Changelog

Subscribe to all changelog posts via RSS or follow #changelog on our Slack community to stay updated on everything we ship.

What's new?

  • Added the following new pipeline:
    • delete_dynamodb_table

What's new?

  • Added Detect and Correct pipeline for DynamoDB tables with stale data. (#34)

Enhancements

  • Added runtime variable support for control lambda_function_use_latest_runtime. (#791)

Bug fixes

  • Fixed the ecr_repository_image_scan_on_push_enabled query to use the correct common dimensions. (#793)

What's new?

Enhancements

  • The login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Github connections. (#422)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#219)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the plugin support for Github OAuth Access token to work correctly. (#432)

Dependencies

Bug fixes

  • Updated Postgres FDW to v1.11.2 to remove unnecessary NOTICE level log messages. (#469)

What's new?

  • Added NIST SP 800-171 Revision 2 benchmark (powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2). (#264)

Integrate your developer, team or custom tenant with GitHub, enabling you to install custom Powerpipe mods from public or private repositories. Push changes for instant deploys and live updates.

For more information, see the launch post or check out the docs.

Bug fixes

  • Guardrails failed to discover system storage containers (e.g. $logs) for storage accounts. This is now fixed.

Bug fixes

  • Added support for processing enable and disable real-time events for the BigQuery Data Transfer API via the Service Usage APIs.

5.0.0 (2024-05-15)

What's new?

Resource Types

  • GCP > BigQuery Data Transfer
  • GCP > BigQuery Data Transfer > Transfer Config

Control Types

  • GCP > BigQuery Data Transfer > API Enabled
  • GCP > BigQuery Data Transfer > CMDB
  • GCP > BigQuery Data Transfer > Discovery
  • GCP > BigQuery Data Transfer > Transfer Config > Active
  • GCP > BigQuery Data Transfer > Transfer Config > Approved
  • GCP > BigQuery Data Transfer > Transfer Config > CMDB
  • GCP > BigQuery Data Transfer > Transfer Config > Discovery
  • GCP > BigQuery Data Transfer > Transfer Config > Usage

Policy Types

  • GCP > BigQuery Data Transfer > API Enabled
  • GCP > BigQuery Data Transfer > Approved Regions [Default]
  • GCP > BigQuery Data Transfer > CMDB
  • GCP > BigQuery Data Transfer > Enabled
  • GCP > BigQuery Data Transfer > Permissions
  • GCP > BigQuery Data Transfer > Permissions > Levels
  • GCP > BigQuery Data Transfer > Permissions > Levels > Modifiers
  • GCP > BigQuery Data Transfer > Regions
  • GCP > BigQuery Data Transfer > Transfer Config > Active
  • GCP > BigQuery Data Transfer > Transfer Config > Active > Age
  • GCP > BigQuery Data Transfer > Transfer Config > Active > Last Modified
  • GCP > BigQuery Data Transfer > Transfer Config > Approved
  • GCP > BigQuery Data Transfer > Transfer Config > Approved > Custom
  • GCP > BigQuery Data Transfer > Transfer Config > Approved > Usage
  • GCP > BigQuery Data Transfer > Transfer Config > CMDB
  • GCP > BigQuery Data Transfer > Transfer Config > Regions
  • GCP > BigQuery Data Transfer > Transfer Config > Usage
  • GCP > BigQuery Data Transfer > Transfer Config > Usage > Limit
  • GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer
  • GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-bigquerydatatransfer
  • GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-bigquerydatatransfer

Action Types

  • GCP > BigQuery Data Transfer > Set API Enabled
  • GCP > BigQuery Data Transfer > Transfer Config > Delete
  • GCP > BigQuery Data Transfer > Transfer Config > Router

Bug fixes

  • Load locals in order of dependency. (#399)

What's new?

  • Added support for installing mods from a branch or from the local file system. (#285)

    To install from a branch:

    powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected#main

    To reference a mod in the local file system:

    powerpipe mod install ../mods/local_mod_folder
  • Added --pull flag to mod, dashboard and benchmark commands to control the mod update strategy. (#352) Possible update strategies are:

    • full - check branch and tags for both latest and accuracy
    • latest - update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)
    • development - update branches and broken constraints to latest, leave satisfied constraints unchanged
    • minimal - only update broken constraints, do not check branches for new commits

Bug fixes

  • Fixed control category titles to use osquery instead of Osquery.

Bug fixes

  • Kubernetes > Node resources will no longer include the conditions.lastHeartbeatTime or resource_version properties to avoid unnecessary notifications in the activity tab.

What's new?

Resource Types

  • AWS > EventBridge Scheduler

Policy Types

  • AWS > EventBridge Scheduler > API Enabled
  • AWS > EventBridge Scheduler > Approved Regions [Default]
  • AWS > EventBridge Scheduler > Enabled
  • AWS > EventBridge Scheduler > Permissions
  • AWS > EventBridge Scheduler > Permissions > Levels
  • AWS > EventBridge Scheduler > Permissions > Levels > Modifiers
  • AWS > EventBridge Scheduler > Permissions > Lockdown
  • AWS > EventBridge Scheduler > Permissions > Lockdown > API Boundary
  • AWS > EventBridge Scheduler > Regions
  • AWS > EventBridge Scheduler > Tags Template [Default]
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgescheduler
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgescheduler
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgescheduler

What's new?

Resource Types

  • AWS > EventBridge Pipes

Policy Types

  • AWS > EventBridge Pipes > API Enabled
  • AWS > EventBridge Pipes > Approved Regions [Default]
  • AWS > EventBridge Pipes > Enabled
  • AWS > EventBridge Pipes > Permissions
  • AWS > EventBridge Pipes > Permissions > Levels
  • AWS > EventBridge Pipes > Permissions > Levels > Modifiers
  • AWS > EventBridge Pipes > Permissions > Lockdown
  • AWS > EventBridge Pipes > Permissions > Lockdown > API Boundary
  • AWS > EventBridge Pipes > Regions
  • AWS > EventBridge Pipes > Tags Template [Default]
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgepipes
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgepipes
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgepipes

Enhancements

  • The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Microsoft 365 subscriptions. (#50)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#55)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#50)

Enhancements

  • The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#175)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#180)
  • Added support for China cloud endpoint and scope based on the environment. (#174)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#175)

What's new?

  • Added 30 new 'detect and correct' pipelines to identify unused and underutilized AWS resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see AWS Thrifty Mod.

What's new?

  • Server

    • Added a new GraphQL resolver for osquery to generate an enrollSecret.
    • Added new REST APIs for osquery management, which includes:
      • api/latest/osquery/enroll
      • api/latest/osquery/config
      • api/latest/osquery/logger
    • Introduced a dedicated worker, along with SQS FIFO queue and SNS topic FIFO, to run osquery operations.
    • Implemented a new serviceNowCredential resolver specifically for Kubernetes clusters.
    • Upgraded our SDK (@turbot/sdk) to version 5.15.0 and our fn toolkit (@turbot/fn) to version 5.22.0, to support FIFO queues.
  • UI

    • Added support for connecting to Kubernetes, facilitating easier integration and management.
    • Added report for AWS CIS v2.0.
    • Added report for AWS CIS v3.0.
    • Added report for Azure CIS v2.0.
    • Added report for GCP CIS v2.0.

Requirements

  • TEF: 1.58.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

Control Types

  • Kubernetes > Cluster > ServiceNow
  • Kubernetes > Cluster > ServiceNow > Configuration Item
  • Kubernetes > Cluster > ServiceNow > Table
  • Kubernetes > ConfigMap > ServiceNow
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item
  • Kubernetes > ConfigMap > ServiceNow > Table
  • Kubernetes > Deployment > ServiceNow
  • Kubernetes > Deployment > ServiceNow > Configuration Item
  • Kubernetes > Deployment > ServiceNow > Table
  • Kubernetes > Namespace > ServiceNow
  • Kubernetes > Namespace > ServiceNow > Configuration Item
  • Kubernetes > Namespace > ServiceNow > Table
  • Kubernetes > Node > ServiceNow
  • Kubernetes > Node > ServiceNow > Configuration Item
  • Kubernetes > Node > ServiceNow > Table
  • Kubernetes > Pod > ServiceNow
  • Kubernetes > Pod > ServiceNow > Configuration Item
  • Kubernetes > Pod > ServiceNow > Table
  • Kubernetes > ReplicaSet > ServiceNow
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item
  • Kubernetes > ReplicaSet > ServiceNow > Table
  • Kubernetes > Service > ServiceNow
  • Kubernetes > Service > ServiceNow > Configuration Item
  • Kubernetes > Service > ServiceNow > Table
  • ServiceNow > Turbot > Watches > Kubernetes

Policy Types

  • Kubernetes > Cluster > ServiceNow
  • Kubernetes > Cluster > ServiceNow > Configuration Item
  • Kubernetes > Cluster > ServiceNow > Configuration Item > Record
  • Kubernetes > Cluster > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Cluster > ServiceNow > Table
  • Kubernetes > Cluster > ServiceNow > Table > Definition
  • Kubernetes > ConfigMap > ServiceNow
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item > Record
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > ConfigMap > ServiceNow > Table
  • Kubernetes > ConfigMap > ServiceNow > Table > Definition
  • Kubernetes > Deployment > ServiceNow
  • Kubernetes > Deployment > ServiceNow > Configuration Item
  • Kubernetes > Deployment > ServiceNow > Configuration Item > Record
  • Kubernetes > Deployment > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Deployment > ServiceNow > Table
  • Kubernetes > Deployment > ServiceNow > Table > Definition
  • Kubernetes > Namespace > ServiceNow
  • Kubernetes > Namespace > ServiceNow > Configuration Item
  • Kubernetes > Namespace > ServiceNow > Configuration Item > Record
  • Kubernetes > Namespace > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Namespace > ServiceNow > Table
  • Kubernetes > Namespace > ServiceNow > Table > Definition
  • Kubernetes > Node > ServiceNow
  • Kubernetes > Node > ServiceNow > Configuration Item
  • Kubernetes > Node > ServiceNow > Configuration Item > Record
  • Kubernetes > Node > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Node > ServiceNow > Table
  • Kubernetes > Node > ServiceNow > Table > Definition
  • Kubernetes > Pod > ServiceNow
  • Kubernetes > Pod > ServiceNow > Configuration Item
  • Kubernetes > Pod > ServiceNow > Configuration Item > Record
  • Kubernetes > Pod > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Pod > ServiceNow > Table
  • Kubernetes > Pod > ServiceNow > Table > Definition
  • Kubernetes > ReplicaSet > ServiceNow
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Record
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > ReplicaSet > ServiceNow > Table
  • Kubernetes > ReplicaSet > ServiceNow > Table > Definition
  • Kubernetes > Service > ServiceNow
  • Kubernetes > Service > ServiceNow > Configuration Item
  • Kubernetes > Service > ServiceNow > Configuration Item > Record
  • Kubernetes > Service > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Service > ServiceNow > Table
  • Kubernetes > Service > ServiceNow > Table > Definition
  • ServiceNow > Turbot > Watches > Kubernetes

Action Types

  • ServiceNow > Turbot > Watches > Kubernetes Archive And Delete Record

What's new?

Resource Types

  • osquery

Control Types

  • Turbot > Workspace > osquery
  • Turbot > Workspace > osquery > Secret Rotation

Policy Types

  • Turbot > Workspace > osquery
  • Turbot > Workspace > osquery > Enroll Secret Expiration
  • Turbot > Workspace > osquery > Secrets
  • Turbot > Workspace > osquery > Secrets > Expiration Period
  • Turbot > Workspace > osquery > Secrets > Rotation
  • osquery > Configuration

Action Types

  • Turbot > Rotate osquery Secret
  • osquery > Event Handler

What's new?

Resource Types

  • Kubernetes
  • Kubernetes > Cluster
  • Kubernetes > ConfigMap
  • Kubernetes > Deployment
  • Kubernetes > Namespace
  • Kubernetes > Node
  • Kubernetes > Pod
  • Kubernetes > ReplicaSet
  • Kubernetes > Service

Control Types

  • Kubernetes > Cluster > CMDB
  • Kubernetes > ConfigMap > Annotations
  • Kubernetes > ConfigMap > Approved
  • Kubernetes > ConfigMap > CMDB
  • Kubernetes > ConfigMap > Labels
  • Kubernetes > ConfigMap > Query
  • Kubernetes > Deployment > Annotations
  • Kubernetes > Deployment > Approved
  • Kubernetes > Deployment > CMDB
  • Kubernetes > Deployment > Labels
  • Kubernetes > Deployment > Query
  • Kubernetes > Namespace > Annotations
  • Kubernetes > Namespace > Approved
  • Kubernetes > Namespace > CMDB
  • Kubernetes > Namespace > Labels
  • Kubernetes > Namespace > Query
  • Kubernetes > Node > Annotations
  • Kubernetes > Node > Approved
  • Kubernetes > Node > CMDB
  • Kubernetes > Node > Labels
  • Kubernetes > Node > Query
  • Kubernetes > Pod > Annotations
  • Kubernetes > Pod > Approved
  • Kubernetes > Pod > CMDB
  • Kubernetes > Pod > Labels
  • Kubernetes > Pod > Query
  • Kubernetes > ReplicaSet > Annotations
  • Kubernetes > ReplicaSet > Approved
  • Kubernetes > ReplicaSet > CMDB
  • Kubernetes > ReplicaSet > Labels
  • Kubernetes > ReplicaSet > Query
  • Kubernetes > Service > Annotations
  • Kubernetes > Service > Approved
  • Kubernetes > Service > CMDB
  • Kubernetes > Service > Labels
  • Kubernetes > Service > Query

Policy Types

  • Kubernetes > Cluster > CMDB
  • Kubernetes > ConfigMap > Annotations
  • Kubernetes > ConfigMap > Annotations > Template
  • Kubernetes > ConfigMap > Approved
  • Kubernetes > ConfigMap > Approved > Custom
  • Kubernetes > ConfigMap > CMDB
  • Kubernetes > ConfigMap > Labels
  • Kubernetes > ConfigMap > Labels > Template
  • Kubernetes > ConfigMap > osquery
  • Kubernetes > ConfigMap > osquery > Configuration
  • Kubernetes > ConfigMap > osquery > Configuration > Columns
  • Kubernetes > ConfigMap > osquery > Configuration > Interval
  • Kubernetes > ConfigMap > osquery > Configuration > Name
  • Kubernetes > Deployment > Annotations
  • Kubernetes > Deployment > Annotations > Template
  • Kubernetes > Deployment > Approved
  • Kubernetes > Deployment > Approved > Custom
  • Kubernetes > Deployment > CMDB
  • Kubernetes > Deployment > Labels
  • Kubernetes > Deployment > Labels > Template
  • Kubernetes > Deployment > osquery
  • Kubernetes > Deployment > osquery > Configuration
  • Kubernetes > Deployment > osquery > Configuration > Columns
  • Kubernetes > Deployment > osquery > Configuration > Interval
  • Kubernetes > Deployment > osquery > Configuration > Name
  • Kubernetes > Namespace > Annotations
  • Kubernetes > Namespace > Annotations > Template
  • Kubernetes > Namespace > Approved
  • Kubernetes > Namespace > Approved > Custom
  • Kubernetes > Namespace > CMDB
  • Kubernetes > Namespace > Labels
  • Kubernetes > Namespace > Labels > Template
  • Kubernetes > Namespace > osquery
  • Kubernetes > Namespace > osquery > Configuration
  • Kubernetes > Namespace > osquery > Configuration > Columns
  • Kubernetes > Namespace > osquery > Configuration > Interval
  • Kubernetes > Namespace > osquery > Configuration > Name
  • Kubernetes > Node > Annotations
  • Kubernetes > Node > Annotations > Template
  • Kubernetes > Node > Approved
  • Kubernetes > Node > Approved > Custom
  • Kubernetes > Node > CMDB
  • Kubernetes > Node > Labels
  • Kubernetes > Node > Labels > Template
  • Kubernetes > Node > osquery
  • Kubernetes > Node > osquery > Configuration
  • Kubernetes > Node > osquery > Configuration > Columns
  • Kubernetes > Node > osquery > Configuration > Interval
  • Kubernetes > Node > osquery > Configuration > Name
  • Kubernetes > Pod > Annotations
  • Kubernetes > Pod > Annotations > Template
  • Kubernetes > Pod > Approved
  • Kubernetes > Pod > Approved > Custom
  • Kubernetes > Pod > CMDB
  • Kubernetes > Pod > Labels
  • Kubernetes > Pod > Labels > Template
  • Kubernetes > Pod > osquery
  • Kubernetes > Pod > osquery > Configuration
  • Kubernetes > Pod > osquery > Configuration > Columns
  • Kubernetes > Pod > osquery > Configuration > Interval
  • Kubernetes > Pod > osquery > Configuration > Name
  • Kubernetes > ReplicaSet > Annotations
  • Kubernetes > ReplicaSet > Annotations > Template
  • Kubernetes > ReplicaSet > Approved
  • Kubernetes > ReplicaSet > Approved > Custom
  • Kubernetes > ReplicaSet > CMDB
  • Kubernetes > ReplicaSet > Labels
  • Kubernetes > ReplicaSet > Labels > Template
  • Kubernetes > ReplicaSet > osquery
  • Kubernetes > ReplicaSet > osquery > Configuration
  • Kubernetes > ReplicaSet > osquery > Configuration > Columns
  • Kubernetes > ReplicaSet > osquery > Configuration > Interval
  • Kubernetes > ReplicaSet > osquery > Configuration > Name
  • Kubernetes > Service > Annotations
  • Kubernetes > Service > Annotations > Template
  • Kubernetes > Service > Approved
  • Kubernetes > Service > Approved > Custom
  • Kubernetes > Service > CMDB
  • Kubernetes > Service > Labels
  • Kubernetes > Service > Labels > Template
  • Kubernetes > Service > osquery
  • Kubernetes > Service > osquery > Configuration
  • Kubernetes > Service > osquery > Configuration > Columns
  • Kubernetes > Service > osquery > Configuration > Interval
  • Kubernetes > Service > osquery > Configuration > Name
  • Kubernetes > osquery
  • Kubernetes > osquery > Decorators

Action Types

  • Kubernetes > ConfigMap > Router
  • Kubernetes > Deployment > Router
  • Kubernetes > Namespace > Router
  • Kubernetes > Node > Router
  • Kubernetes > Pod > Router
  • Kubernetes > ReplicaSet > Router
  • Kubernetes > Service > Router

Bug fixes

  • The GCP > IAM > Service Account Key > Active control will no longer attempt to delete a system-managed service account key deemed inactive by the control.

What's new?

  • You can now determine if an IAM access key for a user is the latest one and deactivate or delete any keys that are not, using Guardrails. To get started, set the AWS > IAM > Access Key > Active > Latest policy.
  • You can now determine if an IAM server certificate is active based on its expiration. To get started, set the AWS > IAM > Server Certificate > Active > Expired policy.

Policy Types

  • AWS > IAM > Access Key > Active > Latest
  • AWS > IAM > Server Certificate > Active > Expired

Enhancements

  • The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple OCI tenants. (#606)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#614)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

Enhancements

  • The project column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple GCP projects. (#564)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#580)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the table gcp_cloudfunctions_function to list gen2 cloud functions. (#568) (Thanks @ashutoshmore658 for the contribution!)

Dependencies

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#756)

Bug fixes

  • Fixed the server_properties column in the azure_postgresql_flexible_server table to correctly return data instead of nil. (#754)

Dependencies

Enhancements

  • The account_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Alibaba Cloud accounts. (#406)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#419)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

Bug fixes

  • Updated FDW to 1.11.1 to fix a bad Linux ARM build. (#4271)
  • Updated the hydrate count in verbose timing mode to use integer formatting (e.g. 119,138). (#4270)

Bug fixes

  • Pipeline execution no longer stalls when a concurrency limit is applied and the if clause returns false. (#836)
  • Trigger common attributes (title, description, tags, documentation) now allow functions and expressions. (#394)

Bug fixes

  • The GCP > Project > CMDB control would go into an error state if Access Approval API was disabled in GCP. This is now fixed.

Enhancements

  • The context_name column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Kubernetes connections. (#217)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#219)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

v0.138.0 [2024-05-09]

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package for both the Linux and Darwin systems. (#219) (#2180)

Bug fixes

  • Fixed the aws_ebs_snapshot table to correctly return data instead of an empty row. (#2185)

Dependencies

What's new?

  • Added support for connection key columns: (#768)

    A connection key column defines a column whose value maps 1-1 to a Steampipe connection and so can be used to filter connections when executing an aggregator query. These columns are treated as (optional) KeyColumns. This means they are taken into account in the query planning.

  • Added support for verbose timing information. (#4244)

  • Added support for pushing down sort order. (#447)

  • Updated limit pushdown logic to push down the limit if all sort clauses are pushed down. (#458)

  • Added support for WHERE column=val1 OR column=val2 OR column=val3...

  • Migrated the plugin registry from GCP to GHCR. (#4232)

Bug fixes

  • Fixed hang when timing is disabled. (#4237)
  • Added a signal handler for signal 16 to avoid FDW crash. (#457)

Bug fixes

  • Ensured QueryData passed to connection key column value callback is populated with ConnectionManager. (#797)

What's new?

  • Implemented SNS topic to handle critical alarms notifications.
  • Added Product, Vendor Tags to the IAM Role resources created by the TEF stack.
  • Introduced a new SSM parameter to manage the reserved concurrency settings for the osquery worker lambda function.
  • Updated Log Bucket Lifecycle Policies:
    • Increased Retention Period: Extended the retention period of the lifecycle policy for logs in the log bucket with the /processes prefix from 1 day to 2 days.
    • New Policy Addition: Implemented a new lifecycle policy for managing log retention in the log bucket for logs with the /osquery prefix.

What's new?

  • Implemented critical alarms for RDS DB CPU utilization, DB Max Connections and Redis ElastiCache Memory utilization.
  • Added Product, Vendor Tags to the IAM Role resources created by the TED stack.

Bug fixes

  • The Azure > Compute > Virtual Machine Scale Set > Tags control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.

What's new?

  • Revoke ingress rules that are unapproved for use in Network ACLs. To get started, set the AWS > VPC > Network ACL > Ingress Rules > Approved > * policies.

Bug fixes

  • Minor fixes and improvements.

What's new?

  • You can now delete existing Mount Targets which are unapproved for use in the account. To get started, set the AWS > EFS > Mount Target > Approved policy to Enforce: Delete unapproved.

What's new?

  • Create and manage aws_cloudwatch_metric_alarm resources via Guardrails stacks.

Control Types

  • AWS > CloudWatch > Alarm > Configured

Policy Types

  • AWS > CloudWatch > Alarm > Configured
  • AWS > CloudWatch > Alarm > Configured > Claim Precedence
  • AWS > CloudWatch > Alarm > Configured > Source

Bug fixes

  • Added support for aws_securityhub_account Terraform resource.

What's new?

  • Resource metadata will now also include createdBy details in the Turbot CMDB.

What's new?

Control Types

  • AWS > CIS v3.0
  • AWS > CIS v3.0 > 1 - Identity and Access Management
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v3.0 > 2 - Storage
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v3.0 > 3 - Logging
  • AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v3.0 > 4 - Monitoring
  • AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v3.0 > 5 - Networking
  • AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2

Policy Types

  • AWS > CIS v3.0
  • AWS > CIS v3.0 > 1 - Identity and Access Management
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • AWS > CIS v3.0 > 2 - Storage
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v3.0 > 2 - Storage > Maximum Attestation Duration
  • AWS > CIS v3.0 > 3 - Logging
  • AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > Maximum Attestation Duration
  • AWS > CIS v3.0 > 4 - Monitoring
  • AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v3.0 > 4 - Monitoring > Maximum Attestation Duration
  • AWS > CIS v3.0 > 5 - Networking
  • AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation
  • AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
  • AWS > CIS v3.0 > 5 - Networking > Maximum Attestation Duration
  • AWS > CIS v3.0 > Maximum Attestation Duration

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Resource Types:
    • GCP > DNS > Policy
  • Control Types:
    • GCP > DNS > Policy > Active
    • GCP > DNS > Policy > Approved
    • GCP > DNS > Policy > CMDB
    • GCP > DNS > Policy > Discovery
    • GCP > DNS > Policy > Usage
  • Policy Types:
    • GCP > DNS > Policy > Active
    • GCP > DNS > Policy > Active > Age
    • GCP > DNS > Policy > Active > Last Modified
    • GCP > DNS > Policy > Approved
    • GCP > DNS > Policy > Approved > Custom
    • GCP > DNS > Policy > Approved > Usage
    • GCP > DNS > Policy > CMDB
    • GCP > DNS > Policy > Usage
    • GCP > DNS > Policy > Usage > Limit
  • Action Types:
    • GCP > DNS > Policy > Delete
    • GCP > DNS > Policy > Router

What's new?

Control Types

  • GCP > CIS v2.0
  • GCP > CIS v2.0 > 1 - Identity and Access Management
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
  • GCP > CIS v2.0 > 2 - Logging and Monitoring
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
  • GCP > CIS v2.0 > 3 - Networking
  • GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
  • GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
  • GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
  • GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
  • GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
  • GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
  • GCP > CIS v2.0 > 4 - Virtual Machines
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
  • GCP > CIS v2.0 > 5 - Storage
  • GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
  • GCP > CIS v2.0 > 7 - BigQuery
  • GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
  • GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

Policy Types

  • GCP > CIS v2.0
  • GCP > CIS v2.0 > 1 - Identity and Access Management
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • GCP > CIS v2.0 > 2 - Logging and Monitoring
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > Maximum Attestation Duration
  • GCP > CIS v2.0 > 3 - Networking
  • GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
  • GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
  • GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
  • GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
  • GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
  • GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
  • GCP > CIS v2.0 > 4 - Virtual Machines
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections > Attestation
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation
  • GCP > CIS v2.0 > 4 - Virtual Machines > Maximum Attestation Duration
  • GCP > CIS v2.0 > 5 - Storage
  • GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > Maximum Attestation Duration
  • GCP > CIS v2.0 > 7 - BigQuery
  • GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
  • GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
  • GCP > CIS v2.0 > Maximum Attestation Duration

Bug fixes

  • Minor fixes and improvements.

What's new?

  • Access approval setting details for projects are now available in Project CMDB.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

Enhancements

  • The subscription_id column has now been assigned as a connection key column across all the tables, which facilitates more precise and efficient querying across multiple Azure subscriptions. (#740)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the plugin's Postgres FDW Extension crash issue.

Dependencies

Bug fixes

  • Action Type for Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved control did not render correctly on mod inspect. This is now fixed.

What's new?

  • It is now possible to set a timeout for benchmark and dashboard execution. These can be set:
    • In the workspace using properties: dashboard_timeout and benchmark_timeout
    • Using the --dashboard-timeout flag for the dashboard run and server commands
    • Using the --benchmark-timeout flag for the benchmark run commands.
    • Using the environment variables POWERPIPE_DASHBOARD_TIMEOUT and POWERPIPE_BENCHMARK_TIMEOUT respectively. (#336)
  • Support installing private mods using a GitHub app token. (#381)
  • Improve the layout of filter and grouping components for control tags and dimensions. (#263)
  • Remove the dashboard input list and dashboard input show commands.
  • Add thousands separator to numeric values in dashboard tables. (#315)
  • Only show benchmark cards for statuses that are contained in the current filter and add status to filter on card click. (#322)

Bug fixes

  • When calling mod update, respect the argument (if any) and only update specified mods. (#331)
  • Fix mod update display of updates to transitive dependencies. (#288)

All new Pipes workspaces will be running Powerpipe v0.2.0 and existing workspaces will be upgraded by Monday 29th April 2024.

For more information on this Powerpipe release, see the release notes.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • The Azure > Storage > Storage Account > Data Protection control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.

What's new?

  • You can now remove unapproved firewall IP ranges on PostgreSQL servers and flexible servers. To get started, set the Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > * and Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > * policies respectively.
  • You can now stop unapproved flexible servers. To get started, set the Azure > PostgreSQL > Flexible Server > Approved policy to Enforce: Stop unapproved or Enforce: Stop unapproved if new.

Control Types

  • Azure > PostgreSQL > Flexible Server > Firewall
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Server > Firewall
  • Azure > PostgreSQL > Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved

Policy Types

  • Azure > PostgreSQL > Flexible Server > Firewall
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Rules
  • Azure > PostgreSQL > Server > Firewall
  • Azure > PostgreSQL > Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Rules

Action Types

  • Azure > PostgreSQL > Flexible Server > Stop
  • Azure > PostgreSQL > Server > Update Firewall IP Ranges

Bug fixes

  • Fixed control category names for v7.2.10, v7.7.10 and v7.14.1.

What's new?

Control Types

  • Azure > CIS v2.0
  • Azure > CIS v2.0 > 01 - Identity and Access Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
  • Azure > CIS v2.0 > 02 - Microsoft Defender
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
  • Azure > CIS v2.0 > 03 - Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
  • Azure > CIS v2.0 > 04 - Database Services
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • Azure > CIS v2.0 > 06 - Networking
  • Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
  • Azure > CIS v2.0 > 07 - Virtual Machines
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted
  • Azure > CIS v2.0 > 08 - Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
  • Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v2.0 > 09 - Application Services
  • Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
  • Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
  • Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v2.0 > 10 - Miscellaneous
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources

Policy Types

  • Azure > CIS v2.0
  • Azure > CIS v2.0 > 01 - Identity and Access Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration
  • Azure > CIS v2.0 > 02 - Microsoft Defender
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
  • Azure > CIS v2.0 > 02 - Microsoft Defender > Maximum Attestation Duration
  • Azure > CIS v2.0 > 03 - Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
  • Azure > CIS v2.0 > 03 - Storage Accounts > Maximum Attestation Duration
  • Azure > CIS v2.0 > 04 - Database Services
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible > Attestation
  • Azure > CIS v2.0 > 04 - Database Services > Maximum Attestation Duration
  • Azure > CIS v2.0 > 05 - Logging and Monitoring
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > Maximum Attestation Duration
  • Azure > CIS v2.0 > 06 - Networking
  • Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation
  • Azure > CIS v2.0 > 06 - Networking > Maximum Attestation Duration
  • Azure > CIS v2.0 > 07 - Virtual Machines
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > Maximum Attestation Duration
  • Azure > CIS v2.0 > 08 - Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
  • Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation
  • Azure > CIS v2.0 > 08 - Key Vault > Maximum Attestation Duration
  • Azure > CIS v2.0 > 09 - Application Services
  • Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
  • Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
  • Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > Maximum Attestation Duration
  • Azure > CIS v2.0 > 10 - Miscellaneous
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
  • Azure > CIS v2.0 > 10 - Miscellaneous > Maximum Attestation Duration
  • Azure > CIS v2.0 > Maximum Attestation Duration

Bug fixes

  • Params can now be used in a query step's args attribute. (#830)
  • The file watcher now correctly detects changes in the loop block. (#808)
  • Duplicate step names are now detected and reported as an error. (#820)
  • Better error message for an invalid notifier reference. (#826)

What's new?

  • Server
    • Implemented monitoring for worker_factory in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog".
    • Established a CloudWatch Alarm for the _worker_factory queue.
    • Added Product and Vendor tags to the IAM Role resources created by the TE stack.
    • Adjusted the threshold for the CloudWatch Alarm monitoring the _worker queue.

Bug fixes

  • Server

    • Now, users with only Turbot/User access will no longer see grants or active grants belonging to other users. This ensures that you only view grants that are relevant to your permissions.
    • Control will move to error if it fails to determine the state at precheck.
    • System resilience has been enhanced through extended TTL settings and refined management of suspended processes, aiming to improve stability and reduce backlog issues.
    • Refined management of various processes to improve stability and reduce backlog issues.
  • UI

    • Converted the template_input property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Moved the Turbot > Process Monitor control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks.
  • Updated the Turbot > Workspace > Background Tasks control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.

Bug fixes

  • Minor fixes and improvements.

What's new?

  • You can now configure rotation reminders for access keys and soft delete for blobs and containers in storage accounts. To get started, set the Azure > Storage > Storage Account > Access Keys > Rotation Reminder > * and Azure > Storage > Storage Account > Data Protection > Soft Delete > * policies respectively.

Control Types

  • Azure > Storage > Storage Account > Access Keys
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder
  • Azure > Storage > Storage Account > Data Protection
  • Azure > Storage > Storage Account > Data Protection > Soft Delete

Policy Types

  • Azure > Storage > Storage Account > Access Keys
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
  • Azure > Storage > Storage Account > Data Protection
  • Azure > Storage > Storage Account > Data Protection > Soft Delete
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days

Action Types

  • Azure > Storage > Storage Account > Set Data Protection Soft Delete
  • Azure > Storage > Storage Account > Update Rotation Reminder

What's new?

  • You can now remove unapproved Firewall IP Ranges on SQL servers. To get started, set the Azure > SQL > Server > Firewall > IP Ranges > Approved > * policies.

Control Types

  • Azure > SQL > Server > Firewall
  • Azure > SQL > Server > Firewall > IP Ranges
  • Azure > SQL > Server > Firewall > IP Ranges > Approved

Policy Types

  • Azure > SQL > Server > Firewall
  • Azure > SQL > Server > Firewall > IP Ranges
  • Azure > SQL > Server > Firewall > IP Ranges > Approved
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > Rules

Action Types

  • Azure > SQL > Server > Update Firewall IP Ranges

Enhancements

  • Updated the workspace_dashboard dashboard to include information on the accounts, resources, and active controls across different workspaces. (#31)
  • Updated the workspace_account_report dashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)

Enhancements

  • Optimized several queries to minimize API usage, achieving faster performance. (#786)

Bug fixes

  • The rotationPeriod and nextRotationTime attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.

What's new?

  • You can now configure Encryption in Transit for Flexi Servers. To get started, set the Azure > MySQL > Flexible Server > Encryption in Transit > * policies.
  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
  • Resource metadata in Turbot CMDB will now also include createdBy details.

Control Types

  • Azure > MySQL > Flexible Server > Encryption in Transit

Policy Types

  • Azure > MySQL > Flexible Server > Encryption in Transit

Action Types

  • Azure > MySQL > Flexible Server > Update Encryption in Transit

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
  • Resource metadata in Turbot CMDB will now also include createdBy details.

Policy Types

  • Azure > App Service > App Service Plan > Approved > Custom
  • Azure > App Service > Function App > Approved > Custom
  • Azure > App Service > Web App > Approved > Custom

Bug fixes

  • The AWS > VPC > Flow Log > Configured control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.

What's new?

Enhancements

  • The account_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple AWS accounts. (#2133)

Bug fixes

  • Fixed the getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for the unsupported ADConnector services instead of an error. (#2170)

What's new?

  • You can now configure log checkpoints for Flexi Servers. To get started, set the Azure > PostgreSQL > Flexible Server > Audit Logging > * policies.
  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Control Types

  • Azure > PostgreSQL > Flexible Server > Audit Logging

Policy Types

  • Azure > PostgreSQL > Flexible Server > Audit Logging
  • Azure > PostgreSQL > Flexible Server > Audit Logging > Log Checkpoints

Action Types

  • Azure > PostgreSQL > Flexible Server > Update Audit Logging

What's new?

  • You can now configure expiration for Key Vault Keys and Secrets. To get started, set the Azure > Key Vault > Key > Expiration > * and Azure > Key Vault > Secret > Expiration > * policies respectively.

Control Types

  • Azure > Key Vault > Key > Expiration
  • Azure > Key Vault > Secret > Expiration

Policy Types

  • Azure > Key Vault > Key > Expiration
  • Azure > Key Vault > Key > Expiration > Days [Default]
  • Azure > Key Vault > Secret > Expiration
  • Azure > Key Vault > Secret > Expiration > Days [Default]

Action Types

  • Azure > Key Vault > Key > Set Expiration
  • Azure > Key Vault > Secret > Set Expiration

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

  • Added CIS v3.0.0 benchmark (powerpipe benchmark run gcp_compliance.benchmark.cis_v300). (#158)

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

  • The Azure > Storage > Storage Account > Queue > Logging control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.

v0.40.0 [2024-04-12]

What's new?

Bug fixes

  • Fixed the github_workflow table to correctly return data for dynamic workflows instead of an error. (#412)
  • Fixed the plugin's Postgres FDW Extension crash issue.

What's new?

Enhancements

  • Added snapshot_block_public_access_state column to aws_ec2_regional_settings table. (#2077)

Bug fixes

  • Fixed the getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for unsupported SharedMicrosoftAD services instead of an error. (#2156)

What's new?

  • You can now delete existing Public IP Addresses which are unapproved for use in the Subscription. To get started, set the Azure > Network > Public IP Address > Approved policy to Enforce: Delete unapproved.

What's new?

  • Added support for connection key columns. (#768)
  • Added sp_ctx and sp_connection_name columns to all tables. (#769)

What's new?

  • You can now configure Encryption in Transit for Flexi Servers. To get started, set the Azure > PostgreSQL > Flexible Server > Encryption in Transit > * policies.

Control Types

  • Azure > PostgreSQL > Flexible Server > Encryption in Transit

Policy Types

  • Azure > PostgreSQL > Flexible Server > Encryption in Transit

Action Types

  • Azure > PostgreSQL > Flexible Server > Update Encryption in Transit

Bug fixes

  • Updated the foundational_security_lambda_2 control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!)
  • Fixed the title of secretsmanager_secret_unused_90_day control. (#783)

What's new?

  • You can now delete existing Entra ID users that are not approved for use in the Tenant. To get started, set the Azure > Active Directory > User > Approved policy to Enforce: Delete unapproved.

Policy Types

  • Azure > Active Directory > User > Approved > Custom

What's new?

  • You can now configure TLS version for Flexi Servers. To get started, set the Azure > MySQL > Flexible Server > Minimum TLS Version > * policies.

Enhancements

  • Added the following controls to the All Controls benchmark: (#253)
    • cosmosdb_account_uses_aad_and_rbac
    • iam_user_not_allowed_to_create_tenants
    • securitycenter_image_scan_enabled

Bug fixes

  • Updated the postgres_db_server_allow_access_to_azure_services_disabled query to check if the endIpAddress column is set to 0.0.0.0 instead of 255.255.255.255 as per the CIS documentation. (#253)

What's new?

  • Account CMDB data will now also include alternate security contact details.

What's new?

Control Types

  • AWS > CIS v2.0
  • AWS > CIS v2.0 > 1 - Identity and Access Management
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v2.0 > 2 - Storage
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v2.0 > 3 - Logging
  • AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  • AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs
  • AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v2.0 > 4 - Monitoring
  • AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v2.0 > 5 - Networking
  • AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2

Policy Types

  • AWS > CIS v2.0
  • AWS > CIS v2.0 > 1 - Identity and Access Management
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • AWS > CIS v2.0 > 2 - Storage
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v2.0 > 2 - Storage > Maximum Attestation Duration
  • AWS > CIS v2.0 > 3 - Logging
  • AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  • AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs
  • AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > Maximum Attestation Duration
  • AWS > CIS v2.0 > 4 - Monitoring
  • AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v2.0 > 4 - Monitoring > Maximum Attestation Duration
  • AWS > CIS v2.0 > 5 - Networking
  • AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation
  • AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
  • AWS > CIS v2.0 > 5 - Networking > Maximum Attestation Duration
  • AWS > CIS v2.0 > Maximum Attestation Duration

Enhancements

  • Added support for nested dashboards. (#4208)

Bug fixes

  • Fixed the issue where local plugins were not being loaded. (#4196)
  • Re-added support for 'implicit' local plugins (i.e. the plugin binary exists but there is no entry in the versions.json). (#4223)
  • Fixed the issue where the daily update check message showed a <nil> when there was no message to show. (#4206)

Bug fixes

  • SQL Instances were sometimes not updated/cleaned up correctly via real-time events in Guardrails. This is now fixed.

What's new?

  • You can now manage IMDS defaults for EC2 per region. To get started, set the AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > * policies.

Bug fixes

  • The AWS > EC2 > Instance > Approved control would sometimes fail to stop instances that were discovered in Guardrails via real-time events if the AWS > EC2 > Instance > Approved policy was set to Enforce: Stop unapproved if new. This is now fixed.

Bug fixes

  • Lazy create flowpipe.db. (#808).
  • Respect max_concurrency in pipeline and input steps. (#815).
  • Fixed a misleading error message for invalid step dependencies. (#816).
  • HTTP integration address is shown correctly at the beginning of each input step loop. (#818).

What's new?

  • Storage Account CMDB data will now also include details about the account's blob service properties.

What's new?

  • You can now configure connection_throttling parameter for PostgreSQL servers. To get started, set the Azure > PostgreSQL > Server > Audit Logging > Connection Throttling policy.

What's new?

  • TLS version and audit log details will now be available in CMDB for Flexi Servers.

What's new?

  • Users can now disable unapproved Keys in AWS. To get started, set the AWS > KMS > Key > Approved policy to Enforce: Disable unapproved.

What's new?

Enhancements

  • Added support for quota_project config arg to provide users the ability to set the Project ID used for billing and quota. (#556)

Bug fixes

  • Fixed the retry_policy_maximum_backoff and retry_policy_minimum_backoff columns of gcp_pubsub_subscription table to correctly return data. (#552) (Thanks to @mvanholsteijn for the contribution!)

What's new?

Bug fixes

  • Fixed the aws_vpc_eip table to return an Access Denied error instead of an Invalid Memory Address or Nil Pointer Dereference error when a Service Control Policy is applied to an account for a specific region. (#2136)
  • Fixed the aws_s3_bucket terraform script to prevent the AccessControlListNotSupported: The bucket does not allow ACLs error during the PutBucketAcl terraform call. (#2080) (Thanks @pdecat for the contribution!)
  • Querying regional tables while using AWS profiles with cross-account role credentials now reports the correct error instead of returning zero rows. (#2137)
  • Fixed pagination in the aws_ebs_snapshot table to make fewer API calls when the limit parameter is passed to the query. (#2088)

What's new?

  • New control added:
    • rds_mysql_postresql_db_no_unsupported_version (#174)

Bug fixes

  • Fixed the ecs_cluster_active_service_count query in the AWS ECS Cluster Dashboard to correctly return the count of Cluster Active Services instead of ECS Clusters. (#341) (Thanks @mupi2k for the contribution!)

Bug fixes

  • In v5.15.1, we introduced the policy value Enforce: Enabled but ignore permission errors for the AWS > SNS > Subscription > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug, resulting in the removal of real-time events for Subscription from the SNS EventBridge rule created by the Event Handlers. This issue has now been fixed.

Bug fixes

  • In v5.13.0, we introduced the policy value Enforce: Enabled but ignore permission errors for the AWS > KMS > Key > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug, resulting in the removal of the EventBridge Rule for KMS by the Event Handlers. This issue has now been fixed.

Bug fixes

  • loop block now works in container, function, message and input steps.
  • Use HCL expressions in max_concurrency step argument. (#800).
  • throw, retry and error block now works for input step.

Breaking changes

  • The Foundational Security Best Practices v1.0.0 benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)
    • The foundational_security_elbv2 sub-benchmark has been removed.
    • The following controls are no longer included in the benchmarks:
      • foundational_security_cloudfront_2
      • foundational_security_ec2_22
      • foundational_security_s3_4

Enhancements

  • The Foundational Security Best Practices v1.0.0 benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)
    • The following sub-benchmarks have been added to the foundational_security benchmark:
      • foundational_security_appsync
      • foundational_security_backup
      • foundational_security_eventbridge
      • foundational_security_fsx
      • foundational_security_msk
      • foundational_security_pca
      • foundational_security_route53
      • foundational_security_sfn
    • The following controls have been added to the benchmarks:
      • foundational_security_acm_2
      • foundational_security_appsync_2
      • foundational_security_backup_1
      • foundational_security_cloudfront_13
      • foundational_security_dms_6
      • foundational_security_dms_7
      • foundational_security_dms_8
      • foundational_security_dms_9
      • foundational_security_docdb_3
      • foundational_security_docdb_4
      • foundational_security_docdb_5
      • foundational_security_dynamodb_6
      • foundational_security_ec2_51
      • foundational_security_ecs_9
      • foundational_security_eks_8
      • foundational_security_elasticbeanstalk_3
      • foundational_security_emr_2
      • foundational_security_eventbridge_3
      • foundational_security_fsx_1
      • foundational_security_msk_1
      • foundational_security_networkfirewall_2
      • foundational_security_networkfirewall_9
      • foundational_security_opensearch_10
      • foundational_security_pca_1
      • foundational_security_rds_34
      • foundational_security_rds_35
      • foundational_security_route53_2
      • foundational_security_s3_19
      • foundational_security_sfn_1
      • foundational_security_waf_12

v0.13.2 of the Terraform Provider for Pipes is now available.

Bug fixes

  • pipes_workspace_datatank_table: Set PartPer setting for datatank table to be nil if nothing is passed in configuration while updating a datatank table. (#23)

Enhancements:

  • resources/pipes_workspace: Add support for passing desired_state, db_volume_size_bytes attribute when creating or updating a workspace. Add missing attribute state_reason.
  • resources/pipes_workspace_pipeline: Add support for passing desired_state attribute when creating or updating a pipeline. Add attributes state and state_reason.
  • resources/pipes_workspace_datatank: Add support for passing desired_state attribute when creating a datatank.
  • resources/pipes_workspace_datatank_table: Add support for passing desired_state attribute when creating a datatank_table.

Bug fixes

  • Fixed the project_license_table, project_other_license_count and project_weak_copyleft_license_count queries to use the latest version of the EUPL (European Union Public Licence 1.2). (#13)

Bug fixes

  • Fixed the repository_license_table, repository_other_license_count and repository_weak_copyleft_license_count queries to use the latest version of the EUPL (European Union Public Licence 1.2). (#25)

Bug fixes

  • Fixed the CIS controls from cis_v200_2_4 to cis_v200_2_11 to correctly evaluate results when using the aggregator connection of the GCP plugin. (#154)

Bug fixes

  • Input step respects the max_concurrency argument. (#798).
  • Fixed an erroneous error message that reported a missing credential where there wasn't one.
  • HCL try() function should be evaluated at runtime rather than parse time.
  • Integration and input step URLs should use the provided custom host & port. (#792).
  • Shows filename and line number for invalid step references.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Control Types:

    • AWS > ECR > Repository > Policy
    • AWS > ECR > Repository > Policy > Required
  • Policy Types:

    • AWS > ECR > Repository > Policy
    • AWS > ECR > Repository > Policy > Required
    • AWS > ECR > Repository > Policy > Required > Items
  • Action Types:

    • AWS > ECR > Repository > Update Repository policy

Bug fixes

  • When exporting or displaying a benchmark run result as a snapshot, ensure the top level panel has a valid summary. (#274)
  • Update mod list output to include resource_name and mod fields.

Bug fixes

  • Server
    • Account import will be smoother and more consistent than before.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account.
  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

What's new?

  • Added CIS v2.1.0 benchmark (powerpipe benchmark run azure_compliance.benchmark.cis_v210). (#250)

What's new?

  • Optimize workspace load time for large workspaces with multiple dependent mods. (#365)

All new Pipes workspaces will be running Steampipe v0.22.1 and existing workspaces will be upgraded by Monday 18th March 2024.

For more information on this Steampipe release, see the release notes.

All new Pipes workspaces will be running Powerpipe v0.1.2 and existing workspaces will be upgraded by Monday 18th March 2024.

For more information on this Powerpipe release, see the release notes.

Bug fixes

  • The AWS > VPC > VPC > Stack control failed to claim security group rules correctly if the protocol for such rules was set to All or TCP in the stack's source policy. This issue has been fixed, and the control will now claim such rules correctly.

Bug fixes

  • We have updated various policy definitions set during account imports to allow for a smoother account import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.

What's new?

Enhancements

  • Added auto_minor_version_upgrade column to aws_rds_db_cluster table. (#2109)
  • Added open_zfs_configuration column to aws_fsx_file_system table. (#2113)
  • Added logging_configuration column to aws_networkfirewall_firewall table. (#2115)
  • Added lf_tags column to aws_glue_catalog_table table. (#2128)

Bug fixes

  • Fixed the query in the aws_s3_bucket table doc to correctly filter out buckets without the application tag. (#2093)
  • Fixed the aws_cloudtrail_lookup_event input param to pass correctly end_time as an optional qual. (#2102)
  • Fixed the arn column of the aws_elastic_beanstalk_environment table to correctly return data instead of null. (#2105)
  • Fixed the template_body_json column of the aws_cloudformation_stack table to correctly return data by adding a new transform function formatJsonBody, replacing the UnmarshalYAML transform function. (#1959)
  • Fixed the next_execution_time column of aws_ssm_maintenance_window table to be of String datatype instead of TIMESTAMP. (#2116)
  • Renamed the client_log_options column to connection_log_options in aws_ec2_client_vpn_endpoint table to correctly return data instead of null. (#2122)

What's new?

  • Improved startup performance with high plugin count - parallelize plugin startup. (#4183)
  • Added database SSL password support for encrypted private key in order to handle your own certificates. (#4149)

Bug fixes

  • Fixed an issue where plugin list could not re-create the top-level versions.json file if the file had been corrupted or was empty. (#4191)

Notice

  • Scripts must use the permanent installation script at https://steampipe.io/install/steampipe.sh.
  • The script above is automatically updated when the script moves location.
  • install.sh has been moved from the top level folder to the scripts folder.
  • Scripts directly referencing the raw GitHub location must be updated.

Notice

Steampipe will no longer officially publish or support a Dockerfile or container images.

Steampipe can be run in a containerized setup. We run it ourselves that way as part of Turbot Pipes. But we've decided to cease publishing and supporting a container definition because:

  • The CLI is optimized for developer use on the command line.
  • Everyone has specific goals and requirements for their containers.
  • Container setup requires various mounts and access to configuration files.
  • It's hard to support containers across many different environments.

We welcome users to create and share their own open-source container definitions for Steampipe!

What's new?

Bug fixes

  • Function step output attribute should be called response not result. (#789).
  • Pipeline execution should not fail when a string argument is passed with double quotes. (#791).

Bug fixes

  • UI
    • Fixed the AWS login dropdown button to accurately display both existing and new grants.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • Unsupported US Gov cloud regions were inadvertently included in the AWS > SageMaker > Code Repository > Regions policy, which led to the AWS > SageMaker > Code Repository > Discovery control being in an error state for those regions. We've now removed the unsupported US Gov cloud regions from the Regions policy.

What's new?

  • Policy Types:
    • AWS > SageMaker > Notebook Instance > Approved > Custom

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

Bug fixes

  • Multiselect Inputs with preselected Options now correctly pre-populate in Slack.
  • Change detection in throw and output block in pipeline steps works correctly with ternary operators and will not trigger mod reload for white space changes.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
  • In the previous version, we fixed an issue with the AWS > VPC > VPC > Stack control that prevented it from recognizing security group rules with the port range set to 0 correctly. However, the control still failed to claim existing security group rules available in Guardrails CMDB, due to an inadvertent bug introduced in v5.9.2. This issue has now been fixed, and the control will correctly claim existing security group rules.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

Bug fixes

  • Previously, Guardrails unnecessarily listened to and processed real-time lists events for various storage resources. We've now improved our events filter to ignore these lists events, thereby reducing unnecessary processing.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

Bug fixes

  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
  • The AWS > EC2 > Snapshot > Active and AWS > EC2 > Snapshot > Approved controls will now not attempt to delete a snapshot if it has one or more AMIs attached to it.
  • In the previous version, we fixed a bug to prevent upserting volumes and snapshots with incorrect AKAs, but instances could still be upserted with incorrect AKAs. We have now addressed this issue as well, so instances are upserted correctly and consistently.
  • The deprecated ec2-reports:* permissions are now removed from the mod.

Bug fixes

  • Multi-select option in input step now works. (#776).
  • Input step white space changes will not trigger mod reload. (#297).

Bug fixes

  • Fix CLI available version check. (#250)
  • Notify when mod install creates a default mod. (#246)
  • Remove newline from end of mod install output. (#247)
  • Fix issue where asff output was always missing the first row. (#249)

v0.13.1 of the Terraform Provider for Pipes is now available.

Bug fixes

  • Ensure tags are passed during creation of resource pipes_workspace_pipeline and are only updated when a valid value is present in the Terraform configuration.

All new Pipes workspaces will be running Steampipe v0.22.0 and existing workspaces will be upgraded by Monday 11th March 2024.

For more information on this Steampipe release, see the release post or release notes.

Dashboards in Turbot Pipes are now powered by Powerpipe, allowing you to filter, group and share custom views of your cloud benchmarks.

All new Pipes workspaces will be running Powerpipe v0.1.0 and existing workspaces will be upgraded by Monday 11th March 2024.

For more information on the launch of Powerpipe, see the launch post or release notes.

Bug fixes

  • Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account.
  • In the previous version, we believed we had resolved an issue with Internet Gateways not being upserted into the CMDB while processing real-time CreateDefaultVpc events. However, we overlooked an edge case in the fix. We have now addressed this issue, ensuring that Internet Gateways will be reliably discovered and upserted into the Guardrails CMDB. We recommend updating the aws-vpc-core mod to version 5.17.1 or higher to enable Guardrails to correctly process real-time CreateDefaultVpc events for Internet Gateways.
  • Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.

We're thrilled to announce the release of 52 new Powerpipe mods, featuring pre-built dashboards and benchmarks for cloud inventory & insights, security & compliance, cost management and shift-left scanning. These include the 43 Steampipe mods to visualize AWS, Azure, GCP, GitHub, Terraform and more using Steampipe as the database, and 9 new, ready-to-use Powerpipe mods providing easy-to-learn examples to visualize data in Postgres, SQLite, DuckDB, and MySQL!

A full list of mods can be found in the Powerpipe Hub.

For more information on how you can get started incorporating these mods into your own custom dashboards and benchmarks, please see Introducing Powerpipe - Composable Mods.

Introducing Powerpipe - Dashboards for DevOps.

Benchmarks - 5,000+ open-source controls from CIS, NIST, PCI, HIPAA, FedRamp and more. Run instantly on your machine or as part of your deployment pipeline.

Relationship Diagrams - The only dashboarding tool designed from the ground up to visualize DevOps data. Explore your cloud, understand relationships and drill down to the details.

Dashboards & Reports - High level dashboards provide a quick management view. Reports highlight misconfigurations and attention areas. Filter, pivot and snapshot results.

Code, not clicks - Our dashboards are code. Version controlled, composable, shareable, easy to edit - designed for the way you work. Join our open-source community!

Learn more at:

Bug fixes

  • The AWS > VPC > VPC > Stack control would sometimes go into an error state after creating security group rules with port range set to 0. This occurred because the control failed to recognize the existing rule in Guardrails CMDB and attempted to create a new rule instead. This issue has been fixed, and the stack control will now work correctly as expected.
  • The AWS > VPC > Security Group > CMDB control would sometimes go into an error state for security groups shared from other AWS accounts. We will now exclude shared security groups and only upsert security groups that belong to the owner account.

What's new?

  • You can now also manage the IAM Permissions model for Guardrails Users via the AWS > Turbot > IAM > Managed control. The AWS > Turbot > IAM > Managed control is faster and more efficient than the existing AWS > Turbot > IAM control because it utilizes Native AWS APIs rather than Terraform to manage IAM resources. Please note that this feature will work as intended only on TE v5.42.19 or higher and turbot-iam mod v5.11.0 or higher.

  • Control Types

    • AWS > Turbot > IAM > Group
    • AWS > Turbot > IAM > Group > Managed
    • AWS > Turbot > IAM > Managed
    • AWS > Turbot > IAM > Policy
    • AWS > Turbot > IAM > Policy > Managed
    • AWS > Turbot > IAM > Role
    • AWS > Turbot > IAM > Role > Managed
    • AWS > Turbot > IAM > User
    • AWS > Turbot > IAM > User > Managed
  • Policy Types

    • AWS > Turbot > IAM > Managed
  • Policy Types Renamed

    • AWS > IAM > Turbot to AWS > Turbot > IAM
  • Action Types

    • AWS > Account > Provision Managed Resources
    • AWS > IAM > Group > Detach and delete
    • AWS > IAM > Group > IAM Group Managed
    • AWS > IAM > Policy > Detach and delete
    • AWS > IAM > Role > IAM Role Managed
    • AWS > IAM > User > IAM User Managed

Bug fixes

The AWS > IAM > Group > CMDB, AWS > IAM > Role > CMDB, and AWS > IAM > User > CMDB controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.
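To make the failure mode behind this fix concrete, here is an added example (written for this entry, not the aws-iam mod's code). It follows the IsTruncated/Marker pagination that the IAM List* APIs use, against a constructed stand-in for a boto3 IAM client; the one-call version beside it shows what a non-paginating collector silently misses. The FakeIam class, its page size and the sample attachments are assumptions for the demonstration; the real call it mimics is iam.list_attached_role_policies(RoleName=..., Marker=...).

```python
"""Collect every managed-policy attachment for an IAM role by following
IsTruncated/Marker pagination, beside the single-page pattern that drops results.

Added example, not the aws-iam mod's code. FakeIam is a constructed stand-in
for a boto3 IAM client; list_attached_role_policies is the real API shape it mimics.
"""
from __future__ import annotations


class FakeIam:
    """Serves attachments in pages of `page_size` using IAM's Marker/IsTruncated shape."""

    def __init__(self, attachments: list[str], page_size: int = 2):
        self._items = attachments
        self._page_size = page_size
        self.calls = 0  # lets a caller verify how many round trips were needed

    def list_attached_role_policies(self, RoleName: str, Marker: str | None = None) -> dict:
        self.calls += 1
        start = int(Marker) if Marker else 0
        end = start + self._page_size
        page = {
            "AttachedPolicies": [
                {"PolicyName": name, "PolicyArn": f"arn:aws:iam::aws:policy/{name}"}
                for name in self._items[start:end]
            ],
            "IsTruncated": end < len(self._items),
        }
        if page["IsTruncated"]:
            page["Marker"] = str(end)  # opaque continuation token in the real API
        return page


def first_page_only(iam: FakeIam, role: str) -> list[str]:
    """The buggy pattern: one call, so anything past the first page is never seen."""
    resp = iam.list_attached_role_policies(RoleName=role)
    return [p["PolicyName"] for p in resp["AttachedPolicies"]]


def all_attached_policies(iam: FakeIam, role: str) -> list[str]:
    """Keep requesting pages until IsTruncated is false; never trust a single page."""
    names: list[str] = []
    marker = None
    while True:
        kwargs = {"RoleName": role}
        if marker:
            kwargs["Marker"] = marker
        resp = iam.list_attached_role_policies(**kwargs)
        names.extend(p["PolicyName"] for p in resp["AttachedPolicies"])
        if not resp.get("IsTruncated"):
            return names
        marker = resp["Marker"]


# Constructed sample: five attachments, the most sensitive one on the last page.
SAMPLE_ATTACHMENTS = [
    "ReadOnlyAccess",
    "AmazonS3ReadOnlyAccess",
    "CloudWatchLogsReadOnlyAccess",
    "AmazonEC2FullAccess",
    "AdministratorAccess",  # invisible to a single-page fetch with page_size=2
]

if __name__ == "__main__":
    iam = FakeIam(SAMPLE_ATTACHMENTS)
    print("single page :", first_page_only(iam, "app-role"))
    iam = FakeIam(SAMPLE_ATTACHMENTS)
    print("all pages   :", all_attached_policies(iam, "app-role"), "in", iam.calls, "calls")
```

The point for a CMDB or any inventory used for access review: a collector that stops after one page does not error, it just reports a principal with fewer privileges than it actually has, which is the worst direction for an inventory to be wrong.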

Steampipe unbundled, introducing Powerpipe

Powerpipe is now the recommended way to run dashboards and benchmarks!

Mods still work as normal in Steampipe for now, but they are deprecated and will be removed in a future release.

What's new?

  • Added version column to steampipe_plugin table. (#4141)
  • Direct all errors and warnings to standard error (stderr). (#4162)

Bug fixes

  • Fixed the issue where search_path_prefix set in database options does not alter the search path. (#4160)
  • Fix issue where asff output was always missing the first row. (#4157)

Deprecations and migrations

  • Steampipe mods and dashboards are now separately available in Powerpipe, a new open-source project. The steampipe mod, check and dashboard commands have been deprecated and will be removed in a future version. Migration guide.
  • Deprecated cloud-host and cloud-token CLI args, and replaced them with pipes-host and pipes-token respectively. (#4137)
  • Deprecated STEAMPIPE_CLOUD_HOST and STEAMPIPE_CLOUD_TOKEN env vars, replaced with PIPES_HOST and PIPES_TOKEN respectively. (#4137)
  • Deprecated cloud_host and cloud_token workspace args, replaced with pipes_host and pipes_token respectively. (#4137)
  • Removed support for deprecated terminal options. (#3751)
  • Removed support for deprecated max_parallel property in general options. (#4132)
  • Removed support for deprecated connection options. (#4131)
  • Removed deprecated version property from the mod require block. (#3750)

What's new?

  • Workflow - message step for easy notifications. Documentation.
  • Workflow - input step for buttons, text and other data. Documentation.
  • Workflow - simple, reusable integration and notifier configuration for HTTP, Slack and Email. Documentation.
  • Import Steampipe connections as Flowpipe credentials. Documentation.
  • Manage concurrency of pipelines and steps.
  • New credential types: alicloud and mastodon.
  • Shorter hash for HTTP triggers for simpler URLs.
  • DuckDB support in query step & trigger.
  • Step metadata, like started_at and finished_at added under a flowpipe attribute.
  • Moved flowpipe.db into the mod-level .flowpipe directory.
  • connection_string in query step and trigger renamed to database.

Deprecation

Bug fixes

  • log_level workspace setting is now respected (#618).
  • Default listen flag should be network, not localhost (#694)
  • Trigger attributes are now validated (#225).
  • Pipeline output attributes are now validated (#239).
  • Pipeline param default value data type is now validated against the specified type (#262).
  • Removed titles when merging multiple error messages (#263).
  • Runtime resolution of pipeline reference and credentials are now working correctly. (#732).
  • Scheduled triggers are now re-scheduled when mod files have changed.
  • File watcher reliability improvements.

Bug fixes

  • Updated metadata param type in create_ticket pipeline to be consistent with similar param types.

Bug fixes

  • Fixed secret param type in create_secret pipeline.

Bug fixes

  • Fixed broken links to credential import docs in various sample READMEs.

What's new?

  • Added the following new sample mods: (#108)
    • add_s3_bucket_cost_center_tags
    • aws_iam_access_key_events_notifier_with_multiple_pipelines
    • aws_iam_access_key_events_notifier_with_single_pipeline
    • deactivate_expired_aws_iam_access_keys_using_queries
    • deactivate_expired_aws_iam_access_keys_with_approval
    • notify_new_aws_iam_access_keys

Enhancements

  • Updated all AWS, Azure, PagerDuty, Slack, Zendesk library mod dependency versions in several sample mods. (#108)

Bug fixes

  • Server

    • Updated the tier for the SSM parameter /tenant/${workspaceFullId} to Advanced.
    • Delete operations for resources is now faster and more efficient than before.
    • Auto mod update control for mods will now look only for recommended versions instead of available and recommended.
    • Fixed policy value resolution to default to the value of resolvedSchema if not available in the schema.
  • UI

    • Fixed a table typo in the Steampipe query used in the resources developer tab.
    • Display the AWS login button when setting permissions via the AWS > Turbot > IAM > Managed control.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • The default value for Turbot > IAM > Permissions > Compiled > Levels > Turbot policy will now be evaluated correctly and consistently.

Bug fixes

  • SSM Parameters with incorrect names would sometimes be inadvertently upserted in Guardrails CMDB. This issue has now been fixed.

What's new?

  • The AWS > S3 > Bucket CMDB data will now also include information about Bucket Intelligent Tiering Configuration.

  • A few policy values in the AWS > S3 > Bucket > Encryption at Rest policy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS. The deprecated values are:

    • Check: None
    • Check: None or higher
    • Enforce: None
    • Enforce: None or higher

Bug fixes

  • Removed duplicate ticket_id param from update_ticket_comment pipeline.

Bug fixes

  • Fixed invalid type for license param in create_user pipeline. (#6)

Bug fixes

  • Fixed mismatched types for generate_ssh_keys param in various Compute VM test pipelines.

Bug fixes

  • Previously, Guardrails did not upsert Internet Gateways into the CMDB while processing real-time CreateDefaultVpc events. This issue has been fixed, and Internet Gateways will now be more reliably upserted into the Guardrails CMDB. We recommend updating the aws-vpc-core mod to v5.17.1 or higher to allow Guardrails to process the CreateDefaultVpc event for Internet Gateways correctly.

Bug fixes

  • Previously, Guardrails did not upsert DHCP Options into the CMDB while processing real-time CreateDefaultVpc events. This issue has been fixed, and DHCP Options will now be more reliably upserted into the Guardrails CMDB.

Enhancements

  • Updated the regex pattern of slack_api_token to also detect the Slack bot tokens. (#73)
  • Updated the regex pattern of AWS access_key_id to include key resources like AWS SSO credentials. (#74)

Bug fixes

  • Previously, Guardrails unnecessarily listened to and processed real-time lists events for various Dataproc resources. We've now improved our events filter to ignore these lists events, thereby reducing unnecessary processing.

Bug fixes

  • The GCP > Turbot > Event Handlers > Pub/Sub stack control previously attempted to create a topic and its IAM member incorrectly when the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity policy was set to Enforce: Unique Identity, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.

Bug fixes

  • Fixed the type mismatch of the input parameter in the get_channel_history pipeline. (#20)

What's new?

  • Control Types:

    • GCP > Pub/Sub > Topic > Labels
  • Policy Types:

    • GCP > Pub/Sub > Topic > Labels
    • GCP > Pub/Sub > Topic > Labels > Template
  • Action Types

    • GCP > Pub/Sub > Topic > Set Labels

Bug fixes

  • In a previous version (v5.6.2), we introduced a change in the AWS > S3 > Bucket > Encryption in Transit and AWS > S3 > Bucket > Encryption at Rest controls to wait for a few minutes before applying the respective policies to new buckets created via CloudFormation stacks. We've now extended this behavior to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcement.

What's new?

  • Added support for Advanced Tier for SSM Parameters.
  • Increased the visibility timeout from 60 seconds to 7200 seconds and decreased the message retention period to 7 days for the runnable DLQ.

What's new?

  • Added: Support for Postgres versions 14.9, 14.10, 15.4 and 15.5.
  • Added: Support for Redis 7.1.
  • Added: m6gd.medium to instance type parameter for RDS.
  • Added: Support for Advanced Tier for SSM Parameters.
  • Removed: t4.micro and t4.small from instance type parameter for RDS.

Note

To use the latest RDS certificate in commercial cloud, please upgrade TE to 5.42.3 or higher and update the RDS CA Certificate for Commercial Cloud parameter.

Bug fixes

  • Server

    • Added: Support for AWS Custom Group Levels.
    • Updated: The DLQ lambda timeout has been updated to 2 minutes instead of 1 minute.
    • Updated: The Events DLQ visibility timeout has been increased from 15 minutes to 4 hours.
    • Updated: The Events DLQ MessageRetentionPeriod has been decreased from 14 days to 7 days.
  • UI

    • Added: Action button to run immediate policy value.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Added support for group permission levels.

What's new?

  • Control Types:

    • GCP > Firebase > Android App > ServiceNow
    • GCP > Firebase > Android App > ServiceNow > Configuration Item
    • GCP > Firebase > Android App > ServiceNow > Table
    • GCP > Firebase > Firebase Project > ServiceNow
    • GCP > Firebase > Firebase Project > ServiceNow > Configuration Item
    • GCP > Firebase > Firebase Project > ServiceNow > Table
    • GCP > Firebase > Web App > ServiceNow
    • GCP > Firebase > Web App > ServiceNow > Configuration Item
    • GCP > Firebase > Web App > ServiceNow > Table
    • GCP > Firebase > iOS App > ServiceNow
    • GCP > Firebase > iOS App > ServiceNow > Configuration Item
    • GCP > Firebase > iOS App > ServiceNow > Table
  • Policy Types:

    • GCP > Firebase > Android App > ServiceNow
    • GCP > Firebase > Android App > ServiceNow > Configuration Item
    • GCP > Firebase > Android App > ServiceNow > Configuration Item > Record
    • GCP > Firebase > Android App > ServiceNow > Configuration Item > Table Definition
    • GCP > Firebase > Android App > ServiceNow > Table
    • GCP > Firebase > Android App > ServiceNow > Table > Definition
    • GCP > Firebase > Firebase Project > ServiceNow
    • GCP > Firebase > Firebase Project > ServiceNow > Configuration Item
    • GCP > Firebase > Firebase Project > ServiceNow > Configuration Item > Record
    • GCP > Firebase > Firebase Project > ServiceNow > Configuration Item > Table Definition
    • GCP > Firebase > Firebase Project > ServiceNow > Table
    • GCP > Firebase > Firebase Project > ServiceNow > Table > Definition
    • GCP > Firebase > Web App > ServiceNow
    • GCP > Firebase > Web App > ServiceNow > Configuration Item
    • GCP > Firebase > Web App > ServiceNow > Configuration Item > Record
    • GCP > Firebase > Web App > ServiceNow > Configuration Item > Table Definition
    • GCP > Firebase > Web App > ServiceNow > Table
    • GCP > Firebase > Web App > ServiceNow > Table > Definition
    • GCP > Firebase > iOS App > ServiceNow
    • GCP > Firebase > iOS App > ServiceNow > Configuration Item
    • GCP > Firebase > iOS App > ServiceNow > Configuration Item > Record
    • GCP > Firebase > iOS App > ServiceNow > Configuration Item > Table Definition
    • GCP > Firebase > iOS App > ServiceNow > Table
    • GCP > Firebase > iOS App > ServiceNow > Table > Definition

What's new?

  • The AWS > Secrets Manager > Secret > CMDB control would go into an error state if Guardrails did not have permissions to describe a secret. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > Secrets Manager > Secret > CMDB policy to Enforce: Enabled but ignore permission errors.

What's new?

  • You can now attach custom IAM Groups to Guardrails users if the AWS > Turbot > Permissions policy is set to Enforce: User Mode. To get started, set the AWS > Turbot > Permissions > Custom Group Levels [Account] policy and then attach the custom group to a user via the Grant Permission button on the Permissions page. Please note that this feature will work as intended only on TE v5.42.18 or higher and turbot-iam mod v5.11.0 or higher.

  • Policy Types:

    • AWS > Turbot > Permissions > Custom Group Levels [Account]
  • Policy Types renamed:

    • AWS > Turbot > Permissions > Custom Levels [Account] to AWS > Turbot > Permissions > Custom Role Levels [Account]
    • AWS > Turbot > Permissions > Custom Levels [Folder] to AWS > Turbot > Permissions > Custom Role Levels [Folder]

Bug fixes

  • Fixed the plugin to return nil instead of an error when API credentials are not set in the *.spc file. (#14)
  • Fixed the default data type of the dynamic columns to be of the String type instead of JSON. (#16)

Bug fixes

  • Fixed the hierarchy in the benchmark list by properly integrating Cloud Functions benchmark into all_controls benchmark. (#146)

What's new?

  • Memoized functions can no longer be assigned directly as column hydrate functions; a wrapper hydrate function is now required. (#756) (#738)

Bug fixes

  • Fixed an issue where, if the cache is disabled for the server but enabled for the client, the query execution code tried to stream to the cache even though there was no active set operation. (#740)

What's new?

  • Control Types:

    • GCP > Network > Address > ServiceNow
    • GCP > Network > Address > ServiceNow > Configuration Item
    • GCP > Network > Address > ServiceNow > Table
    • GCP > Network > Backend Bucket > ServiceNow
    • GCP > Network > Backend Bucket > ServiceNow > Configuration Item
    • GCP > Network > Backend Bucket > ServiceNow > Table
    • GCP > Network > Backend Service > ServiceNow
    • GCP > Network > Backend Service > ServiceNow > Configuration Item
    • GCP > Network > Backend Service > ServiceNow > Table
    • GCP > Network > Firewall > ServiceNow
    • GCP > Network > Firewall > ServiceNow > Configuration Item
    • GCP > Network > Firewall > ServiceNow > Table
    • GCP > Network > Forwarding Rule > ServiceNow
    • GCP > Network > Forwarding Rule > ServiceNow > Configuration Item
    • GCP > Network > Forwarding Rule > ServiceNow > Table
    • GCP > Network > Global Address > ServiceNow
    • GCP > Network > Global Address > ServiceNow > Configuration Item
    • GCP > Network > Global Address > ServiceNow > Table
    • GCP > Network > Global Forwarding Rule > ServiceNow
    • GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item
    • GCP > Network > Global Forwarding Rule > ServiceNow > Table
    • GCP > Network > Interconnect > ServiceNow
    • GCP > Network > Interconnect > ServiceNow > Configuration Item
    • GCP > Network > Interconnect > ServiceNow > Table
    • GCP > Network > Packet Mirroring > ServiceNow
    • GCP > Network > Packet Mirroring > ServiceNow > Configuration Item
    • GCP > Network > Packet Mirroring > ServiceNow > Table
    • GCP > Network > Region Backend Service > ServiceNow
    • GCP > Network > Region Backend Service > ServiceNow > Configuration Item
    • GCP > Network > Region Backend Service > ServiceNow > Table
    • GCP > Network > Region SSL Certificate > ServiceNow
    • GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item
    • GCP > Network > Region SSL Certificate > ServiceNow > Table
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table
    • GCP > Network > Region URL Map > ServiceNow
    • GCP > Network > Region URL Map > ServiceNow > Configuration Item
    • GCP > Network > Region URL Map > ServiceNow > Table
    • GCP > Network > Route > ServiceNow
    • GCP > Network > Route > ServiceNow > Configuration Item
    • GCP > Network > Route > ServiceNow > Table
    • GCP > Network > Router > ServiceNow
    • GCP > Network > Router > ServiceNow > Configuration Item
    • GCP > Network > Router > ServiceNow > Table
    • GCP > Network > SSL Certificate > ServiceNow
    • GCP > Network > SSL Certificate > ServiceNow > Configuration Item
    • GCP > Network > SSL Certificate > ServiceNow > Table
    • GCP > Network > SSL Policy > ServiceNow
    • GCP > Network > SSL Policy > ServiceNow > Configuration Item
    • GCP > Network > SSL Policy > ServiceNow > Table
    • GCP > Network > Target HTTPS Proxy > ServiceNow
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Table
    • GCP > Network > Target Pool > ServiceNow
    • GCP > Network > Target Pool > ServiceNow > Configuration Item
    • GCP > Network > Target Pool > ServiceNow > Table
    • GCP > Network > Target SSL Proxy > ServiceNow
    • GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target SSL Proxy > ServiceNow > Table
    • GCP > Network > Target TCP Proxy > ServiceNow
    • GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target TCP Proxy > ServiceNow > Table
    • GCP > Network > Target VPN Gateway > ServiceNow
    • GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item
    • GCP > Network > Target VPN Gateway > ServiceNow > Table
    • GCP > Network > URL Map > ServiceNow
    • GCP > Network > URL Map > ServiceNow > Configuration Item
    • GCP > Network > URL Map > ServiceNow > Table
    • GCP > Network > VPN Tunnel > ServiceNow
    • GCP > Network > VPN Tunnel > ServiceNow > Configuration Item
    • GCP > Network > VPN Tunnel > ServiceNow > Table
  • Policy Types:

    • GCP > Network > Address > ServiceNow
    • GCP > Network > Address > ServiceNow > Configuration Item
    • GCP > Network > Address > ServiceNow > Configuration Item > Record
    • GCP > Network > Address > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Address > ServiceNow > Table
    • GCP > Network > Address > ServiceNow > Table > Definition
    • GCP > Network > Backend Bucket > ServiceNow
    • GCP > Network > Backend Bucket > ServiceNow > Configuration Item
    • GCP > Network > Backend Bucket > ServiceNow > Configuration Item > Record
    • GCP > Network > Backend Bucket > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Backend Bucket > ServiceNow > Table
    • GCP > Network > Backend Bucket > ServiceNow > Table > Definition
    • GCP > Network > Backend Service > ServiceNow
    • GCP > Network > Backend Service > ServiceNow > Configuration Item
    • GCP > Network > Backend Service > ServiceNow > Configuration Item > Record
    • GCP > Network > Backend Service > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Backend Service > ServiceNow > Table
    • GCP > Network > Backend Service > ServiceNow > Table > Definition
    • GCP > Network > Firewall > ServiceNow
    • GCP > Network > Firewall > ServiceNow > Configuration Item
    • GCP > Network > Firewall > ServiceNow > Configuration Item > Record
    • GCP > Network > Firewall > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Firewall > ServiceNow > Table
    • GCP > Network > Firewall > ServiceNow > Table > Definition
    • GCP > Network > Forwarding Rule > ServiceNow
    • GCP > Network > Forwarding Rule > ServiceNow > Configuration Item
    • GCP > Network > Forwarding Rule > ServiceNow > Configuration Item > Record
    • GCP > Network > Forwarding Rule > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Forwarding Rule > ServiceNow > Table
    • GCP > Network > Forwarding Rule > ServiceNow > Table > Definition
    • GCP > Network > Global Address > ServiceNow
    • GCP > Network > Global Address > ServiceNow > Configuration Item
    • GCP > Network > Global Address > ServiceNow > Configuration Item > Record
    • GCP > Network > Global Address > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Global Address > ServiceNow > Table
    • GCP > Network > Global Address > ServiceNow > Table > Definition
    • GCP > Network > Global Forwarding Rule > ServiceNow
    • GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item
    • GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item > Record
    • GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Global Forwarding Rule > ServiceNow > Table
    • GCP > Network > Global Forwarding Rule > ServiceNow > Table > Definition
    • GCP > Network > Interconnect > ServiceNow
    • GCP > Network > Interconnect > ServiceNow > Configuration Item
    • GCP > Network > Interconnect > ServiceNow > Configuration Item > Record
    • GCP > Network > Interconnect > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Interconnect > ServiceNow > Table
    • GCP > Network > Interconnect > ServiceNow > Table > Definition
    • GCP > Network > Packet Mirroring > ServiceNow
    • GCP > Network > Packet Mirroring > ServiceNow > Configuration Item
    • GCP > Network > Packet Mirroring > ServiceNow > Configuration Item > Record
    • GCP > Network > Packet Mirroring > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Packet Mirroring > ServiceNow > Table
    • GCP > Network > Packet Mirroring > ServiceNow > Table > Definition
    • GCP > Network > Region Backend Service > ServiceNow
    • GCP > Network > Region Backend Service > ServiceNow > Configuration Item
    • GCP > Network > Region Backend Service > ServiceNow > Configuration Item > Record
    • GCP > Network > Region Backend Service > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Region Backend Service > ServiceNow > Table
    • GCP > Network > Region Backend Service > ServiceNow > Table > Definition
    • GCP > Network > Region SSL Certificate > ServiceNow
    • GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item
    • GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item > Record
    • GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Region SSL Certificate > ServiceNow > Table
    • GCP > Network > Region SSL Certificate > ServiceNow > Table > Definition
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item > Record
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table
    • GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table > Definition
    • GCP > Network > Region URL Map > ServiceNow
    • GCP > Network > Region URL Map > ServiceNow > Configuration Item
    • GCP > Network > Region URL Map > ServiceNow > Configuration Item > Record
    • GCP > Network > Region URL Map > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Region URL Map > ServiceNow > Table
    • GCP > Network > Region URL Map > ServiceNow > Table > Definition
    • GCP > Network > Route > ServiceNow
    • GCP > Network > Route > ServiceNow > Configuration Item
    • GCP > Network > Route > ServiceNow > Configuration Item > Record
    • GCP > Network > Route > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Route > ServiceNow > Table
    • GCP > Network > Route > ServiceNow > Table > Definition
    • GCP > Network > Router > ServiceNow
    • GCP > Network > Router > ServiceNow > Configuration Item
    • GCP > Network > Router > ServiceNow > Configuration Item > Record
    • GCP > Network > Router > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Router > ServiceNow > Table
    • GCP > Network > Router > ServiceNow > Table > Definition
    • GCP > Network > SSL Certificate > ServiceNow
    • GCP > Network > SSL Certificate > ServiceNow > Configuration Item
    • GCP > Network > SSL Certificate > ServiceNow > Configuration Item > Record
    • GCP > Network > SSL Certificate > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > SSL Certificate > ServiceNow > Table
    • GCP > Network > SSL Certificate > ServiceNow > Table > Definition
    • GCP > Network > SSL Policy > ServiceNow
    • GCP > Network > SSL Policy > ServiceNow > Configuration Item
    • GCP > Network > SSL Policy > ServiceNow > Configuration Item > Record
    • GCP > Network > SSL Policy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > SSL Policy > ServiceNow > Table
    • GCP > Network > SSL Policy > ServiceNow > Table > Definition
    • GCP > Network > Target HTTPS Proxy > ServiceNow
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item > Record
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Table
    • GCP > Network > Target HTTPS Proxy > ServiceNow > Table > Definition
    • GCP > Network > Target Pool > ServiceNow
    • GCP > Network > Target Pool > ServiceNow > Configuration Item
    • GCP > Network > Target Pool > ServiceNow > Configuration Item > Record
    • GCP > Network > Target Pool > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target Pool > ServiceNow > Table
    • GCP > Network > Target Pool > ServiceNow > Table > Definition
    • GCP > Network > Target SSL Proxy > ServiceNow
    • GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item > Record
    • GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target SSL Proxy > ServiceNow > Table
    • GCP > Network > Target SSL Proxy > ServiceNow > Table > Definition
    • GCP > Network > Target TCP Proxy > ServiceNow
    • GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item
    • GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item > Record
    • GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target TCP Proxy > ServiceNow > Table
    • GCP > Network > Target TCP Proxy > ServiceNow > Table > Definition
    • GCP > Network > Target VPN Gateway > ServiceNow
    • GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item
    • GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item > Record
    • GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Target VPN Gateway > ServiceNow > Table
    • GCP > Network > Target VPN Gateway > ServiceNow > Table > Definition
    • GCP > Network > URL Map > ServiceNow
    • GCP > Network > URL Map > ServiceNow > Configuration Item
    • GCP > Network > URL Map > ServiceNow > Configuration Item > Record
    • GCP > Network > URL Map > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > URL Map > ServiceNow > Table
    • GCP > Network > URL Map > ServiceNow > Table > Definition
    • GCP > Network > VPN Tunnel > ServiceNow
    • GCP > Network > VPN Tunnel > ServiceNow > Configuration Item
    • GCP > Network > VPN Tunnel > ServiceNow > Configuration Item > Record
    • GCP > Network > VPN Tunnel > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > VPN Tunnel > ServiceNow > Table
    • GCP > Network > VPN Tunnel > ServiceNow > Table > Definition

Bug fixes

  • Fixed growing memory usage following file watching events when running the dashboard server. (#4150)

Bug fixes

  • The AWS > VPC > VPC > Stack control would sometimes fail to claim existing Flow Logs in Guardrails CMDB. This is now fixed.

Dependencies

  • GCP plugin v0.49.0 or higher is now required. (#143)

Enhancements

  • Added 5 new controls to the All Controls benchmark across the following services: (#143)
    • App Engine
    • Cloud Run
    • Kubernetes

What's new?

  • Control Types:

    • GCP > IAM > Project Role > ServiceNow
    • GCP > IAM > Project Role > ServiceNow > Configuration Item
    • GCP > IAM > Project Role > ServiceNow > Table
    • GCP > IAM > Project User > ServiceNow
    • GCP > IAM > Project User > ServiceNow > Configuration Item
    • GCP > IAM > Project User > ServiceNow > Table
    • GCP > IAM > Service Account > ServiceNow
    • GCP > IAM > Service Account > ServiceNow > Configuration Item
    • GCP > IAM > Service Account > ServiceNow > Table
    • GCP > IAM > Service Account Key > ServiceNow
    • GCP > IAM > Service Account Key > ServiceNow > Configuration Item
    • GCP > IAM > Service Account Key > ServiceNow > Table
    • GCP > Project > Policy > ServiceNow
    • GCP > Project > Policy > ServiceNow > Configuration Item
    • GCP > Project > Policy > ServiceNow > Table
  • Policy Types:

    • GCP > IAM > Project Role > ServiceNow
    • GCP > IAM > Project Role > ServiceNow > Configuration Item
    • GCP > IAM > Project Role > ServiceNow > Configuration Item > Record
    • GCP > IAM > Project Role > ServiceNow > Configuration Item > Table Definition
    • GCP > IAM > Project Role > ServiceNow > Table
    • GCP > IAM > Project Role > ServiceNow > Table > Definition
    • GCP > IAM > Project User > ServiceNow
    • GCP > IAM > Project User > ServiceNow > Configuration Item
    • GCP > IAM > Project User > ServiceNow > Configuration Item > Record
    • GCP > IAM > Project User > ServiceNow > Configuration Item > Table Definition
    • GCP > IAM > Project User > ServiceNow > Table
    • GCP > IAM > Project User > ServiceNow > Table > Definition
    • GCP > IAM > Service Account > ServiceNow
    • GCP > IAM > Service Account > ServiceNow > Configuration Item
    • GCP > IAM > Service Account > ServiceNow > Configuration Item > Record
    • GCP > IAM > Service Account > ServiceNow > Configuration Item > Table Definition
    • GCP > IAM > Service Account > ServiceNow > Table
    • GCP > IAM > Service Account > ServiceNow > Table > Definition
    • GCP > IAM > Service Account Key > ServiceNow
    • GCP > IAM > Service Account Key > ServiceNow > Configuration Item
    • GCP > IAM > Service Account Key > ServiceNow > Configuration Item > Record
    • GCP > IAM > Service Account Key > ServiceNow > Configuration Item > Table Definition
    • GCP > IAM > Service Account Key > ServiceNow > Table
    • GCP > IAM > Service Account Key > ServiceNow > Table > Definition
    • GCP > Project > Policy > ServiceNow
    • GCP > Project > Policy > ServiceNow > Configuration Item
    • GCP > Project > Policy > ServiceNow > Configuration Item > Record
    • GCP > Project > Policy > ServiceNow > Configuration Item > Table Definition
    • GCP > Project > Policy > ServiceNow > Table
    • GCP > Project > Policy > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Functions > Function > ServiceNow
    • GCP > Functions > Function > ServiceNow > Configuration Item
    • GCP > Functions > Function > ServiceNow > Table
  • Policy Types:

    • GCP > Functions > Function > ServiceNow
    • GCP > Functions > Function > ServiceNow > Configuration Item
    • GCP > Functions > Function > ServiceNow > Configuration Item > Record
    • GCP > Functions > Function > ServiceNow > Configuration Item > Table Definition
    • GCP > Functions > Function > ServiceNow > Table
    • GCP > Functions > Function > ServiceNow > Table > Definition

Bug fixes

  • The AWS > SNS > Subscription > CMDB control would go into an error state if Guardrails did not have permissions to describe a subscription. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > SNS > Subscription > CMDB policy to Enforce: Enabled but ignore permission errors.

Dependencies

  • AWS plugin v0.131.0 or higher is now required. (#747)

Enhancements

  • Added 11 new controls to the All Controls benchmark across the following services: (#747)
    • API Gateway
    • DMS
    • EMR
    • MQ
    • VPC

Bug fixes

  • Fixed the foundational_security_ssm_2 control to correctly evaluate results when patches are not applicable for SSM managed EC2 instances. (#761)

What's new?

  • Control Types:

    • GCP > Project > ServiceNow
    • GCP > Project > ServiceNow > Configuration Item
    • GCP > Project > ServiceNow > Table
  • Policy Types:

    • GCP > Project > ServiceNow
    • GCP > Project > ServiceNow > Configuration Item
    • GCP > Project > ServiceNow > Configuration Item > Record
    • GCP > Project > ServiceNow > Configuration Item > Table Definition
    • GCP > Project > ServiceNow > Table
    • GCP > Project > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Memorystore > Instance > ServiceNow
    • GCP > Memorystore > Instance > ServiceNow > Configuration Item
    • GCP > Memorystore > Instance > ServiceNow > Table
  • Policy Types:

    • GCP > Memorystore > Instance > ServiceNow
    • GCP > Memorystore > Instance > ServiceNow > Configuration Item
    • GCP > Memorystore > Instance > ServiceNow > Configuration Item > Record
    • GCP > Memorystore > Instance > ServiceNow > Configuration Item > Table Definition
    • GCP > Memorystore > Instance > ServiceNow > Table
    • GCP > Memorystore > Instance > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Storage > Object > ServiceNow
    • GCP > Storage > Object > ServiceNow > Configuration Item
    • GCP > Storage > Object > ServiceNow > Table
  • Policy Types:

    • GCP > Storage > Object > ServiceNow
    • GCP > Storage > Object > ServiceNow > Configuration Item
    • GCP > Storage > Object > ServiceNow > Configuration Item > Record
    • GCP > Storage > Object > ServiceNow > Configuration Item > Table Definition
    • GCP > Storage > Object > ServiceNow > Table
    • GCP > Storage > Object > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Secret Manager > Secret > ServiceNow
    • GCP > Secret Manager > Secret > ServiceNow > Configuration Item
    • GCP > Secret Manager > Secret > ServiceNow > Table
  • Policy Types:

    • GCP > Secret Manager > Secret > ServiceNow
    • GCP > Secret Manager > Secret > ServiceNow > Configuration Item
    • GCP > Secret Manager > Secret > ServiceNow > Configuration Item > Record
    • GCP > Secret Manager > Secret > ServiceNow > Configuration Item > Table Definition
    • GCP > Secret Manager > Secret > ServiceNow > Table
    • GCP > Secret Manager > Secret > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Scheduler > Job > ServiceNow
    • GCP > Scheduler > Job > ServiceNow > Configuration Item
    • GCP > Scheduler > Job > ServiceNow > Table
  • Policy Types:

    • GCP > Scheduler > Job > ServiceNow
    • GCP > Scheduler > Job > ServiceNow > Configuration Item
    • GCP > Scheduler > Job > ServiceNow > Configuration Item > Record
    • GCP > Scheduler > Job > ServiceNow > Configuration Item > Table Definition
    • GCP > Scheduler > Job > ServiceNow > Table
    • GCP > Scheduler > Job > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Dataproc > Cluster > ServiceNow
    • GCP > Dataproc > Cluster > ServiceNow > Configuration Item
    • GCP > Dataproc > Cluster > ServiceNow > Table
    • GCP > Dataproc > Job > ServiceNow
    • GCP > Dataproc > Job > ServiceNow > Configuration Item
    • GCP > Dataproc > Job > ServiceNow > Table
    • GCP > Dataproc > Workflow Template > ServiceNow
    • GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item
    • GCP > Dataproc > Workflow Template > ServiceNow > Table
  • Policy Types:

    • GCP > Dataproc > Cluster > ServiceNow
    • GCP > Dataproc > Cluster > ServiceNow > Configuration Item
    • GCP > Dataproc > Cluster > ServiceNow > Configuration Item > Record
    • GCP > Dataproc > Cluster > ServiceNow > Configuration Item > Table Definition
    • GCP > Dataproc > Cluster > ServiceNow > Table
    • GCP > Dataproc > Cluster > ServiceNow > Table > Definition
    • GCP > Dataproc > Job > ServiceNow
    • GCP > Dataproc > Job > ServiceNow > Configuration Item
    • GCP > Dataproc > Job > ServiceNow > Configuration Item > Record
    • GCP > Dataproc > Job > ServiceNow > Configuration Item > Table Definition
    • GCP > Dataproc > Job > ServiceNow > Table
    • GCP > Dataproc > Job > ServiceNow > Table > Definition
    • GCP > Dataproc > Workflow Template > ServiceNow
    • GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item
    • GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item > Record
    • GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item > Table Definition
    • GCP > Dataproc > Workflow Template > ServiceNow > Table
    • GCP > Dataproc > Workflow Template > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Composer > Environment > ServiceNow
    • GCP > Composer > Environment > ServiceNow > Configuration Item
    • GCP > Composer > Environment > ServiceNow > Table
  • Policy Types:

    • GCP > Composer > Environment > ServiceNow
    • GCP > Composer > Environment > ServiceNow > Configuration Item
    • GCP > Composer > Environment > ServiceNow > Configuration Item > Record
    • GCP > Composer > Environment > ServiceNow > Configuration Item > Table Definition
    • GCP > Composer > Environment > ServiceNow > Table
    • GCP > Composer > Environment > ServiceNow > Table > Definition

The timeout for scheduled snapshot pipelines has been extended from 10 minutes to 1 hour, giving complex benchmarks and dashboards longer to successfully complete.

What's new?

  • Control Types:

    • GCP > Monitoring > Alert Policy > ServiceNow
    • GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item
    • GCP > Monitoring > Alert Policy > ServiceNow > Table
    • GCP > Monitoring > Group > ServiceNow
    • GCP > Monitoring > Group > ServiceNow > Configuration Item
    • GCP > Monitoring > Group > ServiceNow > Table
    • GCP > Monitoring > Notification Channel > ServiceNow
    • GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item
    • GCP > Monitoring > Notification Channel > ServiceNow > Table
  • Policy Types:

    • GCP > Monitoring > Alert Policy > ServiceNow
    • GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item
    • GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item > Record
    • GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item > Table Definition
    • GCP > Monitoring > Alert Policy > ServiceNow > Table
    • GCP > Monitoring > Alert Policy > ServiceNow > Table > Definition
    • GCP > Monitoring > Group > ServiceNow
    • GCP > Monitoring > Group > ServiceNow > Configuration Item
    • GCP > Monitoring > Group > ServiceNow > Configuration Item > Record
    • GCP > Monitoring > Group > ServiceNow > Configuration Item > Table Definition
    • GCP > Monitoring > Group > ServiceNow > Table
    • GCP > Monitoring > Group > ServiceNow > Table > Definition
    • GCP > Monitoring > Notification Channel > ServiceNow
    • GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item
    • GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item > Record
    • GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item > Table Definition
    • GCP > Monitoring > Notification Channel > ServiceNow > Table
    • GCP > Monitoring > Notification Channel > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > DNS > Managed Zone > ServiceNow
    • GCP > DNS > Managed Zone > ServiceNow > Configuration Item
    • GCP > DNS > Managed Zone > ServiceNow > Table
  • Policy Types:

    • GCP > DNS > Managed Zone > ServiceNow
    • GCP > DNS > Managed Zone > ServiceNow > Configuration Item
    • GCP > DNS > Managed Zone > ServiceNow > Configuration Item > Record
    • GCP > DNS > Managed Zone > ServiceNow > Configuration Item > Table Definition
    • GCP > DNS > Managed Zone > ServiceNow > Table
    • GCP > DNS > Managed Zone > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Datapipeline > Pipeline > ServiceNow
    • GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item
    • GCP > Datapipeline > Pipeline > ServiceNow > Table
  • Policy Types:

    • GCP > Datapipeline > Pipeline > ServiceNow
    • GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item
    • GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item > Record
    • GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item > Table Definition
    • GCP > Datapipeline > Pipeline > ServiceNow > Table
    • GCP > Datapipeline > Pipeline > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Dataflow > Job > ServiceNow
    • GCP > Dataflow > Job > ServiceNow > Configuration Item
    • GCP > Dataflow > Job > ServiceNow > Table
  • Policy Types:

    • GCP > Dataflow > Job > ServiceNow
    • GCP > Dataflow > Job > ServiceNow > Configuration Item
    • GCP > Dataflow > Job > ServiceNow > Configuration Item > Record
    • GCP > Dataflow > Job > ServiceNow > Configuration Item > Table Definition
    • GCP > Dataflow > Job > ServiceNow > Table
    • GCP > Dataflow > Job > ServiceNow > Table > Definition

Bug fixes

  • The GCP > Compute Engine > Instance Template > CMDB control would sometimes go into an error state due to a bad internal build. This is fixed and the control will now work as expected.

Bug fixes

  • Due to an inadvertently introduced issue with an internal build for Azure > Subscription, importing subscriptions encountered schema validation problems. This issue has been resolved, and you can now successfully import subscriptions as before.

Bug fixes

  • In the previous version, while improving the way missing Snapshots and Volumes are discovered when processing their update events, we inadvertently introduced a bug where some resources were upserted with incorrect AKAs. Resources with malformed AKAs should now be cleaned up automatically from the environment, and Guardrails will now discover resources more correctly and consistently than before.
  • In a previous version (v5.31.4), we implemented a feature to Discover Instances that were missing from the Guardrails CMDB while processing their update events. In busy environments, this would sometimes cause unnecessary Lambda executions. This behavior has now been improved to upsert the missing resources in a lighter and faster way.

Bug fixes

  • Fixed the typo in the scaleway_billing_consumption table docs to use consumption instead of consumtion. (#80)

Enhancements

  • Improved the plugin error message when invalid credentials are set in the wiz.spc file. (#23)

Bug fixes

  • Fixed the service_tickets column in wiz_issue table by removing the action subfield from the ServiceTickets field in the GraphQL response since it was no longer available. (#24 #25) (Thanks @sycophantic for the contribution!)

Bug fixes

  • Removed duplicate control rds_db_cluster_encrypted_with_kms_cmk. (#105)

Bug fixes

  • Removed duplicate node service_account. (#56)

Bug fixes

  • Fixed the pipeline column of the github_workflow table to correctly return data instead of an error. (#388)
  • Fixed the example query in the docs/index.md file by replacing the stargazers_count column with stargazer_count. (#397)

What's new?

Bug fixes

  • Fixed aws_sfn_state_machine_execution_history table to handle pagination and ignore errors for expired execution history. (#1934) (Thanks @pdecat for the contribution!)
  • Fixed the aws_health_affected_entity table to correctly return data instead of an interface conversion error. (#2072)

Bug fixes

  • Only trigger pipeline failure after a step has completed all retries (#630).
  • DOCKER_HOST, DOCKER_API_VERSION, DOCKER_CERT_PATH, DOCKER_TLS_VERIFY environment variables are now correctly passed to the Docker client (#651).
  • Do not set memory_swappiness when using Podman (#652).

What's new?

  • Added support for ap-northeast-3 in the AWS > Account > Regions policy.

What's new?

  • Added support for af-south-1, ap-northeast-3, ap-south-2, ap-southeast-3, ap-southeast-4, ca-west-1, eu-central-2, eu-south-1, eu-south-2, il-central-1 and me-central-1 regions in the AWS > Logs > Regions policy.

What's new?

  • You can now configure Block Public Access for Snapshots. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for Snapshots policy.

  • You can now also disable Block Public Access for AMIs. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for AMIs policy.

  • AWS/EC2/Admin, AWS/EC2/Metadata and AWS/EC2/Operator now include permissions for Verified Access Endpoints, Verified Access Groups and Verified Access Trust Providers.

  • Control Types:

    • AWS > EC2 > Account Attributes > Block Public Access for Snapshots
  • Policy Types:

    • AWS > EC2 > Account Attributes > Block Public Access for Snapshots
  • Action Types:

    • AWS > EC2 > Account Attributes > Update Block Public Access for Snapshots

Bug fixes

  • In a previous version (v5.31.4), we added a feature to discover Snapshots and Volumes that were missing from the Guardrails CMDB while processing their update events. In busy environments this sometimes caused unnecessary Lambda executions. The missing resources are now upserted in a lighter and faster way.

Bug fixes

  • Fixed the plugin initialization error by returning only the static tables when invalid config parameters were set for dynamic tables. (#39)

Bug fixes

  • Fixed variables not being reloaded after the file watch event. (#4123)
  • Fixed mod file being left invalid after mod uninstall. (#4124)

What's new?

  • Added create_branch, delete_branch and get_branch pipelines. (#10)

v0.86 [2024-02-08]

What's new?

  • Added CIS v3.0.0 benchmark (steampipe check benchmark.cis_v300). (#755)

What's new?

  • Added pipeline get_channel_id. (#17)

Bug fixes

  • Fixed the input parameters of the test_post_message pipeline. (#17)

What's new?

  • Updated: MaxPayloadSize parameter description.
  • Updated: Turbot Policy Parameter to add back Deny: * for HTTP in the SNS policy.

What's new?

  • Added: Postgres versions 13.12 and 13.13.
  • Updated: CloudWatch Alarms will now use TEF SNS topic.

Bug fixes

  • Server
    • Added the Deny:* policy for HTTP traffic back to the turbot-policy-parameter custom lambda code.
    • Event DLQ should not set the control or policy value to error if there has been a new process started for the control or policy value.
    • Run next should drop the events in case of recursive loop.
    • Add additional retryable throttling codes for actions.

Requirements

  • TEF: 1.55.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

Bug fixes

  • Fixed pagination in the datadog_monitor table to correctly return data instead of an error. (#48) (Thanks @mdb for the contribution!)

Bug fixes

  • Fixed HomeDirectoryModfileCheck returning false positive, causing errors when executing steampipe out of the home directory. (#4118)

v1.10.1 of the Terraform Provider for Guardrails is now available.

Bug fixes

  • resource/turbot_file: terraform apply failed to update content of an existing File in Guardrails. This is now fixed.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

  • Resource metadata in the Turbot CMDB now also includes createdBy details.

  • Policy Types:

    • GCP > Logging > Exclusion > Approved > Custom
    • GCP > Logging > Metric > Approved > Custom
    • GCP > Logging > Sink > Approved > Custom

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

  • Policy Types:

    • GCP > Kubernetes Engine > Region Cluster > Approved > Custom
    • GCP > Kubernetes Engine > Region Node Pool > Approved > Custom
    • GCP > Kubernetes Engine > Zone Cluster > Approved > Custom
    • GCP > Kubernetes Engine > Zone Node Pool > Approved > Custom

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

  • Resource metadata in the Turbot CMDB now also includes createdBy details.

  • Policy Types:

    • GCP > Dataflow > Job > Approved > Custom

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

Bug fixes

  • The AWS > EC2 > Key Pair > Discovery control would sometimes go into an error state if a Key Pair alias included escape characters. This is now fixed.

  • Control Types renamed:

    • AWS > EC2 > Volume > Configuration to AWS > EC2 > Volume > Performance Configuration
  • Policy Types renamed:

    • AWS > EC2 > Volume > Configuration to AWS > EC2 > Volume > Performance Configuration
    • AWS > EC2 > Volume > Configuration > IOPS Capacity to AWS > EC2 > Volume > Performance Configuration > IOPS Capacity
    • AWS > EC2 > Volume > Configuration > Throughput to AWS > EC2 > Volume > Performance Configuration > Throughput
    • AWS > EC2 > Volume > Configuration > Type to AWS > EC2 > Volume > Performance Configuration > Type
  • Action Types renamed:

    • AWS > EC2 > Volume > Update Configuration to AWS > EC2 > Volume > Update Performance Configuration

Enhancements

  • Updated all the tables to fetch the column data using hydrate functions to optimize the API calls and increase query speed when querying specific columns. (#30)

Bug fixes

  • Fixed UI freeze when prompting for workspace variables. (#4105)
  • Fixed dependency variable validation - it was failing if dependency variable value was set in the vars file. (#4110)

Bug fixes

  • The Turbot > Policy Setting Expiration control will now run every 12 hours to manage policy setting expirations more consistently than before.

Bug fixes

  • Build error no longer suppressed in container and function steps (#625).
  • Handles complex data types in step output (#626).

Bug fixes

  • Fixed the commands in the add_labels_to_compute_disk and add_labels_to_compute_instance pipelines. (#7)

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

Dependencies

  • OCI plugin v0.35.0 or higher is now required. (#83)

What's new?

  • Added CIS v2.0.0 benchmark (steampipe check benchmark.cis_v200). (#80)

What's new?

  • Added OAuth config support to provide users the ability to set OAuth secret client ID and OAuth secret value of a service principal. For more information, please see Databricks plugin configuration. (#6) (Thanks @rinzool for the contribution!)
  • Added Config object to directly pass credentials to the client. (#10)

Enhancements

  • Optimized aws_cloudwatch_log_stream query performance by adding the optional key qual columns descending, log_group_name, log_stream_name_prefix and order_by. (#1951)
  • Optimized aws_ssm_inventory query performance by adding optional key qual columns such as filter_key, filter_value, network_attribute_key and network_attribute_value. (#1980)
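Worked example, added here and not taken from the Steampipe changelog or the AWS plugin's own docs, of how the new aws_cloudwatch_log_stream key quals push filtering down to the DescribeLogStreams API instead of scanning every stream. The log group name and prefix are constructed values. One caveat a practitioner hits immediately: the CloudWatch Logs API rejects a name prefix combined with ordering by LastEventTime, so the two filters are shown as separate queries.

```sql
-- Added example (not from the Steampipe changelog or the AWS plugin docs).
-- The log group name and the stream prefix below are constructed values.

-- 1. Streams under one log group whose names start with a prefix.
--    The API's default ordering (LogStreamName) is compatible with a prefix filter.
select
  name,
  log_group_name,
  creation_time
from
  aws_cloudwatch_log_stream
where
  log_group_name = '/aws/lambda/payments-api'
  and log_stream_name_prefix = '2024/05/'
limit 50;

-- 2. The 20 most recently active streams in a log group.
--    DescribeLogStreams rejects orderBy=LastEventTime together with
--    logStreamNamePrefix, so the prefix qual is deliberately omitted here.
select
  name,
  log_group_name,
  creation_time
from
  aws_cloudwatch_log_stream
where
  log_group_name = '/aws/lambda/payments-api'
  and order_by = 'LastEventTime'
  and descending = true
limit 20;
```

Leaving out log_group_name forces the plugin to enumerate log groups first and then list streams in each, which is the slow path these quals were added to avoid.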

Bug fixes

  • Fixed aws_cloudwatch_log_group table key column to be globally unique by filtering the results by region. (#1976)
  • Removed duplicate memoizing of the getCommonColumns function from the aws_s3_multi_region_access_point and aws_ec2_launch_template tables. (#2065)
  • Fixed error for column type_name in table aws_ssm_inventory_entry. (#1980)
  • Added the missing rate-limiter tags for aws_s3_bucket table's GetBucketLocation hydrate function to optimize query performance. (#2066)

Bug fixes

  • The Org policy details in the Project CMDB data will now be properly and consistently sorted.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

  • Policy Types:

    • GCP > Scheduler > Job > Approved > Custom

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Resource metadata in the Turbot CMDB now also includes createdBy details.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

Dependencies

  • Azure plugin v0.53.0 or higher is now required. (#242)

Enhancements

  • Added 41 new controls to the All Controls benchmark across the following services: (#234 #233)
    • Active Directory
    • App Service
    • Batch
    • Compute
    • Container Instance
    • Key Vault
    • Kubernetes Service
    • Network
    • Recovery Service
    • Service Bus
    • Storage

Bug fixes

  • Fixed the description of CIS_v150_2_1_9 control. (#238) (Thanks @sfunkernw for the contribution!)

Bug fixes

  • Map MySQL query results to correct types (#604).
  • Handle null values in query trigger results (#611).
  • Convert binary data in query results to a string.
  • Docker containers now clear the cache to get correct parameters (#561).
  • Improved error message when Flowpipe CLI port is already in use (#603).

v0.13.0 of the Terraform Provider for Pipes is now available.

What's new?

  • Data Source pipes_tenant.
  • Resource pipes_tenant_member.

Enhancements

  • Resource pipes_organization_member now supports adding users directly to an organization in a custom tenant, rather than by invitation.

What's new?

  • Control Types:

    • GCP > Cloud Run > Service > ServiceNow
    • GCP > Cloud Run > Service > ServiceNow > Configuration Item
    • GCP > Cloud Run > Service > ServiceNow > Table
  • Policy Types:

    • GCP > Cloud Run > Service > ServiceNow
    • GCP > Cloud Run > Service > ServiceNow > Configuration Item
    • GCP > Cloud Run > Service > ServiceNow > Configuration Item > Record
    • GCP > Cloud Run > Service > ServiceNow > Configuration Item > Table Definition
    • GCP > Cloud Run > Service > ServiceNow > Table
    • GCP > Cloud Run > Service > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Spanner > Database > ServiceNow
    • GCP > Spanner > Database > ServiceNow > Configuration Item
    • GCP > Spanner > Database > ServiceNow > Table
    • GCP > Spanner > Instance > ServiceNow
    • GCP > Spanner > Instance > ServiceNow > Configuration Item
    • GCP > Spanner > Instance > ServiceNow > Table
  • Policy Types:

    • GCP > Spanner > Database > ServiceNow
    • GCP > Spanner > Database > ServiceNow > Configuration Item
    • GCP > Spanner > Database > ServiceNow > Configuration Item > Record
    • GCP > Spanner > Database > ServiceNow > Configuration Item > Table Definition
    • GCP > Spanner > Database > ServiceNow > Table
    • GCP > Spanner > Database > ServiceNow > Table > Definition
    • GCP > Spanner > Instance > ServiceNow
    • GCP > Spanner > Instance > ServiceNow > Configuration Item
    • GCP > Spanner > Instance > ServiceNow > Configuration Item > Record
    • GCP > Spanner > Instance > ServiceNow > Configuration Item > Table Definition
    • GCP > Spanner > Instance > ServiceNow > Table
    • GCP > Spanner > Instance > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • AWS > EC2 > Volume > Configuration
  • Policy Types:

    • AWS > EC2 > Volume > Configuration
    • AWS > EC2 > Volume > Configuration > IOPS Capacity
    • AWS > EC2 > Volume > Configuration > Throughput
    • AWS > EC2 > Volume > Configuration > Type
  • Action Types:

    • AWS > EC2 > Volume > Update Configuration

Breaking changes

  • Removed the iam_root_user_virtual_mfa control since it is not recommended as good practice. (#743)
  • Replaced iam_account_password_policy_strong with iam_account_password_policy_strong_min_reuse_24 in the GDPR, FFIEC and CISA Cyber Essentials benchmarks to align more accurately with the requirements specified in the AWS Config rules. (#739)

Bug fixes

  • Updated the dashboard image to correctly list all the 25 benchmarks. (#748)

What's new?

  • New query trigger type that watches a database and fires on changes.
  • HTTP trigger now handles both GET and POST methods.
  • Query steps and triggers now support Postgres, MySQL and SQLite.
  • Define a container step with a source argument for inline image definitions.
  • Pipeline steps now accept a timeout.
  • Enable or disable triggers with the enabled attribute.
  • Improved and expanded output for flowpipe server.
  • Improved and standardized output for the CLI list and show commands.
  • Expanded intervals available in schedule and query triggers (e.g. 5m, 10m).
  • New credential types: BitBucket, Datadog, Freshdesk, JumpCloud, ServiceNow, Turbot Guardrails.
  • Automatic check and notification for new CLI versions.

Bug fixes

  • Implemented a more descriptive error message for server startup failures.
  • Fixed Step Arguments unable to be referenced in the Pipeline definition.
  • Added missing execution_mode argument to HTTP Trigger (#533).
  • Fixed args arguments unable to be updated in the Pipeline Step loop block (#559).
  • Fixed an issue in the bootstrap process for identifying the config path.

What's new?

  • Added the following controls across Simple Email Service and VPC benchmarks. (#88 #102)
    • ses_configuration_set_tls_enforced
    • vpc_security_group_restrict_ingress_rdp_all
    • vpc_security_group_restrict_ingress_ssh_all

Bug fixes

  • Fixed schema clone function failing if table has an LTREE column. (#4079)
  • Maintained the order of execution when running multiple queries in batch mode. (#3728)
  • Fixed issue where using any meta-command would load connection state even if not required. (#3614)
  • Fixed issue where plugin version file back-filling would write versions.json to the CWD if the plugin folder is not found. (#4073)
  • Simplified and fixed available port check. (#4030)

What's new?

  • Added the kubernetes_cluster_no_cluster_level_node_pool control to the Kubernetes benchmark. (#53)

Enhancements

  • Added the annotations columns on all CRD resources. (#202)
  • Updated the API version for table kubernetes_horizontal_pod_autoscaler. (#190)

What's new?

Enhancements

  • Added column iam_policy to gcp_cloud_run_service table. (#531)
  • Optimized gcp_logging_log_entry query performance by applying a timestamp filter. (#508)
  • Added the json_payload, proto_payload, metadata, resource, operation, and tags columns to gcp_logging_log_entry table. (#508)
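Added example, not from this page or the GCP plugin's docs, of what the new iam_policy column on gcp_cloud_run_service is useful for from a security standpoint: listing services that anyone on the internet (allUsers) or any Google account (allAuthenticatedUsers) can invoke. It assumes iam_policy carries the standard GCP IAM policy shape, a bindings array of objects with role and members.

```sql
-- Added example (not from the Steampipe changelog or the GCP plugin docs).
-- Assumes iam_policy is the standard GCP IAM policy document:
--   {"bindings": [{"role": "...", "members": ["..."]}, ...]}
-- Lists Cloud Run services that are publicly invokable, with the member
-- that grants the access, so each finding can be reviewed or revoked.
select
  s.project,
  s.location,
  s.name,
  m as public_member
from
  gcp_cloud_run_service as s,
  jsonb_array_elements(s.iam_policy -> 'bindings') as b,
  jsonb_array_elements_text(b -> 'members') as m
where
  b ->> 'role' = 'roles/run.invoker'
  and m in ('allUsers', 'allAuthenticatedUsers')
order by
  s.project, s.location, s.name;
```

A service with ingress restricted to internal traffic may still show up here; the IAM binding is what the query inspects, so treat the result as a review list rather than a definitive exposure list.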

Bug fixes

  • Fixed the addons_config, network_config and network_policy columns of the gcp_kubernetes_cluster table to correctly return data instead of null. (#530)
  • Fixed the end_time column of the gcp_sql_backup table to return null instead of an error when end time is unavailable for a SQL backup. (#534)
  • Fixed the enqueued_time, start_time and window_start_time columns of the gcp_sql_backup table to return null instead of an error when timestamp is unavailable for a SQL backup. (#536)

Enhancements

  • Added the audit_policy column to azure_sql_database and azure_sql_server tables. (#711)
  • Added the webhooks column to azure_container_registry table. (#710)
  • Added the disable_local_auth and status columns to azure_servicebus_namespace table. (#715)

Bug fixes

  • Fixed the azure_key_vault_secret table to correctly return data when keyvault name is in camel-case. (#638)

Bug fixes

  • Fixed the low_iops_ebs_volumes control to recommend converting io1 and io2 volumes to gp3 when their IOPS are below 16,000 rather than 3,000, since gp3 supports up to 16,000 provisioned IOPS. (#167)
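Added example, not the aws-thrifty mod's own query, showing the corrected threshold as a standalone Steampipe query against aws_ebs_volume. Column names are those of the Steampipe AWS plugin table; the 16,000 figure is the maximum provisioned IOPS gp3 supports, so any io1/io2 volume below it could be served by gp3.

```sql
-- Added example (not the mod's own control query).
-- io1/io2 volumes whose provisioned IOPS fit within gp3's 16,000 IOPS ceiling.
-- Volumes at or above the ceiling are excluded because gp3 cannot serve them.
select
  account_id,
  region,
  volume_id,
  volume_type,
  iops,
  size as size_gib,
  state
from
  aws_ebs_volume
where
  volume_type in ('io1', 'io2')
  and iops < 16000
order by
  iops desc;
```

Before acting on a row, also check the volume's throughput requirement: gp3 tops out at 1,000 MiB/s, so a volume that fits the IOPS ceiling may still be unsuitable.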

What's new?

  • Server
    • You can now update API size limit via the MAX_PAYLOAD_SIZE parameter.

Requirements

  • TEF: 1.55.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.
  • Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed; your existing configurations and settings will continue to work as before.

What's new?

  • Resource Types:

    • AWS > Kinesis > Kinesis Video Stream
  • Control Types:

    • AWS > Kinesis > Kinesis Video Stream > Active
    • AWS > Kinesis > Kinesis Video Stream > Approved
    • AWS > Kinesis > Kinesis Video Stream > CMDB
    • AWS > Kinesis > Kinesis Video Stream > Discovery
    • AWS > Kinesis > Kinesis Video Stream > Tags
  • Policy Types:

    • AWS > Kinesis > Kinesis Video Stream > Active
    • AWS > Kinesis > Kinesis Video Stream > Active > Age
    • AWS > Kinesis > Kinesis Video Stream > Active > Budget
    • AWS > Kinesis > Kinesis Video Stream > Active > Last Modified
    • AWS > Kinesis > Kinesis Video Stream > Approved
    • AWS > Kinesis > Kinesis Video Stream > Approved > Budget
    • AWS > Kinesis > Kinesis Video Stream > Approved > Custom
    • AWS > Kinesis > Kinesis Video Stream > Approved > Regions
    • AWS > Kinesis > Kinesis Video Stream > Approved > Usage
    • AWS > Kinesis > Kinesis Video Stream > CMDB
    • AWS > Kinesis > Kinesis Video Stream > Regions
    • AWS > Kinesis > Kinesis Video Stream > Tags
    • AWS > Kinesis > Kinesis Video Stream > Tags > Template
  • Action Types:

    • AWS > Kinesis > Kinesis Video Stream > Delete
    • AWS > Kinesis > Kinesis Video Stream > Delete from AWS
    • AWS > Kinesis > Kinesis Video Stream > Router
    • AWS > Kinesis > Kinesis Video Stream > Set Tags
    • AWS > Kinesis > Kinesis Video Stream > Skip alarm for Active control
    • AWS > Kinesis > Kinesis Video Stream > Skip alarm for Active control [90 days]
    • AWS > Kinesis > Kinesis Video Stream > Skip alarm for Approved control
    • AWS > Kinesis > Kinesis Video Stream > Skip alarm for Approved control [90 days]
    • AWS > Kinesis > Kinesis Video Stream > Skip alarm for Tags control
    • AWS > Kinesis > Kinesis Video Stream > Skip alarm for Tags control [90 days]
    • AWS > Kinesis > Kinesis Video Stream > Update Tags

What's new?

Enhancements

  • Added deletion_protection_enabled column to aws_dynamodb_table table. (#2049)

Bug fixes

  • Fixed default page size in aws_organizations_account table. (#2058)
  • Fixed processor_features column in aws_rds_db_instance not returning data when default value is set. (#2028)
  • Temporarily removed aws_organizations_organizational_unit table due to LTREE column issue. (#2058)

What's new?

  • Control Types:

    • GCP > Logging > Exclusion > ServiceNow
    • GCP > Logging > Exclusion > ServiceNow > Configuration Item
    • GCP > Logging > Exclusion > ServiceNow > Table
    • GCP > Logging > Metric > ServiceNow
    • GCP > Logging > Metric > ServiceNow > Configuration Item
    • GCP > Logging > Metric > ServiceNow > Table
    • GCP > Logging > Sink > ServiceNow
    • GCP > Logging > Sink > ServiceNow > Configuration Item
    • GCP > Logging > Sink > ServiceNow > Table
  • Policy Types:

    • GCP > Logging > Exclusion > ServiceNow
    • GCP > Logging > Exclusion > ServiceNow > Configuration Item
    • GCP > Logging > Exclusion > ServiceNow > Configuration Item > Record
    • GCP > Logging > Exclusion > ServiceNow > Configuration Item > Table Definition
    • GCP > Logging > Exclusion > ServiceNow > Table
    • GCP > Logging > Exclusion > ServiceNow > Table > Definition
    • GCP > Logging > Metric > ServiceNow
    • GCP > Logging > Metric > ServiceNow > Configuration Item
    • GCP > Logging > Metric > ServiceNow > Configuration Item > Record
    • GCP > Logging > Metric > ServiceNow > Configuration Item > Table Definition
    • GCP > Logging > Metric > ServiceNow > Table
    • GCP > Logging > Metric > ServiceNow > Table > Definition
    • GCP > Logging > Sink > ServiceNow
    • GCP > Logging > Sink > ServiceNow > Configuration Item
    • GCP > Logging > Sink > ServiceNow > Configuration Item > Record
    • GCP > Logging > Sink > ServiceNow > Configuration Item > Table Definition
    • GCP > Logging > Sink > ServiceNow > Table
    • GCP > Logging > Sink > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > Compute Engine > HTTP Health Check > ServiceNow
    • GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item
    • GCP > Compute Engine > HTTP Health Check > ServiceNow > Table
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table
    • GCP > Compute Engine > Health Check > ServiceNow
    • GCP > Compute Engine > Health Check > ServiceNow > Configuration Item
    • GCP > Compute Engine > Health Check > ServiceNow > Table
    • GCP > Compute Engine > Instance Template > ServiceNow
    • GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item
    • GCP > Compute Engine > Instance Template > ServiceNow > Table
    • GCP > Compute Engine > Node Group > ServiceNow
    • GCP > Compute Engine > Node Group > ServiceNow > Configuration Item
    • GCP > Compute Engine > Node Group > ServiceNow > Table
    • GCP > Compute Engine > Node Template > ServiceNow
    • GCP > Compute Engine > Node Template > ServiceNow > Configuration Item
    • GCP > Compute Engine > Node Template > ServiceNow > Table
    • GCP > Compute Engine > Project > ServiceNow
    • GCP > Compute Engine > Project > ServiceNow > Configuration Item
    • GCP > Compute Engine > Project > ServiceNow > Table
    • GCP > Compute Engine > Region Disk > ServiceNow
    • GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item
    • GCP > Compute Engine > Region Disk > ServiceNow > Table
    • GCP > Compute Engine > Region Health Check > ServiceNow
    • GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item
    • GCP > Compute Engine > Region Health Check > ServiceNow > Table
  • Policy Types:

    • GCP > Compute Engine > HTTP Health Check > ServiceNow
    • GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item
    • GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > HTTP Health Check > ServiceNow > Table
    • GCP > Compute Engine > HTTP Health Check > ServiceNow > Table > Definition
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table
    • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table > Definition
    • GCP > Compute Engine > Health Check > ServiceNow
    • GCP > Compute Engine > Health Check > ServiceNow > Configuration Item
    • GCP > Compute Engine > Health Check > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Health Check > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Health Check > ServiceNow > Table
    • GCP > Compute Engine > Health Check > ServiceNow > Table > Definition
    • GCP > Compute Engine > Instance Template > ServiceNow
    • GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item
    • GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Instance Template > ServiceNow > Table
    • GCP > Compute Engine > Instance Template > ServiceNow > Table > Definition
    • GCP > Compute Engine > Node Group > ServiceNow
    • GCP > Compute Engine > Node Group > ServiceNow > Configuration Item
    • GCP > Compute Engine > Node Group > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Node Group > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Node Group > ServiceNow > Table
    • GCP > Compute Engine > Node Group > ServiceNow > Table > Definition
    • GCP > Compute Engine > Node Template > ServiceNow
    • GCP > Compute Engine > Node Template > ServiceNow > Configuration Item
    • GCP > Compute Engine > Node Template > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Node Template > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Node Template > ServiceNow > Table
    • GCP > Compute Engine > Node Template > ServiceNow > Table > Definition
    • GCP > Compute Engine > Project > ServiceNow
    • GCP > Compute Engine > Project > ServiceNow > Configuration Item
    • GCP > Compute Engine > Project > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Project > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Project > ServiceNow > Table
    • GCP > Compute Engine > Project > ServiceNow > Table > Definition
    • GCP > Compute Engine > Region Disk > ServiceNow
    • GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item
    • GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Region Disk > ServiceNow > Table
    • GCP > Compute Engine > Region Disk > ServiceNow > Table > Definition
    • GCP > Compute Engine > Region Health Check > ServiceNow
    • GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item
    • GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Region Health Check > ServiceNow > Table
    • GCP > Compute Engine > Region Health Check > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > SQL > Backup > ServiceNow
    • GCP > SQL > Backup > ServiceNow > Configuration Item
    • GCP > SQL > Backup > ServiceNow > Table
    • GCP > SQL > Database > ServiceNow
    • GCP > SQL > Database > ServiceNow > Configuration Item
    • GCP > SQL > Database > ServiceNow > Table
  • Policy Types:

    • GCP > SQL > Backup > ServiceNow
    • GCP > SQL > Backup > ServiceNow > Configuration Item
    • GCP > SQL > Backup > ServiceNow > Configuration Item > Record
    • GCP > SQL > Backup > ServiceNow > Configuration Item > Table Definition
    • GCP > SQL > Backup > ServiceNow > Table
    • GCP > SQL > Backup > ServiceNow > Table > Definition
    • GCP > SQL > Database > ServiceNow
    • GCP > SQL > Database > ServiceNow > Configuration Item
    • GCP > SQL > Database > ServiceNow > Configuration Item > Record
    • GCP > SQL > Database > ServiceNow > Configuration Item > Table Definition
    • GCP > SQL > Database > ServiceNow > Table
    • GCP > SQL > Database > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > KMS > Crypto Key > ServiceNow
    • GCP > KMS > Crypto Key > ServiceNow > Configuration Item
    • GCP > KMS > Crypto Key > ServiceNow > Table
    • GCP > KMS > Key Ring > ServiceNow
    • GCP > KMS > Key Ring > ServiceNow > Configuration Item
    • GCP > KMS > Key Ring > ServiceNow > Table
  • Policy Types:

    • GCP > KMS > Crypto Key > ServiceNow
    • GCP > KMS > Crypto Key > ServiceNow > Configuration Item
    • GCP > KMS > Crypto Key > ServiceNow > Configuration Item > Record
    • GCP > KMS > Crypto Key > ServiceNow > Configuration Item > Table Definition
    • GCP > KMS > Crypto Key > ServiceNow > Table
    • GCP > KMS > Crypto Key > ServiceNow > Table > Definition
    • GCP > KMS > Key Ring > ServiceNow
    • GCP > KMS > Key Ring > ServiceNow > Configuration Item
    • GCP > KMS > Key Ring > ServiceNow > Configuration Item > Record
    • GCP > KMS > Key Ring > ServiceNow > Configuration Item > Table Definition
    • GCP > KMS > Key Ring > ServiceNow > Table
    • GCP > KMS > Key Ring > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > BigQuery > Dataset > ServiceNow
    • GCP > BigQuery > Dataset > ServiceNow > Configuration Item
    • GCP > BigQuery > Dataset > ServiceNow > Table
    • GCP > BigQuery > Table > ServiceNow
    • GCP > BigQuery > Table > ServiceNow > Configuration Item
    • GCP > BigQuery > Table > ServiceNow > Table
  • Policy Types:

    • GCP > BigQuery > Dataset > ServiceNow
    • GCP > BigQuery > Dataset > ServiceNow > Configuration Item
    • GCP > BigQuery > Dataset > ServiceNow > Configuration Item > Record
    • GCP > BigQuery > Dataset > ServiceNow > Configuration Item > Table Definition
    • GCP > BigQuery > Dataset > ServiceNow > Table
    • GCP > BigQuery > Dataset > ServiceNow > Table > Definition
    • GCP > BigQuery > Table > ServiceNow
    • GCP > BigQuery > Table > ServiceNow > Configuration Item
    • GCP > BigQuery > Table > ServiceNow > Configuration Item > Record
    • GCP > BigQuery > Table > ServiceNow > Configuration Item > Table Definition
    • GCP > BigQuery > Table > ServiceNow > Table
    • GCP > BigQuery > Table > ServiceNow > Table > Definition

Bug fixes

  • Server
    • Updated: Tightened the IAM policy that scopes access to the custom Lambda function.
    • Fixed: Turbot > Workspace > Health Control no longer fails when there is no input.

Requirements

  • TEF: 1.55.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Control Types:

    • GCP > Bigtable > Cluster > ServiceNow
    • GCP > Bigtable > Cluster > ServiceNow > Configuration Item
    • GCP > Bigtable > Cluster > ServiceNow > Table
    • GCP > Bigtable > Instance > ServiceNow
    • GCP > Bigtable > Instance > ServiceNow > Configuration Item
    • GCP > Bigtable > Instance > ServiceNow > Table
    • GCP > Bigtable > Table > ServiceNow
    • GCP > Bigtable > Table > ServiceNow > Configuration Item
    • GCP > Bigtable > Table > ServiceNow > Table
  • Policy Types:

    • GCP > Bigtable > Cluster > ServiceNow
    • GCP > Bigtable > Cluster > ServiceNow > Configuration Item
    • GCP > Bigtable > Cluster > ServiceNow > Configuration Item > Record
    • GCP > Bigtable > Cluster > ServiceNow > Configuration Item > Table Definition
    • GCP > Bigtable > Cluster > ServiceNow > Table
    • GCP > Bigtable > Cluster > ServiceNow > Table > Definition
    • GCP > Bigtable > Instance > ServiceNow
    • GCP > Bigtable > Instance > ServiceNow > Configuration Item
    • GCP > Bigtable > Instance > ServiceNow > Configuration Item > Record
    • GCP > Bigtable > Instance > ServiceNow > Configuration Item > Table Definition
    • GCP > Bigtable > Instance > ServiceNow > Table
    • GCP > Bigtable > Instance > ServiceNow > Table > Definition
    • GCP > Bigtable > Table > ServiceNow
    • GCP > Bigtable > Table > ServiceNow > Configuration Item
    • GCP > Bigtable > Table > ServiceNow > Configuration Item > Record
    • GCP > Bigtable > Table > ServiceNow > Configuration Item > Table Definition
    • GCP > Bigtable > Table > ServiceNow > Table
    • GCP > Bigtable > Table > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • GCP > App Engine > Application > ServiceNow
    • GCP > App Engine > Application > ServiceNow > Configuration Item
    • GCP > App Engine > Application > ServiceNow > Table
    • GCP > App Engine > Firewall Rule > ServiceNow
    • GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item
    • GCP > App Engine > Firewall Rule > ServiceNow > Table
    • GCP > App Engine > Instance > ServiceNow
    • GCP > App Engine > Instance > ServiceNow > Configuration Item
    • GCP > App Engine > Instance > ServiceNow > Table
    • GCP > App Engine > Service > ServiceNow
    • GCP > App Engine > Service > ServiceNow > Configuration Item
    • GCP > App Engine > Service > ServiceNow > Table
    • GCP > App Engine > Version > ServiceNow
    • GCP > App Engine > Version > ServiceNow > Configuration Item
    • GCP > App Engine > Version > ServiceNow > Table
  • Policy Types:

    • GCP > App Engine > Application > ServiceNow
    • GCP > App Engine > Application > ServiceNow > Configuration Item
    • GCP > App Engine > Application > ServiceNow > Configuration Item > Record
    • GCP > App Engine > Application > ServiceNow > Configuration Item > Table Definition
    • GCP > App Engine > Application > ServiceNow > Table
    • GCP > App Engine > Application > ServiceNow > Table > Definition
    • GCP > App Engine > Firewall Rule > ServiceNow
    • GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item
    • GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item > Record
    • GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item > Table Definition
    • GCP > App Engine > Firewall Rule > ServiceNow > Table
    • GCP > App Engine > Firewall Rule > ServiceNow > Table > Definition
    • GCP > App Engine > Instance > ServiceNow
    • GCP > App Engine > Instance > ServiceNow > Configuration Item
    • GCP > App Engine > Instance > ServiceNow > Configuration Item > Record
    • GCP > App Engine > Instance > ServiceNow > Configuration Item > Table Definition
    • GCP > App Engine > Instance > ServiceNow > Table
    • GCP > App Engine > Instance > ServiceNow > Table > Definition
    • GCP > App Engine > Service > ServiceNow
    • GCP > App Engine > Service > ServiceNow > Configuration Item
    • GCP > App Engine > Service > ServiceNow > Configuration Item > Record
    • GCP > App Engine > Service > ServiceNow > Configuration Item > Table Definition
    • GCP > App Engine > Service > ServiceNow > Table
    • GCP > App Engine > Service > ServiceNow > Table > Definition
    • GCP > App Engine > Version > ServiceNow
    • GCP > App Engine > Version > ServiceNow > Configuration Item
    • GCP > App Engine > Version > ServiceNow > Configuration Item > Record
    • GCP > App Engine > Version > ServiceNow > Configuration Item > Table Definition
    • GCP > App Engine > Version > ServiceNow > Table
    • GCP > App Engine > Version > ServiceNow > Table > Definition

Bug fixes

  • The GCP > Turbot > Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the GCP > Turbot > Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.

Bug fixes

  • The Azure > Turbot > Event Poller and Azure > Turbot > Management Group Event Poller controls now include a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Event Poller and Azure > Turbot > Management Group Event Poller policies are set to Disabled respectively. You won’t notice any difference and the controls should run lighter and quicker than before.

Bug fixes

  • The Azure > Turbot > Directory Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Directory Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.

Bug fixes

  • The AWS > Turbot > Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the AWS > Turbot > Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.

What's new?

  • Resource Types:

    • AWS > OpenSearch
  • Policy Types:

    • AWS > OpenSearch > API Enabled
    • AWS > OpenSearch > Approved Regions [Default]
    • AWS > OpenSearch > Enabled
    • AWS > OpenSearch > Permissions
    • AWS > OpenSearch > Permissions > Levels
    • AWS > OpenSearch > Permissions > Levels > Modifiers
    • AWS > OpenSearch > Permissions > Lockdown
    • AWS > OpenSearch > Permissions > Lockdown > API Boundary
    • AWS > OpenSearch > Regions
    • AWS > OpenSearch > Tags Template [Default]
    • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-opensearch
    • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-opensearch
    • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-opensearch

What's new?

  • Added the query_and_stop_aws_ec2_instances_by_tag sample mod that can be used with Flowpipe. (#99)

Bug fixes

  • Fixed the README docs to use --arg instead of --pipeline-arg as the argument flag. (#102)
  • Fixed the link for installing mod dependencies in all the README docs. (#98)

What's new?

  • Control Types:

    • Azure > Resource Group > ServiceNow
    • Azure > Resource Group > ServiceNow > Configuration Item
    • Azure > Resource Group > ServiceNow > Table
    • Azure > Subscription > ServiceNow
    • Azure > Subscription > ServiceNow > Configuration Item
    • Azure > Subscription > ServiceNow > Table
    • Azure > Tenant > ServiceNow
    • Azure > Tenant > ServiceNow > Configuration Item
    • Azure > Tenant > ServiceNow > Table
  • Policy Types:

    • Azure > Resource Group > ServiceNow
    • Azure > Resource Group > ServiceNow > Configuration Item
    • Azure > Resource Group > ServiceNow > Configuration Item > Record
    • Azure > Resource Group > ServiceNow > Configuration Item > Table Definition
    • Azure > Resource Group > ServiceNow > Table
    • Azure > Resource Group > ServiceNow > Table > Definition
    • Azure > Subscription > ServiceNow
    • Azure > Subscription > ServiceNow > Configuration Item
    • Azure > Subscription > ServiceNow > Configuration Item > Record
    • Azure > Subscription > ServiceNow > Configuration Item > Table Definition
    • Azure > Subscription > ServiceNow > Table
    • Azure > Subscription > ServiceNow > Table > Definition
    • Azure > Tenant > ServiceNow
    • Azure > Tenant > ServiceNow > Configuration Item
    • Azure > Tenant > ServiceNow > Configuration Item > Record
    • Azure > Tenant > ServiceNow > Configuration Item > Table Definition
    • Azure > Tenant > ServiceNow > Table
    • Azure > Tenant > ServiceNow > Table > Definition

Bug fixes

  • Updated the tags to use risk instead of severity to eliminate duplicate column names in output files. (#41)

What's new?

  • Control Types:

    • Azure > Network > Private Endpoints > ServiceNow
    • Azure > Network > Private Endpoints > ServiceNow > Configuration Item
    • Azure > Network > Private Endpoints > ServiceNow > Table
  • Policy Types:

    • Azure > Network > Private Endpoints > ServiceNow
    • Azure > Network > Private Endpoints > ServiceNow > Configuration Item
    • Azure > Network > Private Endpoints > ServiceNow > Configuration Item > Record
    • Azure > Network > Private Endpoints > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Private Endpoints > ServiceNow > Table
    • Azure > Network > Private Endpoints > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Automation > Automation Account > ServiceNow
    • Azure > Automation > Automation Account > ServiceNow > Configuration Item
    • Azure > Automation > Automation Account > ServiceNow > Table
    • Azure > Automation > Runbook > ServiceNow
    • Azure > Automation > Runbook > ServiceNow > Configuration Item
    • Azure > Automation > Runbook > ServiceNow > Table
  • Policy Types:

    • Azure > Automation > Automation Account > ServiceNow
    • Azure > Automation > Automation Account > ServiceNow > Configuration Item
    • Azure > Automation > Automation Account > ServiceNow > Configuration Item > Record
    • Azure > Automation > Automation Account > ServiceNow > Configuration Item > Table Definition
    • Azure > Automation > Automation Account > ServiceNow > Table
    • Azure > Automation > Automation Account > ServiceNow > Table > Definition
    • Azure > Automation > Runbook > ServiceNow
    • Azure > Automation > Runbook > ServiceNow > Configuration Item
    • Azure > Automation > Runbook > ServiceNow > Configuration Item > Record
    • Azure > Automation > Runbook > ServiceNow > Configuration Item > Table Definition
    • Azure > Automation > Runbook > ServiceNow > Table
    • Azure > Automation > Runbook > ServiceNow > Table > Definition

What's new?

  • Added support for aws_network_interface_sg_attachment Terraform resource for AWS > EC2 > Network Interface.

Bug fixes

  • The AWS > EC2 > Instance > CMDB control would sometimes trigger multiple times if EnclaveOptions was not set in the AWS > EC2 > Instance > CMDB > Attributes policy, causing unnecessary Lambda runs for the control. The EnclaveOptions attribute is now included in the CMDB data by default, and the EnclaveOptions value in the AWS > EC2 > Instance > CMDB > Attributes policy is deprecated and will be removed in the next major version.

Bug fixes

  • Updated the credential section of README to use api_key instead of token. (#7)

What's new?

  • Updated: The Launch Template now prevents network interfaces from being associated with public IPs.

What's new?

  • Control Types:

    • Azure > Storage > Container > ServiceNow
    • Azure > Storage > Container > ServiceNow > Configuration Item
    • Azure > Storage > Container > ServiceNow > Table
    • Azure > Storage > FileShare > ServiceNow
    • Azure > Storage > FileShare > ServiceNow > Configuration Item
    • Azure > Storage > FileShare > ServiceNow > Table
    • Azure > Storage > Queue > ServiceNow
    • Azure > Storage > Queue > ServiceNow > Configuration Item
    • Azure > Storage > Queue > ServiceNow > Table
  • Policy Types:

    • Azure > Storage > Container > ServiceNow
    • Azure > Storage > Container > ServiceNow > Configuration Item
    • Azure > Storage > Container > ServiceNow > Configuration Item > Record
    • Azure > Storage > Container > ServiceNow > Configuration Item > Table Definition
    • Azure > Storage > Container > ServiceNow > Table
    • Azure > Storage > Container > ServiceNow > Table > Definition
    • Azure > Storage > FileShare > ServiceNow
    • Azure > Storage > FileShare > ServiceNow > Configuration Item
    • Azure > Storage > FileShare > ServiceNow > Configuration Item > Record
    • Azure > Storage > FileShare > ServiceNow > Configuration Item > Table Definition
    • Azure > Storage > FileShare > ServiceNow > Table
    • Azure > Storage > FileShare > ServiceNow > Table > Definition
    • Azure > Storage > Queue > ServiceNow
    • Azure > Storage > Queue > ServiceNow > Configuration Item
    • Azure > Storage > Queue > ServiceNow > Configuration Item > Record
    • Azure > Storage > Queue > ServiceNow > Configuration Item > Table Definition
    • Azure > Storage > Queue > ServiceNow > Table
    • Azure > Storage > Queue > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Recovery Service > Backup > ServiceNow
    • Azure > Recovery Service > Backup > ServiceNow > Configuration Item
    • Azure > Recovery Service > Backup > ServiceNow > Table
    • Azure > Recovery Service > Vault > ServiceNow
    • Azure > Recovery Service > Vault > ServiceNow > Configuration Item
    • Azure > Recovery Service > Vault > ServiceNow > Table
  • Policy Types:

    • Azure > Recovery Service > Backup > ServiceNow
    • Azure > Recovery Service > Backup > ServiceNow > Configuration Item
    • Azure > Recovery Service > Backup > ServiceNow > Configuration Item > Record
    • Azure > Recovery Service > Backup > ServiceNow > Configuration Item > Table Definition
    • Azure > Recovery Service > Backup > ServiceNow > Table
    • Azure > Recovery Service > Backup > ServiceNow > Table > Definition
    • Azure > Recovery Service > Vault > ServiceNow
    • Azure > Recovery Service > Vault > ServiceNow > Configuration Item
    • Azure > Recovery Service > Vault > ServiceNow > Configuration Item > Record
    • Azure > Recovery Service > Vault > ServiceNow > Configuration Item > Table Definition
    • Azure > Recovery Service > Vault > ServiceNow > Table
    • Azure > Recovery Service > Vault > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Monitor > Action Group > ServiceNow
    • Azure > Monitor > Action Group > ServiceNow > Configuration Item
    • Azure > Monitor > Action Group > ServiceNow > Table
    • Azure > Monitor > Alerts > ServiceNow
    • Azure > Monitor > Alerts > ServiceNow > Configuration Item
    • Azure > Monitor > Alerts > ServiceNow > Table
    • Azure > Monitor > Log Profile > ServiceNow
    • Azure > Monitor > Log Profile > ServiceNow > Configuration Item
    • Azure > Monitor > Log Profile > ServiceNow > Table
  • Policy Types:

    • Azure > Monitor > Action Group > ServiceNow
    • Azure > Monitor > Action Group > ServiceNow > Configuration Item
    • Azure > Monitor > Action Group > ServiceNow > Configuration Item > Record
    • Azure > Monitor > Action Group > ServiceNow > Configuration Item > Table Definition
    • Azure > Monitor > Action Group > ServiceNow > Table
    • Azure > Monitor > Action Group > ServiceNow > Table > Definition
    • Azure > Monitor > Alerts > ServiceNow
    • Azure > Monitor > Alerts > ServiceNow > Configuration Item
    • Azure > Monitor > Alerts > ServiceNow > Configuration Item > Record
    • Azure > Monitor > Alerts > ServiceNow > Configuration Item > Table Definition
    • Azure > Monitor > Alerts > ServiceNow > Table
    • Azure > Monitor > Alerts > ServiceNow > Table > Definition
    • Azure > Monitor > Log Profile > ServiceNow
    • Azure > Monitor > Log Profile > ServiceNow > Configuration Item
    • Azure > Monitor > Log Profile > ServiceNow > Configuration Item > Record
    • Azure > Monitor > Log Profile > ServiceNow > Configuration Item > Table Definition
    • Azure > Monitor > Log Profile > ServiceNow > Table
    • Azure > Monitor > Log Profile > ServiceNow > Table > Definition

What's new?

  • Added the following controls across the benchmarks: (#51)
    • container_instance_container_group_secure_environment_variable
    • container_registry_zone_redundant_enabled

What's new?

Enhancements

  • Added storage_throughput column to aws_rds_db_instance table. (#2010) (Thanks @toddwh50 for the contribution!)
  • Added layers column to aws_lambda_function table. (#2008) (Thanks @icaliskanoglu for the contribution!)
  • Added tags column to aws_backup_recovery_point and aws_backup_vault tables. (#2033)
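The new layers column makes it possible to audit which code a Lambda function pulls in at runtime: a layer is executable code supplied by whoever owns the layer ARN, so a layer published from another account is a supply-chain dependency worth reviewing. The query below is an added example, not part of the changelog or the plugin's own code. It assumes that aws_lambda_function exposes layers as a JSONB array of objects with an "Arn" key, mirroring Lambda's GetFunctionConfiguration response, and that the account ID is the fifth colon-separated field of the layer ARN; adjust the key name if your plugin version differs.

```sql
-- Added example (not from the Steampipe changelog or plugin source).
-- Assumption: aws_lambda_function.layers is a JSONB array of objects
-- carrying an "Arn" key, as returned by Lambda's GetFunctionConfiguration.
-- Lists every function/layer pair where the layer lives in a different
-- AWS account than the function itself (cross-account code dependency).
select
  f.name,
  f.account_id,
  f.region,
  l ->> 'Arn' as layer_arn,
  -- layer ARN format: arn:partition:lambda:region:account-id:layer:name:version
  split_part(l ->> 'Arn', ':', 5) as layer_account_id
from
  aws_lambda_function as f,
  -- functions with no layers yield zero rows here, so they are skipped
  jsonb_array_elements(f.layers) as l
where
  split_part(l ->> 'Arn', ':', 5) <> f.account_id
order by
  f.account_id,
  f.name;
```

Run it from the Steampipe query shell across all configured AWS connections; any row is a function executing code you do not control, so check the publishing account against your allow-list of trusted layer publishers.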

Bug fixes

  • The custom HTTP client now honors settings supplied through environment variables such as AWS_CA_BUNDLE when it is built. (#2044)
  • Fixed MaxItems in aws_iam_policy and aws_iam_policy_attachment tables to use 1000 instead of 100 to avoid unnecessary API calls. (#2025) (#2026)

Bug fixes

  • Removed inaccurate SQL Query string validation to check for arguments. (#516)

What's new?

  • Control Types:

    • GCP > Kubernetes Engine > Region Cluster > ServiceNow
    • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item
    • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table
  • Policy Types:

    • GCP > Kubernetes Engine > Region Cluster > ServiceNow
    • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item
    • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item > Record
    • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item > Table Definition
    • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table
    • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table > Definition
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item > Record
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item > Table Definition
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table
    • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table > Definition
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item > Record
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item > Table Definition
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table
    • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table > Definition
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item > Record
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item > Table Definition
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table
    • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > IAM > Role Assignment > ServiceNow
    • Azure > IAM > Role Assignment > ServiceNow > Configuration Item
    • Azure > IAM > Role Assignment > ServiceNow > Table
    • Azure > IAM > Role Definition > ServiceNow
    • Azure > IAM > Role Definition > ServiceNow > Configuration Item
    • Azure > IAM > Role Definition > ServiceNow > Table
  • Policy Types:

    • Azure > IAM > Role Assignment > ServiceNow
    • Azure > IAM > Role Assignment > ServiceNow > Configuration Item
    • Azure > IAM > Role Assignment > ServiceNow > Configuration Item > Record
    • Azure > IAM > Role Assignment > ServiceNow > Configuration Item > Table Definition
    • Azure > IAM > Role Assignment > ServiceNow > Table
    • Azure > IAM > Role Assignment > ServiceNow > Table > Definition
    • Azure > IAM > Role Definition > ServiceNow
    • Azure > IAM > Role Definition > ServiceNow > Configuration Item
    • Azure > IAM > Role Definition > ServiceNow > Configuration Item > Record
    • Azure > IAM > Role Definition > ServiceNow > Configuration Item > Table Definition
    • Azure > IAM > Role Definition > ServiceNow > Table
    • Azure > IAM > Role Definition > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Data Factory > Dataset > ServiceNow
    • Azure > Data Factory > Dataset > ServiceNow > Configuration Item
    • Azure > Data Factory > Dataset > ServiceNow > Table
    • Azure > Data Factory > Factory > ServiceNow
    • Azure > Data Factory > Factory > ServiceNow > Configuration Item
    • Azure > Data Factory > Factory > ServiceNow > Table
    • Azure > Data Factory > Pipeline > ServiceNow
    • Azure > Data Factory > Pipeline > ServiceNow > Configuration Item
    • Azure > Data Factory > Pipeline > ServiceNow > Table
  • Policy Types:

    • Azure > Data Factory > Dataset > ServiceNow
    • Azure > Data Factory > Dataset > ServiceNow > Configuration Item
    • Azure > Data Factory > Dataset > ServiceNow > Configuration Item > Record
    • Azure > Data Factory > Dataset > ServiceNow > Configuration Item > Table Definition
    • Azure > Data Factory > Dataset > ServiceNow > Table
    • Azure > Data Factory > Dataset > ServiceNow > Table > Definition
    • Azure > Data Factory > Factory > ServiceNow
    • Azure > Data Factory > Factory > ServiceNow > Configuration Item
    • Azure > Data Factory > Factory > ServiceNow > Configuration Item > Record
    • Azure > Data Factory > Factory > ServiceNow > Configuration Item > Table Definition
    • Azure > Data Factory > Factory > ServiceNow > Table
    • Azure > Data Factory > Factory > ServiceNow > Table > Definition
    • Azure > Data Factory > Pipeline > ServiceNow
    • Azure > Data Factory > Pipeline > ServiceNow > Configuration Item
    • Azure > Data Factory > Pipeline > ServiceNow > Configuration Item > Record
    • Azure > Data Factory > Pipeline > ServiceNow > Configuration Item > Table Definition
    • Azure > Data Factory > Pipeline > ServiceNow > Table
    • Azure > Data Factory > Pipeline > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Databricks > Workspace > ServiceNow
    • Azure > Databricks > Workspace > ServiceNow > Configuration Item
    • Azure > Databricks > Workspace > ServiceNow > Table
  • Policy Types:

    • Azure > Databricks > Workspace > ServiceNow
    • Azure > Databricks > Workspace > ServiceNow > Configuration Item
    • Azure > Databricks > Workspace > ServiceNow > Configuration Item > Record
    • Azure > Databricks > Workspace > ServiceNow > Configuration Item > Table Definition
    • Azure > Databricks > Workspace > ServiceNow > Table
    • Azure > Databricks > Workspace > ServiceNow > Table > Definition

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Enhancements

  • Updated the controls to reference their query using query = rather than sql =. (#25)

Bug fixes

  • Fixed the broken network_subnet_to_network_virtual_network edge of the relationship graph in the sql_server_detail dashboard page to correctly reference the network_subnets_for_sql_server query. (#118)

Bug fixes

  • Fixed the kubernetes_cluster_upgraded_with_non_vulnerable_version query to correctly check if a Kubernetes cluster is using an outdated software version. (#235)

Bug fixes

  • Server
    • The scheduled actions would sometimes fail to work for the firehose-aws-sns mod due to an inadvertent bug introduced in TE v5.42.10. This is now fixed.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Control Types:

    • Azure > Active Directory > Application > ServiceNow
    • Azure > Active Directory > Application > ServiceNow > Configuration Item
    • Azure > Active Directory > Application > ServiceNow > Table
    • Azure > Active Directory > Client Secret > ServiceNow
    • Azure > Active Directory > Client Secret > ServiceNow > Configuration Item
    • Azure > Active Directory > Client Secret > ServiceNow > Table
    • Azure > Active Directory > Custom Domain > ServiceNow
    • Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item
    • Azure > Active Directory > Custom Domain > ServiceNow > Table
    • Azure > Active Directory > Directory > ServiceNow
    • Azure > Active Directory > Directory > ServiceNow > Configuration Item
    • Azure > Active Directory > Directory > ServiceNow > Table
    • Azure > Active Directory > Group > ServiceNow
    • Azure > Active Directory > Group > ServiceNow > Configuration Item
    • Azure > Active Directory > Group > ServiceNow > Table
    • Azure > Active Directory > Service Principal > ServiceNow
    • Azure > Active Directory > Service Principal > ServiceNow > Configuration Item
    • Azure > Active Directory > Service Principal > ServiceNow > Table
    • Azure > Active Directory > User > ServiceNow
    • Azure > Active Directory > User > ServiceNow > Configuration Item
    • Azure > Active Directory > User > ServiceNow > Table
  • Policy Types:

    • Azure > Active Directory > Application > ServiceNow
    • Azure > Active Directory > Application > ServiceNow > Configuration Item
    • Azure > Active Directory > Application > ServiceNow > Configuration Item > Record
    • Azure > Active Directory > Application > ServiceNow > Configuration Item > Table Definition
    • Azure > Active Directory > Application > ServiceNow > Table
    • Azure > Active Directory > Application > ServiceNow > Table > Definition
    • Azure > Active Directory > Client Secret > ServiceNow
    • Azure > Active Directory > Client Secret > ServiceNow > Configuration Item
    • Azure > Active Directory > Client Secret > ServiceNow > Configuration Item > Record
    • Azure > Active Directory > Client Secret > ServiceNow > Configuration Item > Table Definition
    • Azure > Active Directory > Client Secret > ServiceNow > Table
    • Azure > Active Directory > Client Secret > ServiceNow > Table > Definition
    • Azure > Active Directory > Custom Domain > ServiceNow
    • Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item
    • Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item > Record
    • Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item > Table Definition
    • Azure > Active Directory > Custom Domain > ServiceNow > Table
    • Azure > Active Directory > Custom Domain > ServiceNow > Table > Definition
    • Azure > Active Directory > Directory > ServiceNow
    • Azure > Active Directory > Directory > ServiceNow > Configuration Item
    • Azure > Active Directory > Directory > ServiceNow > Configuration Item > Record
    • Azure > Active Directory > Directory > ServiceNow > Configuration Item > Table Definition
    • Azure > Active Directory > Directory > ServiceNow > Table
    • Azure > Active Directory > Directory > ServiceNow > Table > Definition
    • Azure > Active Directory > Group > ServiceNow
    • Azure > Active Directory > Group > ServiceNow > Configuration Item
    • Azure > Active Directory > Group > ServiceNow > Configuration Item > Record
    • Azure > Active Directory > Group > ServiceNow > Configuration Item > Table Definition
    • Azure > Active Directory > Group > ServiceNow > Table
    • Azure > Active Directory > Group > ServiceNow > Table > Definition
    • Azure > Active Directory > Service Principal > ServiceNow
    • Azure > Active Directory > Service Principal > ServiceNow > Configuration Item
    • Azure > Active Directory > Service Principal > ServiceNow > Configuration Item > Record
    • Azure > Active Directory > Service Principal > ServiceNow > Configuration Item > Table Definition
    • Azure > Active Directory > Service Principal > ServiceNow > Table
    • Azure > Active Directory > Service Principal > ServiceNow > Table > Definition
    • Azure > Active Directory > User > ServiceNow
    • Azure > Active Directory > User > ServiceNow > Configuration Item
    • Azure > Active Directory > User > ServiceNow > Configuration Item > Record
    • Azure > Active Directory > User > ServiceNow > Configuration Item > Table Definition
    • Azure > Active Directory > User > ServiceNow > Table
    • Azure > Active Directory > User > ServiceNow > Table > Definition

Bug fixes

  • Fixed the plugin to return only static tables instead of an error when the objects config argument is not set or the plugin credentials are not set correctly. (#26)

What's new?

  • Control Types:

    • GCP > Pub/Sub > Snapshot > ServiceNow
    • GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item
    • GCP > Pub/Sub > Snapshot > ServiceNow > Table
    • GCP > Pub/Sub > Subscription > ServiceNow
    • GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item
    • GCP > Pub/Sub > Subscription > ServiceNow > Table
    • GCP > Pub/Sub > Topic > ServiceNow
    • GCP > Pub/Sub > Topic > ServiceNow > Configuration Item
    • GCP > Pub/Sub > Topic > ServiceNow > Table
  • Policy Types:

    • GCP > Pub/Sub > Snapshot > ServiceNow
    • GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item
    • GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item > Record
    • GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item > Table Definition
    • GCP > Pub/Sub > Snapshot > ServiceNow > Table
    • GCP > Pub/Sub > Snapshot > ServiceNow > Table > Definition
    • GCP > Pub/Sub > Subscription > ServiceNow
    • GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item
    • GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item > Record
    • GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item > Table Definition
    • GCP > Pub/Sub > Subscription > ServiceNow > Table
    • GCP > Pub/Sub > Subscription > ServiceNow > Table > Definition
    • GCP > Pub/Sub > Topic > ServiceNow
    • GCP > Pub/Sub > Topic > ServiceNow > Configuration Item
    • GCP > Pub/Sub > Topic > ServiceNow > Configuration Item > Record
    • GCP > Pub/Sub > Topic > ServiceNow > Configuration Item > Table Definition
    • GCP > Pub/Sub > Topic > ServiceNow > Table
    • GCP > Pub/Sub > Topic > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Synapse Analytics > SQL Pool > ServiceNow
    • Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item
    • Azure > Synapse Analytics > SQL Pool > ServiceNow > Table
    • Azure > Synapse Analytics > Workspace > ServiceNow
    • Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item
    • Azure > Synapse Analytics > Workspace > ServiceNow > Table
  • Policy Types:

    • Azure > Synapse Analytics > SQL Pool > ServiceNow
    • Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item
    • Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item > Record
    • Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item > Table Definition
    • Azure > Synapse Analytics > SQL Pool > ServiceNow > Table
    • Azure > Synapse Analytics > SQL Pool > ServiceNow > Table > Definition
    • Azure > Synapse Analytics > Workspace > ServiceNow
    • Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item
    • Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item > Record
    • Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item > Table Definition
    • Azure > Synapse Analytics > Workspace > ServiceNow > Table
    • Azure > Synapse Analytics > Workspace > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Search Management > Search Service > ServiceNow
    • Azure > Search Management > Search Service > ServiceNow > Configuration Item
    • Azure > Search Management > Search Service > ServiceNow > Table
  • Policy Types:

    • Azure > Search Management > Search Service > ServiceNow
    • Azure > Search Management > Search Service > ServiceNow > Configuration Item
    • Azure > Search Management > Search Service > ServiceNow > Configuration Item > Record
    • Azure > Search Management > Search Service > ServiceNow > Configuration Item > Table Definition
    • Azure > Search Management > Search Service > ServiceNow > Table
    • Azure > Search Management > Search Service > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Service Bus > Namespace > ServiceNow
    • Azure > Service Bus > Namespace > ServiceNow > Configuration Item
    • Azure > Service Bus > Namespace > ServiceNow > Table
    • Azure > Service Bus > Queue > ServiceNow
    • Azure > Service Bus > Queue > ServiceNow > Configuration Item
    • Azure > Service Bus > Queue > ServiceNow > Table
    • Azure > Service Bus > Topic > ServiceNow
    • Azure > Service Bus > Topic > ServiceNow > Configuration Item
    • Azure > Service Bus > Topic > ServiceNow > Table
  • Policy Types:

    • Azure > Service Bus > Namespace > ServiceNow
    • Azure > Service Bus > Namespace > ServiceNow > Configuration Item
    • Azure > Service Bus > Namespace > ServiceNow > Configuration Item > Record
    • Azure > Service Bus > Namespace > ServiceNow > Configuration Item > Table Definition
    • Azure > Service Bus > Namespace > ServiceNow > Table
    • Azure > Service Bus > Namespace > ServiceNow > Table > Definition
    • Azure > Service Bus > Queue > ServiceNow
    • Azure > Service Bus > Queue > ServiceNow > Configuration Item
    • Azure > Service Bus > Queue > ServiceNow > Configuration Item > Record
    • Azure > Service Bus > Queue > ServiceNow > Configuration Item > Table Definition
    • Azure > Service Bus > Queue > ServiceNow > Table
    • Azure > Service Bus > Queue > ServiceNow > Table > Definition
    • Azure > Service Bus > Topic > ServiceNow
    • Azure > Service Bus > Topic > ServiceNow > Configuration Item
    • Azure > Service Bus > Topic > ServiceNow > Configuration Item > Record
    • Azure > Service Bus > Topic > ServiceNow > Configuration Item > Table Definition
    • Azure > Service Bus > Topic > ServiceNow > Table
    • Azure > Service Bus > Topic > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Load Balancer > Load Balance > ServiceNow
    • Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item
    • Azure > Load Balancer > Load Balance > ServiceNow > Table
  • Policy Types:

    • Azure > Load Balancer > Load Balance > ServiceNow
    • Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item
    • Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item > Record
    • Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item > Table Definition
    • Azure > Load Balancer > Load Balance > ServiceNow > Table
    • Azure > Load Balancer > Load Balance > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > DNS > Record Set > ServiceNow
    • Azure > DNS > Record Set > ServiceNow > Configuration Item
    • Azure > DNS > Record Set > ServiceNow > Table
    • Azure > DNS > Zone > ServiceNow
    • Azure > DNS > Zone > ServiceNow > Configuration Item
    • Azure > DNS > Zone > ServiceNow > Table
  • Policy Types:

    • Azure > DNS > Record Set > ServiceNow
    • Azure > DNS > Record Set > ServiceNow > Configuration Item
    • Azure > DNS > Record Set > ServiceNow > Configuration Item > Record
    • Azure > DNS > Record Set > ServiceNow > Configuration Item > Table Definition
    • Azure > DNS > Record Set > ServiceNow > Table
    • Azure > DNS > Record Set > ServiceNow > Table > Definition
    • Azure > DNS > Zone > ServiceNow
    • Azure > DNS > Zone > ServiceNow > Configuration Item
    • Azure > DNS > Zone > ServiceNow > Configuration Item > Record
    • Azure > DNS > Zone > ServiceNow > Configuration Item > Table Definition
    • Azure > DNS > Zone > ServiceNow > Table
    • Azure > DNS > Zone > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Cosmos DB > Database Account > ServiceNow
    • Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item
    • Azure > Cosmos DB > Database Account > ServiceNow > Table
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table
    • Azure > Cosmos DB > MongoDB Database > ServiceNow
    • Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item
    • Azure > Cosmos DB > MongoDB Database > ServiceNow > Table
    • Azure > Cosmos DB > SQL Container > ServiceNow
    • Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item
    • Azure > Cosmos DB > SQL Container > ServiceNow > Table
    • Azure > Cosmos DB > SQL Database > ServiceNow
    • Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item
    • Azure > Cosmos DB > SQL Database > ServiceNow > Table
  • Policy Types:

    • Azure > Cosmos DB > Database Account > ServiceNow
    • Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item
    • Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item > Record
    • Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item > Table Definition
    • Azure > Cosmos DB > Database Account > ServiceNow > Table
    • Azure > Cosmos DB > Database Account > ServiceNow > Table > Definition
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item > Record
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item > Table Definition
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table
    • Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table > Definition
    • Azure > Cosmos DB > MongoDB Database > ServiceNow
    • Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item
    • Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item > Record
    • Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item > Table Definition
    • Azure > Cosmos DB > MongoDB Database > ServiceNow > Table
    • Azure > Cosmos DB > MongoDB Database > ServiceNow > Table > Definition
    • Azure > Cosmos DB > SQL Container > ServiceNow
    • Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item
    • Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item > Record
    • Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item > Table Definition
    • Azure > Cosmos DB > SQL Container > ServiceNow > Table
    • Azure > Cosmos DB > SQL Container > ServiceNow > Table > Definition
    • Azure > Cosmos DB > SQL Database > ServiceNow
    • Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item
    • Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item > Record
    • Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item > Table Definition
    • Azure > Cosmos DB > SQL Database > ServiceNow > Table
    • Azure > Cosmos DB > SQL Database > ServiceNow > Table > Definition

What's new?

  • Allow using pprof on FDW when STEAMPIPE_FDW_PPROF environment variable is set. (#368)

Bug fixes

  • Set connection state to error if plugin load fails. (#4043)
  • Fixed incorrect row count in timing output for aggregator connections. (#402)
  • Fixed OpenTelemetry metric names so that they contain only the characters [A-Za-z0-9_.-]. (#369)
  • Maintain the order of execution when running multiple queries in batch mode. (#3728)

v0.12.1 of the Terraform Provider for Pipes is now available.

Bug fixes

  • Omitting the PartPer setting for a pipes_workspace_datatank_table resource previously resulted in an error, so you had to pass connection as the value. The field is now optional, allowing single-part tables to be defined.

What's new?

  • Server
    • Updated: Enhanced IAM policy for tighter access around Mod Lambda SNS topic.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Control Types:

    • Azure > Search Management > Search Service > ServiceNow
    • Azure > Search Management > Search Service > ServiceNow > Configuration Item
    • Azure > Search Management > Search Service > ServiceNow > Table
  • Policy Types:

    • Azure > Search Management > Search Service > ServiceNow
    • Azure > Search Management > Search Service > ServiceNow > Configuration Item
    • Azure > Search Management > Search Service > ServiceNow > Configuration Item > Record
    • Azure > Search Management > Search Service > ServiceNow > Configuration Item > Table Definition
    • Azure > Search Management > Search Service > ServiceNow > Table
    • Azure > Search Management > Search Service > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Network Watcher > Flow Log > ServiceNow
    • Azure > Network Watcher > Flow Log > ServiceNow > Configuration Item
    • Azure > Network Watcher > Flow Log > ServiceNow > Table
    • Azure > Network Watcher > Network Watcher > ServiceNow
    • Azure > Network Watcher > Network Watcher > ServiceNow > Configuration Item
    • Azure > Network Watcher > Network Watcher > ServiceNow > Table
  • Policy Types:

    • Azure > Network Watcher > Flow Log > ServiceNow
    • Azure > Network Watcher > Flow Log > ServiceNow > Configuration Item
    • Azure > Network Watcher > Flow Log > ServiceNow > Configuration Item > Record
    • Azure > Network Watcher > Flow Log > ServiceNow > Configuration Item > Table Definition
    • Azure > Network Watcher > Flow Log > ServiceNow > Table
    • Azure > Network Watcher > Flow Log > ServiceNow > Table > Definition
    • Azure > Network Watcher > Network Watcher > ServiceNow
    • Azure > Network Watcher > Network Watcher > ServiceNow > Configuration Item
    • Azure > Network Watcher > Network Watcher > ServiceNow > Configuration Item > Record
    • Azure > Network Watcher > Network Watcher > ServiceNow > Configuration Item > Table Definition
    • Azure > Network Watcher > Network Watcher > ServiceNow > Table
    • Azure > Network Watcher > Network Watcher > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Front Door > Front Door > ServiceNow
    • Azure > Front Door > Front Door > ServiceNow > Configuration Item
    • Azure > Front Door > Front Door > ServiceNow > Table
  • Policy Types:

    • Azure > Front Door > Front Door > ServiceNow
    • Azure > Front Door > Front Door > ServiceNow > Configuration Item
    • Azure > Front Door > Front Door > ServiceNow > Configuration Item > Record
    • Azure > Front Door > Front Door > ServiceNow > Configuration Item > Table Definition
    • Azure > Front Door > Front Door > ServiceNow > Table
    • Azure > Front Door > Front Door > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Application Insights > Application Insight > ServiceNow
    • Azure > Application Insights > Application Insight > ServiceNow > Configuration Item
    • Azure > Application Insights > Application Insight > ServiceNow > Table
  • Policy Types:

    • Azure > Application Insights > Application Insight > ServiceNow
    • Azure > Application Insights > Application Insight > ServiceNow > Configuration Item
    • Azure > Application Insights > Application Insight > ServiceNow > Configuration Item > Record
    • Azure > Application Insights > Application Insight > ServiceNow > Configuration Item > Table Definition
    • Azure > Application Insights > Application Insight > ServiceNow > Table
    • Azure > Application Insights > Application Insight > ServiceNow > Table > Definition

What's new?

  • We've updated the runtime of the Lambda functions to Node 18. You should not notice any difference; everything continues to work as before.

Enhancements

  • Added 61 new controls to the All Controls benchmark across the following services: (#140)
    • CloudFunctions
    • Compute
    • KMS
    • Kubernetes
    • Project
    • SQL
    • Storage

Enhancements

  • Added 50 new controls to the All Controls benchmark across the following services: (#736)
    • ACM
    • CloudFront
    • CloudTrail
    • Config
    • DocumentDB
    • EC2
    • ECS
    • EKS
    • ElastiCache
    • ELB
    • EMR
    • Kinesis
    • RDS
    • Redshift
    • S3
    • SNS
    • SQS
    • SSM
    • VPC

What's new?

  • Control Types:

    • Azure > Security Center > Security Center > ServiceNow
    • Azure > Security Center > Security Center > ServiceNow > Configuration Item
    • Azure > Security Center > Security Center > ServiceNow > Table
  • Policy Types:

    • Azure > Security Center > Security Center > ServiceNow
    • Azure > Security Center > Security Center > ServiceNow > Configuration Item
    • Azure > Security Center > Security Center > ServiceNow > Configuration Item > Record
    • Azure > Security Center > Security Center > ServiceNow > Configuration Item > Table Definition
    • Azure > Security Center > Security Center > ServiceNow > Table
    • Azure > Security Center > Security Center > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Firewall > Firewall > ServiceNow
    • Azure > Firewall > Firewall > ServiceNow > Configuration Item
    • Azure > Firewall > Firewall > ServiceNow > Table
  • Policy Types:

    • Azure > Firewall > Firewall > ServiceNow
    • Azure > Firewall > Firewall > ServiceNow > Configuration Item
    • Azure > Firewall > Firewall > ServiceNow > Configuration Item > Record
    • Azure > Firewall > Firewall > ServiceNow > Configuration Item > Table Definition
    • Azure > Firewall > Firewall > ServiceNow > Table
    • Azure > Firewall > Firewall > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Application Gateway Service > Application Gateway > ServiceNow
    • Azure > Application Gateway Service > Application Gateway > ServiceNow > Configuration Item
    • Azure > Application Gateway Service > Application Gateway > ServiceNow > Table
  • Policy Types:

    • Azure > Application Gateway Service > Application Gateway > ServiceNow
    • Azure > Application Gateway Service > Application Gateway > ServiceNow > Configuration Item
    • Azure > Application Gateway Service > Application Gateway > ServiceNow > Configuration Item > Record
    • Azure > Application Gateway Service > Application Gateway > ServiceNow > Configuration Item > Table Definition
    • Azure > Application Gateway Service > Application Gateway > ServiceNow > Table
    • Azure > Application Gateway Service > Application Gateway > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > API Management > API Management Service > ServiceNow
    • Azure > API Management > API Management Service > ServiceNow > Configuration Item
    • Azure > API Management > API Management Service > ServiceNow > Table
  • Policy Types:

    • Azure > API Management > API Management Service > ServiceNow
    • Azure > API Management > API Management Service > ServiceNow > Configuration Item
    • Azure > API Management > API Management Service > ServiceNow > Configuration Item > Record
    • Azure > API Management > API Management Service > ServiceNow > Configuration Item > Table Definition
    • Azure > API Management > API Management Service > ServiceNow > Table
    • Azure > API Management > API Management Service > ServiceNow > Table > Definition

What's new?

  • Server

    • Updated: The directory API to support Require Signed Assertion Response.
  • UI:

    • Added: Introduced UI options for Require Signed Assertion Response for enhanced security in SAML authentication.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Enhanced Security and Compatibility Guide for SAML Authentication

Description: The recent update to @node-saml/passport-saml requires the SAML assertion response to be signed. To preserve backward compatibility, we have introduced a new configuration option in the UI:

  • Require Signed Assertion Response

By default, this option is set to Disabled so that existing setups keep working.

Recommendations: We recommend enabling this option, as it adds a further layer of security. Be aware, however, that once it is enabled, logins will fail if your identity provider does not sign the response; confirm your IdP's signing configuration before turning it on.
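As an added illustration (not Guardrails or @node-saml code), the following Python script shows structurally what the option changes: with it disabled, a Response whose Assertion carries its own enveloped signature passes; with it enabled, the Response element itself must also carry a signature whose Reference points at the Response's own ID, so a signature that merely sits inside the Response but references the Assertion does not count. The function and constant names, the constructed sample messages and the exact policy semantics are assumptions for illustration; the check is purely structural and performs no cryptographic verification, which the SAML library must still do against the IdP certificate.

```python
"""Structural check for a 'Require Signed Assertion Response' style policy.

Added example, not Turbot/Guardrails or @node-saml code. It decides, from the
position of the XML Signature elements alone, whether a SAML 2.0 Response
satisfies a policy that either (a) requires only the Assertion to be signed or
(b) additionally requires the enclosing Response to be signed. It performs NO
cryptographic verification; a real SP must still validate every signature
against the IdP certificate with an XML-DSig library.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}


def _enveloped_signature_covers(element):
    """True if `element` has a direct ds:Signature child whose single
    Reference URI is '#<ID of element>', i.e. an enveloped signature that
    claims to cover exactly this element and not some other node."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False
    return refs[0].get("URI") == "#" + element.get("ID", "")


def check_signature_policy(response_xml, require_signed_response):
    """Return (accepted, reason) for one SAML Response under the policy.

    - Every saml:Assertion must carry its own enveloped signature.
    - With require_signed_response=True the samlp:Response element itself
      must also be signed; a signature that only references the Assertion
      does not satisfy that requirement.
    (Assumed policy semantics, for illustration only.)
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "root element is not samlp:Response"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "no saml:Assertion present"
    for assertion in assertions:
        if not _enveloped_signature_covers(assertion):
            return False, f"assertion {assertion.get('ID')} is not signed"
    if require_signed_response and not _enveloped_signature_covers(root):
        return False, "response is not signed but the policy requires it"
    return True, "signature structure satisfies the policy"


# --- constructed sample messages (placeholders, not real signatures) ---------
def _sig(ref_id):
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
            f'<ds:Reference URI="#{ref_id}"><ds:DigestValue>x</ds:DigestValue>'
            f'</ds:Reference></ds:SignedInfo>'
            f'<ds:SignatureValue>x</ds:SignatureValue></ds:Signature>')


def _response(sign_response, sign_assertion, response_sig_ref="R1"):
    resp_sig = _sig(response_sig_ref) if sign_response else ""
    asrt_sig = _sig("A1") if sign_assertion else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="R1">'
            f'{resp_sig}<samlp:Status/>'
            f'<saml:Assertion ID="A1">{asrt_sig}<saml:Subject/></saml:Assertion>'
            f'</samlp:Response>')


ASSERTION_ONLY_SIGNED = _response(sign_response=False, sign_assertion=True)
BOTH_SIGNED = _response(sign_response=True, sign_assertion=True)
NOTHING_SIGNED = _response(sign_response=False, sign_assertion=False)
# Signature sits under the Response but its Reference points at the Assertion.
MISDIRECTED_RESPONSE_SIG = _response(True, True, response_sig_ref="A1")


if __name__ == "__main__":
    for label, msg in [("assertion only", ASSERTION_ONLY_SIGNED),
                       ("both signed", BOTH_SIGNED),
                       ("misdirected response signature", MISDIRECTED_RESPONSE_SIG),
                       ("nothing signed", NOTHING_SIGNED)]:
        for require in (False, True):
            ok, why = check_signature_policy(msg, require)
            print(f"{label:32} require_signed_response={require!s:5} -> {ok} ({why})")
```

Run it and compare the two columns: the "assertion only" message is the one that existing IdP setups typically send and is accepted only while the option stays Disabled, which is why the page keeps that as the default. Treat this as a precondition on top of, never a replacement for, the library's signature validation.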

What's new?

  • Control Types:

    • Azure > Relay > Namespace > ServiceNow
    • Azure > Relay > Namespace > ServiceNow > Configuration Item
    • Azure > Relay > Namespace > ServiceNow > Table
  • Policy Types:

    • Azure > Relay > Namespace > ServiceNow
    • Azure > Relay > Namespace > ServiceNow > Configuration Item
    • Azure > Relay > Namespace > ServiceNow > Configuration Item > Record
    • Azure > Relay > Namespace > ServiceNow > Configuration Item > Table Definition
    • Azure > Relay > Namespace > ServiceNow > Table
    • Azure > Relay > Namespace > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow
    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Configuration Item
    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Table
  • Policy Types:

    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow
    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Configuration Item
    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Configuration Item > Record
    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Configuration Item > Table Definition
    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Table
    • Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > App Service > App Service Plan > ServiceNow
    • Azure > App Service > App Service Plan > ServiceNow > Configuration Item
    • Azure > App Service > App Service Plan > ServiceNow > Table
    • Azure > App Service > Function App > ServiceNow
    • Azure > App Service > Function App > ServiceNow > Configuration Item
    • Azure > App Service > Function App > ServiceNow > Table
    • Azure > App Service > Web App > ServiceNow
    • Azure > App Service > Web App > ServiceNow > Configuration Item
    • Azure > App Service > Web App > ServiceNow > Table
  • Policy Types:

    • Azure > App Service > App Service Plan > ServiceNow
    • Azure > App Service > App Service Plan > ServiceNow > Configuration Item
    • Azure > App Service > App Service Plan > ServiceNow > Configuration Item > Record
    • Azure > App Service > App Service Plan > ServiceNow > Configuration Item > Table Definition
    • Azure > App Service > App Service Plan > ServiceNow > Table
    • Azure > App Service > App Service Plan > ServiceNow > Table > Definition
    • Azure > App Service > Function App > ServiceNow
    • Azure > App Service > Function App > ServiceNow > Configuration Item
    • Azure > App Service > Function App > ServiceNow > Configuration Item > Record
    • Azure > App Service > Function App > ServiceNow > Configuration Item > Table Definition
    • Azure > App Service > Function App > ServiceNow > Table
    • Azure > App Service > Function App > ServiceNow > Table > Definition
    • Azure > App Service > Web App > ServiceNow
    • Azure > App Service > Web App > ServiceNow > Configuration Item
    • Azure > App Service > Web App > ServiceNow > Configuration Item > Record
    • Azure > App Service > Web App > ServiceNow > Configuration Item > Table Definition
    • Azure > App Service > Web App > ServiceNow > Table
    • Azure > App Service > Web App > ServiceNow > Table > Definition

Enhancements

  • Updated the plugin to use a shared, optimized HTTP client that enhances DNS management and reduces connection floods for more stable and efficient queries. (#2036)

What's new?

  • Control Types:

    • Azure > SignalR Service > SignalR > ServiceNow
    • Azure > SignalR Service > SignalR > ServiceNow > Configuration Item
    • Azure > SignalR Service > SignalR > ServiceNow > Table
  • Policy Types:

    • Azure > SignalR Service > SignalR > ServiceNow
    • Azure > SignalR Service > SignalR > ServiceNow > Configuration Item
    • Azure > SignalR Service > SignalR > ServiceNow > Configuration Item > Record
    • Azure > SignalR Service > SignalR > ServiceNow > Configuration Item > Table Definition
    • Azure > SignalR Service > SignalR > ServiceNow > Table
    • Azure > SignalR Service > SignalR > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > AKS > Managed Cluster > ServiceNow
    • Azure > AKS > Managed Cluster > ServiceNow > Configuration Item
    • Azure > AKS > Managed Cluster > ServiceNow > Table
  • Policy Types:

    • Azure > AKS > Managed Cluster > ServiceNow
    • Azure > AKS > Managed Cluster > ServiceNow > Configuration Item
    • Azure > AKS > Managed Cluster > ServiceNow > Configuration Item > Record
    • Azure > AKS > Managed Cluster > ServiceNow > Configuration Item > Table Definition
    • Azure > AKS > Managed Cluster > ServiceNow > Table
    • Azure > AKS > Managed Cluster > ServiceNow > Table > Definition

Enhancements

  • Updated the plugin's .goreleaser file to build the netgo package only for Darwin systems. (#2029)

What's new?

  • Control Types:

    • Azure > SQL > Database > ServiceNow
    • Azure > SQL > Database > ServiceNow > Configuration Item
    • Azure > SQL > Database > ServiceNow > Table
    • Azure > SQL > Elastic Pool > ServiceNow
    • Azure > SQL > Elastic Pool > ServiceNow > Configuration Item
    • Azure > SQL > Elastic Pool > ServiceNow > Table
  • Policy Types:

    • Azure > SQL > Database > ServiceNow
    • Azure > SQL > Database > ServiceNow > Configuration Item
    • Azure > SQL > Database > ServiceNow > Configuration Item > Record
    • Azure > SQL > Database > ServiceNow > Configuration Item > Table Definition
    • Azure > SQL > Database > ServiceNow > Table
    • Azure > SQL > Database > ServiceNow > Table > Definition
    • Azure > SQL > Elastic Pool > ServiceNow
    • Azure > SQL > Elastic Pool > ServiceNow > Configuration Item
    • Azure > SQL > Elastic Pool > ServiceNow > Configuration Item > Record
    • Azure > SQL > Elastic Pool > ServiceNow > Configuration Item > Table Definition
    • Azure > SQL > Elastic Pool > ServiceNow > Table
    • Azure > SQL > Elastic Pool > ServiceNow > Table > Definition

What's new?

  • Control Types:
    • Azure > Network > Application Security Group > ServiceNow
    • Azure > Network > Application Security Group > ServiceNow > Configuration Item
    • Azure > Network > Application Security Group > ServiceNow > Table
    • Azure > Network > Express Route Circuits > ServiceNow
    • Azure > Network > Express Route Circuits > ServiceNow > Configuration Item
    • Azure > Network > Express Route Circuits > ServiceNow > Table
    • Azure > Network > Network Interface > ServiceNow
    • Azure > Network > Network Interface > ServiceNow > Configuration Item
    • Azure > Network > Network Interface > ServiceNow > Table
    • Azure > Network > Private DNS Zones > ServiceNow
    • Azure > Network > Private DNS Zones > ServiceNow > Configuration Item
    • Azure > Network > Private DNS Zones > ServiceNow > Table
    • Azure > Network > Public IP Address > ServiceNow
    • Azure > Network > Public IP Address > ServiceNow > Configuration Item
    • Azure > Network > Public IP Address > ServiceNow > Table
    • Azure > Network > Route Table > ServiceNow
    • Azure > Network > Route Table > ServiceNow > Configuration Item
    • Azure > Network > Route Table > ServiceNow > Table
    • Azure > Network > Virtual Network Gateway > ServiceNow
    • Azure > Network > Virtual Network Gateway > ServiceNow > Configuration Item
    • Azure > Network > Virtual Network Gateway > ServiceNow > Table
  • Policy Types:
    • Azure > Network > Application Security Group > ServiceNow
    • Azure > Network > Application Security Group > ServiceNow > Configuration Item
    • Azure > Network > Application Security Group > ServiceNow > Configuration Item > Record
    • Azure > Network > Application Security Group > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Application Security Group > ServiceNow > Table
    • Azure > Network > Application Security Group > ServiceNow > Table > Definition
    • Azure > Network > Express Route Circuits > ServiceNow
    • Azure > Network > Express Route Circuits > ServiceNow > Configuration Item
    • Azure > Network > Express Route Circuits > ServiceNow > Configuration Item > Record
    • Azure > Network > Express Route Circuits > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Express Route Circuits > ServiceNow > Table
    • Azure > Network > Express Route Circuits > ServiceNow > Table > Definition
    • Azure > Network > Network Interface > ServiceNow
    • Azure > Network > Network Interface > ServiceNow > Configuration Item
    • Azure > Network > Network Interface > ServiceNow > Configuration Item > Record
    • Azure > Network > Network Interface > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Network Interface > ServiceNow > Table
    • Azure > Network > Network Interface > ServiceNow > Table > Definition
    • Azure > Network > Private DNS Zones > ServiceNow
    • Azure > Network > Private DNS Zones > ServiceNow > Configuration Item
    • Azure > Network > Private DNS Zones > ServiceNow > Configuration Item > Record
    • Azure > Network > Private DNS Zones > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Private DNS Zones > ServiceNow > Table
    • Azure > Network > Private DNS Zones > ServiceNow > Table > Definition
    • Azure > Network > Public IP Address > ServiceNow
    • Azure > Network > Public IP Address > ServiceNow > Configuration Item
    • Azure > Network > Public IP Address > ServiceNow > Configuration Item > Record
    • Azure > Network > Public IP Address > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Public IP Address > ServiceNow > Table
    • Azure > Network > Public IP Address > ServiceNow > Table > Definition
    • Azure > Network > Route Table > ServiceNow
    • Azure > Network > Route Table > ServiceNow > Configuration Item
    • Azure > Network > Route Table > ServiceNow > Configuration Item > Record
    • Azure > Network > Route Table > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Route Table > ServiceNow > Table
    • Azure > Network > Route Table > ServiceNow > Table > Definition
    • Azure > Network > Virtual Network Gateway > ServiceNow
    • Azure > Network > Virtual Network Gateway > ServiceNow > Configuration Item
    • Azure > Network > Virtual Network Gateway > ServiceNow > Configuration Item > Record
    • Azure > Network > Virtual Network Gateway > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Virtual Network Gateway > ServiceNow > Table
    • Azure > Network > Virtual Network Gateway > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > Key Vault > Key > ServiceNow
    • Azure > Key Vault > Key > ServiceNow > Configuration Item
    • Azure > Key Vault > Key > ServiceNow > Table
    • Azure > Key Vault > Secret > ServiceNow
    • Azure > Key Vault > Secret > ServiceNow > Configuration Item
    • Azure > Key Vault > Secret > ServiceNow > Table
    • Azure > Key Vault > Vault > ServiceNow
    • Azure > Key Vault > Vault > ServiceNow > Configuration Item
    • Azure > Key Vault > Vault > ServiceNow > Table
  • Policy Types:

    • Azure > Key Vault > Key > ServiceNow
    • Azure > Key Vault > Key > ServiceNow > Configuration Item
    • Azure > Key Vault > Key > ServiceNow > Configuration Item > Record
    • Azure > Key Vault > Key > ServiceNow > Configuration Item > Table Definition
    • Azure > Key Vault > Key > ServiceNow > Table
    • Azure > Key Vault > Key > ServiceNow > Table > Definition
    • Azure > Key Vault > Secret > ServiceNow
    • Azure > Key Vault > Secret > ServiceNow > Configuration Item
    • Azure > Key Vault > Secret > ServiceNow > Configuration Item > Record
    • Azure > Key Vault > Secret > ServiceNow > Configuration Item > Table Definition
    • Azure > Key Vault > Secret > ServiceNow > Table
    • Azure > Key Vault > Secret > ServiceNow > Table > Definition
    • Azure > Key Vault > Vault > ServiceNow
    • Azure > Key Vault > Vault > ServiceNow > Configuration Item
    • Azure > Key Vault > Vault > ServiceNow > Configuration Item > Record
    • Azure > Key Vault > Vault > ServiceNow > Configuration Item > Table Definition
    • Azure > Key Vault > Vault > ServiceNow > Table
    • Azure > Key Vault > Vault > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > PostgreSQL > Flexible Server > ServiceNow
    • Azure > PostgreSQL > Flexible Server > ServiceNow > Configuration Item
    • Azure > PostgreSQL > Flexible Server > ServiceNow > Table
  • Policy Types:

    • Azure > PostgreSQL > Flexible Server > ServiceNow
    • Azure > PostgreSQL > Flexible Server > ServiceNow > Configuration Item
    • Azure > PostgreSQL > Flexible Server > ServiceNow > Configuration Item > Record
    • Azure > PostgreSQL > Flexible Server > ServiceNow > Configuration Item > Table Definition
    • Azure > PostgreSQL > Flexible Server > ServiceNow > Table
    • Azure > PostgreSQL > Flexible Server > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • Azure > MySQL > Flexible Server > ServiceNow
    • Azure > MySQL > Flexible Server > ServiceNow > Configuration Item
    • Azure > MySQL > Flexible Server > ServiceNow > Table
  • Policy Types:

    • Azure > MySQL > Flexible Server > ServiceNow
    • Azure > MySQL > Flexible Server > ServiceNow > Configuration Item
    • Azure > MySQL > Flexible Server > ServiceNow > Configuration Item > Record
    • Azure > MySQL > Flexible Server > ServiceNow > Configuration Item > Table Definition
    • Azure > MySQL > Flexible Server > ServiceNow > Table
    • Azure > MySQL > Flexible Server > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • AWS > KMS > Key > ServiceNow
    • AWS > KMS > Key > ServiceNow > Configuration Item
    • AWS > KMS > Key > ServiceNow > Table
  • Policy Types:

    • AWS > KMS > Key > ServiceNow
    • AWS > KMS > Key > ServiceNow > Configuration Item
    • AWS > KMS > Key > ServiceNow > Configuration Item > Record
    • AWS > KMS > Key > ServiceNow > Configuration Item > Table Definition
    • AWS > KMS > Key > ServiceNow > Table
    • AWS > KMS > Key > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • AWS > CloudWatch > Alarm > ServiceNow
    • AWS > CloudWatch > Alarm > ServiceNow > Configuration Item
    • AWS > CloudWatch > Alarm > ServiceNow > Table
  • Policy Types:

    • AWS > CloudWatch > Alarm > ServiceNow
    • AWS > CloudWatch > Alarm > ServiceNow > Configuration Item
    • AWS > CloudWatch > Alarm > ServiceNow > Configuration Item > Record
    • AWS > CloudWatch > Alarm > ServiceNow > Configuration Item > Table Definition
    • AWS > CloudWatch > Alarm > ServiceNow > Table
    • AWS > CloudWatch > Alarm > ServiceNow > Table > Definition

What's new?

  • Control Types:

    • AWS > CloudTrail > Trail > ServiceNow
    • AWS > CloudTrail > Trail > ServiceNow > Configuration Item
    • AWS > CloudTrail > Trail > ServiceNow > Table
  • Policy Types:

    • AWS > CloudTrail > Trail > ServiceNow
    • AWS > CloudTrail > Trail > ServiceNow > Configuration Item
    • AWS > CloudTrail > Trail > ServiceNow > Configuration Item > Record
    • AWS > CloudTrail > Trail > ServiceNow > Configuration Item > Table Definition
    • AWS > CloudTrail > Trail > ServiceNow > Table
    • AWS > CloudTrail > Trail > ServiceNow > Table > Definition

Bug fixes

  • The AWS > RDS > DB Instance > Discovery control would sometimes upsert DocumentDB Instances as RDS Instances in Guardrails CMDB. This is fixed and the control will now filter out DocumentDB Instances while upserting resources in CMDB.

Turbot Pipes Enterprise plan is now available.

The Enterprise tier expands on the Team tier’s features with enhanced collaboration, enterprise-grade security, and improved scalability, making it ideal for larger organizations:

  • Organization-wide cloud intelligence & security: Enables tailored data management across business units and teams for sharing insights.
  • SAML Authentication: Provides secure and seamless SSO user experience using your identity provider.
  • Multi-Organization RBAC: Allows granular access permissions across organizations and workspaces to protect sensitive data.
  • Trusted Login Domains: Significantly reduces unauthorized access by restricting logins to trusted domains.
  • Consolidated Usage and Billing: Simplifies resource and financial tracking with tenant-level visibility plus per organization/workspace details.

Get started with a 14-day free trial, then switch to flexible, usage-based pricing.

For more information, see the launch post.

Turbot Pipes now officially supports billing for your organization's Enterprise plan via the AWS Marketplace.

For more information, see the Pipes billing docs.

Our trademark policy & terms now clarify that while others are allowed to make their own distribution of Turbot open-source software, they cannot use any of the Turbot trademarks, cloud services, etc.

We now require a signed Contributor License Agreement for all contributions to our AGPL 3.0 and CC BY-NC-ND licensed repositories.

Learn more in our open source FAQ.

114 plugins have been updated to include the following changes:

What's new?

Dependencies

  • Recompiled with steampipe-plugin-sdk v5.8.0, which includes plugin server encapsulation for in-process and GRPC usage, adds the Steampipe Plugin SDK version to the _ctx column, and fixes connection and potential divide-by-zero bugs.

35 new, ready-to-use Flowpipe sample mods are now available! These mods serve as practical examples, showcasing the patterns and applications of various library mods. Every mod comes with specific instructions for installation and use, enabling fast and easy setup.

A full list of sample mods can be found in the Flowpipe Hub and the source code is available at turbot/flowpipe-samples.

Introducing Flowpipe, a cloud scripting engine. Automation and workflow to connect your clouds to the people, systems and data that matter. Pipelines for DevOps written in HCL.

Initial support for:

  • Pipeline execution
  • Steps: container, email, function, http, pipeline, query, sleep, transform
  • Triggers: schedule, http
  • Credential management
  • Mod composition

Learn more at:

What's new?

  • Added support for latest lambda runtimes in the AWS > Lambda > Function > Allowed Runtime > Values policy.

What's new?

  • Control Types:

    • AWS > IAM > Root > Approved
  • Policy Types:

    • AWS > IAM > Root > Approved
    • AWS > IAM > Root > Approved > Custom
    • AWS > IAM > Root > Approved > Usage
  • Action Types:

    • AWS > IAM > Root > Skip alarm for Approved control
    • AWS > IAM > Root > Skip alarm for Approved control [90 days]

Bug fixes

  • The AWS > IAM > Account Password Policy > CMDB control would incorrectly go into an Alarm state when Guardrails was denied access to fetch the Account Password Policy data. This is fixed and the control will now move to an Error state instead for such cases.
  • Guardrails stack controls would sometimes fail to update IAM resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.

What's new?

  • Added steampipe_plugin_column introspection table to the steampipe_internal schema. (#4003)

Bug fixes

  • Fixed an issue where a query would return 'null' for an empty result set when the output is set to json. (#3955)
  • Fixed custom registry bugs.
  • Cleaned up apt temporary files in the Dockerfile.

Bug fixes

  • README.md file is now available for users to check details about resource types that the mod covers.

What's new?

  • AWS/CloudFront/Admin and AWS/CloudFront/Metadata will now also include permissions for CloudFront KeyValueStore.

Bug fixes

  • Server
    • Guardrails will now process notifications correctly for a matching watch created via @turbot/sdk.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Policy Types:

    • ServiceNow > Turbot > Watches > GCP
  • Control Types:

    • ServiceNow > Turbot > Watches > GCP
  • Action Types:

    • ServiceNow > Turbot > Watches > GCP Archive And Delete Record

What's new?

  • Policy Types:

    • GCP > Storage > Bucket > ServiceNow
    • GCP > Storage > Bucket > ServiceNow > Configuration Item
    • GCP > Storage > Bucket > ServiceNow > Configuration Item > Record
    • GCP > Storage > Bucket > ServiceNow > Configuration Item > Table Definition
    • GCP > Storage > Bucket > ServiceNow > Table
    • GCP > Storage > Bucket > ServiceNow > Table > Definition
  • Control Types:

    • GCP > Storage > Bucket > ServiceNow
    • GCP > Storage > Bucket > ServiceNow > Configuration Item
    • GCP > Storage > Bucket > ServiceNow > Table

What's new?

  • Policy Types:

    • GCP > SQL > Instance > ServiceNow
    • GCP > SQL > Instance > ServiceNow > Configuration Item
    • GCP > SQL > Instance > ServiceNow > Configuration Item > Record
    • GCP > SQL > Instance > ServiceNow > Configuration Item > Table Definition
    • GCP > SQL > Instance > ServiceNow > Table
    • GCP > SQL > Instance > ServiceNow > Table > Definition
  • Control Types:

    • GCP > SQL > Instance > ServiceNow
    • GCP > SQL > Instance > ServiceNow > Configuration Item
    • GCP > SQL > Instance > ServiceNow > Table

What's new?

  • Policy Types:

    • GCP > Network > Network > ServiceNow
    • GCP > Network > Network > ServiceNow > Configuration Item
    • GCP > Network > Network > ServiceNow > Configuration Item > Record
    • GCP > Network > Network > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Network > ServiceNow > Table
    • GCP > Network > Network > ServiceNow > Table > Definition
    • GCP > Network > Subnetwork > ServiceNow
    • GCP > Network > Subnetwork > ServiceNow > Configuration Item
    • GCP > Network > Subnetwork > ServiceNow > Configuration Item > Record
    • GCP > Network > Subnetwork > ServiceNow > Configuration Item > Table Definition
    • GCP > Network > Subnetwork > ServiceNow > Table
    • GCP > Network > Subnetwork > ServiceNow > Table > Definition
  • Control Types:

    • GCP > Network > Network > ServiceNow
    • GCP > Network > Network > ServiceNow > Configuration Item
    • GCP > Network > Network > ServiceNow > Table
    • GCP > Network > Subnetwork > ServiceNow
    • GCP > Network > Subnetwork > ServiceNow > Configuration Item
    • GCP > Network > Subnetwork > ServiceNow > Table

What's new?

  • Policy Types:

    • GCP > Compute Engine > Disk > ServiceNow
    • GCP > Compute Engine > Disk > ServiceNow > Configuration Item
    • GCP > Compute Engine > Disk > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Disk > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Disk > ServiceNow > Table
    • GCP > Compute Engine > Disk > ServiceNow > Table > Definition
    • GCP > Compute Engine > Image > ServiceNow
    • GCP > Compute Engine > Image > ServiceNow > Configuration Item
    • GCP > Compute Engine > Image > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Image > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Image > ServiceNow > Table
    • GCP > Compute Engine > Image > ServiceNow > Table > Definition
    • GCP > Compute Engine > Instance > ServiceNow
    • GCP > Compute Engine > Instance > ServiceNow > Configuration Item
    • GCP > Compute Engine > Instance > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Instance > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Instance > ServiceNow > Table
    • GCP > Compute Engine > Instance > ServiceNow > Table > Definition
    • GCP > Compute Engine > Snapshot > ServiceNow
    • GCP > Compute Engine > Snapshot > ServiceNow > Configuration Item
    • GCP > Compute Engine > Snapshot > ServiceNow > Configuration Item > Record
    • GCP > Compute Engine > Snapshot > ServiceNow > Configuration Item > Table Definition
    • GCP > Compute Engine > Snapshot > ServiceNow > Table
    • GCP > Compute Engine > Snapshot > ServiceNow > Table > Definition
  • Control Types:

    • GCP > Compute Engine > Disk > ServiceNow
    • GCP > Compute Engine > Disk > ServiceNow > Configuration Item
    • GCP > Compute Engine > Disk > ServiceNow > Table
    • GCP > Compute Engine > Image > ServiceNow
    • GCP > Compute Engine > Image > ServiceNow > Configuration Item
    • GCP > Compute Engine > Image > ServiceNow > Table
    • GCP > Compute Engine > Instance > ServiceNow
    • GCP > Compute Engine > Instance > ServiceNow > Configuration Item
    • GCP > Compute Engine > Instance > ServiceNow > Table
    • GCP > Compute Engine > Snapshot > ServiceNow
    • GCP > Compute Engine > Snapshot > ServiceNow > Configuration Item
    • GCP > Compute Engine > Snapshot > ServiceNow > Table

What's new?

  • Policy Types:

    • ServiceNow > Turbot > Watches > Azure
  • Control Types:

    • ServiceNow > Turbot > Watches > Azure
  • Action Types:

    • ServiceNow > Turbot > Watches > Azure Archive And Delete Record

What's new?

  • Policy Types:

    • Azure > Storage > Storage Account > ServiceNow
    • Azure > Storage > Storage Account > ServiceNow > Configuration Item
    • Azure > Storage > Storage Account > ServiceNow > Configuration Item > Record
    • Azure > Storage > Storage Account > ServiceNow > Configuration Item > Table Definition
    • Azure > Storage > Storage Account > ServiceNow > Table
    • Azure > Storage > Storage Account > ServiceNow > Table > Definition
  • Control Types:

    • Azure > Storage > Storage Account > ServiceNow
    • Azure > Storage > Storage Account > ServiceNow > Configuration Item
    • Azure > Storage > Storage Account > ServiceNow > Table

What's new?

  • Policy Types:

    • Azure > SQL > Server > ServiceNow
    • Azure > SQL > Server > ServiceNow > Configuration Item
    • Azure > SQL > Server > ServiceNow > Configuration Item > Record
    • Azure > SQL > Server > ServiceNow > Configuration Item > Table Definition
    • Azure > SQL > Server > ServiceNow > Table
    • Azure > SQL > Server > ServiceNow > Table > Definition
  • Control Types:

    • Azure > SQL > Server > ServiceNow
    • Azure > SQL > Server > ServiceNow > Configuration Item
    • Azure > SQL > Server > ServiceNow > Table

What's new?

  • Policy Types:

    • Azure > PostgreSQL > Server > ServiceNow
    • Azure > PostgreSQL > Server > ServiceNow > Configuration Item
    • Azure > PostgreSQL > Server > ServiceNow > Configuration Item > Record
    • Azure > PostgreSQL > Server > ServiceNow > Configuration Item > Table Definition
    • Azure > PostgreSQL > Server > ServiceNow > Table
    • Azure > PostgreSQL > Server > ServiceNow > Table > Definition
  • Control Types:

    • Azure > PostgreSQL > Server > ServiceNow
    • Azure > PostgreSQL > Server > ServiceNow > Configuration Item
    • Azure > PostgreSQL > Server > ServiceNow > Table

What's new?

  • Policy Types:

    • Azure > Network > Network Security Group > ServiceNow
    • Azure > Network > Network Security Group > ServiceNow > Configuration Item
    • Azure > Network > Network Security Group > ServiceNow > Configuration Item > Record
    • Azure > Network > Network Security Group > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Network Security Group > ServiceNow > Table
    • Azure > Network > Network Security Group > ServiceNow > Table > Definition
    • Azure > Network > Subnet > ServiceNow
    • Azure > Network > Subnet > ServiceNow > Configuration Item
    • Azure > Network > Subnet > ServiceNow > Configuration Item > Record
    • Azure > Network > Subnet > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Subnet > ServiceNow > Table
    • Azure > Network > Subnet > ServiceNow > Table > Definition
    • Azure > Network > Virtual Network > ServiceNow
    • Azure > Network > Virtual Network > ServiceNow > Configuration Item
    • Azure > Network > Virtual Network > ServiceNow > Configuration Item > Record
    • Azure > Network > Virtual Network > ServiceNow > Configuration Item > Table Definition
    • Azure > Network > Virtual Network > ServiceNow > Table
    • Azure > Network > Virtual Network > ServiceNow > Table > Definition
  • Control Types:

    • Azure > Network > Network Security Group > ServiceNow
    • Azure > Network > Network Security Group > ServiceNow > Configuration Item
    • Azure > Network > Network Security Group > ServiceNow > Table
    • Azure > Network > Subnet > ServiceNow
    • Azure > Network > Subnet > ServiceNow > Configuration Item
    • Azure > Network > Subnet > ServiceNow > Table
    • Azure > Network > Virtual Network > ServiceNow
    • Azure > Network > Virtual Network > ServiceNow > Configuration Item
    • Azure > Network > Virtual Network > ServiceNow > Table

What's new?

  • Policy Types:

    • Azure > MySQL > Server > ServiceNow
    • Azure > MySQL > Server > ServiceNow > Configuration Item
    • Azure > MySQL > Server > ServiceNow > Configuration Item > Record
    • Azure > MySQL > Server > ServiceNow > Configuration Item > Table Definition
    • Azure > MySQL > Server > ServiceNow > Table
    • Azure > MySQL > Server > ServiceNow > Table > Definition
  • Control Types:

    • Azure > MySQL > Server > ServiceNow
    • Azure > MySQL > Server > ServiceNow > Configuration Item
    • Azure > MySQL > Server > ServiceNow > Table

What's new?

  • Policy Types:

    • Azure > Compute > Availability Set > ServiceNow
    • Azure > Compute > Availability Set > ServiceNow > Configuration Item
    • Azure > Compute > Availability Set > ServiceNow > Configuration Item > Record
    • Azure > Compute > Availability Set > ServiceNow > Configuration Item > Table Definition
    • Azure > Compute > Availability Set > ServiceNow > Table
    • Azure > Compute > Availability Set > ServiceNow > Table > Definition
    • Azure > Compute > Disk > ServiceNow
    • Azure > Compute > Disk > ServiceNow > Configuration Item
    • Azure > Compute > Disk > ServiceNow > Configuration Item > Record
    • Azure > Compute > Disk > ServiceNow > Configuration Item > Table Definition
    • Azure > Compute > Disk > ServiceNow > Table
    • Azure > Compute > Disk > ServiceNow > Table > Definition
    • Azure > Compute > Disk Encryption Set > ServiceNow
    • Azure > Compute > Disk Encryption Set > ServiceNow > Configuration Item
    • Azure > Compute > Disk Encryption Set > ServiceNow > Configuration Item > Record
    • Azure > Compute > Disk Encryption Set > ServiceNow > Configuration Item > Table Definition
    • Azure > Compute > Disk Encryption Set > ServiceNow > Table
    • Azure > Compute > Disk Encryption Set > ServiceNow > Table > Definition
    • Azure > Compute > Image > ServiceNow
    • Azure > Compute > Image > ServiceNow > Configuration Item
    • Azure > Compute > Image > ServiceNow > Configuration Item > Record
    • Azure > Compute > Image > ServiceNow > Configuration Item > Table Definition
    • Azure > Compute > Image > ServiceNow > Table
    • Azure > Compute > Image > ServiceNow > Table > Definition
    • Azure > Compute > Snapshot > ServiceNow
    • Azure > Compute > Snapshot > ServiceNow > Configuration Item
    • Azure > Compute > Snapshot > ServiceNow > Configuration Item > Record
    • Azure > Compute > Snapshot > ServiceNow > Configuration Item > Table Definition
    • Azure > Compute > Snapshot > ServiceNow > Table
    • Azure > Compute > Snapshot > ServiceNow > Table > Definition
    • Azure > Compute > Ssh Public Key > ServiceNow
    • Azure > Compute > Ssh Public Key > ServiceNow > Configuration Item
    • Azure > Compute > Ssh Public Key > ServiceNow > Configuration Item > Record
    • Azure > Compute > Ssh Public Key > ServiceNow > Configuration Item > Table Definition
    • Azure > Compute > Ssh Public Key > ServiceNow > Table
    • Azure > Compute > Ssh Public Key > ServiceNow > Table > Definition
    • Azure > Compute > Virtual Machine > ServiceNow
    • Azure > Compute > Virtual Machine > ServiceNow > Configuration Item
    • Azure > Compute > Virtual Machine > ServiceNow > Configuration Item > Record
    • Azure > Compute > Virtual Machine > ServiceNow > Configuration Item > Table Definition
    • Azure > Compute > Virtual Machine > ServiceNow > Table
    • Azure > Compute > Virtual Machine > ServiceNow > Table > Definition
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Configuration Item
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Configuration Item > Record
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Configuration Item > Table Definition
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Table
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Table > Definition
  • Control Types:

    • Azure > Compute > Availability Set > ServiceNow
    • Azure > Compute > Availability Set > ServiceNow > Configuration Item
    • Azure > Compute > Availability Set > ServiceNow > Table
    • Azure > Compute > Disk > ServiceNow
    • Azure > Compute > Disk > ServiceNow > Configuration Item
    • Azure > Compute > Disk > ServiceNow > Table
    • Azure > Compute > Disk Encryption Set > ServiceNow
    • Azure > Compute > Disk Encryption Set > ServiceNow > Configuration Item
    • Azure > Compute > Disk Encryption Set > ServiceNow > Table
    • Azure > Compute > Image > ServiceNow
    • Azure > Compute > Image > ServiceNow > Configuration Item
    • Azure > Compute > Image > ServiceNow > Table
    • Azure > Compute > Snapshot > ServiceNow
    • Azure > Compute > Snapshot > ServiceNow > Configuration Item
    • Azure > Compute > Snapshot > ServiceNow > Table
    • Azure > Compute > Ssh Public Key > ServiceNow
    • Azure > Compute > Ssh Public Key > ServiceNow > Configuration Item
    • Azure > Compute > Ssh Public Key > ServiceNow > Table
    • Azure > Compute > Virtual Machine > ServiceNow
    • Azure > Compute > Virtual Machine > ServiceNow > Configuration Item
    • Azure > Compute > Virtual Machine > ServiceNow > Table
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Configuration Item
    • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Table

Bug fixes

  • The ServiceNow > Turbot > Watches > AWS control would fail to delete/archive records in ServiceNow. This is now fixed.

Bug fixes

  • Server
    • Updated TE stack to enable propagation of custom tags to ECS tasks.
    • Updated @turbot/aws-sdk to 5.13.0, @turbot/fn to 5.21.0 and aws-sdk to 2.922.

Requirements

  • TEF: 1.51.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
  • The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
  • The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.

Bug fixes

  • The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
  • The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
  • The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.

Bug fixes

  • The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
  • The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
  • The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.

Bug fixes

  • The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
  • The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
  • The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.

Bug fixes

  • The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
  • The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
  • The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.

Bug fixes

  • The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
  • The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
  • The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.

Bug fixes

  • The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
  • The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
  • The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.

Bug fixes

  • Fixed the plugin to correctly return results when environment variables are only used for authentication. (#21)

Bug fixes

  • Fixed the invalid Go module path of the plugin. (#15)

Bug fixes

  • The Discovery controls for Application, Cost Center and User would sometimes upsert resources with incorrect AKAs for a freshly imported ServiceNow Instance in Guardrails CMDB. This is fixed and the controls will now work as expected.

Bug fixes

  • The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.

Bug fixes

  • The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.

Bug fixes

  • The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.

Bug fixes

  • The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.

Bug fixes

  • The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.

Bug fixes

  • The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.

Bug fixes

  • The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.

Bug fixes

  • The AWS > Turbot > Event Poller policy will now be automatically set to Disabled if any of the AWS > Turbot > Event Handlers or AWS > Turbot > Event Handlers [Global] policies is set to Enforce: Configured.

Bug fixes

  • Fixed the invalid Go module path of the plugin. (#20)

Bug fixes

  • Fixed the invalid Go module path of the plugin. (#13)

Bug fixes

  • Fixed the invalid Go module path of the plugin. (#43)

Bug fixes

  • Fixed the invalid Go module path of the plugin. (#36)

Bug fixes

  • Fixed the invalid Go module path of the plugin. (#20)

Bug fixes

  • Fixed the invalid Go module path of the plugin. (#26)

What's new?

Enhancements

  • Updated the following tables to include support for dynamic GraphQL queries:
    • github_my_star (#369)
    • github_stargazer (#370)
    • github_tag (#371)
    • github_rate_limit (#368)
    • github_community_profile (#367)
    • github_license (#366)
    • github_organization_member (#364)
    • github_team_member (#364)
    • github_user (#364)
    • github_my_team (#363)
    • github_team (#363)
    • github_commit (#362)
    • github_my_organization (#361)
    • github_organization (#361)
    • github_organization_external_identity (#361)
    • github_branch (#360)
    • github_branch_protection (#360)
    • github_repository_collaborator (#365)
    • github_repository_deployment (#365)
    • github_repository_environment (#365)
    • github_repository_vulnerability_alert (#365)
    • github_issue (#359)
    • github_issue_comment (#359)
    • github_pull_request (#359)
    • github_pull_request_comment (#359)
    • github_pull_request_review (#359)

Bug fixes

  • Fixed the invalid Go module path of the plugin. (#27)

Bug fixes

  • Server
    • ServiceNow Instance Client Secret and Password were processed incorrectly while fetching credentials for the Instance.

Bug fixes

  • Server
    • Create mutation for ServiceNow instance failed if no instances were available in a Guardrails workspace.

What's new?

  • Resource Types:

    • ServiceNow
    • ServiceNow > Application
    • ServiceNow > Cost Center
    • ServiceNow > Instance
    • ServiceNow > User
  • Policy Types:

    • ServiceNow > Application > Business Rule
    • ServiceNow > Application > Business Rule > Name
    • ServiceNow > Application > CMDB
    • ServiceNow > Config
    • ServiceNow > Config > Application Scope
    • ServiceNow > Config > Client ID
    • ServiceNow > Config > Client Secret
    • ServiceNow > Config > Instance URL
    • ServiceNow > Config > Password
    • ServiceNow > Config > System Properties
    • ServiceNow > Config > System Properties > Template
    • ServiceNow > Config > Username
    • ServiceNow > Cost Center > Business Rule
    • ServiceNow > Cost Center > Business Rule > Name
    • ServiceNow > Cost Center > CMDB
    • ServiceNow > Instance > CMDB
    • ServiceNow > Login Names
    • ServiceNow > Turbot
    • ServiceNow > Turbot > Watches
    • ServiceNow > User > Business Rule
    • ServiceNow > User > Business Rule > Name
    • ServiceNow > User > CMDB
  • Control Types:

    • ServiceNow > Application > Business Rule
    • ServiceNow > Application > CMDB
    • ServiceNow > Application > Discovery
    • ServiceNow > Config
    • ServiceNow > Config > System Properties
    • ServiceNow > Cost Center > Business Rule
    • ServiceNow > Cost Center > CMDB
    • ServiceNow > Cost Center > Discovery
    • ServiceNow > Instance > CMDB
    • ServiceNow > Turbot
    • ServiceNow > Turbot > Watches
    • ServiceNow > User > Business Rule
    • ServiceNow > User > CMDB
    • ServiceNow > User > Discovery
  • Action Types:

    • ServiceNow > Instance > Event Handler
    • ServiceNow > Turbot
    • ServiceNow > Turbot > Watches

What's new?

  • Policy Types:

    • AWS > VPC > Network ACL > ServiceNow
    • AWS > VPC > Network ACL > ServiceNow > Configuration Item
    • AWS > VPC > Network ACL > ServiceNow > Configuration Item > Record
    • AWS > VPC > Network ACL > ServiceNow > Configuration Item > Table Definition
    • AWS > VPC > Network ACL > ServiceNow > Table
    • AWS > VPC > Network ACL > ServiceNow > Table > Definition
    • AWS > VPC > Security Group > ServiceNow
    • AWS > VPC > Security Group > ServiceNow > Configuration Item
    • AWS > VPC > Security Group > ServiceNow > Configuration Item > Record
    • AWS > VPC > Security Group > ServiceNow > Configuration Item > Table Definition
    • AWS > VPC > Security Group > ServiceNow > Table
    • AWS > VPC > Security Group > ServiceNow > Table > Definition
  • Control Types:

    • AWS > VPC > Network ACL > ServiceNow
    • AWS > VPC > Network ACL > ServiceNow > Configuration Item
    • AWS > VPC > Network ACL > ServiceNow > Table
    • AWS > VPC > Security Group > ServiceNow
    • AWS > VPC > Security Group > ServiceNow > Configuration Item
    • AWS > VPC > Security Group > ServiceNow > Table

What's new?

  • Policy Types:

    • AWS > VPC > Elastic IP > ServiceNow
    • AWS > VPC > Elastic IP > ServiceNow > Configuration Item
    • AWS > VPC > Elastic IP > ServiceNow > Configuration Item > Record
    • AWS > VPC > Elastic IP > ServiceNow > Configuration Item > Table Definition
    • AWS > VPC > Elastic IP > ServiceNow > Table
    • AWS > VPC > Elastic IP > ServiceNow > Table > Definition
  • Control Types:

    • AWS > VPC > Elastic IP > ServiceNow
    • AWS > VPC > Elastic IP > ServiceNow > Configuration Item
    • AWS > VPC > Elastic IP > ServiceNow > Table

What's new?

  • Policy Types:

    • AWS > VPC > Route Table > ServiceNow
    • AWS > VPC > Route Table > ServiceNow > Configuration Item
    • AWS > VPC > Route Table > ServiceNow > Configuration Item > Record
    • AWS > VPC > Route Table > ServiceNow > Configuration Item > Table Definition
    • AWS > VPC > Route Table > ServiceNow > Table
    • AWS > VPC > Route Table > ServiceNow > Table > Definition
    • AWS > VPC > Subnet > ServiceNow
    • AWS > VPC > Subnet > ServiceNow > Configuration Item
    • AWS > VPC > Subnet > ServiceNow > Configuration Item > Record
    • AWS > VPC > Subnet > ServiceNow > Configuration Item > Table Definition
    • AWS > VPC > Subnet > ServiceNow > Table
    • AWS > VPC > Subnet > ServiceNow > Table > Definition
    • AWS > VPC > VPC > ServiceNow
    • AWS > VPC > VPC > ServiceNow > Configuration Item
    • AWS > VPC > VPC > ServiceNow > Configuration Item > Record
    • AWS > VPC > VPC > ServiceNow > Configuration Item > Table Definition
    • AWS > VPC > VPC > ServiceNow > Table
    • AWS > VPC > VPC > ServiceNow > Table > Definition
  • Control Types:

    • AWS > VPC > Route Table > ServiceNow
    • AWS > VPC > Route Table > ServiceNow > Configuration Item
    • AWS > VPC > Route Table > ServiceNow > Table
    • AWS > VPC > Subnet > ServiceNow
    • AWS > VPC > Subnet > ServiceNow > Configuration Item
    • AWS > VPC > Subnet > ServiceNow > Table
    • AWS > VPC > VPC > ServiceNow
    • AWS > VPC > VPC > ServiceNow > Configuration Item
    • AWS > VPC > VPC > ServiceNow > Table

What's new?

  • Policy Types:

    • ServiceNow > Turbot > Watches > AWS
  • Control Types:

    • ServiceNow > Turbot > Watches > AWS
  • Action Types:

    • ServiceNow > Turbot > Watches > AWS Archive And Delete Record

What's new?

  • Policy Types:

    • AWS > S3 > Bucket > ServiceNow
    • AWS > S3 > Bucket > ServiceNow > Configuration Item
    • AWS > S3 > Bucket > ServiceNow > Configuration Item > Record
    • AWS > S3 > Bucket > ServiceNow > Configuration Item > Table Definition
    • AWS > S3 > Bucket > ServiceNow > Table
    • AWS > S3 > Bucket > ServiceNow > Table > Definition
  • Control Types:

    • AWS > S3 > Bucket > ServiceNow
    • AWS > S3 > Bucket > ServiceNow > Configuration Item
    • AWS > S3 > Bucket > ServiceNow > Table

What's new?

  • Policy Types:

    • AWS > IAM > Group > ServiceNow
    • AWS > IAM > Group > ServiceNow > Configuration Item
    • AWS > IAM > Group > ServiceNow > Configuration Item > Record
    • AWS > IAM > Group > ServiceNow > Configuration Item > Table Definition
    • AWS > IAM > Group > ServiceNow > Table
    • AWS > IAM > Group > ServiceNow > Table > Definition
    • AWS > IAM > Role > ServiceNow
    • AWS > IAM > Role > ServiceNow > Configuration Item
    • AWS > IAM > Role > ServiceNow > Configuration Item > Record
    • AWS > IAM > Role > ServiceNow > Configuration Item > Table Definition
    • AWS > IAM > Role > ServiceNow > Table
    • AWS > IAM > Role > ServiceNow > Table > Definition
    • AWS > IAM > User > ServiceNow
    • AWS > IAM > User > ServiceNow > Configuration Item
    • AWS > IAM > User > ServiceNow > Configuration Item > Record
    • AWS > IAM > User > ServiceNow > Configuration Item > Table Definition
    • AWS > IAM > User > ServiceNow > Table
    • AWS > IAM > User > ServiceNow > Table > Definition
  • Control Types:

    • AWS > IAM > Group > ServiceNow
    • AWS > IAM > Group > ServiceNow > Configuration Item
    • AWS > IAM > Group > ServiceNow > Table
    • AWS > IAM > Role > ServiceNow
    • AWS > IAM > Role > ServiceNow > Configuration Item
    • AWS > IAM > Role > ServiceNow > Table
    • AWS > IAM > User > ServiceNow
    • AWS > IAM > User > ServiceNow > Configuration Item
    • AWS > IAM > User > ServiceNow > Table

What's new?

  • Policy Types:

    • AWS > EC2 > Instance > ServiceNow
    • AWS > EC2 > Instance > ServiceNow > Configuration Item
    • AWS > EC2 > Instance > ServiceNow > Configuration Item > Record
    • AWS > EC2 > Instance > ServiceNow > Configuration Item > Table Definition
    • AWS > EC2 > Instance > ServiceNow > Table
    • AWS > EC2 > Instance > ServiceNow > Table > Definition
    • AWS > EC2 > Snapshot > ServiceNow
    • AWS > EC2 > Snapshot > ServiceNow > Configuration Item
    • AWS > EC2 > Snapshot > ServiceNow > Configuration Item > Record
    • AWS > EC2 > Snapshot > ServiceNow > Configuration Item > Table Definition
    • AWS > EC2 > Snapshot > ServiceNow > Table
    • AWS > EC2 > Snapshot > ServiceNow > Table > Definition
    • AWS > EC2 > Volume > ServiceNow
    • AWS > EC2 > Volume > ServiceNow > Configuration Item
    • AWS > EC2 > Volume > ServiceNow > Configuration Item > Record
    • AWS > EC2 > Volume > ServiceNow > Configuration Item > Table Definition
    • AWS > EC2 > Volume > ServiceNow > Table
    • AWS > EC2 > Volume > ServiceNow > Table > Definition
  • Control Types:

    • AWS > EC2 > Instance > ServiceNow
    • AWS > EC2 > Instance > ServiceNow > Configuration Item
    • AWS > EC2 > Instance > ServiceNow > Table
    • AWS > EC2 > Snapshot > ServiceNow
    • AWS > EC2 > Snapshot > ServiceNow > Configuration Item
    • AWS > EC2 > Snapshot > ServiceNow > Table
    • AWS > EC2 > Volume > ServiceNow
    • AWS > EC2 > Volume > ServiceNow > Configuration Item
    • AWS > EC2 > Volume > ServiceNow > Table

Turbot Pipes now officially supports billing for your organization team plan via AWS Marketplace.

For more information, see the Pipes billing docs.

What's new?

  • Server

    • Added: Support for creating and deleting watches using @turbot/sdk.
    • Updated: @turbot/fn, @turbot/aws-sdk, aws-sdk, @turbot/utils, @turbot/errors, @turbot/log, @turbot/responses packages.
    • Added: Support for ServiceNow credentials.
  • UI:

    • Added: Support to import ServiceNow Instance in Guardrails.

What's new?

  • Control Category Types:
    • CMDB > External
    • Cloud > Integration

What's new?

  • Added the following controls across the benchmarks: (#49)
    • bigquery_table_deletion_protection_enabled
    • bigtable_instance_deletion_protection_enabled
    • spanner_database_deletion_protection_enabled
    • spanner_database_drop_protection_enabled

What's new?

  • Added the following controls across the benchmarks: (#47)
    • appservice_environment_zone_redundant_enabled
    • appservice_function_app_public_access_disabled
    • appservice_plan_zone_redundant
    • appservice_web_app_public_access_disabled
    • eventhub_namespace_uses_latest_tls_version
    • eventhub_namespace_zone_redundant
    • kubernetes_cluster_critical_pods_on_system_nodes
    • kubernetes_cluster_os_disk_ephemeral
    • redis_cache_standard_replication_enabled
    • sql_database_ledger_enabled
    • sql_database_zone_redundant_enabled

What's new?

  • Added the following controls across the benchmarks: (#98)
    • docdb_cluster_backup_retention_period_7
    • lambda_permission_restricted_service_permission
    • neptune_cluster_backup_retention_period_7
    • neptune_cluster_copy_tags_to_snapshot_enabled
    • neptune_cluster_iam_authentication_enabled

Bug fixes

  • Fixed the index doc by removing unsupported images. (#334)

Enhancements

  • Added the following controls to the All Controls benchmark: (#733)
    • api_gateway_rest_api_public_endpoint_with_authorizer
    • dlm_ebs_snapshot_lifecycle_policy_enabled
    • docdb_cluster_instance_encryption_at_rest_enabled
    • ebs_volume_snapshot_exists
    • elasticache_cluster_no_public_subnet
    • iam_role_no_administrator_access_policy_attached
    • iam_user_access_key_unused_45
    • iam_user_console_access_unused_45
    • neptune_db_cluster_no_public_subnet

Bug fixes

  • Fixed missing closing tag in index doc. (#331)

What's new?

  • Resource Types:

    • AWS > Kendra
  • Policy Types:

    • AWS > Kendra > API Enabled
    • AWS > Kendra > Approved Regions [Default]
    • AWS > Kendra > Enabled
    • AWS > Kendra > Permissions
    • AWS > Kendra > Permissions > Levels
    • AWS > Kendra > Permissions > Levels > Modifiers
    • AWS > Kendra > Permissions > Lockdown
    • AWS > Kendra > Permissions > Lockdown > API Boundary
    • AWS > Kendra > Regions
    • AWS > Kendra > Tags Template [Default]
    • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-kendra
    • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-kendra
    • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-kendra

Bug fixes

  • Fixed ad_guest_user_reviewed_monthly, iam_deprecated_account_with_owner_roles, iam_external_user_with_read_permission, iam_external_user_with_write_permission, iam_user_not_allowed_to_create_security_group and iam_user_not_allowed_to_register_application queries to remove duplicate benchmark results. (#228)

What's new?

  • Category Types:
    • Turbot > Resource > Category > Business Application
    • Turbot > Resource > Category > Cloud > Api
    • Turbot > Resource > Category > Cloud > Provider
    • Turbot > Resource > Category > Cloud > Resource Group
    • Turbot > Resource > Category > Container
    • Turbot > Resource > Category > Cost Management
    • Turbot > Resource > Category > End User Computing
    • Turbot > Resource > Category > Migration
    • Turbot > Resource > Category > Robotics

What's new?

  • Added support to process enable and disable real-time events for Firebase Management APIs.

What's new?

  • You can now Enable/Disable Firebase Management API via Guardrails. To get started, set the GCP > Firebase > API Enabled policy.

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Control Types:

    • GCP > Firebase > API Enabled
  • Policy Types:

    • GCP > Firebase > API Enabled
    • GCP > Firebase > Android App > Approved > Custom
    • GCP > Firebase > Web App > Approved > Custom
    • GCP > Firebase > iOS App > Approved > Custom
  • Action Types:

    • GCP > Firebase > Set API Enabled

What's new?

  • Added support for newer US, Europe, India and US Government regions in the Azure > Synapse Analytics > Regions policy.

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Synapse Analytics > SQL Pool > Approved > Custom
    • Azure > Synapse Analytics > SQL Pool > Regions
    • Azure > Synapse Analytics > Workspace > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > API Management > API Management Service > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > AKS > Managed Cluster > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Network Watcher > Flow Log > Approved > Custom
    • Azure > Network Watcher > Network Watcher > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Data Factory > Dataset > Approved > Custom
    • Azure > Data Factory > Factory > Approved > Custom
    • Azure > Data Factory > Pipeline > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Firewall > Firewall > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Front Door > Front Door > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Databricks > Workspace > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • Policy Types:
    • GCP > Compute Engine > Image > Policy > Trusted Access > All Authenticated
    • GCP > Compute Engine > Image > Policy > Trusted Access > All Users

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > SignalR Service > SignalR > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Relay > Namespace > Approved > Custom

Bug fixes

  • Fixed the plugin brand colour.

Bug fixes

  • Fixed the plugin to pass the namespace qualifier to the kubernetes API client when querying namespace scoped resources. (#181) (Thanks @pdecat for the contribution!!)

What's new?

  • Policy Types:
    • GCP > Functions > Function > Policy > Trusted Access > All Authenticated
    • GCP > Functions > Function > Policy > Trusted Access > All Users

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Search Management > Search Service > Approved > Custom

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • Azure > Recovery Service > Vault > Approved > Custom

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • AWS > SWF > Domain > Approved > Custom
  • Action Types:

    • AWS > SWF > Domain > Set Tags
    • AWS > SWF > Domain > Skip alarm for Active control
    • AWS > SWF > Domain > Skip alarm for Active control [90 days]
    • AWS > SWF > Domain > Skip alarm for Approved control
    • AWS > SWF > Domain > Skip alarm for Approved control [90 days]
    • AWS > SWF > Domain > Skip alarm for Tags control
    • AWS > SWF > Domain > Skip alarm for Tags control [90 days]

Bug fixes

  • Fixed the GetConfig of github_team_repository table to include support for dynamic GraphQL queries. (#379)
  • Fixed the example queries in github_commit doc file. (#377)
  • Fixed the example queries in github_search_issue doc file to filter out results from the API. (#378)

What's new?

Bug fixes

  • Fixed the retention_policy column of gcp_storage_bucket table to correctly return data instead of null. (#502)

What's new?

Enhancements

  • Added the properties column to jira_project table. (#105)

Bug fixes

  • Fixed typo in the docs/index.md file. (#102) (Thanks @adrfrank for the contribution!)
  • Fixed the jira_issue table by enhancing case insensitivity support for the status column. (#90)

What's new?

  • Added CIS v3.0.0 benchmark (steampipe check benchmark.cis_v300). (#57)

Breaking Changes

  • Removed the following tables using the search API that no longer work due to API limitations. These tables will be added back if functionality can be restored.
    • linkedin_company_employee
    • linkedin_company_past_employee
    • linkedin_connection
    • linkedin_search_company
    • linkedin_search_profile

Bug fixes

  • Fixed the compute_firewall_allow_tcp_connections_proxied_by_iap query to correctly include all the ports and source IP ranges. (#128) (Thanks @saisirishreddy for the contribution!)

What's new?

  • Encapsulate plugin server so it is possible to use it in-process as well as via GRPC. (#719)
  • Add steampipe field to _ctx column, containing sdk version. (#712)

Bug fixes

  • Remove plugin has no connections error when deleting and then re-adding a connection. (#725)
  • Fix potential divide by zero bug when setting cache size

Enhancements

  • Added the dns_mx_dmarc_record_enabled control to the dns_mx_best_practices benchmark. (#20)

Bug fixes

  • Fixed dashboard localhost URLs in README and index doc. (#23)

Enhancements

  • Added the run_started_at column to github_actions_repository_workflow_run table. (#358) (Thanks @mridang for the contribution!)

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Policy Types:

    • AWS > QLDB > Ledger > Approved > Custom
  • Action Types:

    • AWS > QLDB > Ledger > Delete from AWS
    • AWS > QLDB > Ledger > Set Tags
    • AWS > QLDB > Ledger > Skip alarm for Active control
    • AWS > QLDB > Ledger > Skip alarm for Active control [90 days]
    • AWS > QLDB > Ledger > Skip alarm for Approved control
    • AWS > QLDB > Ledger > Skip alarm for Approved control [90 days]
    • AWS > QLDB > Ledger > Skip alarm for Tags control
    • AWS > QLDB > Ledger > Skip alarm for Tags control [90 days]

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • AWS > Neptune > DB Cluster > Approved > Custom
    • AWS > Neptune > DB Instance > Approved > Custom
  • Action Types:

    • AWS > Neptune > DB Cluster > Delete from AWS
    • AWS > Neptune > DB Cluster > Set Tags
    • AWS > Neptune > DB Cluster > Skip alarm for Active control
    • AWS > Neptune > DB Cluster > Skip alarm for Active control [90 days]
    • AWS > Neptune > DB Cluster > Skip alarm for Approved control
    • AWS > Neptune > DB Cluster > Skip alarm for Approved control [90 days]
    • AWS > Neptune > DB Cluster > Skip alarm for Tags control
    • AWS > Neptune > DB Cluster > Skip alarm for Tags control [90 days]
    • AWS > Neptune > DB Instance > Delete from AWS
    • AWS > Neptune > DB Instance > Set Tags
    • AWS > Neptune > DB Instance > Skip alarm for Active control
    • AWS > Neptune > DB Instance > Skip alarm for Active control [90 days]
    • AWS > Neptune > DB Instance > Skip alarm for Approved control
    • AWS > Neptune > DB Instance > Skip alarm for Approved control [90 days]
    • AWS > Neptune > DB Instance > Skip alarm for Tags control
    • AWS > Neptune > DB Instance > Skip alarm for Tags control [90 days]

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • AWS > Inspector > Assessment Target > Approved > Custom
    • AWS > Inspector > Assessment Template > Approved > Custom
  • Action Types:

    • AWS > Inspector > Assessment Target > Delete from AWS
    • AWS > Inspector > Assessment Target > Skip alarm for Active control
    • AWS > Inspector > Assessment Target > Skip alarm for Active control [90 days]
    • AWS > Inspector > Assessment Target > Skip alarm for Approved control
    • AWS > Inspector > Assessment Target > Skip alarm for Approved control [90 days]
    • AWS > Inspector > Assessment Template > Delete from AWS
    • AWS > Inspector > Assessment Template > Set Tags
    • AWS > Inspector > Assessment Template > Skip alarm for Active control
    • AWS > Inspector > Assessment Template > Skip alarm for Active control [90 days]
    • AWS > Inspector > Assessment Template > Skip alarm for Approved control
    • AWS > Inspector > Assessment Template > Skip alarm for Approved control [90 days]
    • AWS > Inspector > Assessment Template > Skip alarm for Tags control
    • AWS > Inspector > Assessment Template > Skip alarm for Tags control [90 days]

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

  • We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • AWS > DAX > Cluster > Approved > Custom
  • Action Types:

    • AWS > DAX > Cluster > Delete from AWS
    • AWS > DAX > Cluster > Set Tags
    • AWS > DAX > Cluster > Skip alarm for Active control
    • AWS > DAX > Cluster > Skip alarm for Active control [90 days]
    • AWS > DAX > Cluster > Skip alarm for Approved control
    • AWS > DAX > Cluster > Skip alarm for Approved control [90 days]
    • AWS > DAX > Cluster > Skip alarm for Tags control
    • AWS > DAX > Cluster > Skip alarm for Tags control [90 days]

What's new?

  • Added the new All Controls benchmark (steampipe check benchmark.all_controls). This new benchmark includes 109 service-specific controls. (#127)

What's new?

  • Server

    • Updated: The package passport-saml to @node-saml/passport-saml 4.0.4.
    • Updated: The directory API to support Require Signed Authentication Response and Strict Audience Validation.
  • UI:

    • Added: Introduced UI options for Require Signed Authentication Response and Strict Audience Validation for enhanced security in SAML authentication.

Enhanced Security and Compatibility Guide for SAML Authentication

Description

The recent package change to @node-saml/passport-saml has made it mandatory to sign the authentication response and to perform audience validation. To maintain backward compatibility, we have introduced two new options in the UI:

  1. Require Signed Authentication Response
  2. Strict Audience Validation

To make it backward compatible, both of these options are initially set to Disabled by default.

Important Note: When enabled, these options ensure that the authentication response is signed and that audience validation is enforced. These checks were not available in earlier versions of the package.

Recommendations

We recommend that customers enable both of these properties, as they add an additional layer of security. However, be aware that enabling them might break SAML login. Therefore, certain steps need to be taken before enabling them.

Here are specific recommendations for popular Identity Providers (IDPs):

Okta

  • Strict Audience Validation: If enabled, ensure that the "Issuer ID" matches the "Audience Restriction."

OneLogin

  • Require Signed Authentication Response: This feature should be disabled in OneLogin, as OneLogin does not support it.
  • Strict Audience Validation: If enabled, ensure that the "Issuer ID" matches the "Audience".

Microsoft Entra ID (previously known as Azure AD)

  • Require Signed Authentication Response: If enabled, make sure the Signing Option is set to "Sign SAML response and assertion". The Signing Option is available on the SAML Signing Certificate page of Entra ID.

Please follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.
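The following is an added example, not code from the Turbot product or from the node-saml project. It maps the two UI options described above onto the @node-saml/passport-saml 4.x Strategy options they correspond to, and adds a pre-flight inspector for a captured SAMLResponse so an operator can see whether the IdP signs the Response element and which Audience it emits before flipping the stricter settings. The option names wantAuthnResponseSigned, audience, issuer, entryPoint, callbackUrl and cert are the library's (4.x names); the helper names, the preflight logic, the entity IDs and the sample XML are assumptions constructed for this example, and the use of `audience: false` to disable the check should be verified against the node-saml version you run.

```javascript
// Added example (not Turbot's or node-saml's code). Maps the two UI settings
// onto @node-saml/passport-saml 4.x Strategy options and inspects a captured
// SAMLResponse so you can predict whether enabling them will break login.
// Helper names, entity IDs and sample XML are assumptions made for this example.

function buildSamlOptions(base, ui) {
  return {
    ...base,
    // "Require Signed Authentication Response": node-saml 4.x defaults this to
    // true. Turning it off keeps IdPs that sign only the Assertion working
    // (the changelog names OneLogin).
    wantAuthnResponseSigned: Boolean(ui.requireSignedAuthnResponse),
    // "Strict Audience Validation": require <saml:Audience> to equal the SP
    // entity ID (issuer). `false` disables the check (assumed 4.x behaviour).
    audience: ui.strictAudienceValidation ? base.issuer : false,
  };
}

// Heuristic inspector for a base64 SAMLResponse POST parameter. A Signature
// element that appears before the first Assertion is treated as the
// Response-level signature; later ones as Assertion-level. Diagnostic only:
// it does no cryptography and is not a substitute for the library's XML-DSig
// verification (it is not signature-wrapping safe).
function inspectSamlResponse(samlResponseB64) {
  const xml = Buffer.from(samlResponseB64, "base64").toString("utf8");
  if (!/<(\w+:)?Response[\s>]/.test(xml)) throw new Error("not a SAML Response");
  const assertionStart = xml.search(/<(\w+:)?(Encrypted)?Assertion[\s>]/);
  let responseSigned = false;
  let assertionSigned = false;
  const sigRe = /<(\w+:)?Signature[\s>]/g;
  let m;
  while ((m = sigRe.exec(xml)) !== null) {
    if (assertionStart === -1 || m.index < assertionStart) responseSigned = true;
    else assertionSigned = true;
  }
  const audiences = [...xml.matchAll(/<(?:\w+:)?Audience>([^<]*)<\//g)].map((x) => x[1].trim());
  return { responseSigned, assertionSigned, audiences };
}

// What would break if the options in `ui` were enabled against this IdP?
function preflight(base, ui, inspection) {
  const problems = [];
  if (ui.requireSignedAuthnResponse && !inspection.responseSigned) {
    problems.push("IdP does not sign the Response element; enable response signing at the IdP or leave this option off");
  }
  if (ui.strictAudienceValidation && !inspection.audiences.includes(base.issuer)) {
    problems.push(`Audience ${JSON.stringify(inspection.audiences)} does not match issuer ${base.issuer}`);
  }
  return problems;
}

// Constructed sample: Assertion signed, Response unsigned, and an Audience that
// differs from the SP entity ID configured in BASE below.
const SAMPLE_XML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>c2lnbg==</ds:SignatureValue></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/v1</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>`;
const SAMPLE_RESPONSE_B64 = Buffer.from(SAMPLE_XML, "utf8").toString("base64");

// Hypothetical SP configuration (entity IDs and URLs are placeholders).
const BASE = {
  entryPoint: "https://idp.example.org/sso",
  issuer: "https://sp.example.com/saml/v2",
  callbackUrl: "https://sp.example.com/saml/acs",
  cert: "MIIC...placeholder IdP signing certificate...",
};

function demo() {
  const ui = { requireSignedAuthnResponse: true, strictAudienceValidation: true };
  const inspection = inspectSamlResponse(SAMPLE_RESPONSE_B64);
  return { options: buildSamlOptions(BASE, ui), inspection, problems: preflight(BASE, ui, inspection) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it against a real SAMLResponse captured from the browser's POST to your ACS endpoint (the base64 form parameter) to see which of the two options your IdP already satisfies; the sample above reports two problems because the Response is unsigned and the Audience does not match the configured issuer.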

What's new?

  • We've updated the runtime of the lambda functions to Node 18. This is a runtime-only change; existing behaviour is unchanged.
  • Resource's metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

  • We've updated the runtime of the lambda functions to Node 18. This is a runtime-only change; existing behaviour is unchanged.

  • Policy Types:

    • AWS > Lightsail > Instance > Approved > Custom
    • AWS > Lightsail > Load Balancer > Approved > Custom
    • AWS > Lightsail > Relational Database > Approved > Custom
  • Action Types:

    • AWS > Lightsail > Instance > Delete from AWS
    • AWS > Lightsail > Instance > Set Tags
    • AWS > Lightsail > Instance > Skip alarm for Active control
    • AWS > Lightsail > Instance > Skip alarm for Active control [90 days]
    • AWS > Lightsail > Instance > Skip alarm for Approved control
    • AWS > Lightsail > Instance > Skip alarm for Approved control [90 days]
    • AWS > Lightsail > Instance > Skip alarm for Tags control
    • AWS > Lightsail > Instance > Skip alarm for Tags control [90 days]
    • AWS > Lightsail > Load Balancer > Delete from AWS
    • AWS > Lightsail > Load Balancer > Set Tags
    • AWS > Lightsail > Load Balancer > Skip alarm for Active control
    • AWS > Lightsail > Load Balancer > Skip alarm for Active control [90 days]
    • AWS > Lightsail > Load Balancer > Skip alarm for Approved control
    • AWS > Lightsail > Load Balancer > Skip alarm for Approved control [90 days]
    • AWS > Lightsail > Load Balancer > Skip alarm for Tags control
    • AWS > Lightsail > Load Balancer > Skip alarm for Tags control [90 days]
    • AWS > Lightsail > Relational Database > Delete from AWS
    • AWS > Lightsail > Relational Database > Set Tags
    • AWS > Lightsail > Relational Database > Skip alarm for Active control
    • AWS > Lightsail > Relational Database > Skip alarm for Active control [90 days]
    • AWS > Lightsail > Relational Database > Skip alarm for Approved control
    • AWS > Lightsail > Relational Database > Skip alarm for Approved control [90 days]
    • AWS > Lightsail > Relational Database > Skip alarm for Tags control
    • AWS > Lightsail > Relational Database > Skip alarm for Tags control [90 days]

What's new?

  • Resource Types:

    • AWS > Bedrock
  • Policy Types:

    • AWS > Bedrock > API Enabled
    • AWS > Bedrock > Approved Regions [Default]
    • AWS > Bedrock > Enabled
    • AWS > Bedrock > Permissions
    • AWS > Bedrock > Permissions > Levels
    • AWS > Bedrock > Permissions > Levels > Modifiers
    • AWS > Bedrock > Permissions > Lockdown
    • AWS > Bedrock > Permissions > Lockdown > API Boundary
    • AWS > Bedrock > Regions
    • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-bedrock
    • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-bedrock
    • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-bedrock

What's new?

  • Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.

  • We've updated the runtime of the lambda functions to Node 18. This is a runtime-only change; existing behaviour is unchanged.

  • Resource's metadata will now also include createdBy details in Turbot CMDB.

  • Policy Types:

    • AWS > App Mesh > Mesh > Approved > Custom
  • Action Types:

    • AWS > App Mesh > Mesh > Delete from AWS
    • AWS > App Mesh > Mesh > Set Tags
    • AWS > App Mesh > Mesh > Skip alarm for Active control
    • AWS > App Mesh > Mesh > Skip alarm for Active control [90 days]
    • AWS > App Mesh > Mesh > Skip alarm for Approved control
    • AWS > App Mesh > Mesh > Skip alarm for Approved control [90 days]
    • AWS > App Mesh > Mesh > Skip alarm for Tags control
    • AWS > App Mesh > Mesh > Skip alarm for Tags control [90 days]
  • Updated the plugin dependency section of the following mods to use min_version instead of version:
    • Alicloud Insights
    • AWS Insights
    • AWS Tags
    • Azure Insights
    • Digitalocean Insights
    • Docker Compliance
    • GCP Insights
    • GCP Labels
    • Github Compliance
    • Github Insights
    • Gitlab Insights
    • Hackernews Insights
    • IBM Insights
    • Kubernetes Insights
    • Microsoft 365 Compliance
    • OCI Compliance
    • OCI Insights
    • OCI Thrifty
    • Snowflake Compliance
    • Tailscale Compliance
    • Terraform AWS Compliance
    • Terraform Azure Compliance
    • Terraform GCP Compliance
    • Terraform OCI Compliance
    • Turbot Guardrails Insights

Breaking changes

  • Updated the plugin dependency section of the mod to use min_version instead of version. (#82)

Bug fixes

  • Updated the docs to include the correct links for the nsa_cisa_v1 benchmark. (#80) (Thanks @aniketh-varma for the contribution!)
  • Fixed the following queries to cast the data to boolean format. (#79)
    • cronjob_container_privilege_disabled
    • cronjob_host_network_access_disabled
    • cronjob_hostpid_hostipc_sharing_disabled
    • cronjob_immutable_container_filesystem
    • cronjob_non_root_container
    • daemonset_container_privilege_disabled
    • daemonset_host_network_access_disabled
    • daemonset_hostpid_hostipc_sharing_disabled
    • daemonset_immutable_container_filesystem
    • daemonset_non_root_container
    • deployment_container_privilege_disabled
    • deployment_host_network_access_disabled
    • deployment_hostpid_hostipc_sharing_disabled
    • deployment_immutable_container_filesystem
    • deployment_non_root_container
    • job_container_privilege_disabled
    • job_host_network_access_disabled
    • job_hostpid_hostipc_sharing_disabled
    • job_immutable_container_filesystem
    • job_non_root_container
    • pod_container_privilege_disabled
    • pod_immutable_container_filesystem
    • pod_non_root_container
    • pod_service_account_token_enabled
    • pod_template_container_privilege_disabled
    • pod_template_immutable_container_filesystem
    • replicaset_container_privilege_disabled
    • replicaset_host_network_access_disabled
    • replicaset_hostpid_hostipc_sharing_disabled
    • replicaset_immutable_container_filesystem
    • replicaset_non_root_container
    • replication_controller_container_privilege_disabled
    • replication_controller_host_network_access_disabled
    • replication_controller_hostpid_hostipc_sharing_disabled
    • replication_controller_immutable_container_filesystem
    • replication_controller_non_root_container
    • statefulset_container_privilege_disabled
    • statefulset_host_network_access_disabled
    • statefulset_hostpid_hostipc_sharing_disabled
    • statefulset_immutable_container_filesystem
    • statefulset_non_root_container

Breaking changes

  • Updated the plugin dependency section of the mod to use min_version instead of version. (#130)

Bug fixes

  • Fixed the kms_key_separation_of_duties_enforced query to ensure that separation of duties is enforced while assigning KMS-related roles to users. (#132)

Breaking changes

  • Updated the plugin dependency section of the mod to use min_version instead of version. (#222)

Bug fixes

  • Fixed the compute_vm_tcp_udp_access_restricted_internet query to ensure internet-facing virtual machines are protected with network security groups. (#224)

Breaking changes

  • Updated the plugin dependency section of the mod to use min_version instead of version. (#34)

Bug fixes

  • Fixed the README and index docs to correctly reference the well_architected_framework_security benchmark. (