIS v2.0 > 2 - Logging and Monitoring
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
  • GCP > CIS v2.0 > 3 - Networking
  • GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
  • GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
  • GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
  • GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
  • GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
  • GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
  • GCP > CIS v2.0 > 4 - Virtual Machines
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
  • GCP > CIS v2.0 > 5 - Storage
  • GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
  • GCP > CIS v2.0 > 7 - BigQuery
  • GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
  • GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

Policy Types

  • GCP > CIS v2.0
  • GCP > CIS v2.0 > 1 - Identity and Access Management
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • GCP > CIS v2.0 > 2 - Logging and Monitoring
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > Maximum Attestation Duration
  • GCP > CIS v2.0 > 3 - Networking
  • GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
  • GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
  • GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
  • GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
  • GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
  • GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
  • GCP > CIS v2.0 > 4 - Virtual Machines
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections > Attestation
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation
  • GCP > CIS v2.0 > 4 - Virtual Machines > Maximum Attestation Duration
  • GCP > CIS v2.0 > 5 - Storage
  • GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > Maximum Attestation Duration
  • GCP > CIS v2.0 > 7 - BigQuery
  • GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
  • GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
  • GCP > CIS v2.0 > Maximum Attestation Duration

Bug fixes

  • Minor fixes and improvements.

What's new?

  • Access approval setting details for projects is now be available in Project CMDB.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

Enhancements

  • The subscription_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#740)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the plugin's Postgres FDW Extension crash issue.

Dependencies

Bug fixes

  • Action Type for Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved control did not render correctly on mod inspect. This is now fixed.

Whats new

  • It is now possible to set a timeout for benchmark and dashboard execution. These can be set:
    • In the workspace using properties: dashboard_timeout and benchmark_timeout
    • Using the --dashboard-timeout flag for the dashboard run and server commands
    • Using the --benchmark-timeout flag for the benchmark run commands.
    • Using the environment variables POWERPIPE_DASHBOARD_TIMEOUT and POWERPIPE_BENCHMARK_TIMEOUT respectively. (#336)
  • Support installing private mods using a GitHub app token. (#381).
  • Improve the layout of filter and grouping components for control tags and dimensions. (#263)
  • Remove the dashboard input list and dashboard input show commands.
  • Add thousands separator to numeric values in dashboard tables. (#315)
  • Only show benchmark cards for statuses that are contained in the current filter and add status to filter on card click. (#322)

Bug fixes

  • When calling mod update, respect the argument (if any) and only update specified mods. (#331)
  • Fix mod update display of updates to transitive dependencies. (#288)

All new Pipes workspaces will be running Powerpipe v0.2.0 and existing workspaces will be upgraded by Monday 29th April 2024.

For more information on this Powerpipe release, see the release notes.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Azure > Storage > Storage Account > Data Protection control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.

What's new?

  • You can now removed unapproved Firewall IP Ranges on PostgreSQL servers and flexi servers. To get started, set the Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > * and Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > * policies respectively.
  • You can now stop unapproved flexi servers. To get started, set the Azure > PostgreSQL > Flexible Server > Approved policy to Enforce: Stop unapproved or Enforce: Stop unapproved if new.

Control Types

  • Azure > PostgreSQL > Flexible Server > Firewall
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Server > Firewall
  • Azure > PostgreSQL > Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved

Policy Types

  • Azure > PostgreSQL > Flexible Server > Firewall
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Rules
  • Azure > PostgreSQL > Server > Firewall
  • Azure > PostgreSQL > Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Rules

Action Types

  • Azure > PostgreSQL > Flexible Server > Stop
  • Azure > PostgreSQL > Server > Update Firewall IP Ranges

Bug fixes

  • Fixed control category names for v7.2.10, v7.7.10 and v7.14.1.

What's new?

Control Types

  • Azure > CIS v2.0
  • Azure > CIS v2.0 > 01 - Identity and Access Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
  • Azure > CIS v2.0 > 02 - Microsoft Defender
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
  • Azure > CIS v2.0 > 03 - Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
  • Azure > CIS v2.0 > 04 - Database Services
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • Azure > CIS v2.0 > 06 - Networking
  • Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
  • Azure > CIS v2.0 > 07 - Virtual Machines
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted
  • Azure > CIS v2.0 > 08 - Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
  • Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v2.0 > 09 - Application Services
  • Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
  • Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
  • Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v2.0 > 10 - Miscellaneous
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources

Policy Types

  • Azure > CIS v2.0
  • Azure > CIS v2.0 > 01 - Identity and Access Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration
  • Azure > CIS v2.0 > 02 - Microsoft Defender
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
  • Azure > CIS v2.0 > 02 - Microsoft Defender > Maximum Attestation Duration
  • Azure > CIS v2.0 > 03 - Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
  • Azure > CIS v2.0 > 03 - Storage Accounts > Maximum Attestation Duration
  • Azure > CIS v2.0 > 04 - Database Services
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible > Attestation
  • Azure > CIS v2.0 > 04 - Database Services > Maximum Attestation Duration
  • Azure > CIS v2.0 > 05 - Logging and Monitoring
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > Maximum Attestation Duration
  • Azure > CIS v2.0 > 06 - Networking
  • Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation
  • Azure > CIS v2.0 > 06 - Networking > Maximum Attestation Duration
  • Azure > CIS v2.0 > 07 - Virtual Machines
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > Maximum Attestation Duration
  • Azure > CIS v2.0 > 08 - Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
  • Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation
  • Azure > CIS v2.0 > 08 - Key Vault > Maximum Attestation Duration
  • Azure > CIS v2.0 > 09 - Application Services
  • Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
  • Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
  • Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > Maximum Attestation Duration
  • Azure > CIS v2.0 > 10 - Miscellaneous
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
  • Azure > CIS v2.0 > 10 - Miscellaneous > Maximum Attestation Duration
  • Azure > CIS v2.0 > Maximum Attestation Duration

Bug fixes

  • Param can be used in query step's args attribute. (#830).
  • File watcher now correctly detect changes in the loop block. (#808).
  • Duplicate step names are now detected and reported as an error. (#820).
  • Better error message for invalid notifier reference. (#826).

What's new?

  • Server
    • Implemented monitoring for worker_factory in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog".
    • Established a CloudWatch Alarm for the _worker_factory queue.
    • Product, Vendor Tags to the IAM Role resources created by the TE stack.
    • Adjusted the threshold for the CloudWatch Alarm monitoring the _worker queue.

Bug fixes

  • Server

    • Now, users with only Turbot/User access will no longer see grants or active grants belonging to other users. This ensures that you only view grants that are relevant to your permissions.
    • Control will move to error if it fails to determine the state at precheck.
    • System resilience has been enhanced through extended TTL settings and refined management of suspended processes, aiming to improve stability and reduce backlog issues.
    • Refined management of various processes to improve stability and reduce backlog issues.
  • UI

    • Converted the template_input property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Moved the Turbot > Process Monitor control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks.
  • Updated the Turbot > Workspace > Background Tasks control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.

Bug fixes

  • Minor fixes and improvements.

What's new?

  • You can now configure rotation reminders for access keys and soft delete for blobs and containers in storage accounts. To get started, set the Azure > Storage > Storage Account > Access Keys > Rotation Reminder > * and Azure > Storage > Storage Account > Data Protection > Soft Delete > * policies respectively.

Control Types

  • Azure > Storage > Storage Account > Access Keys
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder
  • Azure > Storage > Storage Account > Data Protection
  • Azure > Storage > Storage Account > Data Protection > Soft Delete

Policy Types

  • Azure > Storage > Storage Account > Access Keys
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
  • Azure > Storage > Storage Account > Data Protection
  • Azure > Storage > Storage Account > Data Protection > Soft Delete
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days

Action Types

  • Azure > Storage > Storage Account > Set Data Protection Soft Delete
  • Azure > Storage > Storage Account > Update Rotation Reminder

What's new?

  • You can now removed unapproved Firewall IP Ranges on SQL servers. To get started, set the Azure > SQL > Server > Firewall > IP Ranges > Approved > * policies.

Control Types

  • Azure > SQL > Server > Firewall
  • Azure > SQL > Server > Firewall > IP Ranges
  • Azure > SQL > Server > Firewall > IP Ranges > Approved

Policy Types

  • Azure > SQL > Server > Firewall
  • Azure > SQL > Server > Firewall > IP Ranges
  • Azure > SQL > Server > Firewall > IP Ranges > Approved
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > Rules

Action Types

  • Azure > SQL > Server > Update Firewall IP Ranges

Enhancements

  • Updated the workspace_dashboard dashboard to include information on the accounts, resources, and active controls across different workspaces. (#31)
  • Updated the workspace_account_report dashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)

Enhancements

  • Optimized several queries to minimize API usage, achieving faster performance. (#786)

Bug fixes

  • The rotationPeriod and nextRotationTime attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.

What's new?

  • You can now configure Encryption in Transit for Flexi Servers. To get started, set the Azure > MySQL > Flexible Server > Encryption in Transit > * policies.
  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
  • Resource's metadata will now also include createdBy details in Turbot CMDB.

Control Types

  • Azure > MySQL > Flexible Server > Encryption in Transit

Policy Types

  • Azure > MySQL > Flexible Server > Encryption in Transit

Action Types

  • Azure > MySQL > Flexible Server > Update Encryption in Transit

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
  • Resource's metadata will now also include createdBy details in Turbot CMDB.

Policy Types

  • Azure > App Service > App Service Plan > Approved > Custom
  • Azure > App Service > Function App > Approved > Custom
  • Azure > App Service > Web App > Approved > Custom

Bug fixes

  • The AWS > VPC > Flow Log > Configured control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.

What's new?

Enhancements

  • The account_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple AWS accounts. (#2133)

Bug fixes

  • Fixed the getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for the unsupported ADConnector services instead of an error. (#2170)

What's new?

  • You can now configure log checkpoints for Flexi Servers. To get started, set the Azure > PostgreSQL > Flexible Server > Audit Logging > * policies.
  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Control Types

  • Azure > PostgreSQL > Flexible Server > Audit Logging

Policy Types

  • Azure > PostgreSQL > Flexible Server > Audit Logging
  • Azure > PostgreSQL > Flexible Server > Audit Logging > Log Checkpoints

Action Types

  • Azure > PostgreSQL > Flexible Server > Update Audit Logging

What's new?

  • You can now configure expiration for Key Vault Keys and Secrets. To get started, set the Azure > Key Vault > Key > Expiration > * and Azure > Key Vault > Secret > Expiration > * policies respectively.

Control Types

  • Azure > Key Vault > Key > Expiration
  • Azure > Key Vault > Secret > Expiration

Policy Types

  • Azure > Key Vault > Key > Expiration
  • Azure > Key Vault > Key > Expiration > Days [Default]
  • Azure > Key Vault > Secret > Expiration
  • Azure > Key Vault > Secret > Expiration > Days [Default]

Action Types

  • Azure > Key Vault > Key > Set Expiration
  • Azure > Key Vault > Secret > Set Expiration

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

  • Added CIS v3.0.0 benchmark (powerpipe benchmark run gcp_compliance.benchmark.cis_v300). (#158)

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

  • The Azure > Storage > Storage Account > Queue > Logging control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.

v0.40.0 [2024-04-12]

What's new?

Bug fixes

  • Fixed the github_workflow table to correctly return data for dynamic workflows instead of an error. (#412)
  • Fixed the plugin's Postgres FDW Extension crash issue.

What's new?

Enhancements

  • Added snapshot_block_public_access_state column to aws_ec2_regional_settings table. (#2077)

Bug fixes

  • Fixed the getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for unsupported SharedMicrosoftAD services instead of an error. (#2156)

What's new?

  • You can now delete existing Public IP Addresses which are unapproved for use in the Subscription. To get started, set the Azure > Network > Public IP Address > Approved policy to Enforce: Delete unapproved.

What's new?

  • Added support for connection key columns. (#768)
  • Added sp_ctx and sp_connection_name columns to all tables. (#769)

What's new?

  • You can now configure Encryption in Transit for Flexi Servers. To get started, set the Azure > PostgresSql > Flexible Server > Encryption in Transit > * policies.

Control Types

  • Azure > PostgreSQL > Flexible Server > Encryption in Transit

Policy Types

  • Azure > PostgreSQL > Flexible Server > Encryption in Transit

Action Types

  • Azure > PostgreSQL > Flexible Server > Update Encryption in Transit

Bug fixes

  • Updated the foundational_security_lambda_2 control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!)
  • Fixed the title of secretsmanager_secret_unused_90_day control. (#783)

What's new?

  • You can now delete existing Entra ID users which are unapproved to be used in the Tenant. To get started, set the Azure > Active Directory > User > Approved policy to Enforce: Delete unapproved.

Policy Types

  • Azure > Active Directory > User > Approved > Custom

What's new?

  • You can now configure TLS version for Flexi Servers. To get started, set the Azure > MySQL > Flexible Server > Minimum TLS Version > * policies.

Enhancements

  • Added the following controls to the All Controls benchmark: (#253)
    • cosmosdb_account_uses_aad_and_rbac
    • iam_user_not_allowed_to_create_tenants
    • securitycenter_image_scan_enabled

Bug fixes

  • Updated the postgres_db_server_allow_access_to_azure_services_disabled query to check if the endIpAddress column is set to 0.0.0.0 instead of 255.255.255.255 as per the CIS documentation. (#253)

What's new?

  • Account CMDB data will now also include alternate security contact details.

What's new?

Control Types

  • AWS > CIS v2.0
  • AWS > CIS v2.0 > 1 - Identity and Access Management
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v2.0 > 2 - Storage
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v2.0 > 3 - Logging
  • AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  • AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs
  • AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v2.0 > 4 - Monitoring
  • AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v2.0 > 5 - Networking
  • AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2

Policy Types

  • AWS > CIS v2.0
  • AWS > CIS v2.0 > 1 - Identity and Access Management
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • AWS > CIS v2.0 > 2 - Storage
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v2.0 > 2 - Storage > Maximum Attestation Duration
  • AWS > CIS v2.0 > 3 - Logging
  • AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  • AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs
  • AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > Maximum Attestation Duration
  • AWS > CIS v2.0 > 4 - Monitoring
  • AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v2.0 > 4 - Monitoring > Maximum Attestation Duration
  • AWS > CIS v2.0 > 5 - Networking
  • AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation
  • AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
  • AWS > CIS v2.0 > 5 - Networking > Maximum Attestation Duration
  • AWS > CIS v2.0 > Maximum Attestation Duration

Enhancements

  • Added support for nested dashboards. (#4208)

Bug fixes

  • Fixed the issue where local plugins were not being loaded. (#4196)
  • Re-added support for 'implicit' local plugins (i.e. the plugin binary exists but there is no entry in the versions.json). (#4223)
  • Fixed the issue where the daily update check message showed a <nil> when there was no message to show. (#4206)

Bug fixes

  • SQL Instances were sometimes not updated/cleaned up correctly via real-time events in Guardrails. This is now fixed.

What's new?

  • You can now manage IMDS defaults for EC2 per region. To get started, set the AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > * policies.

Bug fixes

  • The AWS > EC2 > Instance > Approved control would sometimes fail to stop instances that were discovered in Guardrails via real-time events if the AWS > EC2 > Instance > Approved policy was set to Enforce: Stop unapproved if new. This is now fixed.

Bug fixes

  • Lazy create flowpipe.db. (#808).
  • Respect max_concurrency in pipeline and input steps. (#815).
  • Misleading error message for invalid step dependencies. (#816).
  • HTTP integration address is shown correctly at the beginning of each input step loop. (#818).

What's new?

  • Storage Account CMDB data will now also include details about the account's blob service properties.

What's new?

  • You can now configure connection_throttling parameter for PostgreSQL servers. To get started, set the Azure > PostgreSQL > Server > Audit Logging > Connection Throttling policy.

What's new?

  • TLS version and audit log details will now be available in CMDB for Flexi Servers.

What's new?

  • Users can now disable unapproved Keys in AWS. To get started, set the AWS > KMS > Key > Approved policy to Enforce: Disable unapproved.

What's new?

Enhancements

  • Added support for quota_project config arg to provide users the ability to set the Project ID used for billing and quota. (#556)

Bug fixes

  • Fixed the retry_policy_maximum_backoff and retry_policy_minimum_backoff columns of gcp_pubsub_subscription table to correctly return data. (#552) (Thanks to @mvanholsteijn for the contribution!)

What's new?

Bug fixes

  • Fixed the aws_vpc_eip table to return an Access Denied error instead of an Invalid Memory Address or Nil Pointer Dereference error when a Service Control Policy is applied to an account for a specific region. (#2136)
  • Fixed the aws_s3_bucket terraform script to prevent the AccessControlListNotSupported: The bucket does not allow ACLs error during the PutBucketAcl terraform call. (#2080) (Thanks @pdecat for the contribution!)
  • Fixed an issue where querying regional tables while using AWS profiles with cross-account role credentials results in the correct error being reported instead of zero rows. (#2137)
  • Fixed pagination in the aws_ebs_snapshot table to make fewer API calls when the limit parameter is passed to the query. (#2088)

What's new?

  • New control added:
    • rds_mysql_postresql_db_no_unsupported_version (#174)

Bug fixes

  • Fixed the ecs_cluster_active_service_count query in the AWS ECS Cluster Dashboard to correctly return the count of Cluster Active Services instead of ECS Clusters. (#341) (Thanks @mupi2k for the contribution!)

Bug fixes

  • In v5.15.1, we introduced the policy value Enforce: Enabled but ignore permission errors for the AWS > SNS > Subscription > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug, resulting in the removal of real-time events for Subscription from the SNS EventBridge rule created by the Event Handlers. This issue has now been fixed.

Bug fixes

  • In v5.13.0, we introduced the policy value Enforce: Enabled but ignore permission errors for the AWS > KMS > Key > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug, resulting in the removal of the EventBridge Rule for KMS by the Event Handlers. This issue has now been fixed.

Bug fixes

  • loop block now works in container, function, message and input steps.
  • Use HCL expressions in max_concurrency step argument. (#800).
  • throw, retry and error block now works for input step.

Breaking changes

  • The Foundational Security Best Practices v1.0.0 benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)
    • The foundational_security_elbv2 sub-benchmark have been removed.
    • The following controls are no longer included in the benchmarks:
      • foundational_security_cloudfront_2
      • foundational_security_ec2_22
      • foundational_security_s3_4

Enhancements

  • The Foundational Security Best Practices v1.0.0 benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)
    • The following sub-benchmarks have been added to the foundational_security benchmark:
      • foundational_security_appsync
      • foundational_security_backup
      • foundational_security_eventbridge
      • foundational_security_fsx
      • foundational_security_msk
      • foundational_security_pca
      • foundational_security_route53
      • foundational_security_sfn
    • The following controls have been added to the benchmarks:
      • foundational_security_acm_2
      • foundational_security_appsync_2
      • foundational_security_backup_1
      • foundational_security_cloudfront_13
      • foundational_security_dms_6
      • foundational_security_dms_7
      • foundational_security_dms_8
      • foundational_security_dms_9
      • foundational_security_docdb_3
      • foundational_security_docdb_4
      • foundational_security_docdb_5
      • foundational_security_dms_9
      • foundational_security_dynamodb_6
      • foundational_security_ec2_51
      • foundational_security_ecs_9
      • foundational_security_eks_8
      • foundational_security_elasticbeanstalk_3
      • foundational_security_emr_2
      • foundational_security_eventbridge_3
      • foundational_security_fsx_1
      • foundational_security_msk_1
      • foundational_security_networkfirewall_2
      • foundational_security_networkfirewall_9
      • foundational_security_opensearch_10
      • foundational_security_pca_1
      • foundational_security_rds_34
      • foundational_security_rds_35
      • foundational_security_route53_2
      • foundational_security_s3_19
      • foundational_security_sfn_1
      • foundational_security_waf_12

v0.13.2 of the Terraform Provider for Pipes is now available.

Bug fixes

  • pipes_workspace_datatank_table: Set PartPer setting for datatank table to be nil if nothing is passed in configuration while updating a datatank table. (#23)

Enhancements:

  • resources/pipes_workspace: Add support for passing desired_state, db_volume_size_bytes attribute when creating or updating a workspace. Add missing attribute state_reason.
  • resources/pipes_workspace_pipeline: Add support for passing desired_state attribute when creating or updating a pipeline. Add attributes state and state_reason.
  • resources/pipes_workspace_datatank: Add support for passing desired_state attribute when creating a datatank.
  • resources/pipes_workspace_datatank_table: Add support for passing desired_state attribute when creating a datatank_table.

Bug fixes

  • Fixed the project_license_table, project_other_license_count and project_weak_copyleft_license_count queries to use the latest version of EUP (European Union Public License 1.2). (#13)

Bug fixes

  • Fixed the repository_license_table, repository_other_license_count and repository_weak_copyleft_license_count queries to use the latest version of EUP (European Union Public License 1.2). (#25)

Bug fixes

  • Fixed the CIS controls from cis_v200_2_4 to cis_v200_2_11 to correctly evaluate results when using the aggregator connection of the GCP plugin. (#154)

Bug fixes

  • Input step respects the max_concurrency argument. (#798).
  • Erroneous error message detecting a missing credential where there isn't one.
  • HCL try() function should be evaluated at runtime rather than parse time.
  • Integration and input step URLs should use the provided custom host & port. (#792).
  • Shows filename and line number for invalid step references.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Control Types:

    • AWS > ECR > Repository > Policy
    • AWS > ECR > Repository > Policy > Required
  • Policy Types:

    • AWS > ECR > Repository > Policy
    • AWS > ECR > Repository > Policy > Required
    • AWS > ECR > Repository > Policy > Required > Items
  • Action Types:

    • AWS > ECR > Repository > Update Repository policy

Bug fixes

  • When exporting or displaying a benchmark run result as a snapshot, ensure the top level panel has a valid summary. (#274)
  • Update mod list output to include resource_name and mod fields.

Bug fixes

  • Server
    • Account import will be smoother and more consistent than before.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account.
  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

What's new?

  • Added CIS v2.1.0 benchmark (powerpipe benchmark run azure_compliance.benchmark.cis_v210). (#250)

Whats new

  • Optimize workspace load time for large workspaces with multiple dependent mods. (#365)

All new Pipes workspaces will be running Powerpipe v0.4.1 and existing workspaces will be upgraded by Monday 29th July 2024.

For more information on this Powerpipe release, see the release notes.

All new Pipes workspaces will be running Steampipe v0.22.1 and existing workspaces will be upgraded by Monday 18th March 2024.

For more information on this Steampipe release, see the release notes.

All new Pipes workspaces will be running Powerpipe v0.1.2 and existing workspaces will be upgraded by Monday 18th March 2024.

For more information on this Powerpipe release, see the release notes.

Bug fixes

  • The AWS > VPC > VPC > Stack control failed to claim security group rules correctly if the protocol for such rules was set to All or TCP in the stack's source policy. This issue has been fixed, and the control will now claim such rules correctly.

Bug fixes

  • We have updated various policy definitions set during account imports to allow for a smoother account import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.

What's new?

Enhancements

  • Added auto_minor_version_upgrade column to aws_rds_db_cluster table. (#2109)
  • Added open_zfs_configuration column to aws_fsx_file_system table. (#2113)
  • Added logging_configuration column to aws_networkfirewall_firewall table. (#2115)
  • Added lf_tags column to aws_glue_catalog_table table. (#2128)

Bug fixes

  • Fixed the query in the aws_s3_bucket table doc to correctly filter out buckets without the application tag. (#2093)
  • Fixed the aws_cloudtrail_lookup_event input param to pass correctly end_time as an optional qual. (#2102)
  • Fixed the arn column of the aws_elastic_beanstalk_environment table to correctly return data instead of null. (#2105)
  • Fixed the template_body_json column of the aws_cloudformation_stack table to correctly return data by adding a new transform function formatJsonBody, replacing the UnmarshalYAML transform function. (#1959)
  • Fixed the next_execution_time column of aws_ssm_maintenance_window table to be of String datatype instead of TIMESTAMP. (#2116)
  • Renamed the client_log_options column to connection_log_options in aws_ec2_client_vpn_endpoint table to correctly return data instead of null. (#2122)

Whats new

  • Improved startup performance with high plugin count - parallelize plugin startup. (#4183)
  • Added database SSL password support for encrypted private key in order to handle your own certificates. (#4149)

Bug fixes

  • Fixed issue where plugin list cannot re-create top-level versions.json file if the file has been corrupted or empty. (#4191)

Notice

  • Scripts must use the permanent installation script at https://steampipe.io/install/steampipe.sh.
  • The script above is automatically updated when the script moves location.
  • install.sh has been moved from the top level folder to the scripts folder.
  • Scripts directly referencing the raw GitHub location must be updated.

Notice

Steampipe will no longer officially publish or support a Dockerfile or container images.

Steampipe can be run in a containerized setup. We run it ourselves that way as part of Turbot Pipes. But, we've decided to cease publishing an supporting a container definition because:

  • The CLI is optimized for developer use on the command line.
  • Everyone has specific goals and requirements for their containers.
  • Container setup requires various mounts and access to configuration files.
  • It's hard to support containers across many different environments.

We welcome users to create and share your own open-source container definitions for Steampipe!

What's new?

Bug fixes

  • Function step output attribute should be called response not result. (#789).
  • Pipeline execution should not fail when a string argument is passed with double quotes. (#791).

Bug fixes

  • UI
    • Fixed the AWS login dropdown button to accurately display both existing and new grants.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Unsupported US Gov cloud regions were inadvertently included in the AWS > SageMaker > Code Repository > Regions policy, which led to the AWS > SageMaker > Code Repository > Discovery control being in an error state for those regions. We've now removed the unsupported US Gov cloud regions from the Regions policy.

What's new?

  • Policy Types:
    • AWS > SageMaker > Notebook Instance > Approved > Custom

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

Bug fixes

  • Multiselect Inputs with preselected Options now correctly pre-populate in Slack.
  • Change detection in throw and output block in pipeline steps works correctly with ternary operators and will not trigger mod reload for white space changes.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
  • In the previous version, we fixed an issue with the AWS > VPC > VPC > Stack control that prevented it from recognizing security group rules with the port range set to 0 correctly. However, the control still failed to claim existing security group rules available in Guardrails CMDB, due to an inadvertent bug introduced in v5.9.2. This issue has now been fixed, and the control will correctly claim existing security group rules.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

Bug fixes

  • Previously, Guardrails unnecessarily listened to and processed real-time lists events for various storage resources. We've now improved our events filter to ignore these lists events, thereby reducing unnecessary processing.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
  • The AWS > EC2 > Snapshot > Active and AWS > EC2 > Snapshot > Approved controls will now not attempt to delete a snapshot if it has one or more AMIs attached to it.
  • In the previous version, although we fixed a bug to prevent upserting volumes and snapshots with incorrect AKAs, there was still a provision for instances to be upserted with incorrect AKAs. We have now addressed this issue as well, ensuring instances are upserted more correctly and consistently than before.
  • The deprecated ec2-reports:* permissions are now removed from the mod.

Bug fixes

  • Multi-select option in input step now works. (#776).
  • Input step white space changes will not trigger mod reload. (#297).

Bug fixes

  • Fix CLI available version check. (#250)
  • Notify when mod install creates a default mod. (#246)
  • Remove newline from end of mod install output. (#247)
  • Fix issue where asff output was always missing the first row. (#249)

v0.13.1 of the Terraform Provider for Pipes is now available.

Bug fixes

  • Ensure tags are passed during creation of resource pipes_workspace_pipeline and are only updated when a valid value is present in the Terraform configuration.

All new Pipes workspaces will be running Steampipe v0.22.0 and existing workspaces will be upgraded by Monday 11th March 2024.

For more information on this Steampipe release, see the release post or release notes.

Dashboards in Turbot Pipes are now powered by Powerpipe, allowing you to filter, group and share custom views of your cloud benchmarks.

All new Pipes workspaces will be running Powerpipe v0.1.0 and existing workspaces will be upgraded by Monday 11th March 2024.

For more information on the launch of Powerpipe, see the launch post or release notes.

Bug fixes

  • Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account.
  • In the previous version, we believed we had resolved an issue with Internet Gateways not being upserted into the CMDB while processing real-time CreateDefaultVpc events. However, we overlooked an edge case in the fix. We have now addressed this issue, ensuring that Internet Gateways will be reliably discovered and upserted into the Guardrails CMDB. We recommend updating the aws-vpc-core mod to version 5.17.1 or higher to enable Guardrails to correctly process real-time CreateDefaultVpc events for Internet Gateways.
  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

We're thrilled to announce the release of 52 new Powerpipe mods, featuring pre-built dashboards and benchmarks for cloud inventory & insights, security & compliance, cost management and shift-left scanning. These include the 43 Steampipe mods to visualize AWS, Azure, GCP, GitHub, Terraform and more using Steampipe as the database. And 9 new, ready-to-use Powerpipe mods providing easy to learn examples to visualize data in Postgres, SQLite, DuckDB, and MySQL!

A full list of mods can be found in the Powerpipe Hub.

For more information on how you can get started incorporating these mods into your own custom dashboards and benchmarks, please see Introducing Powerpipe - Composable Mods.

Introducing Powerpipe - Dashboards for DevOps.

Benchmarks - 5,000+ open-source controls from CIS, NIST, PCI, HIPAA, FedRamp and more. Run instantly on your machine or as part of your deployment pipeline.

Relationship Diagrams - The only dashboarding tool designed from the ground up to visualize DevOps data. Explore your cloud,understand relationships and drill down to the details.

Dashboards & Reports - High level dashboards provide a quick management view. Reports highlight misconfigurations and attention areas. Filter, pivot and snapshot results.

Code, not clicks - Our dashboards are code. Version controlled, composable, shareable, easy to edit - designed for the way you work. Join our open-source community!

Learn more at:

Bug fixes

  • The AWS > VPC > VPC > Stack control would sometimes go into an error state after creating security group rules with port range set to 0. This occurred because the control failed to recognize the existing rule in Guardrails CMDB and attempted to create a new rule instead. This issue has been fixed, and the stack control will now work correctly as expected.
  • The AWS > VPC > Security Group > CMDB control would sometimes go into an error state for security groups shared from other AWS accounts. We will now exclude shared security groups and only upsert security groups that belong to the owner account.

What's new?

  • You can now also manage the IAM Permissions model for Guardrails Users via the AWS > Turbot > IAM > Managed control. The AWS > Turbot > IAM > Managed control is faster and more efficient than the existing AWS > Turbot > IAM control because it utilizes Native AWS APIs rather than Terraform to manage IAM resources. Please note that this feature will work as intended only on TE v5.42.19 or higher and turbot-iam mod v5.11.0 or higher.

  • Control Types

    • AWS > Turbot > IAM > Group
    • AWS > Turbot > IAM > Group > Managed
    • AWS > Turbot > IAM > Managed
    • AWS > Turbot > IAM > Policy
    • AWS > Turbot > IAM > Policy > Managed
    • AWS > Turbot > IAM > Role
    • AWS > Turbot > IAM > Role > Managed
    • AWS > Turbot > IAM > User
    • AWS > Turbot > IAM > User > Managed
  • Policy Types

    • AWS > Turbot > IAM > Managed
  • Policy Types Renamed

    • AWS > IAM > Turbot to AWS > Turbot > IAM
  • Action Types

    • AWS > Account > Provision Managed Resources
    • AWS > IAM > Group > Detach and delete
    • AWS > IAM > Group > IAM Group Managed
    • AWS > IAM > Policy > Detach and delete
    • AWS > IAM > Role > IAM Role Managed
    • AWS > IAM > User > IAM User Managed

Bug fixes

The AWS > IAM > Group > CMDB, AWS > IAM > Role > CMDB, and AWS > IAM > User > CMDB controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.

Steampipe unbundled, introducing Powerpipe

Powerpipe is now the recommended way to run dashboards and benchmarks!

Mods still work as normal in Steampipe for now, but they are deprecated and will be removed in a future release:

Whats new

  • Added version column to steampipe_plugin table. (#4141)
  • Direct all errors and warnings to standard error (stderr). (4162)

Bug fixes

  • Fixed the issue where search_path_prefix set in database options does not alter the search path. (#4160)
  • Fix issue where asff output was always missing the first row. (#4157)

Deprecations and migrations

  • Steampipe mods and dashboards are now separately available in Powerpipe, a new open-source project. The steampipe mod, check and dashboard commands have been deprecated and will be removed in a future version. Migration guide.
  • Deprecated cloud-host and cloud-token CLI args, and replaced them with pipes-host and pipes-token respectively. (#4137)
  • Deprecated STEAMPIPE_CLOUD_HOST and STEAMPIPE_CLOUD_TOKEN env vars, replaced with PIPES_HOST and PIPES_TOKEN respectively. (#4137)
  • Deprecated cloud_host and cloud_token workspace args, replaced with pipes_host and pipes_token respectively. (#4137)
  • Removed support for deprecated terminal options. (#3751)
  • Removed support for deprecated max_parallel property in general options. (#4132)
  • Removed support for deprecated connection options. (#4131)
  • Removed deprecated version property from the mod require block. (#3750)

What's new?

  • Workflow - message step for easy notifications. Documentation.
  • Workflow - input step for buttons, text and other data. Documentation.
  • Workflow - simple, reusable integration and notifier configuration for HTTP, Slack and Email. Documentation
  • Import Steampipe connections as Flowpipe credentials. Documentation.
  • Manage concurrency of pipelines and steps.
  • New credential types: alicloud and mastodon.
  • Shorter hash for HTTP triggers for simpler URLs.
  • DuckDB support in query step & trigger.
  • Step metadata, like started_at and finished_at added under a flowpipe attribute.
  • Moved flowpipe.db into the mod-level .flowpipe directory.
  • connection_string in query step and trigger renamed to database.

Deprecation

Bug fixes

  • log_level workspace setting is now respected (#618).
  • Default listen flag should be network, not localhost (#694)
  • Trigger attributes are now validated (#225).
  • Pipeline output attributes are now validated (#239).
  • Pipeline param default value data type is now validated against the specified type (#262).
  • Removed titles when merging multiple error messages (#263).
  • Runtime resolution of pipeline reference and credentials are now working correctly. (#732).
  • Scheduled triggers are now re-scheduled when mod files have changed.
  • File watcher reliability improvements.

Bug fixes

  • Updated metadata param type in create_ticket pipeline to be consistent with similar param types.

Bug fixes

  • Fixed secret param type in create_secret pipeline.

Bug fixes

  • Fixed broken links to credential import docs in various sample READMEs.

What's new?

  • Added the following new sample mods: (#108)
    • add_s3_bucket_cost_center_tags
    • aws_iam_access_key_events_notifier_with_multiple_pipelines
    • aws_iam_access_key_events_notifier_with_single_pipeline
    • deactivate_expired_aws_iam_access_keys_using_queries
    • deactivate_expired_aws_iam_access_keys_with_approval
    • notify_new_aws_iam_access_keys

Enhancements

  • Updated all AWS, Azure, PagerDuty, Slack, Zendesk library mod dependency versions in several sample mods. (#108)

Bug fixes

  • Server

    • Updated the tier for the SSM parameter /tenant/${workspaceFullId} to Advanced.
    • Delete operations for resources is now faster and more efficient than before.
    • Auto mod update control for mods will now look only for recommended versions instead of available and recommended.
    • Fixed policy value resolution to default to the value of resolvedSchema if not available in the schema.
  • UI

    • Fixed a table typo in the Steampipe query used in the resources developer tab.
    • Display the AWS login button when setting permissions via the AWS > Turbot > IAM > Managed control.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The default value for Turbot > IAM > Permissions > Compiled > Levels > Turbot policy will now be evaluated correctly and consistently.

Bug fixes

  • SSM Parameters with incorrect names would sometimes be inadvertently upserted in Guardrails CMDB. This issue has now been fixed.

What's new?

  • The AWS > S3 > Bucket CMDB data will now also include information about Bucket Intelligent Tiering Configuration.

  • A few policy values in the AWS > S3 > Bucket > Encyprion at Rest policy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS.

    | Deprecated Values
    |- | Check: None
    | Check: None or higher
    | Enforce: None
    | Enforce: None or higher

Bug fixes

  • Removed duplicate ticket_id param from update_ticket_comment pipeline.

Bug fixes

  • Fixed invalid type for license param in create_user pipeline. (#6)

Bug fixes

  • Fixed mismatched types for generate_ssh_keys param in various Compute VM test pipelines.

Bug fixes

  • Previously, Guardrails did not upsert Internet Gateways into the CMDB while processing real-time CreateDefaultVpc events. This issue has been fixed, and Internet Gateways will now be more reliably upserted into the Guardrails CMDB. We recommend updating the aws-vpc-core mod to v5.17.1 or higher to allow Guardrails to process the CreateDefaultVpc event for Internet Gateways correctly.

Bug fixes

  • Previously, Guardrails did not upsert DHCP Options into the CMDB while processing real-time CreateDefaultVpc events. This issue has been fixed, and DHCP Options will now be more reliably upserted into the Guardrails CMDB.

Enhancements

  • Updated the regex pattern of slack_api_token to also detect the Slack bot tokens. (#73)
  • Updated the regex pattern of AWS access_key_id to include key resources like AWS SSO credentials. (#74)

Bug fixes

  • Previously, Guardrails unnecessarily listened to and processed real-time lists events for various Dataproc resources. We've now improved our events filter to ignore these lists events, thereby reducing unnecessary processing.

Bug fixes

  • The GCP > Turbot > Event Handlers > Pub/Sub stack control previously attempted to create a topic and its IAM member incorrectly when the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity policy was set to Enforce: Unique Identity, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.

Bug fixes

  • Fixed the type mismatch of the input parameter in the get_channel_history pipeline. (#20)

What's new?

  • Control Types:

    • GCP > Pub/Sub > Topic > Labels
  • Policy Types:

    • GCP > Pub/Sub > Topic > Labels
    • GCP > Pub/Sub > Topic > Labels > Template
  • Action Types

    • GCP > Pub/Sub > Topic > Set Labels

Bug fixes

  • In a previous version (v5.6.2), we introduced a change in the AWS > S3 > Bucket > Encryption in Transit and AWS > S3 > Bucket > Encryption at Rest control to wait for a few minutes before applying the respective policies to new buckets created via Cloudformation Stacks. We've now extended this feature to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcements.

What's new?

  • Added support for Advanced Tier for SSM Parameters.
  • Increased the visibility timeout from 60 seconds to 7200 seconds and decreased the message retention period to 7 days for runnable DLQ.

What's new?

  • Added: Support for Postgres versions 14.9, 14.10, 15.4 and 15.5.
  • Added: Support for Redis 7.1.
  • Added: m6gd.medium to instance type parameter for RDS.
  • Added: Support for Advanced Tier for SSM Parameters.
  • Removed: t4.micro and t4.small from instance type parameter for RDS.

Note

To use the latest RDS certificate in commercial cloud, please upgrade TE to 5.42.3 or higher and update the RDS CA Certificate for Commercial Cloud parameter.

Bug fixes

  • Server

    • Added: Support for AWS Custom Group Levels.
    • Updated: The DLQ lambda timeout has been updated to 2 minutes instead of 1 minute.
    • Updated: The Events DLQ visibility timeout has been increased from 15 minutes to 4 hours.
    • Updated: The Events DLQ MessageRetentionPeriod has been decreased from 14 days to 7 days.
  • UI

    • Added: Action button to run immediate policy value.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Added support for group permission levels.

What's new?

  • Control Types:

    • GCP > Firebase > Android App > ServiceNow
    • GCP > Firebase > Android App > ServiceNow > Configuration Item
    • GCP > Firebase > Android App > ServiceNow > Table
    • GCP > Firebase > Firebase Project > ServiceNow
    • GCP > Firebase > Firebase Project > ServiceNow > Configuration Item
    • GCP > Firebase > Firebase Project > ServiceNow > Table
    • GCP > Firebase > Web App > ServiceNow
    • GCP > Firebase > Web App > ServiceNow > Configuration Item
    • GCP > Firebase > Web App > ServiceNow > Table
    • GCP > Firebase > iOS App > ServiceNow
    • GCP > Firebase > iOS App > ServiceNow > Configuration Item
    • GCP > Firebase > iOS App > ServiceNow > Table
  • Policy Types:

    • GCP > Firebase > Android App > ServiceNow
    • GCP > Firebase > Android App > ServiceNow > Configuration Item
    • GCP > Firebase > Android App > ServiceNow > Configuration Item > Record
    • GCP > Firebase > Android App > ServiceNow > Configuration Item > Table Definition
    • GCP > Firebase > Android App > ServiceNow > Table
    • GCP > Firebase > Android App > ServiceNow > Table > Definition
    • GCP > Firebase > Firebase Project > ServiceNow
    • GCP > Firebase > Firebase Project > ServiceNow > Configuration Item
    • GCP > Firebase > Firebase Project > ServiceNow > Configuration Item > Record
    • GCP > Firebase > Firebase Project > ServiceNow > Configuration Item > Table Definition
    • GCP > Firebase > Firebase Project > ServiceNow > Table
    • GCP > Firebase > Firebase Project > ServiceNow > Table > Definition
    • GCP > Firebase > Web App > ServiceNow
    • GCP > Firebase > Web App > ServiceNow > Configuration Item
    • GCP > Firebase > Web App > ServiceNow > Configuration Item > Record
    • GCP > Firebase > Web App > ServiceNow > Configuration Item > Table Definition
    • GCP > Firebase > Web App > ServiceNow > Table
    • GCP > Firebase > Web App > ServiceNow > Table > Definition
    • GCP > Firebase > iOS App > ServiceNow
    • GCP > Firebase > iOS App > ServiceNow > Configuration Item
    • GCP > Firebase > iOS App > ServiceNow > Configuration Item > Record
    • GCP > Firebase > iOS App > ServiceNow > Configuration Item > Table Definition
    • GCP > Firebase > iOS App > ServiceNow > Table
    • GCP > Firebase > iOS App > ServiceNow > Table > Definition

What's new?

  • The AWS > Secrets Manager > Secret > CMDB control would go into an error state if Guardrails did not have permissions to describe a secret. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > Secrets Manager > Secret > CMDB policy to Enforce: Enabled but ignore permission errors.

What's new?

  • You can now attach custom IAM Groups to Guardrails users if the AWS > Turbot > Permissions policy is set to Enforce: User Mode. To get started, set the AWS > Turbot > Permissions > Custom Group Levels [Account] policy and then attach the custom group to a user via the Grant Permission button on the Permissions page. Please note that this feature will work as intended only on TE v5.42.18 or higher and turbot-iam mod v5.11.0 or higher.

  • Policy Types:

    • AWS > Turbot > Permissions > Custom Group Levels [Account]
  • Policy Types renamed:

    • AWS > Turbot > Permissions > Custom Levels [Account] to AWS > Turbot > Permissions > Custom Role Levels [Account]
    • AWS > Turbot > Permissions > Custom Levels [Folder] to AWS > Turbot > Permissions > Custom Role Levels [Folder]

Bug fixes

  • Fixed the plugin to return nil instead of an error when API credentials are not set in the *.spc file. (#14)
  • Fixed the default data type of the dynamic columns to be of the String type instead of JSON. (#16)

Bug fixes

  • Fixed the hierarchy in the benchmark list by properly integrating Cloud Functions benchmark into all_controls benchmark. (#146)

What's new?

  • Removed support for Memoized functions to be directly assigned as column hydrate functions. Instead, require a wrapper hydrate function. (#756) (#738)

Bug fixes

  • If cache is disabled for the server, but enabled for the client, the query execution code tries to stream to the cache even though there is no active set operation. (#740)

What's new?

  • Control Types:

    • GCP > Network > Address > ServiceNow
    • GCP > Network > Address > ServiceNow > Configuration Item
    • GCP > Network > Address > ServiceNow > Table
    • GCP > Network > Backend Bucket > ServiceNow
    • GCP > Network > Backend Bucket > ServiceNow > Configuration Item
    • GCP > Network > Backend Bucket > ServiceNow > Table
    • GCP > Network > Backend Service > ServiceNow
    • GCP > Network > Backend Service > ServiceNow > Configuration Item
    • GCP > Network > Backend Service > ServiceNow > Table
    • GCP > Network > Firewall > ServiceNow
    • GCP > Network > Firewall > ServiceNow > Configuration Item
    • GCP > Network > Firewall > ServiceNow > Table
    • GCP > Network > Forwarding Rule > ServiceNow
    • GCP > Network > Forwarding Rule > ServiceNow > Configuration Item
    • GCP > Network > Forwarding Rule > ServiceNow > Table
    • GCP > Network > Global Address > ServiceNow
    • GCP > Network > Global Address > ServiceNow > Configuration Item
    • GCP > Network > Global Address > ServiceNow > Table
    • GCP > Network > Global Forwarding Rule > ServiceNow
    • GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item
    • GCP > Network > Global Forwarding Rule > ServiceNow > Table
    • GCP > Network > Interconnect > ServiceNow
    • GCP > Network > Interconnect > ServiceNow > Configuration Item
    • GCP > Network > Interconnect > ServiceNow > Table
    • GCP > Network > Packet Mirroring > ServiceNow
    • GCP > Network > Packet Mirroring > ServiceNow > Configuration Item
    • GCP > Network > Packet Mirroring > ServiceNow > Table
    • GCP > Network > Region Backend Service > ServiceNow
    • GCP > Network > Region Backend Service > ServiceNow > Configuration Item
    • GCP > Network > Region Backend Service > ServiceNow > Table
    • GCP > Network > Region SSL Certificate > ServiceNow
    • GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item
    • GCP > Network > Region SSL Certificate > ServiceNow > Table
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table
    • GCP > Network > Region URL Map > ServiceNow
    • GCP > Network > Region URL Map > ServiceNow > Configuration Item
    • GCP > Network > Region URL Map > ServiceNow > Table
    • GCP > Network > Route > ServiceNow
    • GCP > Network > Route > ServiceNow > Configuration Item
    • GCP > Network > Route > ServiceNow > Table
    • GCP > Network > Router > ServiceNow
    • GCP > Network > Router > ServiceNow > Configuration Item
    • GCP > Network > Router > ServiceNow > Table
    • GCP > Network > SSL Certificate > ServiceNow
    • GCP > Network > SSL Certificate > ServiceNow > Configuration Item
    • GCP > Network > SSL Certificate > ServiceNow > Table
    • GCP > Network > SSL Policy > ServiceNow
    • GCP > Network > SSL Policy > ServiceNow > Configuration Item
    • GCP > Network > SSL Policy > ServiceNow > Table
    • GCP > Network > Target HTTPS Proxy > ServiceNow
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Table
    • GCP > Network > Target Pool > ServiceNow
    • GCP > Network > Target Pool > ServiceNow > Configuration Item
    • GCP > Network > Target Pool > ServiceNow > Table
    • GCP > Network > Target SSL Proxy > ServiceNow
    • GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target SSL Proxy > ServiceNow > Table
    • GCP > Network > Target TCP Proxy > ServiceNow
    • GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target TCP Proxy > ServiceNow > Table
    • GCP > Network > Target VPN Gateway > ServiceNow
    • GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item
    • GCP > Network > Target VPN Gateway > ServiceNow > Table
    • GCP > Network > URL Map > ServiceNow
    • GCP > Network > URL Map > ServiceNow > Configuration Item
    • GCP > Network > URL Map > ServiceNow > Table
    • GCP > Network > VPN Tunnel > ServiceNow
    • GCP > Network > VPN Tunnel > ServiceNow > Configuration Item
    • GCP > Network > VPN Tunnel > ServiceNow > Table
  • Policy Types:

    • GCP > Network > Address > ServiceNow
    • GCP > Network > Address > ServiceNow > Configuration Item
    • GCP > Network > Address > ServiceNow > Configuration Item > Record
    • GCP > Network > Address > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Address > ServiceNow > Table
    • GCP > Network > Address > ServiceNow > Table > Definition
    • GCP > Network > Backend Bucket > ServiceNow
    • GCP > Network > Backend Bucket > ServiceNow > Configuration Item
    • GCP > Network > Backend Bucket > ServiceNow > Configuration Item > Record
    • GCP > Network > Backend Bucket > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Backend Bucket > ServiceNow > Table
    • GCP > Network > Backend Bucket > ServiceNow > Table > Definition
    • GCP > Network > Backend Service > ServiceNow
    • GCP > Network > Backend Service > ServiceNow > Configuration Item
    • GCP > Network > Backend Service > ServiceNow > Configuration Item > Record
    • GCP > Network > Backend Service > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Backend Service > ServiceNow > Table
    • GCP > Network > Backend Service > ServiceNow > Table > Definition
    • GCP > Network > Firewall > ServiceNow
    • GCP > Network > Firewall > ServiceNow > Configuration Item
    • GCP > Network > Firewall > ServiceNow > Configuration Item > Record
    • GCP > Network > Firewall > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Firewall > ServiceNow > Table
    • GCP > Network > Firewall > ServiceNow > Table > Definition
    • GCP > Network > Forwarding Rule > ServiceNow
    • GCP > Network > Forwarding Rule > ServiceNow > Configuration Item
    • GCP > Network > Forwarding Rule > ServiceNow > Configuration Item > Record
    • GCP > Network > Forwarding Rule > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Forwarding Rule > ServiceNow > Table
    • GCP > Network > Forwarding Rule > ServiceNow > Table > Definition
    • GCP > Network > Global Address > ServiceNow
    • GCP > Network > Global Address > ServiceNow > Configuration Item
    • GCP > Network > Global Address > ServiceNow > Configuration Item > Record
    • GCP > Network > Global Address > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Global Address > ServiceNow > Table
    • GCP > Network > Global Address > ServiceNow > Table > Definition
    • GCP > Network > Global Forwarding Rule > ServiceNow
    • GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item
    • GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item > Record
    • GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Global Forwarding Rule > ServiceNow > Table
    • GCP > Network > Global Forwarding Rule > ServiceNow > Table > Definition
    • GCP > Network > Interconnect > ServiceNow
    • GCP > Network > Interconnect > ServiceNow > Configuration Item
    • GCP > Network > Interconnect > ServiceNow > Configuration Item > Record
    • GCP > Network > Interconnect > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Interconnect > ServiceNow > Table
    • GCP > Network > Interconnect > ServiceNow > Table > Definition
    • GCP > Network > Packet Mirroring > ServiceNow
    • GCP > Network > Packet Mirroring > ServiceNow > Configuration Item
    • GCP > Network > Packet Mirroring > ServiceNow > Configuration Item > Record
    • GCP > Network > Packet Mirroring > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Packet Mirroring > ServiceNow > Table
    • GCP > Network > Packet Mirroring > ServiceNow > Table > Definition
    • GCP > Network > Region Backend Service > ServiceNow
    • GCP > Network > Region Backend Service > ServiceNow > Configuration Item
    • GCP > Network > Region Backend Service > ServiceNow > Configuration Item > Record
    • GCP > Network > Region Backend Service > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Region Backend Service > ServiceNow > Table
    • GCP > Network > Region Backend Service > ServiceNow > Table > Definition
    • GCP > Network > Region SSL Certificate > ServiceNow
    • GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item
    • GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item > Record
    • GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Region SSL Certificate > ServiceNow > Table
    • GCP > Network > Region SSL Certificate > ServiceNow > Table > Definition
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item > Record
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table > Definition
    • GCP > Network > Region URL Map > ServiceNow
    • GCP > Network > Region URL Map > ServiceNow > Configuration Item
    • GCP > Network > Region URL Map > ServiceNow > Configuration Item > Record
    • GCP > Network > Region URL Map > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Region URL Map > ServiceNow > Table
    • GCP > Network > Region URL Map > ServiceNow > Table > Definition
    • GCP > Network > Route > ServiceNow
    • GCP > Network > Route > ServiceNow > Configuration Item
    • GCP > Network > Route > ServiceNow > Configuration Item > Record
    • GCP > Network > Route > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Route > ServiceNow > Table
    • GCP > Network > Route > ServiceNow > Table > Definition
    • GCP > Network > Router > ServiceNow
    • GCP > Network > Router > ServiceNow > Configuration Item
    • GCP > Network > Router > ServiceNow > Configuration Item > Record
    • GCP > Network > Router > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Router > ServiceNow > Table
    • GCP > Network > Router > ServiceNow > Table > Definition
    • GCP > Network > SSL Certificate > ServiceNow
    • GCP > Network > SSL Certificate > ServiceNow > Configuration Item
    • GCP > Network > SSL Certificate > ServiceNow > Configuration Item > Record
    • GCP > Network > SSL Certificate > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > SSL Certificate > ServiceNow > Table
    • GCP > Network > SSL Certificate > ServiceNow > Table > Definition
    • GCP > Network > SSL Policy > ServiceNow
    • GCP > Network > SSL Policy > ServiceNow > Configuration Item
    • GCP > Network > SSL Policy > ServiceNow > Configuration Item > Record
    • GCP > Network > SSL Policy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > SSL Policy > ServiceNow > Table
    • GCP > Network > SSL Policy > ServiceNow > Table > Definition
    • GCP > Network > Target HTTPS Proxy > ServiceNow
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item > Record
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Table
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Table > Definition
    • GCP > Network > Target Pool > ServiceNow
    • GCP > Network > Target Pool > ServiceNow > Configuration Item
    • GCP > Network > Target Pool > ServiceNow > Configuration Item > Record
    • GCP > Network > Target Pool > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target Pool > ServiceNow > Table
    • GCP > Network > Target Pool > ServiceNow > Table > Definition
    • GCP > Network > Target SSL Proxy > ServiceNow
    • GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item > Record
    • GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target SSL Proxy > ServiceNow > Table
    • GCP > Network > Target SSL Proxy > ServiceNow > Table > Definition
    • GCP > Network > Target TCP Proxy > ServiceNow
    • GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item > Record
    • GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target TCP Proxy > ServiceNow > Table
    • GCP > Network > Target TCP Proxy > ServiceNow > Table > Definition
    • GCP > Network > Target VPN Gateway > ServiceNow
    • GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item
    • GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item > Record
    • GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target VPN Gateway > ServiceNow > Table
    • GCP > Network > Target VPN Gateway > ServiceNow > Table > Definition
    • GCP > Network > URL Map > ServiceNow
    • GCP > Network > URL Map > ServiceNow > Configuration Item
    • GCP > Network > URL Map > ServiceNow > Configuration Item > Record
    • GCP > Network > URL Map > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > URL Map > ServiceNow > Table
    • GCP > Network > URL Map > ServiceNow > Table > Definition
    • GCP > Network > VPN Tunnel > ServiceNow
    • GCP > Network > VPN Tunnel > ServiceNow > Configuration Item
    • GCP > Network > VPN Tunnel > ServiceNow > Configuration Item > Record
    • GCP > Network > VPN Tunnel > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > VPN Tunnel > ServiceNow > Table
    • GCP > Network > VPN Tunnel > ServiceNow > Table > Definition

Bug fixes

  • Fixed growing memory usage following file watching events when running dashboard server. (#4150)

Bug fixes

  • The AWS > VPC > VPC > Stack control would sometimes fail to claim existing Flow Logs in Guardrails CMDB. This is now fixed.

Dependencies

  • GCP plugin v0.49.0 or higher is now required. (#143)

Enhancements

  • Added 5 new controls to the All Controls benchmark across the following services: (#143)
    • App Engine
    • Cloud Run
    • Kubernetes

What's new?

  • Control Types:

    • GCP > IAM > Project Role > ServiceNow
    • GCP > IAM > Project Role > ServiceNow > Configuration Item
    • GCP > IAM > Project Role > ServiceNow > Table
    • GCP > IAM > Project User > ServiceNow
    • GCP > IAM > Project User > ServiceNow > Configuration Item
    • GCP > IAM > Project User > ServiceNow > Table
    • GCP > IAM > Service Account > ServiceNow
    • GCP > IAM > Service Account > ServiceNow > Configuration Item
    • GCP > IAM > Service Account > ServiceNow > Table
    • GCP > IAM > Service Account Key > ServiceNow
    • GCP > IAM > Service Account Key > ServiceNow > Configuration Item
    • GCP > IAM > Service Account Key > ServiceNow > Table
    • GCP > Project > Policy > ServiceNow
    • GCP > Project > Policy > ServiceNow > Configuration Item
    • GCP > Project > Policy > ServiceNow > Table
  • Policy Types:

    • GCP > IAM > Project Role > ServiceNow
    • GCP > IAM > Project Role > ServiceNow > Configuration Item
    • GCP > IAM > Project Role > ServiceNow > Configuration Item > Record
    • GCP > IAM > Project Role > ServiceNow > Configuration Item > Table Definition
    • GCP > IAM > Project Role > ServiceNow > Table
    • GCP > IAM > Project Role > ServiceNow > Table > Definition
    • GCP > IAM > Project User > ServiceNow
    • GCP > IAM > Project User > ServiceNow > Configuration Item
    • GCP > IAM > Project User > ServiceNow > Configuration Item > Record
    • GCP > IAM > Project User > ServiceNow > Configuration Item > Table Definition
    • GCP > IAM > Project User > ServiceNow > Table
    • GCP > IAM > Project User > ServiceNow > Table > Definition
    • GCP > IAM > Service Account > ServiceNow
    • GCP > IAM > Service Account > ServiceNow > Configuration Item
    • GCP > IAM > Service Account > ServiceNow > Configuration Item > Record
    • GCP > IAM > Service Account > ServiceNow > Configuration Item > Table Definition
    • GCP > IAM > Service Account > ServiceNow > Table
    • GCP > IAM > Service Account > ServiceNow > Table > Definition
    • GCP > IAM > Service Account Key > ServiceNow
    • GCP > IAM > Service Account Key > ServiceNow > Configuration Item
    • GCP > IAM > Service Account Key > ServiceNow > Configuration Item > Record
    • GCP > IAM > Service Account Key > ServiceNow > Configuration Item > Table Definition
    • GCP > IAM > Service Account Key > ServiceNow > Table
    • GCP > IAM > Service Account Key > ServiceNow > Table > Definition
    • GCP > Project > Policy > ServiceNow
    • GCP > Project > Policy > ServiceNow > Configuration Item
    • GCP > Project > Policy > ServiceNow > Configuration Item > Record
    • GCP > Project > Policy > ServiceNow > Configuration Item > Table Definition
    • GCP > Project > Policy > ServiceNow > Table
    • GCP > Project > Policy > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Functions > Function > ServiceNow
    • GCP > Functions > Function > ServiceNow > Configuration Item
    • GCP > Functions > Function > ServiceNow > Table
  • Policy Types:

    • GCP > Functions > Function > ServiceNow
    • GCP > Functions > Function > ServiceNow > Configuration Item
    • GCP > Functions > Function > ServiceNow > Configuration Item > Record
    • GCP > Functions > Function > ServiceNow > Configuration Item > Table Definition
    • GCP > Functions > Function > ServiceNow > Table
    • GCP > Functions > Function > ServiceNow > Table > Definition

Bug fixes

  • The AWS > SNS > Subscription > CMDB control would go into an error state if Guardrails did not have permissions to describe a s