Bug fixes
- Fix issue where MacOS binaries failed to run due to absolute openssl paths and incorrect minimun OS version requirement. (#4679)
Changelog
Subscribe to all changelog posts via RSS or follow #changelog on our Slack community to stay updated on everything we ship.
What's new?
- You can now configure public network access for database accounts. To get started, set the
Azure > Cosmos DB > Database Account > Public Network Accesspolicy.
Control Types
- Azure > Cosmos DB > Database Account > Public Network Access
Policy Types
- Azure > Cosmos DB > Database Account > Public Network Access
Action Types
- Azure > Cosmos DB > Database Account > Set Public Network Access
Bug fixes
- Fixed policy mappings in various control types.
What's new?
- You can now configure advanced data security for workspaces. To get started, set the
Azure > Synapse Analytics > Workspace > Advanced Data Security > *policies.
Control Types
- Azure > Synapse Analytics > Workspace > Advanced Data Security
Policy Types
- Azure > Synapse Analytics > Workspace > Advanced Data Security
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Notify Admins
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Types
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Types > Email Addresses
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Email Addresses
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Notify Admins
- Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Storage Account
Action Types
- Azure > Synapse Analytics > Workspace > Update Advanced Data Security
What's new?
- You can now configure public network access for automation accounts. To get started, set the
Azure > Automation > Automation Account > Public Network Accesspolicy.
Control Types
- Azure > Automation > Automation Account > Public Network Access
Policy Types
- Azure > Automation > Automation Account > Public Network Access
Action Types
- Azure > Automation > Automation Account > Set Public Network Access
Enhancements
- Added the column
leaked_credential_check_enabledtocloudflare_zonetable. (#187) (Thanks @Theo-Bouguet for the contribution!!) - Added the parent hydrate
cloudflare_zoneto thecloudflare_dns_recordtable, so queries no longer requirezone_idin theWHEREorJOINclause. (#185) (Thanks @Theo-Bouguet for the contribution!!)
Bug fixes
- Added support to process enable and disable real-time events for Vertex AI API via Service Usage APIs.
Bug fixes
- Unsupported regions were inadvertently included in the
AWS > Bedrock > Custom Model > Regionspolicy, which led to theAWS > Bedrock > Custom Model > Discoverycontrol being in an error state for those regions. We've now removed the unsupported regions from the Regions policy.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
What's new?
Resource Types
- AWS > Cognito > Identity Pool
Control Types
- AWS > Cognito > Identity Pool > Active
- AWS > Cognito > Identity Pool > Allowed
- AWS > Cognito > Identity Pool > Allowed > Custom
- AWS > Cognito > Identity Pool > Allowed > Region
- AWS > Cognito > Identity Pool > CMDB
- AWS > Cognito > Identity Pool > Classic Authentication Flow
- AWS > Cognito > Identity Pool > Discovery
- AWS > Cognito > Identity Pool > Guest Access
- AWS > Cognito > Identity Pool > Tags
Policy Types
- AWS > Cognito > Allowed Regions [Default]
- AWS > Cognito > Identity Pool > Active
- AWS > Cognito > Identity Pool > Active > Age
- AWS > Cognito > Identity Pool > Active > Last Modified
- AWS > Cognito > Identity Pool > Allowed
- AWS > Cognito > Identity Pool > Allowed > Custom
- AWS > Cognito > Identity Pool > Allowed > Custom > Rules
- AWS > Cognito > Identity Pool > Allowed > Region
- AWS > Cognito > Identity Pool > Allowed > Region > Regions
- AWS > Cognito > Identity Pool > CMDB
- AWS > Cognito > Identity Pool > Classic Authentication Flow
- AWS > Cognito > Identity Pool > Guest Access
- AWS > Cognito > Identity Pool > Regions
- AWS > Cognito > Identity Pool > Tags
- AWS > Cognito > Identity Pool > Tags > Template
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-cognito
Action Types
- AWS > Cognito > Identity Pool > Delete
- AWS > Cognito > Identity Pool > Router
- AWS > Cognito > Identity Pool > Update Classic Authentication Flow
- AWS > Cognito > Identity Pool > Update Guest Access
- AWS > Cognito > Identity Pool > Update Tags
Note: We recommend updating the @turbot/aws mod to v5.40.0 for proper functionality.
What's new?
- New tables added
- grafana_alert_rule (#51) (Thanks @codenio for the contribution!!)
Bug fixes
Bug fixes
- Fixed
OAuth2scope handling by shifting to table-specific scope requests instead of global scopes, and documented required scopes per table. (#94)
What's new?
AWS > EC2 > AMI > *Lambda functions have been migrated to use AWS SDK v3, reducing the mod package size and improving deployment efficiency. You will not notice any differences, and things will continue to work smoothly as before.
What's new?
Policy Types
- Azure > Subscription > Allowed Regions [Default]
Bug fixes
- The real-time Event Handlers would fail to process tagging events for
AWS > Secrets Manager > Secretresources. This is now fixed.
Enhancements
- Added the following columns to the
azuread_usertable: (#295)automatic_replies_settingdate_formatdelegate_meeting_message_delivery_optionslanguagetime_formattime_zoneuser_purposeworking_hours
Enhancements
- Added the column
dhcp_optionstoazure_virtual_networktable. (#959) (Thanks @manzomanze for the contribution!)
Bug fixes
- Fixed the
legacy_usage_detailcolumn inazure_consumption_usagetable which now correctly returns theMeterDetailsmetadata instead ofnull. (#953)
What's new?
- New tables added
Enhancements
- Added the column
routing_configtoaws_lambda_aliastable. (#2657)
Bug fixes
- Fixed the
codecolumn inaws_lambda_versiontable to correctly return data instead ofnull. (#2656)
Dependencies
- Recompiled plugin with aws-sdk-go-v2 v1.39.3. (#2658)
- Updated the
OpenSearchtables to use github.com/aws/aws-sdk-go-v2/service/opensearch v1.52.6 module. (#2658)
What's new?
- Virtual network rules details will now be available in CMDB for servers.
Bug fixes
- The
AWS > Lambda > Function > URL Auth Typecontrol previously entered an invalid state when a Function URL was not configured. This issue has now been resolved and the control will correctly transition to a skipped state in such cases.
Bug fixes
- The
AWS > DynamoDB > Table > Encryption at Restcontrol previously remained incorrectly in an alarm state when encryption was enforced on Global Table replicas. This issue has been resolved; the control now transitions to an invalid state for replicas, as AWS Global Tables require a single, coordinated cross-region encryption update rather than per-replica changes.
v0.17.0 of the Terraform Provider for Pipes is now available.
What's new?
- Resource:
pipes_tenant_service_account - Resource:
pipes_organization_service_account
Enhancements
- Add
skip_initial_refreshattribute to thepipes_workspace_datatank_tableresource to prevent immediately obtaining all data on creation or update.
What's new?
Resource Types
- AWS > Neptune > DB Cluster Snapshot
Control Types
- AWS > Neptune > DB Cluster Snapshot > Active
- AWS > Neptune > DB Cluster Snapshot > Allowed
- AWS > Neptune > DB Cluster Snapshot > Allowed > Custom
- AWS > Neptune > DB Cluster Snapshot > Allowed > Region
- AWS > Neptune > DB Cluster Snapshot > CMDB
- AWS > Neptune > DB Cluster Snapshot > Discovery
- AWS > Neptune > DB Cluster Snapshot > Tags
- AWS > Neptune > DB Cluster Snapshot > Usage
Policy Types
- AWS > Neptune > Allowed Regions [Default]
- AWS > Neptune > DB Cluster Snapshot > Active
- AWS > Neptune > DB Cluster Snapshot > Active > Age
- AWS > Neptune > DB Cluster Snapshot > Active > Last Modified
- AWS > Neptune > DB Cluster Snapshot > Allowed
- AWS > Neptune > DB Cluster Snapshot > Allowed > Custom
- AWS > Neptune > DB Cluster Snapshot > Allowed > Custom > Rules
- AWS > Neptune > DB Cluster Snapshot > Allowed > Region
- AWS > Neptune > DB Cluster Snapshot > Allowed > Region > Regions
- AWS > Neptune > DB Cluster Snapshot > CMDB
- AWS > Neptune > DB Cluster Snapshot > Regions
- AWS > Neptune > DB Cluster Snapshot > Tags
- AWS > Neptune > DB Cluster Snapshot > Tags > Template
- AWS > Neptune > DB Cluster Snapshot > Usage
- AWS > Neptune > DB Cluster Snapshot > Usage > Limit
Action Types
- AWS > Neptune > DB Cluster Snapshot > Delete
- AWS > Neptune > DB Cluster Snapshot > Delete from AWS
- AWS > Neptune > DB Cluster Snapshot > Router
- AWS > Neptune > DB Cluster Snapshot > Set Tags
- AWS > Neptune > DB Cluster Snapshot > Skip alarm for Active control
- AWS > Neptune > DB Cluster Snapshot > Skip alarm for Active control [90 days]
- AWS > Neptune > DB Cluster Snapshot > Skip alarm for Tags control
- AWS > Neptune > DB Cluster Snapshot > Skip alarm for Tags control [90 days]
- AWS > Neptune > DB Cluster Snapshot > Update Tags
Note: We recommend updating the @turbot/aws-rds mod to v5.32.2 and the @turbot/aws mod to v5.40.0 for proper functionality.
What's new?
What's new?
- New tables added (#294)
Bug fixes
- Server:
- Materialization now handles invalid policy type mappings gracefully by skipping them instead of failing.
Requirements
- Upgrade to
5.54.2requires your workspace to be on5.53.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.56.0
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- UI
- Added Terraform import block generation to policy pack developer tab alongside existing import commands.
Bug fixes
- UI
- Control page policy lists now show complete trunk names without cutting them off.
- Resource page alert counts now accurately reflect the actual number of alerts
Requirements
- Upgrade to
5.53.6requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.55.0
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Updated permissions to support real-time event processing for DB cluster snapshot resources used by Neptune and DocDB services.
What's new?
Resource Types
- AWS > Doc DB > DB Cluster Snapshot
Control Types
- AWS > Doc DB > DB Cluster Snapshot > Active
- AWS > Doc DB > DB Cluster Snapshot > Allowed
- AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom
- AWS > Doc DB > DB Cluster Snapshot > Allowed > Region
- AWS > Doc DB > DB Cluster Snapshot > CMDB
- AWS > Doc DB > DB Cluster Snapshot > Discovery
- AWS > Doc DB > DB Cluster Snapshot > Tags
- AWS > Doc DB > DB Cluster Snapshot > Usage
Policy Types
- AWS > Doc DB > Allowed Regions [Default]
- AWS > Doc DB > DB Cluster Snapshot > Active
- AWS > Doc DB > DB Cluster Snapshot > Active > Age
- AWS > Doc DB > DB Cluster Snapshot > Active > Budget
- AWS > Doc DB > DB Cluster Snapshot > Active > Last Modified
- AWS > Doc DB > DB Cluster Snapshot > Allowed
- AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom
- AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom > Rules
- AWS > Doc DB > DB Cluster Snapshot > Allowed > Region
- AWS > Doc DB > DB Cluster Snapshot > Allowed > Region > Regions
- AWS > Doc DB > DB Cluster Snapshot > CMDB
- AWS > Doc DB > DB Cluster Snapshot > Regions
- AWS > Doc DB > DB Cluster Snapshot > Tags
- AWS > Doc DB > DB Cluster Snapshot > Tags > Template
- AWS > Doc DB > DB Cluster Snapshot > Usage
- AWS > Doc DB > DB Cluster Snapshot > Usage > Limit
Action Types
- AWS > Doc DB > DB Cluster Snapshot > Delete
- AWS > Doc DB > DB Cluster Snapshot > Delete from AWS
- AWS > Doc DB > DB Cluster Snapshot > Router
- AWS > Doc DB > DB Cluster Snapshot > Set Tags
- AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Active control
- AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Active control [90 days]
- AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Tags control
- AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Tags control [90 days]
- AWS > Doc DB > DB Cluster Snapshot > Update Tags
Note: We recommend updating the @turbot/aws-rds mod to v5.32.2 and the @turbot/aws mod to v5.40.0 for proper functionality.
What's new?
- New tables added: (#950)
What's new?
- New tables added (#283)
Enhancements
- Added
additional_datacolumn to theazuread_conditional_access_policytable. (#283)
Dependencies
- Recompiled plugin with github.com/microsoftgraph/msgraph-beta-sdk-go v0.151.0. (#283)
- Recompiled plugin with steampipe-plugin-sdk v5.13.1 that addresses critical and high vulnerabilities in dependent packages. (#288)
What's new?
- Firewall rules details will now be available in CMDB for workspaces.
- Security alert policy and vulnerability assessments details will now be available in CMDB for workspaces.
What's new?
- Firewall rules details will now be available in CMDB for redis cache.
What's new?
- Firewall rules details will now be available in CMDB for flexible servers.
Currently executing queries can now be efficiently stopped using the Cancel button in the query console.
For more information, check out the docs
All Steampipe plugins have been updated to use steampipe-plugin-sdk v5.13.1, which includes:
- Updated dependent packages to address critical and high vulnerabilities
- Upgraded Go version to
1.24
What's new?
- New tables added (#67)
Enhancements
- Added the following columns to the
microsoft365_drivetable: (#67)listownerquotasharepoint_idssystem
Bug fixes
- Fixed the
microsoft365_usertable to populate all the column values correctly. (#68)
Dependencies
- Recompiled plugin with msgraph-sdk-go v1.84.0. (#67)
- Recompiled plugin with Go version
1.24. (#66) - Recompiled plugin with steampipe-plugin-sdk v5.13.1 that addresses critical and high vulnerabilities in dependent packages. (#70)
Enhancements
- Added column
full_snapshot_size_in_bytestoaws_ebs_snapshottable. (#2652) (Thanks @bahybintang for the contribution!) - Added column
codetoaws_lambda_aliastable. (#2649)
Bug fixes
- Fixed the default rate limiter configuration for
AWS Kinesisservice tables. (#2644) (Thanks @pdecat for the contribution!)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.13.1 that addresses critical and high vulnerabilities in dependent packages. (#2649)
What's new?
- Server
Turbot > Notifications > Rule-Based Routingnow supports usingTurbot > Fileresources as notification templates — update the@turbot/turbotmod tov5.56.1or later to enable this feature.
Requirements
- Upgrade to
5.53.5requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.55.0
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Server
- Redis/Valkey connection management now tracks connection creation times for improved visibility and connection lifecycle tracking.
- Maintenance container logic refined to avoid errors when attempting to drop unique index constraints.
Requirements
- Upgrade to
5.53.4requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.55.0
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Users can now manage trusted access for layers. To get started, set the
AWS > Lambda > Function > Layer Trusted Access > *policies.
Control Types
- AWS > Lambda > Function > Layer Trusted Access
Policy Types
- AWS > Lambda > Function > Layer Trusted Access
- AWS > Lambda > Function > Layer Trusted Access > Accounts
Action Types
- AWS > Lambda > Function > Set Layer Trusted Access
What's new?
Policy Types
- AWS > Account > Allowed Regions [Default]
Bug Fixes
- Build: Restored CentOS/RHEL 9 compatibility by pinning the build image to an older libstdc++/GCC baseline. Previous build linked against newer GLIBCXX symbols, causing Tailpipe to fail on CentOS/RHEL 9.
Bug Fixes
- Build: Restored CentOS/RHEL 9 compatibility by pinning the build image to an older libstdc++/GCC baseline. Previous build linked against newer GLIBCXX symbols, causing Powerpipe to fail on CentOS/RHEL 9.
- Improve benchmark/detection summary chart width calculations. (#945)
- Fix filtering by false boolean values in tables. (#946)
What's new?
Resource Types
- Azure > Redis
- Azure > Redis > Redis Cache
Control Types
- Azure > Redis > Redis Cache > Active
- Azure > Redis > Redis Cache > CMDB
- Azure > Redis > Redis Cache > Discovery
- Azure > Redis > Redis Cache > Tags
Policy Types
- Azure > Redis > Approved Regions [Default]
- Azure > Redis > Enabled
- Azure > Redis > Permissions
- Azure > Redis > Permissions > Levels
- Azure > Redis > Permissions > Levels > Modifiers
- Azure > Redis > Redis Cache > Active
- Azure > Redis > Redis Cache > Active > Age
- Azure > Redis > Redis Cache > Active > Last Modified
- Azure > Redis > Redis Cache > CMDB
- Azure > Redis > Redis Cache > Regions
- Azure > Redis > Redis Cache > Tags
- Azure > Redis > Redis Cache > Tags > Template
- Azure > Redis > Regions
- Azure > Redis > Tags Template [Default]
- Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-redis
- Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-redis
Action Types
- Azure > Redis > Redis Cache > Delete
- Azure > Redis > Redis Cache > Router
- Azure > Redis > Redis Cache > Set Tags
What's new?
Resource Types
- Azure > Provider > Redis
Control Types
- Azure > Provider > Redis > CMDB
- Azure > Provider > Redis > Discovery
- Azure > Provider > Redis > Registered
Policy Types
- Azure > Provider > Redis > CMDB
- Azure > Provider > Redis > Registered
Action Types
- Azure > Provider > Redis > Set Registered
What's new?
- You can now configure anonymous pull access for registries. To get started, set the
Azure > Container Registry > Registry > Anonymous Pull Accesspolicy.
Control Types
- Azure > Container Registry > Registry > Anonymous Pull Access
Policy Types
- Azure > Container Registry > Registry > Anonymous Pull Access
Action Types
- Azure > Container Registry > Registry > Set Anonymous Pull Access
Bug fixes
- Fixed the
jira_issue_commenttable to correctly return data instead of an empty row whenissue_idis passed in as an optional qual when querying the table. (#190)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.13.1 that addresses critical and high vulnerabilities in dependent packages. (#191)
Bug fixes
- Re-added control
elb_application_lb_drop_http_headersto avoid breaking dependencies in other mods. (#943)
v0.16.0 of the Pipes SDK Go is now available.
What's new?
- AI Key Management APIs for
Tenants,UsersandOrganizations. - Workspace Conversations, Conversation Messages and Conversation Artifacts APIs for
UserWorkspacesandOrgWorkspaces. - Workspace AI Models APIs for
UserWorkspacesandOrgWorkspaces. - Service Account APIs.
- Added
ServiceStateenum to represent the state of a service. - Added
ModelStateenum to represent the state of an AI model. - Added
UserTypeenum to classify users.
Enhancements
- Added
AiEnabledattribute toTenantSettingsto allow enabling / disabling AI features at a tenant level. - Added
Typeattribute toUser(backed byUserType) to distinguish user types. - Added
TokenWithValueandCreateTokenRequestmodels to improve token creation workflows.
Bug fixes
- Controls for Lambda functions now use updated CMDB references in internal GraphQL queries. You will not notice any differences, and things will continue to work smoothly as before.
What's new?
- You can now configure anonymous auth for domains. To get started, set the
AWS > OpenSearch > Domain > Anonymous Authpolicy.
Control Types
- AWS > OpenSearch > Domain > Anonymous Auth
Policy Types
- AWS > OpenSearch > Domain > Anonymous Auth
Action Types
- AWS > OpenSearch > Domain > Disable Anonymous Auth
What's new?
- You can now configure URL auth type for functions. To get started, set the
AWS > Lambda > Function > URL Auth Typepolicy.
Bug fixes
Fixed action and control mappings in various control types and policy types.
We've removed the redundant
Configurationdetails for functions from the CMDB. We recommend updating your existing policy settings to reference the top-level attributes from the CMDB data instead.Removed: In AWS > Lambda > Function:
Configuration
Control Types
- AWS > Lambda > Function > URL Auth Type
Policy Types
- AWS > Lambda > Function > URL Auth Type
Action Types
- AWS > Lambda > Function > Update URL Auth Type
Bug fixes
- Controls for Lambda functions now use updated CMDB references in internal GraphQL queries. You will not notice any differences, and things will continue to work smoothly as before.
Bug fixes
- Guardrails would sometimes fail to process the real-time
ec2:DisableSnapshotBlockPublicAccessevent for EC2 Account Attributes correctly. This is now fixed.
Dependencies
- Recompiled plugin with tailpipe-plugin-sdk v0.9.4 that fixes an issue where
azure_blob_storagewas not working correctly as an artifact source. (#94)
What's new?
New benchmarks added:
- GitHub Security Log Detections benchmark (
powerpipe benchmark run github_security_log_detections.benchmark.security_log_detections). - MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run github_security_log_detections.benchmark.mitre_attack_v161).
- GitHub Security Log Detections benchmark (
New dashboards added:
Bug fixes
- Fixed the
cis_v400_8_1control to correctly reference thedataproc_cluster_encryption_with_cmekquery instead ofbigquery_dataset_not_publicly_accessible. (#218)
Dependencies
- Azure plugin v1.8.0 or higher is now required.
Enhancements
- Updated the
kubernetes_cluster_sku_standardquery to report clusters using theFreeSKU tier asalarm, ensuring consistency with the API response. (#340)
Bug fixes
- Fixed control and query name by renaming
elb_application_lb_drop_http_headerstoelb_application_lb_http_drop_invalid_header_enabledto correctly indicate that it checks whether Application Load Balancers are configured to drop invalid HTTP headers (not all headers). (#936) - Fixed the
iam_policy_no_full_access_to_kmscontrol to correctly referenceiam_policy_no_full_access_to_kmsquery instead ofiam_policy_no_full_access_to_cloudtrail. (#938)
Bug fixes
Server
- Resolved an issue where creating policy values could hang when related policies had no targets.
UI
- Policy value cards are now better aligned, improving readability and visual consistency.
- Smoothed out the header experience on the resources page by removing flicker.
Requirements
- Upgrade to
5.54.1requires your workspace to be on5.53.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.56.0
Base images
- Alpine: 3.17.5
- Ubuntu: 22.04.3
What's new?
- Server
- Increased type installation limit from 600 to 1500.
Bug fixes
- UI
- Policy value cards are now better aligned, improving readability and visual consistency.
- Smoothed out the header experience on the resources page by removing flicker.
Requirements
- Upgrade to
5.53.3requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.55.0
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Dependencies
- Recompiled plugin with Go version
1.24. - Recompiled plugin with steampipe-plugin-sdk v5.13.1 that addresses critical and high vulnerabilities in dependent packages.
We've added an AI-powered chat interface that unifies your entire cloud environment - AWS, Azure, GCP, GitHub, M365 and 80+ other services. Start conversations to get instant, accurate answers through natural language.
For more information, see the launch post or check out the docs.
What's new?
You now have more control over when Guardrails creates controls and policy values based on policy settings. Previously, Guardrails would evaluate all possible controls for every resource by default. With this release, Guardrails can be configured to only create controls impacted by policy settings, improving both user experience and backend performance.
The Turbot > Materialization policy supports two modes:
- Always (Default) — Create controls and policy values for all applicable resources, even if no setting exists. This matches legacy behavior.
- Automatic — Create controls and policy values only if a setting is explicitly defined for the primary policy. This can significantly reduce noise and improve performance.
Note that some types, such as those used to discover resources and configure accounts, are always created regardless of the materialization mode.
To get started, we recommend setting the Turbot > Materialization policy to Automatic and updating any cloud mods currently installed, like aws, aws-s3, azure, to their latest versions.
In the upcoming TE version, the default for the Turbot > Materialization policy will change from Always to Automatic. To retain the existing behavior, set the Turbot > Materialization policy to Always before upgrading to the next TE version.
Requirements
- Upgrade to
5.54.0requires your workspace to be on5.53.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.56.0
Base images
- Alpine: 3.17.5
- Ubuntu: 22.04.3
What's new?
- Added the
Turbot > Materializationpolicy to control when Guardrails creates controls and policy values, with modes forAlways(legacy behavior) andAutomatic(create only when explicitly set), reducing noise and improving performance.
Control Types
- Turbot > Policy Pack > Materialize
- Turbot > Guardrail > Materialize
- Turbot > Materialize
Policy Types
Turbot > Materialization
Renamed
- Turbot > Notifications > Email > CC > Tag > Name to Turbot > Notifications > Email > CC > Tag Name.
Deprecated
- Turbot > Notifications > Email > CC > Tag
Requirements
- TE: 5.35.4
What's new?
- You can now configure key based metadata write access for database accounts. To get started, set the
Azure > Cosmos DB > Database Account > Key Based Metadata Write Accesspolicy.
Control Types
- Azure > Cosmos DB > Database Account > Key Based Metadata Write Access
Policy Types
- Azure > Cosmos DB > Database Account > Key Based Metadata Write Access
Action Types
- Azure > Cosmos DB > Database Account > Set Key Based Metadata Write Access
Bug fixes
- All Lambda functions have been migrated to use AWS SDK v3, reducing the mod package size and improving deployment efficiency. You will not notice any differences, and things will continue to work smoothly as before.
Major Changes
Replace native Parquet conversion with a DuckLake database backend. (#546)
- DuckLake is DuckDB’s new lakehouse format: data remains in Parquet files, but metadata is efficiently tracked in a separate DuckDB database.
- DuckLake supports function-based partitioning, which allows data to be partitioned by year and month. This enables
efficient file pruning on
tp_timestampwithout needing a separatetp_datefilter. Atp_datecolumn will still be present for compatibility, but it is no longer required for efficient query filtering. - Existing data will be automatically migrated the next time Tailpipe runs. Migration does not
occur if progress output is disabled (
--progress=false) or when using machine-readable output (json,line,csv).
Note: For CentOS/RHEL users, the minimum supported version is now CentOS Stream 10 / RHEL 10 due to
libstdc++library compatibility.The
connectcommand now returns the path to an initialisation SQL script instead of the database path. (#550)- The script sets up DuckDB with required extensions, attaches the Tailpipe database, and defines views with optional filters.
- You can pass the generated script to DuckDB using the
--initargument to immediately configure the session. For example:
Note: The minimum supported DuckDB version is 1.4.0.duckdb --init $(tailpipe connect)
Bug Fixes
- Include partitions for local plugins in the
tailpipe plugin listcommand. (#538)
What's new
Updated the
tailpipeconnection to support the new Tailpipe v0.7.0 DuckLake backend. (#889)
Note: When using Powerpipe with Tailpipe v0.7.0, existing Tailpipe data must be migrated to DuckLake before running a dashboard that uses a Tailpipe backend. Data can be migrated by runningtailpipe query.Updated pipe-fittings to v2.7.0. (#760)
Note: For CentOS/RHEL users, the minimum supported version is now CentOS Stream 10 / RHEL 10 due to libstdc++ library compatibility.
What's new?
Server
- GitHub integration now supports importing GitHub Enterprise organizations, expanding coverage for enterprise users.
UI
- The main dashboard’s resource list is now split into favorites and accounts for easier navigation and prioritization.
- The GitHub import page now includes support for GitHub Enterprise.
Bug fixes
Server
- Resolved an issue that could prevent confirmation of SNS subscriptions during event handler setup for accounts.
- Resolved issues with incorrect index mapping definitions in the maintenance container.
UI
- Improved UI consistency and usability across policy value cards, control actions, and resource control lists.
Requirements
- Upgrade to
5.53.2requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.55.0
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Track and manage domain resources in Guardrails.
Resource Types
- AWS > OpenSearch > Domain
Control Types
- AWS > OpenSearch > Domain > Active
- AWS > OpenSearch > Domain > Approved
- AWS > OpenSearch > Domain > CMDB
- AWS > OpenSearch > Domain > Discovery
- AWS > OpenSearch > Domain > Tags
Policy Types
- AWS > OpenSearch > Domain > Active
- AWS > OpenSearch > Domain > Active > Age
- AWS > OpenSearch > Domain > Active > Last Modified
- AWS > OpenSearch > Domain > Approved
- AWS > OpenSearch > Domain > Approved > Custom
- AWS > OpenSearch > Domain > Approved > Regions
- AWS > OpenSearch > Domain > Approved > Usage
- AWS > OpenSearch > Domain > CMDB
- AWS > OpenSearch > Domain > Regions
- AWS > OpenSearch > Domain > Tags
- AWS > OpenSearch > Domain > Tags > Template
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-opensearch
Action Types
- AWS > OpenSearch > Domain > Delete
- AWS > OpenSearch > Domain > Delete from AWS
- AWS > OpenSearch > Domain > Router
- AWS > OpenSearch > Domain > Set Tags
- AWS > OpenSearch > Domain > Skip alarm for Active control
- AWS > OpenSearch > Domain > Skip alarm for Active control [90 days]
- AWS > OpenSearch > Domain > Skip alarm for Approved control
- AWS > OpenSearch > Domain > Skip alarm for Approved control [90 days]
- AWS > OpenSearch > Domain > Skip alarm for Tags control
- AWS > OpenSearch > Domain > Skip alarm for Tags control [90 days]
- AWS > OpenSearch > Domain > Update Tags
- Fixed queries to use
LEFT JOINinstead ofINNER JOINto ensure results are returned correctly. (#338)
What's new?
- Intelligent Assessment controls now also support OpenAI GPT-5 and Anthropic Claude Opus 4.1 models.
- All policy types across AWS, Azure, GCP, GitHub, Kubernetes, and ServiceNow mods now have an associated class. You will not notice any differences, and everything will continue to function smoothly as before.
Bug fixes
- Support for the contactable interface has been removed from all resource types except AWS Account, Azure Subscription, and GCP Project. As a result, the
Turbot > Notifications > Email > CC > Tag Namepolicy can no longer be explicitly set for the affected resource types.
What's new?
- You can now configure public network access for registries. To get started, set the
Azure > Container Registry > Registry > Public Network Accesspolicy.
Control Types
- Azure > Container Registry > Registry > Public Network Access
Policy Types
- Azure > Container Registry > Registry > Public Network Access
Action Types
- Azure > Container Registry > Registry > Set Public Network Access
Bug fixes
- Various controls sometimes failed to evaluate their dependent policies correctly, which led to the controls failing without explicitly throwing errors. This issue has been fixed, and such controls will now work as expected.
What's new?
- You can now configure public network access for API management services. To get started, set the
Azure > API Management > API Management Service > Public Network Accesspolicy.
Control Types
- Azure > API Management > API Management Service > Public Network Access
Policy Types
- Azure > API Management > API Management Service > Public Network Access
Action Types
- Azure > API Management > API Management Service > Set Public Network Access
Enhancements
- Added column
support_planto theazure_kubernetes_clustertable. (#944) (Thanks @pdecat for the contribution!)
Bug fixes
- Fixed the common
subscription_idcolumn across all Azure tables to always fetch the value from the API, ensuring consistency and avoiding mismatches with subscription IDs set via connection config arguments or environment variables. (#948)
Enhancements
- Added
physical_resource_idcolumn as an optional qualifier to theaws_cloudformation_stack_resourcetable. (#2635) - Added
metadatacolumn toaws_cloudformation_stack_resourcetable. (#2635) - Added default rate limit configuration for
AWS Lambdaservice tables. (#2561)
Bug fixes
- Fixed the
aws_availability_zonetable to respectignore_error_codesandignore_error_messagesconnection config arguments. (#2640)
What's new?
- You can now import GitHub Enterprise organizations in Guardrails. To get started, select GitHub Enterprise Organization from the Connect screen and configure details. We recommend upgrading TE to v5.53.2 for this change to take effect.
- Added support for
classattribute for various policy types.
Policy Types
- GitHub > Config > Base URL
Resource Types
- AWS > IAM > Service Specific Credential
Control Types
- AWS > IAM > Service Specific Credential > Active
- AWS > IAM > Service Specific Credential > Approved
- AWS > IAM > Service Specific Credential > CMDB
- AWS > IAM > Service Specific Credential > Discovery
Policy Types
- AWS > IAM > Service Specific Credential > Active
- AWS > IAM > Service Specific Credential > Active > Age
- AWS > IAM > Service Specific Credential > Active > Last Modified
- AWS > IAM > Service Specific Credential > Approved
- AWS > IAM > Service Specific Credential > Approved > Custom
- AWS > IAM > Service Specific Credential > Approved > Usage
- AWS > IAM > Service Specific Credential > CMDB
Action Types
- AWS > IAM > Service Specific Credential > Delete
- AWS > IAM > Service Specific Credential > Delete from AWS
- AWS > IAM > Service Specific Credential > Router
- AWS > IAM > Service Specific Credential > Skip alarm for Active control
- AWS > IAM > Service Specific Credential > Skip alarm for Active control [90 days]
- AWS > IAM > Service Specific Credential > Skip alarm for Approved control
- AWS > IAM > Service Specific Credential > Skip alarm for Approved control [90 days]
Enhancements
- Added default rate limiter configurations for GCP Resource Manager, Compute Engine, Storage, Secret Manager, Logging, Pub/Sub, IAM, Cloud Functions, and Cloud DNS tables. (#779)
What's new?
- New tables added
Dependencies
- Recompiled plugin with Go version
1.24. (#267) - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages. (#267)
What's new?
- You can now configure Encryption at Rest for agents. To get started, set the
AWS > Bedrock > Agent > Encryption at Rest > *policies.
Bug fixes
- The
promptOverrideConfiguration.promptConfigurationsattribute for agents has now been made dynamic to avoid unnecessary notifications in the activity tab.
Control Types
- AWS > Bedrock > Agent > Encryption at Rest
Policy Types
- AWS > Bedrock > Agent > Encryption at Rest
- AWS > Bedrock > Agent > Encryption at Rest > Customer Managed Key
Action Types
- AWS > Bedrock > Agent > Update Encryption at Rest
Breaking changes
- jira_issue_comment table now requires an
issue_idfilter in theWHEREorJOINclause. (#180)
Enhancements
- Updated the
jira_issuetable to use the latest Jira Cloud platform REST API. (#180)
Bug fixes
- Fixed the
jira_issue_worklogtable to correctly populate theissue_idcolumn when provided as a query parameter. (#164)
Dependencies
- Recompiled plugin with Go version
1.24. (#175) - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages. (#175)
What's new?
- Added support for the
DD_CLIENT_API_URLenvironment variable to configure theapi_urlconnection argument. Please refer to the Configuration section for more details. (#92) (Thanks @l-teles for the contribution!)
Dependencies
- Recompiled plugin with Go version
1.24. (#89) - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages. (#89)
Deprecations
- crowdstrike_detection table has been deprecated due to missing API support. It will be removed in a future major release. Please use crowdstrike_alert table instead. (#57)
What's new?
- New tables added
Dependencies
- Recompiled plugin with
github.com/crowdstrike/gofalconwith v0.16.0. (#57) - Recompiled plugin with Go version
1.24. (#55) - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages. (#55)
What's new?
- Server
- Added support for the class property in policy types.
Requirements
- Upgrade to
5.53.1requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.55.0
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Fixed service title to
CodeArtifact.
Resource Types
Renamed
- AWS > Code Artifact to AWS > CodeArtifact
Policy Types
Renamed
- AWS > Code Artifact > API Enabled to AWS > CodeArtifact > API Enabled
- AWS > Code Artifact > Enabled to AWS > CodeArtifact > Enabled
- AWS > Code Artifact > Permissions to AWS > CodeArtifact > Permissions
- AWS > Code Artifact > Permissions > Levels to AWS > CodeArtifact > Permissions > Levels
- AWS > Code Artifact > Permissions > Levels > Modifiers to AWS > CodeArtifact > Permissions > Levels > Modifiers
- AWS > Code Artifact > Permissions > Lockdown to AWS > CodeArtifact > Permissions > Lockdown
- AWS > Code Artifact > Permissions > Lockdown > API Boundary to AWS > CodeArtifact > Permissions > Lockdown > API Boundary
Bug fixes
- Removed the unnecessary
AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifactpolicy.
Policy Types
Removed
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifact
What's new?
Resource Types
- AWS > Code Artifact
Policy Types
- AWS > Code Artifact > API Enabled
- AWS > Code Artifact > Enabled
- AWS > Code Artifact > Permissions
- AWS > Code Artifact > Permissions > Levels
- AWS > Code Artifact > Permissions > Levels > Modifiers
- AWS > Code Artifact > Permissions > Lockdown
- AWS > Code Artifact > Permissions > Lockdown > API Boundary
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifact
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-codeartifact
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-codeartifact
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-codeartifact
Custom tenant and organization member pages now allow for creation and management of service accounts. Service accounts are a specialized type of user designed for programmatic access to Turbot Pipes.
For more information, check out the tenant or organization member docs.
What's new?
- Server
- Added support for the Storage token audience in the Azure credential resolver.
Bug fixes
- Server
- Creating a new workspace now correctly adds the missing policy pack (aka) for Smart Folder resource types.
- Numeric values in wildcard tag filters are now processed correctly.
Requirements
- Upgrade to
5.52.5requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- The
Azure > Storage > Storage Account > CMDBno longer requires thelistkeyspermission on storage accounts to fetch details for Blob, Queue, and File Share services. We recommend upgrading TE tov5.52.5for this change to take effect.
Bug fixes
- The
AWS > S3 > Bucket > Encryption In Transitcontrol previously required an Encryption in Transit policy statement with the SidMustBeEncryptedInTransitand the condition"aws:SecureTransport": "false". This sometimes caused the control to incorrectly enter an alarm state when the bucket had the correct condition but a different Sid. The control has been updated to check only for the relevant Encryption in Transit condition, without explicitly requiring the SidMustBeEncryptedInTransit.
What's new?
- New tables added
Dependencies
- Recompiled plugin with Go version
1.24. (#509) - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages. (#509)
Enhancements
- Added
DefaultRetryConfigto the plugin, enabling automatic retries on rate limit errors and improving overall query stability and performance. (#55)
Dependencies
- Recompiled plugin with Go version
1.24. (#52) - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages. (#52)
v0.16.0 of the Terraform Provider for Pipes is now available.
What's new?
- Updated
hashicorp/terraform-plugin-sdktov2.37.0 - Updated
go-kittov1.3.0
Enhancements
- The following resources now support write-only configuration with new
config_woandconfig_wo_versionargumentsresources/pipes_connectionresources/pipes_organization_connectionresources/pipes_tenant_connectionresources/pipes_workspace_connectionresources/pipes_organization_integrationresources/pipes_tenant_integrationresources/pipes_user_integration
Dependencies
- Recompiled plugin with github.com/grafana/grafana-openapi-client-go. (#47)
- Recompiled plugin with Go version
1.24. (#45) - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages. (#45)
What's new?
- New tables added
Bug fixes
- The
Azure > Storage > Storage Account > Data Protection > Soft Deletecontrol will no longer attempt to apply soft delete settings if Guardrails does not have the required permissions to read or write soft delete data. Instead, it will transition to an invalid state.
Dependencies
- AWS plugin
v1.23.0or higher is now required. (#932)
Enhancements
- Added 42 new controls to the
AWS Foundational Security Best Practicesbenchmark, expanding coverage across multiple AWS services, including DocumentDB, EC2, EFS, ELB, EMR, Glue, GuardDuty, Inspector, MQ, MSK, NetworkFirewall, Redshift, S3, SageMaker, Service Catalog, SSM, and Transfer. (#932)
What's new?
- Users can now manage trusted access for datasets. To get started, set the
GCP > BigQuery > Dataset > Policy > Trusted Access > *policies.
Control Types
- GCP > BigQuery > Dataset > Policy
- GCP > BigQuery > Dataset > Policy > Trusted Access
Policy Types
- GCP > BigQuery > Dataset > Policy
- GCP > BigQuery > Dataset > Policy > Trusted Access
- GCP > BigQuery > Dataset > Policy > Trusted Access > Domains
- GCP > BigQuery > Dataset > Policy > Trusted Access > Groups
- GCP > BigQuery > Dataset > Policy > Trusted Access > Service Accounts
- GCP > BigQuery > Dataset > Policy > Trusted Access > Users
Action Types
- GCP > BigQuery > Dataset > Set Trusted Access
Bug fixes
- The
Azure > PostgreSQL > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
What's new?
- New tables added (Thanks @Theo-Bouguet for the contribution!!)
What's new?
- Server
- The
Turbot > Notifications > CC > Tagpolicy is no longer checked; resource tags previously specified inTurbot > Notifications > CC > Tag > Nameare now associated with theAccount/CCpolicy instead of being evaluated independently.
- The
Bug fixes
- Server
- Policy settings now return results correctly for policies inside Policy Packs when you have valid access.
Requirements
- Upgrade to
5.52.4requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- You can now configure and manage project role bindings for service accounts. To get started, set the
GCP > IAM > Service Account > Project Role Bindings > *policies.
Control Types
- GCP > IAM > Service Account > Project Role Bindings
- GCP > IAM > Service Account > Project Role Bindings > Approved
Policy Types
- GCP > IAM > Service Account > Project Role Bindings
- GCP > IAM > Service Account > Project Role Bindings > Approved
- GCP > IAM > Service Account > Project Role Bindings > Approved > Rules
Action Types
- GCP > IAM > Service Account > Update Project Role Bindings
Bug fixes
- The
Azure > Azure > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > MySQL > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Monitor > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Data Factory > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Cosmos DB > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Automation > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug Fixes
- Fix issue where the
databaseargument from a query resource was not respected. (#829) - Fix issue where the default config path was not resolved correctly. The default is the
mod-location, followed by the$POWERPIPE_INSTALL_DIR/config. Also thePOWERPIPE_CONFIG_PATHenvironment variable was not respected. (#898) - Fix issue where
pie/donutcharts were not rendering correctly on boolean values. (#433)
Dependencies
- Upgrade
hashicorp/go-getter,sha.jsandcipher-baseto remediate critical and high vulnerabilities.
Bug fixes
- CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to
Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.
Bug fixes
- CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to
Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.
What's new?
- Server
- Controls now wait for dependent policy values to finish processing, preventing redundant runs and duplicate execution attempts.
Bug fixes
- Server
- Restrict smart folder and policy pack to create exception if there is a top level setting available.
Requirements
- Upgrade to
5.53.0requires your workspace to be on5.51.x - TEF: 1.66.0
- TED: 1.9.1
- Mods:
- @turbot/turbot: 5.55.0
Base images
- Alpine: 3.17.5
- Ubuntu: 22.04.3
What's new?
- You can now configure boot diagnostics for virtual machines. To get started, set the
Azure > Compute > Virtual Machine > Update Boot Diagnosticspolicy.
Control Types
- Azure > Compute > Virtual Machine > Boot Diagnostics
Policy Types
- Azure > Compute > Virtual Machine > Boot Diagnostics
- Azure > Compute > Virtual Machine > Boot Diagnostics > Custom Storage Account
Action Types
- Azure > Compute > Virtual Machine > Update Boot Diagnostics
Bug fixes
- Web App and Function App metadata will now also include
createdBydetails in Guardrails CMDB.
Bug fixes
- Optimized the
Azure > Active Directory > Directory > Discoverycontrol to run more efficiently and prevent unnecessary resource updates, thereby reducing CMDB churn.
What's new?
- You can now configure organization restrictions for AWS Lambda function policies. To get started, configure the AWS > Lambda > Function > Policy > Trusted Access > Organization Restrictions policy accordingly.
Policy Types
- AWS > Lambda > Function > Policy > Trusted Access > Organization Restrictions
- AWS > Lambda > Trusted Organizations [Default]
- New tables added
- hcloud_firewall (#47) (Thanks @kuang87 for the contribution!!)
Bug fixes
- Fixed the
bound_tocolumn ofhcloud_imagetable to correctly return data instead of an error. (#48) (Thanks @kuang87 for the contribution!!)
Dependencies
- Recompiled plugin with Go version
1.24. - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
Bug fixes
- Fixed the example query in the plugin documentation to use the correct column name
exec_outputinstead ofoutput. (#63) (Thanks @pdecat for the contribution!!)
Dependencies
- Recompiled plugin with Go version
1.24. - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
What's new?
- New tables added
- aws_ec2_spot_fleet_request (#2599)
- aws_glue_ml_transform (#2610)
- aws_inspector2_organization_configuration (#2608)
- aws_mskconnect_connector (#2603)
- aws_s3_directory_bucket (#2618)
- aws_servicecatalog_portfolio_share (#2612)
- aws_ssm_service_setting (#2611)
- aws_transfer_connector (#2606)
- aws_vpc_block_public_access_options (#2595)
Enhancements
- Added columns
tagsandtags_srctoaws_ec2_load_balancer_listener_ruletable. (#2625) - Added column
multi_aztoaws_redshift_clustertable. (#2617)
Bug fixes
- Fixed the
aws_cloudformation_stack_resourcetable to correctly return data instead of an error. (#2622)
Dependencies
- AWS plugin
v1.22.0or higher is now required. (#930)
Enhancements
- Added 47 new controls to the
AWS Foundational Security Best Practicesbenchmark, expanding coverage across multiple AWS services, including AppSync, Athena, CodeBuild, Cognito, Data Firehose, DataSync, DMS, EC2, EFS, FSx, RDS, Kinesis, KMS, Redshift Serverless, SQS, SNS, Transfer, WorkSpaces, SageMaker, and DynamoDB. (#930)
Preview
All of the following resource types, policy types, and control types are currently in preview and may change in future releases.
Resource Types:
- Turbot > Rollout
- Turbot > Guardrail
Policy Types:
- Turbot > Notifications > Email > Rollout > Check Template
- Turbot > Notifications > Email > Rollout > Check Template > Warning Body
- Turbot > Notifications > Email > Rollout > Check Template > Warning Subject
- Turbot > Notifications > Email > Rollout > Check Template > Welcome Body
- Turbot > Notifications > Email > Rollout > Check Template > Welcome Subject
- Turbot > Notifications > Email > Rollout > Detach Template
- Turbot > Notifications > Email > Rollout > Detach Template > Warning Body
- Turbot > Notifications > Email > Rollout > Detach Template > Warning Subject
- Turbot > Notifications > Email > Rollout > Enforce Template
- Turbot > Notifications > Email > Rollout > Enforce Template > Warning Body
- Turbot > Notifications > Email > Rollout > Enforce Template > Warning Subject
- Turbot > Notifications > Email > Rollout > Enforce Template > Welcome Body
- Turbot > Notifications > Email > Rollout > Enforce Template > Welcome Subject
- Turbot > Notifications > Email > Rollout > Preview Template
- Turbot > Notifications > Email > Rollout > Preview Template > Warning Body
- Turbot > Notifications > Email > Rollout > Preview Template > Warning Subject
- Turbot > Notifications > Email > Rollout > Preview Template > Welcome Subject
- Turbot > Notifications > Email > Rollout > Preview Template > Welcome Body
Control types
- Turbot > Rollout > Events
Bug fixes
- The
AWS > EC2 > Target Group > Discoverycontrol could previously enter an error state when upserting a target group whose parent load balancer was not available in CMDB. We have improved this process so that all target groups are now upserted under a region, ensuring better consistency and reliability. Existing target groups under load balancers will also be moved under their respective regions automatically.
What's new?
- New tables added: (Thanks @xybytes for the new plugin!)
What's new?
- New tables added
- okta_authenticator (#182) (Thanks @ameyer117 for the contribution!!)
Bug fixes
- Fixed the
okta_network_zonetable to correctly return data instead of an error. (#160)
Dependencies
- Recompiled plugin with Go version
1.24. - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
What's new?
- You can now configure soft delete for file shares in storage accounts. To get started, configure the
Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares > *policies accordingly. - Delete retention policy details for file share will now be available in CMDB for Storage Accounts.
Policy Types
- Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares
- Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares > Retention Days
Bug fixes
- The
Azure > Relay > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Recovery Service > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Key Vault > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > DNS > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Databricks > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
What's new?
Bug fixes
- The
Azure > Synapse Analytics > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > SQL Virtual Machine Service > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > SignalR Service > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Service Bus > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
Azure > Network > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource. - The
Azure > Network > Bastion Host > Discoverycontrol previously could inadvertently upsert bastion hosts under incorrect resource groups. This issue has been resolved, and the control now upserts bastion hosts more reliably and consistently.
Bug fixes
- The
Azure > Log Analytics > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- The
AWS > Backup > Recovery Point > CMDBcontrol previously ran every minute if a recovery point’sCalculatedLifecycle.DeleteAttimestamp was already in the past. It now deletes expired recovery points and no longer re-runs automatically when the next tick is also in the past.
Breaking changes
Configuration Changes
- The plugin configuration format has changed to support the REST API.
- You must now configure either OAuth client credentials or an access token for authentication. Please refer to the Configuration section for additional information.
API Migration
- Migrated from Vanta's deprecated GraphQL API to the new REST API.
- Queries, dashboards, and benchmarks that reference removed columns (listed below) will fail until updated.
Removed Columns
vanta_computeragent_versionhostnamehost_identifierlast_pingnum_browser_extensionsendpoint_applicationsinstalled_av_programsinstalled_password_managersunsupported_reasonsorganization_name
vanta_evidencetitleevidence_request_idcategoryuidapp_upload_enabledrestricteddismissed_statusrenewal_metadataorganization_name
vanta_groupchecklistembedded_idp_grouporganization_name
vanta_integrationdescriptionapplication_urlinstallation_urllogo_slug_idcredentialsintegration_categoriesservice_categoriesorganization_name
vanta_monitorcontrolsorganization_name
vanta_policypolicy_typecreated_atupdated_atemployee_acceptance_test_idnum_usersnum_users_acceptedsourceacceptance_controlsapproverstandardsuploaded_docuploaderorganization_name
vanta_useris_from_scanneeds_employee_digest_reminderis_not_human
vanta_vendorvendor_risk_lockedownerrisk_profileorganization_name
Migration Notes
- Reason for change: Vanta has ended GraphQL API support; the REST API is now the only supported interface.
- Action required:
- Update SQL queries to remove or replace references to removed columns.
- Review table documentation for updated field availability.
Deprecations
- The
cloudflare_firewall_ruletable has been deprecated. Please usecloudflare_rulesettable instead. (#166) - The following columns have been deprecated due to lack of API support and will be fully removed in the future major release: (#166)
cloudflare_account_membercode
cloudflare_dns_recordlocked
cloudflare_logpush_jobfrequencylogpull_options
cloudflare_userapi_key
cloudflare_zoneplan_pendingsettings
What's new?
- New tables added
- cloudflare_custom_page (#176) (Thanks @Theo-Bouguet for the contribution!!)
- cloudflare_logpush_job (#177) (Thanks @Theo-Bouguet for the contribution!!)
- cloudflare_notification (#179) (Thanks @Theo-Bouguet for the contribution!!)
- cloudflare_ruleset (#166)
- cloudflare_zone_setting (#170)
- cloudflare_zone (#170)
Enhancements
- Added the following new columns to the
cloudflare_zonetable: (#174) (Thanks @Theo-Bouguet for the contribution!!)smart_tiered_cacheregional_tiered_cacheargo_tiered_cachingargo_smart_routingbot_managementsecurity_txt
- Added columns
account_nameandhealthto thecloudflare_load_balancer_pooltable. (#175) (Thanks @Theo-Bouguet for the contribution!!) - Added
max_request_timeoutandmax_retriesconfig arguments to effectively manage the plugin's rate limiting errors. (#166)
Bug fixes
- Fixed the
ttlcolumn incloudflare_dns_recordtable to correctly return data instead ofnull. (#173) (Thanks @Theo-Bouguet for the contribution!!)
Dependencies
- Recompiled plugin with cloudflare-go v4.2.0. (#166)
- Recompiled plugin with Go version
1.24. - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
What's new?
- Added support for
tagsattribute in theturbot_policy_packresource. This will allow users to manage tags on policy packs.
Minimum version requirements:
TE v5.52.3
What's new?
- Server
- Added support for tags in policy packs, making it easier to organize and filter them.
Note
Upgrade to 5.52.3 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
GCP > Turbot > Event Handlers > Pub/Sub > Sourcepolicy could previously evaluate incorrectly immediately after a GCP Project import if the Project CMDB data was not up to date. The policy now checks theGCP > Project > CMDBcontrol and evaluates only when that control has run successfully and is in an OK state, preventing incorrect results and improving clarity. - Event Poller controls now display improved help messages when the API used to fetch events returns an error, instead of only logging the errors under Activities.
Action Types Removed
- GCP > Folder > Event Poller
- GCP > Organization > Event Poller
- GCP > Project > Event Poller
Bug fixes
- The
Azure > Compute > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Bug fixes
- We have updated the internal GraphQL queries for the
AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removedcontrol to improve performance when evaluating the control’s outcome. There are no visible changes, but things will run smoother and faster than before.
Note: We recommend updating the @turbot/aws-ec2 mod to v5.46.2 for proper functionality.
Policy Types
- AWS > PCI v3.2.1 > EC2
- AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed
Bug fixes
- Added additional metadata for associated security groups to the CMDB data for network interfaces for internal performance improvements.
What's new?
- New tables added
Enhancements
- Added
api_cachecolumn toaws_appsync_graphql_apitable. (#2591)
What's new?
- New tables added: (#80)
Enhancements
- Updated all top-level benchmark titles to include
AWSfor clearer cloud provider identification. (#924) - Added
databasevariable to configure the Steampipe database connection string, defaulting toconnection.steampipe.default. (#926) - Added new automated query implementations for the following CIS controls: (#927)
cis_v120_1_19cis_v130_1_18cis_v140_1_18cis_v150_1_18cis_v200_1_18cis_v300_1_18cis_v400_1_18cis_v500_1_17
- Added
ec2_instance_using_iam_instance_roleandiam_root_user_account_console_access_mfa_enabledqueries to theAll AWS Compliance Controlsbenchmark. (#927)
v0.15.3 of the Terraform Provider for Pipes is now available.
What's new?
- Updated
pipes-sdk-gotov0.15.0. - New Resource:
pipes_tenant_settings
Enhancements
resources/pipes_connection: Added attributesstatus,last_error_at,last_error_process_id,last_successful_update_at,last_successful_update_process_id,last_update_attempt_at,last_update_attempt_process_id.resources/pipes_organization_connection: Added attributesstatus,last_error_at,last_error_process_id,last_successful_update_at,last_successful_update_process_id,last_update_attempt_at,last_update_attempt_process_id.resources/pipes_tenant: Added attributetoken_min_issued_at.resources/pipes_tenant_connection: Added attributesstatus,last_error_at,last_error_process_id,last_successful_update_at,last_successful_update_process_id,last_update_attempt_at,last_update_attempt_process_id.resources/pipes_workspace_connection: Added attributesstatus,last_error_at,last_error_process_id,last_successful_update_at,last_successful_update_process_id,last_update_attempt_at,last_update_attempt_process_id.
v0.15.0 of the Pipes SDK Go is now available.
Enhancements
- Added extra attributes to
Connectionto supportStatus,LastErrorAt,LastErrorProcessId,LastSuccessfulUpdateAt,LastSuccessfulUpdateProcessId,LastUpdateAttemptAtandLastUpdateAttemptProcessIdto track the connection status and last update attempts. - Added extra attributes to
WorkspaceConnectionto supportStatus,LastErrorAt,LastErrorProcessId,LastSuccessfulUpdateAt,LastSuccessfulUpdateProcessId,LastUpdateAttemptAtandLastUpdateAttemptProcessIdto track the connection status and last update attempts. - Added
ConnectionIdattribute toSpProcessto track the connection associated with a process. - Added
TokenMinIssuedAtattribute toTenantto determine the time after which tokens will be accepted for this tenant. - Added extra attributes to
TenantSettingsto supportMaxTokenExpiration,CliSessionTimeout,ConsoleSessionTimeoutandPostgresEnabledto manage tenant settings around timeouts, tokens and direct database access. - Added extra attributes to
Tokento supportCreatedBy,CreatedById,UpdatedBy,UpdatedById,ExpiresAt,Title,DescriptionandTokenTypeto provide more context and control over tokens. - Added
BillingModeattribute toUsageMetricto denote the billing mode for the metric.
What's new?
- Added
ConnectionStatusenum to represent the status of a connection. - Added
PostgresEndpointStateenum to represent the state of the Postgres endpoint. - Added
UsageBillingModeTypeenum to represent the billing mode for usage metrics.
What's new?
- Track and manage delivery, delivery destination, delivery source, and destination resources in Guardrails.
Resource Types
- AWS > Logs > Delivery
- AWS > Logs > Delivery Destination
- AWS > Logs > Delivery Source
- AWS > Logs > Destination
Control Types
- AWS > Logs > Delivery > Active
- AWS > Logs > Delivery > CMDB
- AWS > Logs > Delivery > Discovery
- AWS > Logs > Delivery > Tags
- AWS > Logs > Delivery Destination > Active
- AWS > Logs > Delivery Destination > CMDB
- AWS > Logs > Delivery Destination > Discovery
- AWS > Logs > Delivery Destination > Tags
- AWS > Logs > Delivery Source > Active
- AWS > Logs > Delivery Source > CMDB
- AWS > Logs > Delivery Source > Discovery
- AWS > Logs > Delivery Source > Tags
- AWS > Logs > Destination > Active
- AWS > Logs > Destination > CMDB
- AWS > Logs > Destination > Discovery
Policy Types
- AWS > Logs > Delivery > Active
- AWS > Logs > Delivery > Active > Age
- AWS > Logs > Delivery > Active > Budget
- AWS > Logs > Delivery > Active > Last Modified
- AWS > Logs > Delivery > CMDB
- AWS > Logs > Delivery > Regions
- AWS > Logs > Delivery > Tags
- AWS > Logs > Delivery > Tags > Template
- AWS > Logs > Delivery Destination > Active
- AWS > Logs > Delivery Destination > Active > Age
- AWS > Logs > Delivery Destination > Active > Budget
- AWS > Logs > Delivery Destination > Active > Last Modified
- AWS > Logs > Delivery Destination > CMDB
- AWS > Logs > Delivery Destination > Regions
- AWS > Logs > Delivery Destination > Tags
- AWS > Logs > Delivery Destination > Tags > Template
- AWS > Logs > Delivery Source > Active
- AWS > Logs > Delivery Source > Active > Age
- AWS > Logs > Delivery Source > Active > Budget
- AWS > Logs > Delivery Source > Active > Last Modified
- AWS > Logs > Delivery Source > CMDB
- AWS > Logs > Delivery Source > Regions
- AWS > Logs > Delivery Source > Tags
- AWS > Logs > Delivery Source > Tags > Template
- AWS > Logs > Destination > Active
- AWS > Logs > Destination > Active > Age
- AWS > Logs > Destination > Active > Budget
- AWS > Logs > Destination > Active > Last Modified
- AWS > Logs > Destination > CMDB
- AWS > Logs > Destination > Regions
Action Types
- AWS > Logs > Delivery > Delete
- AWS > Logs > Delivery > Router
- AWS > Logs > Delivery > Update Tags
- AWS > Logs > Delivery Destination > Delete
- AWS > Logs > Delivery Destination > Router
- AWS > Logs > Delivery Destination > Update Tags
- AWS > Logs > Delivery Source > Delete
- AWS > Logs > Delivery Source > Router
- AWS > Logs > Delivery Source > Update Tags
- AWS > Logs > Destination > Delete
- AWS > Logs > Destination > Router
Bug fixes
- Guardrails stack controls would fail to claim any existing OpenID Connect provider if the OpenID Connect provider was available in Guardrails CMDB and the stack's Source policy included the Terraform plan for the OpenID Connect provider. This is fixed and stack control will now be able to claim existing OpenID Connect providers correctly.
Enterprise plan now has tenant settings allowing owners to control direct access to Steampipe PostgreSQL endpoints.
For more information, check out the docs
Users can now create up to five tokens. You can also set an expiration for each token and optionally add a title to make them easier to identify in your token list.
For enterprise plan customers, we've introduced a new Maximum Token Expiration tenant setting. This lets you control the maximum lifespan of tokens created within your tenant.
For more information, check out the docs
What's new?
- Server
- Added retry mechanism for Mod expired URL errors.
Bug Fixes
Server
- Turbot > Workspace > Background Tasks now ignore deleted resources.
- Resolved an issue where the worker could crash while processing errors.
- Addressed a cleanup script bug that was incorrectly removing active Lambda version aliases and associated topics. The script now deletes only unused resources.
UI
- Saving in the calculated policy editor is now prevented if there is an error.
- Alignment of
Notein the policy tab is now consistent across all entries. - Multi-step queries in the calculated policy editor are now displayed correctly as separate steps.
- Policy packs no longer show a blank page when the description is missing.
- Policy Pack details screen should not show summary when AI summary is disabled.
Note
Upgrade to 5.52.2 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
Azure > Storage > Storage Account > CMDBcontrol previously encountered errors with Premium storage accounts when attempting to access unsupported Table services. This has now been resolved.
Dependencies
- Azure plugin v1.6.0 or higher is now required.
Enhancements
- Added the following controls to
All Azure Compliance Controls: (#328)databricks_workspace_diagnostic_log_delivery_configureddatabricks_workspace_subnet_with_nsg_configuredkeyvault_key_automatic_rotation_enablednetwork_security_group_https_port_80_443_access_restrictedstorage_account_blob_and_container_soft_delete_enabledstorage_account_file_share_smb_channel_encryption_aes_256_gcmstorage_account_file_share_smb_protocol_version_3_1_1
- Added new automated query implementations for the following CIS controls: (#328)
cis_v400_10_1_2cis_v400_10_1_3cis_v400_3_1_7cis_v400_6_2_1cis_v400_7_1_1_7cis_v400_9_3_9
- Updated all top-level benchmark titles to include
Azurefor clearer cloud provider identification. (#334)
Bug fixes
- Fixed several CIS controls to use the correct Azure service tags. (#328)
What's new?
- Turbot > Workspace > Background Tasks will no longer go into an error state if the resource does not exist.
Requirements
- TE: 5.35.4
What's new?
- Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Bug fixes
- The
Azure > Storage > Storage Account > CMDBcontrol now stores details of API calls that fail due to insufficient permissions granted to Guardrails' service principal. This enables Guardrails to mark controls that depend on the respective data as invalid, rather than enforcing settings unnecessarily.
Control Types
- Azure > Storage > Storage Account > Stack [Native]
Policy Types
- Azure > Storage > Storage Account > Stack [Native]
- Azure > Storage > Storage Account > Stack [Native] > Drift Detection
- Azure > Storage > Storage Account > Stack [Native] > Drift Detection > Interval
- Azure > Storage > Storage Account > Stack [Native] > Modifier
- Azure > Storage > Storage Account > Stack [Native] > Secret Variables
- Azure > Storage > Storage Account > Stack [Native] > Source
- Azure > Storage > Storage Account > Stack [Native] > Timeout
- Azure > Storage > Storage Account > Stack [Native] > Variables
- Azure > Storage > Storage Account > Stack [Native] > Version
What's new?
- Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- Azure > Key Vault > Vault > Stack [Native]
Policy Types
- Azure > Key Vault > Vault > Stack [Native]
- Azure > Key Vault > Vault > Stack [Native] > Drift Detection
- Azure > Key Vault > Vault > Stack [Native] > Drift Detection > Interval
- Azure > Key Vault > Vault > Stack [Native] > Modifier
- Azure > Key Vault > Vault > Stack [Native] > Secret Variables
- Azure > Key Vault > Vault > Stack [Native] > Source
- Azure > Key Vault > Vault > Stack [Native] > Timeout
- Azure > Key Vault > Vault > Stack [Native] > Variables
- Azure > Key Vault > Vault > Stack [Native] > Version
Bug fixes
- Fixed invalid CMDB references for the
Zone,Region,Multi-Region, andGlobal Regionresource types that caused theRelationshipsandImport Setcontrols to enter an error state. The controls now run reliably without errors.
Bug fixes
- The
AWS > Account > Budget > Budgetcontrol previously reran unnecessarily in workspaces withTurbot > Notificationsenabled. This issue has been resolved, and the control now runs as expected.
Bug fixes
- Fixed the compliance queries to prevent ambiguous
tagcolumn references when joining multiple Azure tables. (#330)
Bug fixes
- Fixed an issue in the
turbot_fileresource where removed keys in the content field were incorrectly sent as"key": nullin the update payload. The provider now sends the content exactly as specified in the Terraform configuration, ensuring that only the intended keys appear in the Turbot console.
What's new?
- Added CPU and memory settings for the PgBouncer task, giving you more control over resource allocation.
What's new?
- You can now configure cross-tenant replication for storage accounts. To get started, set the
Azure > Storage > Storage Account > Cross-Tenant Replicationpolicy.
Control Types
- Azure > Storage > Storage Account > Cross-Tenant Replication
Policy Types
- Azure > Storage > Storage Account > Cross-Tenant Replication
Action Types
- Azure > Storage > Storage Account > Set Cross-Tenant Replication
Bug fixes
- Guardrails previously failed to delete
Azure > SQL > *resources due to limitations in the internal Node SDK package version. This issue has now been resolved, and the resources will be deleted as expected. - The
Azure > SQL > *tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
What's new?
- New tables added
Whats new
- Compiled with Go 1.24.
Bug Fixes
- Fix issue where the
--wherearg was not correctly filtering the benchmarks/controls when JSON path expressions were passed. (#740) - Fix error handling for JSON output/export incase of database failures. (#665)
Dependencies
- Upgrade
form-dataandgo-viper/mapstructure/v2packages to remediate critical and high vulnerabilities.
What's new?
- You can now manage role bindings for service accounts. To get started, set the
GCP > IAM > Service Account > Role Bindings > *policies.
Control Types
- GCP > IAM > Service Account > Role Bindings
- GCP > IAM > Service Account > Role Bindings > Approved
Policy Types
- GCP > IAM > Service Account > Role Bindings
- GCP > IAM > Service Account > Role Bindings > Approved
- GCP > IAM > Service Account > Role Bindings > Approved > Rules
Action Types
- GCP > IAM > Service Account > Update Role Bindings
Breaking changes
- Renamed the following controls to align with their focus on classic logging for the respective service types: (#322)
storage_account_blobs_logging_enabledtostorage_account_blob_service_classic_logging_enabledstorage_account_queues_logging_enabledtostorage_account_queue_service_classic_logging_enabledstorage_account_tables_logging_enabledtostorage_account_table_service_classic_logging_enabled
Dependencies
- Azure plugin
v1.5.1or higher is now required.
Enhancements
- Added new automated queries for the following CIS controls: (#323)
cis_v150_3_3cis_v200_3_3cis_v200_5_1_7cis_v210_5_1_6cis_v300_4_3cis_v300_6_1_6cis_v400_10_3_1_1cis_v400_7_1_1_6
- Added
appservice_web_app_diagnostic_log_category_http_log_enabledandstorage_account_key_rotation_reminder_enabledcontrols to theAll Controlsbenchmark. (#323)
Bug fixes
- Fixed
keyvault_logging_enabledquery to correctly verify logging for Azure Key Vaults. (#320)
Bug fixes
- In the previous version, an issue was introduced in the CMDB control for
Azure > Storage > Storage Accountthat prevented the retrieval of diagnostic settings. This has now been resolved, and the control successfully processes diagnostic settings for all storage services, including Blob, Table, Queue, and the primary account.
What's new?
- Compiled with Go 1.24.
Dependencies
- Upgrade
golang.org/x/oauth2,form-dataandvitepackages to remediate critical vulnerabilities.
What's new?
- You can now manage role bindings for project users. To get started, set the
GCP > IAM > Project User > Role Bindings > *policies.
Control Types
- GCP > IAM > Project User > Role Bindings
- GCP > IAM > Project User > Role Bindings > Approved
Policy Types
- GCP > IAM > Project User > Role Bindings
- GCP > IAM > Project User > Role Bindings > Approved
- GCP > IAM > Project User > Role Bindings > Approved > Rules
Action Types
- GCP > IAM > Project User > Update Role Bindings
What's new?
- Network rule set details will now be available in CMDB for namespaces.
What's new?
Control Types
- Azure > CIS v3.0
- Azure > CIS v3.0 > 02 - Identity
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA)
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure
User consent for applicationsis set toDo not allow user consent - Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
- Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
- Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
- Azure > CIS v3.0 > 03 - Security
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- Azure > CIS v3.0 > 04 - Storage Accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that
Enable Infrastructure Encryptionfor Each Storage Account in Azure Storage is Set toenabled - Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
- Azure > CIS v3.0 > 05 - Database Services
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.06 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
- Azure > CIS v3.0 > 06 - Logging & Monitoring
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- Azure > CIS v3.0 > 07 - Networking
- Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
- Azure > CIS v3.0 > 08 - Virtual Machines
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure an Azure Bastion Host Exists
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines
- Azure > CIS v3.0 > 09 - Application Services
- Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to
On - Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service
- Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption
- Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service
- Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
- Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off'
- Azure > CIS v3.0 > 10 - Miscellaneous
- Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
Policy Types
- Azure > CIS v3.0
- Azure > CIS v3.0 > 02 - Identity
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA)
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
- Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
- Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
- Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure
User consent for applicationsis set toDo not allow user consent - Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure
User consent for applicationsis set toDo not allow user consent> Attestation - Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
- Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
- Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' > Attestation
- Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
- Azure > CIS v3.0 > 02 - Identity > Maximum Attestation Duration
- Azure > CIS v3.0 > 03 - Security
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > Attestation
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation
- Azure > CIS v3.0 > 03 - Security > Maximum Attestation Duration
- Azure > CIS v3.0 > 04 - Storage Accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that
Enable Infrastructure Encryptionfor Each Storage Account in Azure Storage is Set toenabled - Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
- Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
- Azure > CIS v3.0 > 04 - Storage Accounts > Maximum Attestation Duration
- Azure > CIS v3.0 > 05 - Database Services
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
- Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
- Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 5.2.6 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible > Attestation
- Azure > CIS v3.0 > 05 - Database Services > Maximum Attestation Duration
- Azure > CIS v3.0 > 06 - Logging & Monitoring
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- Azure > CIS v3.0 > 06 - Logging & Monitoring > Maximum Attestation Duration
- Azure > CIS v3.0 > 07 - Networking
- Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
- Azure > CIS v3.0 > 07 - Networking > Maximum Attestation Duration
- Azure > CIS v3.0 > 08 - Virtual Machines
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure Virtual Machines are utilizing Managed Disks
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed > Attestation
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted > Attestation
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines
- Azure > CIS v3.0 > 08 - Virtual Machines > Maximum Attestation Duration
- Azure > CIS v3.0 > 09 - Application Services
- Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to
On - Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service
- Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption
- Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service
- Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
- Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled' > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use) > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use) > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use) > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use)
- Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
- Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation
- Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off'
- Azure > CIS v3.0 > 09 - Application Services > Maximum Attestation Duration
- Azure > CIS v3.0 > 10 - Miscellaneous
- Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
- Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
- Azure > CIS v3.0 > 10 - Miscellaneous > Maximum Attestation Duration
- Azure > CIS v3.0 > Maximum Attestation Duration
Note
To ensure compatibility and proper functioning of the Guardrails Azure CIS v3 mod, we recommend updating all dependent mods to their latest versions.
Bug fixes
- Fixed the
azure_network_watcher_flow_logtable to correctly return data instead of an error. (#926)
Deprecations
- The following columns of the
azure_security_center_contacthave now been deprecated due to the lack of API support:alert_notificationsalerts_to_admins
What's new?
- New tables added
Enhancements
- Added rate-limiter tags to all tables which can be used to smooth request rates and limit the number of parallel requests to avoid hitting API rate limits. (#904)
- Added
diagnostic_settingscolumn toazure_app_service_web_apptable. (#921) - Added
default_blob_diagnostic_settings,default_file_diagnostic_settings,default_table_diagnostic_settingsanddefault_queue_diagnostic_settingscolumns toazure_storage_accounttable. (#918) - Added
key_policycolumn toazure_storage_accounttable. (#922)
Bug fixes
- Fixed the
azure_storage_accounttable to correctly handle theno such host error for premium type storage account. (#922) - Fixed the
diagnostic_settingscolumn inazure_key_vaulttable to correctly return data instead of null. (#915) - Fixed
azure_data_protection_backup_vaultandazure_security_center_contacttables to correctly return data instead of an error. (#917) - Fixed the
azure_security_center_contacttable to correctly return data instead of null. (#902)
Dependencies
- Recompiled plugin with Go version
1.24. (#912) - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages. (#912)
Enhancements
- Added new automated queries for the following manual CIS controls: (#317)
cis_v150_1_2_1cis_v200_1_2_1cis_v200_5_1_7cis_v210_1_2_1cis_v210_5_1_6cis_v210_7_9cis_v300_2_2_1cis_v300_4_16cis_v300_6_1_6cis_v300_8_11
- Added
compute_vm_trust_launch_enabledandiam_conditional_access_trusted_location_configuredcontrols to theAll Controlsbenchmark. (#317) - Added variable support for App Service controls to improve configurability: (#317)
appservice_web_app_latest_python_version- Configurable Python version validation for web appappservice_web_app_latest_java_version- Configurable Java version validation for web appappservice_function_app_latest_python_version- Configurable Python version validation for function appappservice_function_app_latest_java_version- Configurable Java version validation for function app
Bug fixes
- Fixed
iam_global_administrator_max_5query to correctly check for a minimum of 2 and a maximum of 5 administrators. (#318) - Fixed
cis_v300_3_1_4_2control by removing the invalid query reference and marking it as manual. (#317) - Fixed
appservice_function_app_latest_java_versionquery to correctly check results for both Linux and Windows operating system function app. (#317) - Fixed
appservice_web_app_latest_java_versionquery to correctly check results for both Linux and Windows operating system web app. (#317)
What's new?
- Added proxy support for GitHub API requests.
Bug fixes
- Guardrails previously failed to fetch all
diagnosticSettingsdetails for storage accounts control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.
Renamed:
diagnosticSettings.valuetodiagnosticSettings
Bug fixes
- Guardrails previously failed to fetch all
diagnosticSettingsdetails for vaults control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.
Bug fixes
- Guardrails previously failed to fetch all
diagnosticSettingsdetails for web apps control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.
What's new?
- New tables added
- aws_bedrock_agent (#2580)
- aws_bedrock_foundation_model (#2581)
- aws_bedrock_imported_model (#2581)
- aws_bedrock_knowledge_base (#2580)
- aws_elasticache_serverless_cache (#2538) (Thanks @michalpl-monday for the contribution!)
What's new?
- Diagnostic Settings for blob, queue, and table will now be available in CMDB for storage accounts.
- Users can now update access tier to
coldfor storage accounts. To get started, set theAzure > Storage > Storage Account > Access Tierpolicy toEnforce: Cold.
Bug fixes
- The
Azure > Storage > Storage Account > Tagscontrol will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
What's new?
- You can now configure guest configuration extension for virtual machines. To get started, set the
Azure > Compute > Virtual Machine > Extensions > Guest Configurationpolicy.
Control Types
- Azure > Compute > Virtual Machine > Extensions
- Azure > Compute > Virtual Machine > Extensions > Guest Configuration
Policy Types
- Azure > Compute > Virtual Machine > Extensions
- Azure > Compute > Virtual Machine > Extensions > Guest Configuration
Action Types
- Azure > Compute > Virtual Machine > Update Guest Configuration
What's new?
- Added controls for sections 5.01.01, 5.01.02 and 7.01.
Control Types
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.01 - Ensure an Azure Bastion Host Exists
Policy Types
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists > Attestation
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.01 - Ensure an Azure Bastion Host Exists
Bug fixes
- CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to
Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.
All Tailpipe plugins have been updated to use tailpipe-plugin-sdk v0.9.2, which includes:
Bug fixes
- The CMDB data for buckets did not refresh automatically when intelligent tiering configurations were removed from the buckets. This issue has now been fixed.
Bug fixes
- Fixed the
containers_resources_limits_stdandcontainers_resources_requests_stdcolumns in thekubernetes_podtable to correctly return data when pod resource limits or requests are expressed in scientific notation, preventing errors. (#315)
Dependencies
- Recompiled plugin with Go version
1.24. - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
Bug fixes
- Fix issue where
--towas not respected for zero granularity data. (#483) - Fix issue where the relative time passed to
from/toargs were getting parsed incorrectly. (#485) - Fix issue where Tailpipe was crashing if the collection state file had nil trunk states from the previous collection. (#489)
- Fix
.inspectoutput to show the plugin name for custom tables. (#360) - Fix query JSON outputs to be consistent with DuckDB. (#432)
Dependencies
- Upgrade
go-viper/mapstructure/v2andoauth2packages to remediate high and moderate vulnerabilities.
Bug fixes
- Fixed the
account_alternate_contact_security_registeredquery to correctly list all the available accounts. (#917) - Fixed the
iam_user_access_key_age_90query to skip the inactive access keys. (#912) - Fixed
config_enabled_all_regions,iam_access_analyzer_enabled_without_findingsandsecurityhub_enabledqueries to skip regions not defined in theaws.spcfile. (#908)
What's new?
- Added support for PostgreSQL version 15.9, 15.10, 15.11, 15.12 and 15.13.
Bug fixes
- Fixed
gcp_compute_ssl_policytable to return regional along with global SSL policies. (#773)
Dependencies
- Recompiled plugin with Go version
1.24. - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
What's new?
- New tables added
Enhancements
- Added
exportcolumn to theaws_acm_certificatetable. (#2571) - Added
ignore_error_messagesconfig arg to provide users the ability to set a list of additional AWS error messages to ignore while running queries. For more information, please see AWS plugin configuration (#2560)
Dependencies
- Recompiled plugin with Go version
1.24. - Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
Custom tenant settings now allow owners to control session timeouts for Console (browser) and CLI logins.
For more information, check out the docs
Bug fixes
Resolved a bug where destroying a policy pack via Terraform did not delete the policy pack if it was still attached to resources. The
terraform destroycommand now provides a clear and meaningful error message when such attachments exist.Minimum version requirements:
- TE v5.52.1
What's new?
- Diagnostic Settings details will now be available in CMDB for Subscriptions.
What's new?
- Server
- Introduced
LAMBDA_IN_VPC_GITHUBflag to enable deployment of GitHub mod lambdas inside a VPC.
- Introduced
Bug Fixes
- Server
- Optimized mod type installation to distribute event execution more evenly over time, minimizing the risk of throttling.
- Fixed an issue where controls or actions could get stuck if their notification templates were empty or failed to render correctly.
- The Delete Policy Pack API now throws a clear error when attempting to delete a policy pack that still has attached resources.
- The maintenance container now ensures the index_list table is populated with any missing indexes, improving database reliability.
- Unused Lambda functions are now correctly deleted when no aliases remain.
Note
Upgrade to 5.52.1 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Resource Types:
- Azure > Network > Bastion Host
Control Types:
- Azure > Network > Bastion Host > Active
- Azure > Network > Bastion Host > CMDB
- Azure > Network > Bastion Host > Discovery
- Azure > Network > Bastion Host > Tags
Policy Types:
- Azure > Network > Bastion Host > Active
- Azure > Network > Bastion Host > Active > Age
- Azure > Network > Bastion Host > Active > Last Modified
- Azure > Network > Bastion Host > CMDB
- Azure > Network > Bastion Host > Regions
- Azure > Network > Bastion Host > Tags
- Azure > Network > Bastion Host > Tags > Template
Action Types:
- Azure > Network > Bastion Host > Delete
- Azure > Network > Bastion Host > Router
- Azure > Network > Bastion Host > Set Tags
What's new?
HyperVGenerationdetails will now be available in the CMDB for Virtual Machines.
What's new?
Conditional Access PolicyandDirectory Roledetails will now be available in CMDB for Directories.
Action Types
- Azure > Active Directory > Directory > Router
What's new?
Resource Types:
- AWS > Bedrock > Agent
- AWS > Bedrock > Custom Model
- AWS > Bedrock > Foundation Model
- AWS > Bedrock > Imported Model
- AWS > Bedrock > Knowledge Base
- AWS > Bedrock > Settings
Control Types:
- AWS > Bedrock > Agent > Active
- AWS > Bedrock > Agent > CMDB
- AWS > Bedrock > Agent > Discovery
- AWS > Bedrock > Agent > Tags
- AWS > Bedrock > Custom Model > Active
- AWS > Bedrock > Custom Model > CMDB
- AWS > Bedrock > Custom Model > Discovery
- AWS > Bedrock > Custom Model > Tags
- AWS > Bedrock > Foundation Model > CMDB
- AWS > Bedrock > Foundation Model > Discovery
- AWS > Bedrock > Imported Model > Active
- AWS > Bedrock > Imported Model > CMDB
- AWS > Bedrock > Imported Model > Discovery
- AWS > Bedrock > Imported Model > Tags
- AWS > Bedrock > Knowledge Base > Active
- AWS > Bedrock > Knowledge Base > CMDB
- AWS > Bedrock > Knowledge Base > Discovery
- AWS > Bedrock > Knowledge Base > Tags
- AWS > Bedrock > Settings > CMDB
- AWS > Bedrock > Settings > Discovery
- AWS > Bedrock > Settings > Model Invocation Logging Configuration
Policy Types:
- AWS > Bedrock > Agent > Active
- AWS > Bedrock > Agent > Active > Age
- AWS > Bedrock > Agent > Active > Last Modified
- AWS > Bedrock > Agent > CMDB
- AWS > Bedrock > Agent > Regions
- AWS > Bedrock > Agent > Tags
- AWS > Bedrock > Agent > Tags > Template
- AWS > Bedrock > Custom Model > Active
- AWS > Bedrock > Custom Model > Active > Age
- AWS > Bedrock > Custom Model > Active > Last Modified
- AWS > Bedrock > Custom Model > CMDB
- AWS > Bedrock > Custom Model > Regions
- AWS > Bedrock > Custom Model > Tags
- AWS > Bedrock > Custom Model > Tags > Template
- AWS > Bedrock > Foundation Model > CMDB
- AWS > Bedrock > Foundation Model > Regions
- AWS > Bedrock > Imported Model > Active
- AWS > Bedrock > Imported Model > Active > Age
- AWS > Bedrock > Imported Model > Active > Last Modified
- AWS > Bedrock > Imported Model > CMDB
- AWS > Bedrock > Imported Model > Regions
- AWS > Bedrock > Imported Model > Tags
- AWS > Bedrock > Imported Model > Tags > Template
- AWS > Bedrock > Knowledge Base > Active
- AWS > Bedrock > Knowledge Base > Active > Age
- AWS > Bedrock > Knowledge Base > Active > Last Modified
- AWS > Bedrock > Knowledge Base > CMDB
- AWS > Bedrock > Knowledge Base > Regions
- AWS > Bedrock > Knowledge Base > Tags
- AWS > Bedrock > Knowledge Base > Tags > Template
- AWS > Bedrock > Settings > CMDB
- AWS > Bedrock > Settings > Model Invocation Logging Configuration
- AWS > Bedrock > Settings > Model Invocation Logging Configuration > Data Delivery
- AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination
- AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > CloudWatch Log Group Name
- AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > S3 Location
- AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > S3 Location for Large Data Delivery
- AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > Service Role ARN
- AWS > Bedrock > Settings > Regions
- AWS > Bedrock > Tags Template [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-bedrock
Action Types:
- AWS > Bedrock > Agent > Delete
- AWS > Bedrock > Agent > Router
- AWS > Bedrock > Agent > Update Tags
- AWS > Bedrock > Custom Model > Delete
- AWS > Bedrock > Custom Model > Router
- AWS > Bedrock > Custom Model > Update Tags
- AWS > Bedrock > Imported Model > Delete
- AWS > Bedrock > Imported Model > Router
- AWS > Bedrock > Imported Model > Update Tags
- AWS > Bedrock > Knowledge Base > Delete
- AWS > Bedrock > Knowledge Base > Router
- AWS > Bedrock > Knowledge Base > Update Tags
- AWS > Bedrock > Settings > Router
- AWS > Bedrock > Settings > Update Model Invocation Logging Configuration
Bug fixes
- In previous versions,
apigateway:CreateDeploymentevents were processed without validating the required stageName parameter, which could result in invalid stage resources in the CMDB. This issue is now fixed.
What's new?
- New tables added
- googleworkspace_activity_report (#88) (Thanks @assakafpix for the contribution!!)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly. (#87)
What's new?
- New tables added
- github_traffic_clone_daily (#505) (Thanks @sohanmaheshwar for the contribution!!)
- github_traffic_clone_weekly (#505) (Thanks @sohanmaheshwar for the contribution!!)
Bug fixes
- Resolved an issue with real-time event handling for
AWS > API Gateway > Stageresources. Specifically, Guardrails was previously not receiving events when a Web ACL was attached to an API Gateway stage. This has now been fixed, and events for such actions are processed as expected.
v0.15.2 of the Terraform Provider for Pipes is now available.
Bug Fixes
- Updated
pipes-sdk-gotov0.14.0. - Support for creation of
db1.mediumworkspace instance types.
Bug fixes
- Fixed the
controlcolumn ofwiz_cloud_config_ruletable to correctly return data instead of an error. (#61)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly. (#58)
Enhancements
- Added
destination,destination_branch_nameandsourcecolumns to thebitbucket_pull_requesttable. (#119)
Bug fixes
- Renamed the incorrectly named
branch_namecolumn tosource_branch_namein thebitbucket_pull_requesttable to reflect the correct source branch of the pull request. (#119)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly. (#115)
What's new?
- New tables added
What's new?
- New tables added: (Thanks @vadimklimov for the new plugin!)
What's new?
- Users can now configure the private google access settings for subnetworks. To get started, set the
GCP > Network > Subnetwork > Private Google Accesspolicy.
Control Types
- GCP > Network > Subnetwork > Private Google Access
Policy Types
- GCP > Network > Subnetwork > Private Google Access
Action Types
- GCP > Network > Subnetwork > Set Private Google Access
Bug fixes
- Previously,
GCP > DNS > Managed Zone > Labelscontrol would fail when attempting to update labels on private DNS zones that were linked to a Service Directory namespace. This was caused by the control attempting to modify theserviceDirectoryConfigfield, which is not allowed by the Google Cloud DNS API and resulted in an error. This issue has now been resolved.
What's new?
- Users can now manage trusted access for tables. To get started, set the
AWS > DynamoDB > Table > Policy > Trusted Access > *policies. - Resource policy details will now be available in CMDB for tables.
Control Types
- AWS > DynamoDB > Table > Policy
- AWS > DynamoDB > Table > Policy > Trusted Access
Policy Types
- AWS > DynamoDB > Table > Policy
- AWS > DynamoDB > Table > Policy > Trusted Access
- AWS > DynamoDB > Table > Policy > Trusted Access > Accounts
- AWS > DynamoDB > Table > Policy > Trusted Access > CloudFront Origin Access Identities
- AWS > DynamoDB > Table > Policy > Trusted Access > Organization Restrictions
- AWS > DynamoDB > Trusted Accounts [Default]
- AWS > DynamoDB > Trusted Organizations [Default]
Action Types
- AWS > DynamoDB > Table > Set Policy Trusted Access
Bug Fixes
- Fix regression where powerpipe was failing to run detections from dependant mods if steampipe service was not running. (#824)
- Fix issue where powerpipe server was failing to resolve the default pipes token. (#818)
- Fix issue where query run snapshot output was returning a 0 exit code even incase of query failures. (#816)
Dependencies
- Upgrade
pbkdf2package to remediate critical vulnerabilities.
Whats new
- Compiled with Go 1.24.
- The versioning mechanism has been changed to use GoReleaser for automated version management during the build process.
Breaking changes
- The version package, which was previously used to control CLI versioning, has been removed in this version. This change only affects users who were importing the Steampipe version package in their Go code. Regular CLI usage is not impacted.
Bug fixes
- Bump module to v2. (#4593)
Dependencies
- Update
go-viperpackage to remediate moderate vulnerabilities.
What's new?
- Added support to process real-time events for
GCP > Compute Engine > Region Disk.
Action Types
- GCP > Compute Engine > Region Disk > Router
Bug fixes
- The
AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2policy previously depended on theTurbot > Workspace > Workspace Versionpolicy, causing Event Handlers to run after a TE update. This dependency has been safely removed, improving the overall efficiency of the workspace.
What's new?
- New tables added
Enhancements
- Updated the
aws_cloudformation_stacktable to also return stacks that are inDELETE_COMPLETEstate. (#2548) - Added rate limiters for the following tables: (#2547)
aws_iam_roleaws_iam_policyaws_iam_policy_attachment
- Added default rate limiter configuration for
AWS CloudFormation,AWS Kinesis,AWS Route 53,AWS WAFandAWS WAF v2service tables. (#2537) (Thanks @pdecat for the contribution!)
Bug fixes
- Fixed
aws_rds_pending_maintenance_actiontable to correctly return data instead of an error. (#2545)
What's new?
- You can now use the
Intelligent Assessmentcontrol, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > PostgreSQL > Flexible Server > Intelligent Assessment
Policy Types
- Azure > PostgreSQL > Flexible Server > Intelligent Assessment
- Azure > PostgreSQL > Flexible Server > Intelligent Assessment > Context
- Azure > PostgreSQL > Flexible Server > Intelligent Assessment > User Prompt
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
Bug fixes
- Update core version to v0.2.9 - fix issue where collection state is not being saved for zero granularity collections. (#251)
What's new
- Add
--toflag forcollect, allowing collection of standalone time ranges. (#238) - Add
--overwriteflag forcollect, allowing recollection of existing data. (#454)
Bug fixes
- Fix issue where collection state end-objects are cleared when collection is complete, meaning no further data will be collected for that day. (#250)
Behaviour Change
When passing a from time to a collection, the existing partition data is no longer cleared before the collection starts. This means that data will not, by default, be recollected for time ranges that have already been collected. To recollect data for a time range, pass the new --overwrite flag to the collect command.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- GCP > Folder > Intelligent Assessment
- GCP > Organization > Intelligent Assessment
- GCP > Project > Intelligent Assessment
Policy Types
- GCP > Folder > Intelligent Assessment
- GCP > Folder > Intelligent Assessment > Context
- GCP > Folder > Intelligent Assessment > User Prompt
- GCP > Organization > Intelligent Assessment
- GCP > Organization > Intelligent Assessment > Context
- GCP > Organization > Intelligent Assessment > User Prompt
- GCP > Project > Intelligent Assessment
- GCP > Project > Intelligent Assessment > Context
- GCP > Project > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- GCP > Pub/Sub > Snapshot > Intelligent Assessment
- GCP > Pub/Sub > Subscription > Intelligent Assessment
- GCP > Pub/Sub > Topic > Intelligent Assessment
Policy Types
- GCP > Pub/Sub > Snapshot > Intelligent Assessment
- GCP > Pub/Sub > Snapshot > Intelligent Assessment > Context
- GCP > Pub/Sub > Snapshot > Intelligent Assessment > User Prompt
- GCP > Pub/Sub > Subscription > Intelligent Assessment
- GCP > Pub/Sub > Subscription > Intelligent Assessment > Context
- GCP > Pub/Sub > Subscription > Intelligent Assessment > User Prompt
- GCP > Pub/Sub > Topic > Intelligent Assessment
- GCP > Pub/Sub > Topic > Intelligent Assessment > Context
- GCP > Pub/Sub > Topic > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- GCP > Logging > Exclusion > Intelligent Assessment
- GCP > Logging > Metric > Intelligent Assessment
- GCP > Logging > Sink > Intelligent Assessment
Policy Types
- GCP > Logging > Exclusion > Intelligent Assessment
- GCP > Logging > Exclusion > Intelligent Assessment > Context
- GCP > Logging > Exclusion > Intelligent Assessment > User Prompt
- GCP > Logging > Metric > Intelligent Assessment
- GCP > Logging > Metric > Intelligent Assessment > Context
- GCP > Logging > Metric > Intelligent Assessment > User Prompt
- GCP > Logging > Sink > Intelligent Assessment
- GCP > Logging > Sink > Intelligent Assessment > Context
- GCP > Logging > Sink > Intelligent Assessment > User Prompt
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrol.
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- GCP > App Engine > Application > Intelligent Assessment
- GCP > App Engine > Firewall Rule > Intelligent Assessment
- GCP > App Engine > Instance > Intelligent Assessment
- GCP > App Engine > Service > Intelligent Assessment
- GCP > App Engine > Version > Intelligent Assessment
Policy Types
- GCP > App Engine > Application > Intelligent Assessment
- GCP > App Engine > Application > Intelligent Assessment > Context
- GCP > App Engine > Application > Intelligent Assessment > User Prompt
- GCP > App Engine > Firewall Rule > Intelligent Assessment
- GCP > App Engine > Firewall Rule > Intelligent Assessment > Context
- GCP > App Engine > Firewall Rule > Intelligent Assessment > User Prompt
- GCP > App Engine > Instance > Intelligent Assessment
- GCP > App Engine > Instance > Intelligent Assessment > Context
- GCP > App Engine > Instance > Intelligent Assessment > User Prompt
- GCP > App Engine > Service > Intelligent Assessment
- GCP > App Engine > Service > Intelligent Assessment > Context
- GCP > App Engine > Service > Intelligent Assessment > User Prompt
- GCP > App Engine > Version > Intelligent Assessment
- GCP > App Engine > Version > Intelligent Assessment > Context
- GCP > App Engine > Version > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > SQL > Database > Intelligent Assessment
- Azure > SQL > Elastic Pool > Intelligent Assessment
- Azure > SQL > Managed Instance > Intelligent Assessment
- Azure > SQL > Server > Intelligent Assessment
Policy Types
- Azure > SQL > Database > Intelligent Assessment
- Azure > SQL > Database > Intelligent Assessment > Context
- Azure > SQL > Database > Intelligent Assessment > User Prompt
- Azure > SQL > Elastic Pool > Intelligent Assessment
- Azure > SQL > Elastic Pool > Intelligent Assessment > Context
- Azure > SQL > Elastic Pool > Intelligent Assessment > User Prompt
- Azure > SQL > Managed Instance > Intelligent Assessment
- Azure > SQL > Managed Instance > Intelligent Assessment > Context
- Azure > SQL > Managed Instance > Intelligent Assessment > User Prompt
- Azure > SQL > Server > Intelligent Assessment
- Azure > SQL > Server > Intelligent Assessment > Context
- Azure > SQL > Server > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > Network > Application Security Group > Intelligent Assessment
- Azure > Network > Express Route Circuits > Intelligent Assessment
- Azure > Network > Network Interface > Intelligent Assessment
- Azure > Network > Network Security Group > Intelligent Assessment
- Azure > Network > Private DNS Zones > Intelligent Assessment
- Azure > Network > Private Endpoints > Intelligent Assessment
- Azure > Network > Private Link Service > Intelligent Assessment
- Azure > Network > Public IP Address > Intelligent Assessment
- Azure > Network > Route Table > Intelligent Assessment
- Azure > Network > Subnet > Intelligent Assessment
- Azure > Network > Virtual Network > Intelligent Assessment
- Azure > Network > Virtual Network Gateway > Intelligent Assessment
Policy Types
- Azure > Network > Application Security Group > Intelligent Assessment
- Azure > Network > Application Security Group > Intelligent Assessment > Context
- Azure > Network > Application Security Group > Intelligent Assessment > User Prompt
- Azure > Network > Express Route Circuits > Intelligent Assessment
- Azure > Network > Express Route Circuits > Intelligent Assessment > Context
- Azure > Network > Express Route Circuits > Intelligent Assessment > User Prompt
- Azure > Network > Network Interface > Intelligent Assessment
- Azure > Network > Network Interface > Intelligent Assessment > Context
- Azure > Network > Network Interface > Intelligent Assessment > User Prompt
- Azure > Network > Network Security Group > Intelligent Assessment
- Azure > Network > Network Security Group > Intelligent Assessment > Context
- Azure > Network > Network Security Group > Intelligent Assessment > User Prompt
- Azure > Network > Private DNS Zones > Intelligent Assessment
- Azure > Network > Private DNS Zones > Intelligent Assessment > Context
- Azure > Network > Private DNS Zones > Intelligent Assessment > User Prompt
- Azure > Network > Private Endpoints > Intelligent Assessment
- Azure > Network > Private Endpoints > Intelligent Assessment > Context
- Azure > Network > Private Endpoints > Intelligent Assessment > User Prompt
- Azure > Network > Private Link Service > Intelligent Assessment
- Azure > Network > Private Link Service > Intelligent Assessment > Context
- Azure > Network > Private Link Service > Intelligent Assessment > User Prompt
- Azure > Network > Public IP Address > Intelligent Assessment
- Azure > Network > Public IP Address > Intelligent Assessment > Context
- Azure > Network > Public IP Address > Intelligent Assessment > User Prompt
- Azure > Network > Route Table > Intelligent Assessment
- Azure > Network > Route Table > Intelligent Assessment > Context
- Azure > Network > Route Table > Intelligent Assessment > User Prompt
- Azure > Network > Subnet > Intelligent Assessment
- Azure > Network > Subnet > Intelligent Assessment > Context
- Azure > Network > Subnet > Intelligent Assessment > User Prompt
- Azure > Network > Virtual Network > Intelligent Assessment
- Azure > Network > Virtual Network > Intelligent Assessment > Context
- Azure > Network > Virtual Network > Intelligent Assessment > User Prompt
- Azure > Network > Virtual Network Gateway > Intelligent Assessment
- Azure > Network > Virtual Network Gateway > Intelligent Assessment > Context
- Azure > Network > Virtual Network Gateway > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrol, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > MySQL > Flexible Server > Intelligent Assessment
Policy Types
- Azure > MySQL > Flexible Server > Intelligent Assessment
- Azure > MySQL > Flexible Server > Intelligent Assessment > Context
- Azure > MySQL > Flexible Server > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > Monitor > Action Group > Intelligent Assessment
- Azure > Monitor > Alerts > Intelligent Assessment
- Azure > Monitor > Log Profile > Intelligent Assessment
- Azure > Monitor > Metric Alert > Intelligent Assessment
Policy Types
- Azure > Monitor > Action Group > Intelligent Assessment
- Azure > Monitor > Action Group > Intelligent Assessment > Context
- Azure > Monitor > Action Group > Intelligent Assessment > User Prompt
- Azure > Monitor > Alerts > Intelligent Assessment
- Azure > Monitor > Alerts > Intelligent Assessment > Context
- Azure > Monitor > Alerts > Intelligent Assessment > User Prompt
- Azure > Monitor > Log Profile > Intelligent Assessment
- Azure > Monitor > Log Profile > Intelligent Assessment > Context
- Azure > Monitor > Log Profile > Intelligent Assessment > User Prompt
- Azure > Monitor > Metric Alert > Intelligent Assessment
- Azure > Monitor > Metric Alert > Intelligent Assessment > Context
- Azure > Monitor > Metric Alert > Intelligent Assessment > User Prompt
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > Redshift > Cluster > Intelligent Assessment
- AWS > Redshift > Cluster Parameter Group > Intelligent Assessment
- AWS > Redshift > Cluster Subnet Group > Intelligent Assessment
- AWS > Redshift > Manual Cluster Snapshot > Intelligent Assessment
Policy Types
- AWS > Redshift > Cluster > Intelligent Assessment
- AWS > Redshift > Cluster > Intelligent Assessment > Context
- AWS > Redshift > Cluster > Intelligent Assessment > User Prompt
- AWS > Redshift > Cluster Parameter Group > Intelligent Assessment
- AWS > Redshift > Cluster Parameter Group > Intelligent Assessment > Context
- AWS > Redshift > Cluster Parameter Group > Intelligent Assessment > User Prompt
- AWS > Redshift > Cluster Subnet Group > Intelligent Assessment
- AWS > Redshift > Cluster Subnet Group > Intelligent Assessment > Context
- AWS > Redshift > Cluster Subnet Group > Intelligent Assessment > User Prompt
- AWS > Redshift > Manual Cluster Snapshot > Intelligent Assessment
- AWS > Redshift > Manual Cluster Snapshot > Intelligent Assessment > Context
- AWS > Redshift > Manual Cluster Snapshot > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > RDS > DB Cluster > Intelligent Assessment
- AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment
- AWS > RDS > DB Cluster Snapshot [Manual] > Intelligent Assessment
- AWS > RDS > DB Instance > Intelligent Assessment
- AWS > RDS > DB Parameter Group > Intelligent Assessment
- AWS > RDS > DB Snapshot [Manual] > Intelligent Assessment
- AWS > RDS > Global Cluster > Intelligent Assessment
- AWS > RDS > Option Group > Intelligent Assessment
- AWS > RDS > Subnet Group > Intelligent Assessment
Policy Types
- AWS > RDS > DB Cluster > Intelligent Assessment
- AWS > RDS > DB Cluster > Intelligent Assessment > Context
- AWS > RDS > DB Cluster > Intelligent Assessment > User Prompt
- AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment
- AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment > Context
- AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment > User Prompt
- AWS > RDS > DB Cluster Snapshot [Manual] > Intelligent Assessment
- AWS > RDS > DB Cluster Snapshot [Manual] > Intelligent Assessment > Context
- AWS > RDS > DB Cluster Snapshot [Manual] > Intelligent Assessment > User Prompt
- AWS > RDS > DB Instance > Intelligent Assessment
- AWS > RDS > DB Instance > Intelligent Assessment > Context
- AWS > RDS > DB Instance > Intelligent Assessment > User Prompt
- AWS > RDS > DB Parameter Group > Intelligent Assessment
- AWS > RDS > DB Parameter Group > Intelligent Assessment > Context
- AWS > RDS > DB Parameter Group > Intelligent Assessment > User Prompt
- AWS > RDS > DB Snapshot [Manual] > Intelligent Assessment
- AWS > RDS > DB Snapshot [Manual] > Intelligent Assessment > Context
- AWS > RDS > DB Snapshot [Manual] > Intelligent Assessment > User Prompt
- AWS > RDS > Global Cluster > Intelligent Assessment
- AWS > RDS > Global Cluster > Intelligent Assessment > Context
- AWS > RDS > Global Cluster > Intelligent Assessment > User Prompt
- AWS > RDS > Option Group > Intelligent Assessment
- AWS > RDS > Option Group > Intelligent Assessment > Context
- AWS > RDS > Option Group > Intelligent Assessment > User Prompt
- AWS > RDS > Subnet Group > Intelligent Assessment
- AWS > RDS > Subnet Group > Intelligent Assessment > Context
- AWS > RDS > Subnet Group > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > Organizations > Organization > Intelligent Assessment
- AWS > Organizations > Organization Root > Intelligent Assessment
- AWS > Organizations > Organizational Account > Intelligent Assessment
- AWS > Organizations > Organizational Unit > Intelligent Assessment
Policy Types
- AWS > Organizations > Organization > Intelligent Assessment
- AWS > Organizations > Organization > Intelligent Assessment > Context
- AWS > Organizations > Organization > Intelligent Assessment > User Prompt
- AWS > Organizations > Organization Root > Intelligent Assessment
- AWS > Organizations > Organization Root > Intelligent Assessment > Context
- AWS > Organizations > Organization Root > Intelligent Assessment > User Prompt
- AWS > Organizations > Organizational Account > Intelligent Assessment
- AWS > Organizations > Organizational Account > Intelligent Assessment > Context
- AWS > Organizations > Organizational Account > Intelligent Assessment > User Prompt
- AWS > Organizations > Organizational Unit > Intelligent Assessment
- AWS > Organizations > Organizational Unit > Intelligent Assessment > Context
- AWS > Organizations > Organizational Unit > Intelligent Assessment > User Prompt
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrol.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > IAM > Access Analyzer > Intelligent Assessment
- AWS > IAM > Access Key > Intelligent Assessment
- AWS > IAM > Account Password Policy > Intelligent Assessment
- AWS > IAM > Account Summary > Intelligent Assessment
- AWS > IAM > Credential Report > Intelligent Assessment
- AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment
- AWS > IAM > Group > Inline Policy > Intelligent Assessment
- AWS > IAM > Group > Intelligent Assessment
- AWS > IAM > Instance Profile > Intelligent Assessment
- AWS > IAM > MFA Virtual > Intelligent Assessment
- AWS > IAM > OpenID Connect > Intelligent Assessment
- AWS > IAM > Policy > Intelligent Assessment
- AWS > IAM > Role > Inline Policy > Intelligent Assessment
- AWS > IAM > Role > Intelligent Assessment
- AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment
- AWS > IAM > Root > Intelligent Assessment
- AWS > IAM > Server Certificate > Intelligent Assessment
- AWS > IAM > User > Group Memberships > Intelligent Assessment
- AWS > IAM > User > Inline Policy > Intelligent Assessment
- AWS > IAM > User > Intelligent Assessment
- AWS > IAM > User > User Policy Attachments > Intelligent Assessment
Policy Types
- AWS > IAM > Access Analyzer > Intelligent Assessment
- AWS > IAM > Access Analyzer > Intelligent Assessment > Context
- AWS > IAM > Access Analyzer > Intelligent Assessment > User Prompt
- AWS > IAM > Access Key > Intelligent Assessment
- AWS > IAM > Access Key > Intelligent Assessment > Context
- AWS > IAM > Access Key > Intelligent Assessment > User Prompt
- AWS > IAM > Account Password Policy > Intelligent Assessment
- AWS > IAM > Account Password Policy > Intelligent Assessment > Context
- AWS > IAM > Account Password Policy > Intelligent Assessment > User Prompt
- AWS > IAM > Account Summary > Intelligent Assessment
- AWS > IAM > Account Summary > Intelligent Assessment > Context
- AWS > IAM > Account Summary > Intelligent Assessment > User Prompt
- AWS > IAM > Credential Report > Intelligent Assessment
- AWS > IAM > Credential Report > Intelligent Assessment > Context
- AWS > IAM > Credential Report > Intelligent Assessment > User Prompt
- AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment
- AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment > Context
- AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment > User Prompt
- AWS > IAM > Group > Inline Policy > Intelligent Assessment
- AWS > IAM > Group > Inline Policy > Intelligent Assessment > Context
- AWS > IAM > Group > Inline Policy > Intelligent Assessment > User Prompt
- AWS > IAM > Group > Intelligent Assessment
- AWS > IAM > Group > Intelligent Assessment > Context
- AWS > IAM > Group > Intelligent Assessment > User Prompt
- AWS > IAM > Instance Profile > Intelligent Assessment
- AWS > IAM > Instance Profile > Intelligent Assessment > Context
- AWS > IAM > Instance Profile > Intelligent Assessment > User Prompt
- AWS > IAM > MFA Virtual > Intelligent Assessment
- AWS > IAM > MFA Virtual > Intelligent Assessment > Context
- AWS > IAM > MFA Virtual > Intelligent Assessment > User Prompt
- AWS > IAM > OpenID Connect > Intelligent Assessment
- AWS > IAM > OpenID Connect > Intelligent Assessment > Context
- AWS > IAM > OpenID Connect > Intelligent Assessment > User Prompt
- AWS > IAM > Policy > Intelligent Assessment
- AWS > IAM > Policy > Intelligent Assessment > Context
- AWS > IAM > Policy > Intelligent Assessment > User Prompt
- AWS > IAM > Role > Inline Policy > Intelligent Assessment
- AWS > IAM > Role > Inline Policy > Intelligent Assessment > Context
- AWS > IAM > Role > Inline Policy > Intelligent Assessment > User Prompt
- AWS > IAM > Role > Intelligent Assessment
- AWS > IAM > Role > Intelligent Assessment > Context
- AWS > IAM > Role > Intelligent Assessment > User Prompt
- AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment
- AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment > Context
- AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment > User Prompt
- AWS > IAM > Root > Intelligent Assessment
- AWS > IAM > Root > Intelligent Assessment > Context
- AWS > IAM > Root > Intelligent Assessment > User Prompt
- AWS > IAM > Server Certificate > Intelligent Assessment
- AWS > IAM > Server Certificate > Intelligent Assessment > Context
- AWS > IAM > Server Certificate > Intelligent Assessment > User Prompt
- AWS > IAM > User > Group Memberships > Intelligent Assessment
- AWS > IAM > User > Group Memberships > Intelligent Assessment > Context
- AWS > IAM > User > Group Memberships > Intelligent Assessment > User Prompt
- AWS > IAM > User > Inline Policy > Intelligent Assessment
- AWS > IAM > User > Inline Policy > Intelligent Assessment > Context
- AWS > IAM > User > Inline Policy > Intelligent Assessment > User Prompt
- AWS > IAM > User > Intelligent Assessment
- AWS > IAM > User > Intelligent Assessment > Context
- AWS > IAM > User > Intelligent Assessment > User Prompt
- AWS > IAM > User > User Policy Attachments > Intelligent Assessment
- AWS > IAM > User > User Policy Attachments > Intelligent Assessment > Context
- AWS > IAM > User > User Policy Attachments > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > Glue > Crawler > Intelligent Assessment
- AWS > Glue > Data Catalog > Intelligent Assessment
- AWS > Glue > Database > Intelligent Assessment
- AWS > Glue > Job > Intelligent Assessment
- AWS > Glue > ML Transform > Intelligent Assessment
- AWS > Glue > Security Configuration > Intelligent Assessment
- AWS > Glue > Table > Intelligent Assessment
- AWS > Glue > Trigger > Intelligent Assessment
- AWS > Glue > Workflow > Intelligent Assessment
Policy Types
- AWS > Glue > Crawler > Intelligent Assessment
- AWS > Glue > Crawler > Intelligent Assessment > Context
- AWS > Glue > Crawler > Intelligent Assessment > User Prompt
- AWS > Glue > Data Catalog > Intelligent Assessment
- AWS > Glue > Data Catalog > Intelligent Assessment > Context
- AWS > Glue > Data Catalog > Intelligent Assessment > User Prompt
- AWS > Glue > Database > Intelligent Assessment
- AWS > Glue > Database > Intelligent Assessment > Context
- AWS > Glue > Database > Intelligent Assessment > User Prompt
- AWS > Glue > Job > Intelligent Assessment
- AWS > Glue > Job > Intelligent Assessment > Context
- AWS > Glue > Job > Intelligent Assessment > User Prompt
- AWS > Glue > ML Transform > Intelligent Assessment
- AWS > Glue > ML Transform > Intelligent Assessment > Context
- AWS > Glue > ML Transform > Intelligent Assessment > User Prompt
- AWS > Glue > Security Configuration > Intelligent Assessment
- AWS > Glue > Security Configuration > Intelligent Assessment > Context
- AWS > Glue > Security Configuration > Intelligent Assessment > User Prompt
- AWS > Glue > Table > Intelligent Assessment
- AWS > Glue > Table > Intelligent Assessment > Context
- AWS > Glue > Table > Intelligent Assessment > User Prompt
- AWS > Glue > Trigger > Intelligent Assessment
- AWS > Glue > Trigger > Intelligent Assessment > Context
- AWS > Glue > Trigger > Intelligent Assessment > User Prompt
- AWS > Glue > Workflow > Intelligent Assessment
- AWS > Glue > Workflow > Intelligent Assessment > Context
- AWS > Glue > Workflow > Intelligent Assessment > User Prompt
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > CloudTrail > Shadow Trail > Intelligent Assessment
- AWS > CloudTrail > Trail > Intelligent Assessment
Policy Types
- AWS > CloudTrail > Shadow Trail > Intelligent Assessment
- AWS > CloudTrail > Shadow Trail > Intelligent Assessment > Context
- AWS > CloudTrail > Shadow Trail > Intelligent Assessment > User Prompt
- AWS > CloudTrail > Trail > Intelligent Assessment
- AWS > CloudTrail > Trail > Intelligent Assessment > Context
- AWS > CloudTrail > Trail > Intelligent Assessment > User Prompt
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
All Tailpipe plugins have been updated to use tailpipe-plugin-sdk v0.9.1, which includes:
- Added support for the
--toflag forcollect, allowing collection of standalone time ranges. - Improved how plugins track what data has already been collected, especially across multiple time periods.
What's new?
- Added
NIST Cybersecurity Framework (CSF) v2.0benchmark (powerpipe benchmark run gcp_compliance.benchmark.nist_csf_v2). (#200)
Bug fixes
- Renamed the
NIST CSF v2.0benchmark toNIST Cybersecurity Framework (CSF) v2.0.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- GCP > Dataproc > Cluster > Intelligent Assessment
- GCP > Dataproc > Job > Intelligent Assessment
- GCP > Dataproc > Workflow Template > Intelligent Assessment
Policy Types
- GCP > Dataproc > Cluster > Intelligent Assessment
- GCP > Dataproc > Cluster > Intelligent Assessment > Context
- GCP > Dataproc > Cluster > Intelligent Assessment > User Prompt
- GCP > Dataproc > Job > Intelligent Assessment
- GCP > Dataproc > Job > Intelligent Assessment > Context
- GCP > Dataproc > Job > Intelligent Assessment > User Prompt
- GCP > Dataproc > Workflow Template > Intelligent Assessment
- GCP > Dataproc > Workflow Template > Intelligent Assessment > Context
- GCP > Dataproc > Workflow Template > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > Management Group > Intelligent Assessment
- Azure > Resource Group > Intelligent Assessment
- Azure > Subscription > Intelligent Assessment
- Azure > Tenant > Intelligent Assessment
Policy Types
- Azure > Management Group > Intelligent Assessment
- Azure > Management Group > Intelligent Assessment > Context
- Azure > Management Group > Intelligent Assessment > User Prompt
- Azure > Resource Group > Intelligent Assessment
- Azure > Resource Group > Intelligent Assessment > Context
- Azure > Resource Group > Intelligent Assessment > User Prompt
- Azure > Subscription > Intelligent Assessment
- Azure > Subscription > Intelligent Assessment > Context
- Azure > Subscription > Intelligent Assessment > User Prompt
- Azure > Tenant > Intelligent Assessment
- Azure > Tenant > Intelligent Assessment > Context
- Azure > Tenant > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > Account > Intelligent Assessment
- AWS > Organization > Intelligent Assessment
- AWS > Organization Root > Intelligent Assessment
- AWS > Organizational Unit > Intelligent Assessment
Policy Types
- AWS > Account > Intelligent Assessment
- AWS > Account > Intelligent Assessment > Context
- AWS > Account > Intelligent Assessment > User Prompt
- AWS > Organization > Intelligent Assessment
- AWS > Organization > Intelligent Assessment > Context
- AWS > Organization > Intelligent Assessment > User Prompt
- AWS > Organization Root > Intelligent Assessment
- AWS > Organization Root > Intelligent Assessment > Context
- AWS > Organization Root > Intelligent Assessment > User Prompt
- AWS > Organizational Unit > Intelligent Assessment
- AWS > Organizational Unit > Intelligent Assessment > Context
- AWS > Organizational Unit > Intelligent Assessment > User Prompt
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrol.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > API Gateway > API > Intelligent Assessment
- AWS > API Gateway > API Key > Intelligent Assessment
- AWS > API Gateway > API V2 > Intelligent Assessment
- AWS > API Gateway > Account > Intelligent Assessment
- AWS > API Gateway > Authorizer > Intelligent Assessment
- AWS > API Gateway > Authorizer V2 > Intelligent Assessment
- AWS > API Gateway > Domain Name V2 > Intelligent Assessment
- AWS > API Gateway > Integration V2 > Intelligent Assessment
- AWS > API Gateway > Resource > Intelligent Assessment
- AWS > API Gateway > Stage > Intelligent Assessment
- AWS > API Gateway > Stage v2 > Intelligent Assessment
- AWS > API Gateway > Usage Plan > Intelligent Assessment
Policy Types
- AWS > API Gateway > API > Intelligent Assessment
- AWS > API Gateway > API > Intelligent Assessment > Context
- AWS > API Gateway > API > Intelligent Assessment > User Prompt
- AWS > API Gateway > API Key > Intelligent Assessment
- AWS > API Gateway > API Key > Intelligent Assessment > Context
- AWS > API Gateway > API Key > Intelligent Assessment > User Prompt
- AWS > API Gateway > API V2 > Intelligent Assessment
- AWS > API Gateway > API V2 > Intelligent Assessment > Context
- AWS > API Gateway > API V2 > Intelligent Assessment > User Prompt
- AWS > API Gateway > Account > Intelligent Assessment
- AWS > API Gateway > Account > Intelligent Assessment > Context
- AWS > API Gateway > Account > Intelligent Assessment > User Prompt
- AWS > API Gateway > Authorizer > Intelligent Assessment
- AWS > API Gateway > Authorizer > Intelligent Assessment > Context
- AWS > API Gateway > Authorizer > Intelligent Assessment > User Prompt
- AWS > API Gateway > Authorizer V2 > Intelligent Assessment
- AWS > API Gateway > Authorizer V2 > Intelligent Assessment > Context
- AWS > API Gateway > Authorizer V2 > Intelligent Assessment > User Prompt
- AWS > API Gateway > Domain Name V2 > Intelligent Assessment
- AWS > API Gateway > Domain Name V2 > Intelligent Assessment > Context
- AWS > API Gateway > Domain Name V2 > Intelligent Assessment > User Prompt
- AWS > API Gateway > Integration V2 > Intelligent Assessment
- AWS > API Gateway > Integration V2 > Intelligent Assessment > Context
- AWS > API Gateway > Integration V2 > Intelligent Assessment > User Prompt
- AWS > API Gateway > Resource > Intelligent Assessment
- AWS > API Gateway > Resource > Intelligent Assessment > Context
- AWS > API Gateway > Resource > Intelligent Assessment > User Prompt
- AWS > API Gateway > Stage > Intelligent Assessment
- AWS > API Gateway > Stage > Intelligent Assessment > Context
- AWS > API Gateway > Stage > Intelligent Assessment > User Prompt
- AWS > API Gateway > Stage v2 > Intelligent Assessment
- AWS > API Gateway > Stage v2 > Intelligent Assessment > Context
- AWS > API Gateway > Stage v2 > Intelligent Assessment > User Prompt
- AWS > API Gateway > Usage Plan > Intelligent Assessment
- AWS > API Gateway > Usage Plan > Intelligent Assessment > Context
- AWS > API Gateway > Usage Plan > Intelligent Assessment > User Prompt
What's new?
- Added IAM Policy Public Access benchmark (
powerpipe benchmark run gcp_perimeter.benchmark.iam_policy_public_access) - Added IAM Policy Shared Access benchmark (
powerpipe benchmark run gcp_perimeter.benchmark.iam_policy_shared_access) - Added Network Access benchmark (
powerpipe benchmark run gcp_perimeter.benchmark.network_access)
What's new?
- Added CIS v1.2.0 benchmark (powerpipe benchmark run googleworkspace_compliance.benchmark.cis_v120).(#2)
v0.15.1 of the Terraform Provider for Pipes is now available.
Bug Fixes
- Resource
pipes_tenant_connection: Attributeconfigshould store data from the response object. - Resource
pipes_organization_connection: Attributeconfigshould store data from the response object. - Resource
pipes_workspace_connection: Attributeconfigshould store data from the response object.
What's new?
- Workspace Manager can now access log buckets encrypted with customer-managed KMS keys, improving support for secure logging setups.
- The initial setup for PgBouncer support is now available. When enabled, the stack automatically creates the networking and discovery components—like Security Groups and CloudMap—needed for PgBouncer to work.
What's new?
- PgBouncer support is now available.
- Support for Valkey has been introduced, offering a simpler and more cost-effective option than Redis.
PgBouncer
PgBouncer support has been introduced to improve database connection efficiency through lightweight connection pooling. This enhancement benefits high-throughput environments by reducing the overhead of frequent PostgreSQL connections.
Minimum version requirements:
- TE v5.52.0
- TEF v1.68.0
- TED v1.50.0
What's new?
Server
- Introduced a new GraphQL resolver that generates AI-driven remediation steps for controls.
UI
- Enhanced the UI to display AI-generated remediation steps within the control details view.
- Added a summary view to the UI for Policy Packs to provide a quick overview of key settings.
Note
Upgrade to 5.52.0 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- GCP > Storage > Bucket > Intelligent Assessment
- GCP > Storage > Object > Intelligent Assessment
Policy Types
- GCP > Storage > Bucket > Intelligent Assessment
- GCP > Storage > Bucket > Intelligent Assessment > Context
- GCP > Storage > Bucket > Intelligent Assessment > User Prompt
- GCP > Storage > Object > Intelligent Assessment
- GCP > Storage > Object > Intelligent Assessment > Context
- GCP > Storage > Object > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Bug fixes
- We have improved the internal handling of user prompts to ensure better and more consistent evaluations for the Intelligent Assessment control(s).
Control Types
- GCP > IAM > API Key > Intelligent Assessment
- GCP > IAM > Project Role > Intelligent Assessment
- GCP > IAM > Project User > Intelligent Assessment
- GCP > IAM > Service Account > Intelligent Assessment
- GCP > IAM > Service Account Key > Intelligent Assessment
- GCP > Project > Policy > Intelligent Assessment
Policy Types
- GCP > IAM > API Key > Intelligent Assessment
- GCP > IAM > API Key > Intelligent Assessment > Context
- GCP > IAM > API Key > Intelligent Assessment > User Prompt
- GCP > IAM > Project Role > Intelligent Assessment
- GCP > IAM > Project Role > Intelligent Assessment > Context
- GCP > IAM > Project Role > Intelligent Assessment > User Prompt
- GCP > IAM > Project User > Intelligent Assessment
- GCP > IAM > Project User > Intelligent Assessment > Context
- GCP > IAM > Project User > Intelligent Assessment > User Prompt
- GCP > IAM > Service Account > Intelligent Assessment
- GCP > IAM > Service Account > Intelligent Assessment > Context
- GCP > IAM > Service Account > Intelligent Assessment > User Prompt
- GCP > IAM > Service Account Key > Intelligent Assessment
- GCP > IAM > Service Account Key > Intelligent Assessment > Context
- GCP > IAM > Service Account Key > Intelligent Assessment > User Prompt
- GCP > Project > Policy > Intelligent Assessment
- GCP > Project > Policy > Intelligent Assessment > Context
- GCP > Project > Policy > Intelligent Assessment > User Prompt
Bug fixes
- We have improved the internal handling of user prompts to ensure better and more consistent evaluations for the Intelligent Assessment controls.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- GCP > Compute Engine > Disk > Intelligent Assessment
- GCP > Compute Engine > HTTP Health Check > Intelligent Assessment
- GCP > Compute Engine > HTTPS Health Check > Intelligent Assessment
- GCP > Compute Engine > Health Check > Intelligent Assessment
- GCP > Compute Engine > Image > Intelligent Assessment
- GCP > Compute Engine > Instance > Intelligent Assessment
- GCP > Compute Engine > Instance Template > Intelligent Assessment
- GCP > Compute Engine > Node Group > Intelligent Assessment
- GCP > Compute Engine > Node template > Intelligent Assessment
- GCP > Compute Engine > Project > Intelligent Assessment
- GCP > Compute Engine > Region Disk > Intelligent Assessment
- GCP > Compute Engine > Region Health Check > Intelligent Assessment
- GCP > Compute Engine > Snapshot > Intelligent Assessment
Policy Types
- GCP > Compute Engine > Disk > Intelligent Assessment
- GCP > Compute Engine > Disk > Intelligent Assessment > Context
- GCP > Compute Engine > Disk > Intelligent Assessment > User Prompt
- GCP > Compute Engine > HTTP Health Check > Intelligent Assessment
- GCP > Compute Engine > HTTP Health Check > Intelligent Assessment > Context
- GCP > Compute Engine > HTTP Health Check > Intelligent Assessment > User Prompt
- GCP > Compute Engine > HTTPS Health Check > Intelligent Assessment
- GCP > Compute Engine > HTTPS Health Check > Intelligent Assessment > Context
- GCP > Compute Engine > HTTPS Health Check > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Health Check > Intelligent Assessment
- GCP > Compute Engine > Health Check > Intelligent Assessment > Context
- GCP > Compute Engine > Health Check > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Image > Intelligent Assessment
- GCP > Compute Engine > Image > Intelligent Assessment > Context
- GCP > Compute Engine > Image > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Instance > Intelligent Assessment
- GCP > Compute Engine > Instance > Intelligent Assessment > Context
- GCP > Compute Engine > Instance > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Instance Template > Intelligent Assessment
- GCP > Compute Engine > Instance Template > Intelligent Assessment > Context
- GCP > Compute Engine > Instance Template > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Node Group > Intelligent Assessment
- GCP > Compute Engine > Node Group > Intelligent Assessment > Context
- GCP > Compute Engine > Node Group > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Node template > Intelligent Assessment
- GCP > Compute Engine > Node template > Intelligent Assessment > Context
- GCP > Compute Engine > Node template > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Project > Intelligent Assessment
- GCP > Compute Engine > Project > Intelligent Assessment > Context
- GCP > Compute Engine > Project > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Region Disk > Intelligent Assessment
- GCP > Compute Engine > Region Disk > Intelligent Assessment > Context
- GCP > Compute Engine > Region Disk > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Region Health Check > Intelligent Assessment
- GCP > Compute Engine > Region Health Check > Intelligent Assessment > Context
- GCP > Compute Engine > Region Health Check > Intelligent Assessment > User Prompt
- GCP > Compute Engine > Snapshot > Intelligent Assessment
- GCP > Compute Engine > Snapshot > Intelligent Assessment > Context
- GCP > Compute Engine > Snapshot > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > Storage > Access Key > Intelligent Assessment
- Azure > Storage > Container > Intelligent Assessment
- Azure > Storage > FileShare > Intelligent Assessment
- Azure > Storage > Queue > Intelligent Assessment
- Azure > Storage > Storage Account > Intelligent Assessment
Policy Types
- Azure > Storage > Access Key > Intelligent Assessment
- Azure > Storage > Access Key > Intelligent Assessment > Context
- Azure > Storage > Access Key > Intelligent Assessment > User Prompt
- Azure > Storage > Container > Intelligent Assessment
- Azure > Storage > Container > Intelligent Assessment > Context
- Azure > Storage > Container > Intelligent Assessment > User Prompt
- Azure > Storage > FileShare > Intelligent Assessment
- Azure > Storage > FileShare > Intelligent Assessment > Context
- Azure > Storage > FileShare > Intelligent Assessment > User Prompt
- Azure > Storage > Queue > Intelligent Assessment
- Azure > Storage > Queue > Intelligent Assessment > Context
- Azure > Storage > Queue > Intelligent Assessment > User Prompt
- Azure > Storage > Storage Account > Intelligent Assessment
- Azure > Storage > Storage Account > Intelligent Assessment > Context
- Azure > Storage > Storage Account > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > IAM > Role Assignment > Intelligent Assessment
- Azure > IAM > Role Definition > Intelligent Assessment
Policy Types
- Azure > IAM > Role Assignment > Intelligent Assessment
- Azure > IAM > Role Assignment > Intelligent Assessment > Context
- Azure > IAM > Role Assignment > Intelligent Assessment > User Prompt
- Azure > IAM > Role Definition > Intelligent Assessment
- Azure > IAM > Role Definition > Intelligent Assessment > Context
- Azure > IAM > Role Definition > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- Azure > Compute > Availability Set > Intelligent Assessment
- Azure > Compute > Disk > Intelligent Assessment
- Azure > Compute > Disk Encryption Set > Intelligent Assessment
- Azure > Compute > Image > Intelligent Assessment
- Azure > Compute > Snapshot > Intelligent Assessment
- Azure > Compute > Ssh Public Key > Intelligent Assessment
- Azure > Compute > Virtual Machine > Intelligent Assessment
- Azure > Compute > Virtual Machine Scale Set > Intelligent Assessment
Policy Types
- Azure > Compute > Availability Set > Intelligent Assessment
- Azure > Compute > Availability Set > Intelligent Assessment > Context
- Azure > Compute > Availability Set > Intelligent Assessment > User Prompt
- Azure > Compute > Disk > Intelligent Assessment
- Azure > Compute > Disk > Intelligent Assessment > Context
- Azure > Compute > Disk > Intelligent Assessment > User Prompt
- Azure > Compute > Disk Encryption Set > Intelligent Assessment
- Azure > Compute > Disk Encryption Set > Intelligent Assessment > Context
- Azure > Compute > Disk Encryption Set > Intelligent Assessment > User Prompt
- Azure > Compute > Image > Intelligent Assessment
- Azure > Compute > Image > Intelligent Assessment > Context
- Azure > Compute > Image > Intelligent Assessment > User Prompt
- Azure > Compute > Snapshot > Intelligent Assessment
- Azure > Compute > Snapshot > Intelligent Assessment > Context
- Azure > Compute > Snapshot > Intelligent Assessment > User Prompt
- Azure > Compute > Ssh Public Key > Intelligent Assessment
- Azure > Compute > Ssh Public Key > Intelligent Assessment > Context
- Azure > Compute > Ssh Public Key > Intelligent Assessment > User Prompt
- Azure > Compute > Virtual Machine > Intelligent Assessment
- Azure > Compute > Virtual Machine > Intelligent Assessment > Context
- Azure > Compute > Virtual Machine > Intelligent Assessment > User Prompt
- Azure > Compute > Virtual Machine Scale Set > Intelligent Assessment
- Azure > Compute > Virtual Machine Scale Set > Intelligent Assessment > Context
- Azure > Compute > Virtual Machine Scale Set > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > VPC > Flow Log > Intelligent Assessment
- AWS > VPC > Network ACL > Intelligent Assessment
- AWS > VPC > Security Group > Intelligent Assessment
- AWS > VPC > Security Group Rule > Intelligent Assessment
Policy Types
- AWS > VPC > Flow Log > Intelligent Assessment
- AWS > VPC > Flow Log > Intelligent Assessment > Context
- AWS > VPC > Flow Log > Intelligent Assessment > User Prompt
- AWS > VPC > Network ACL > Intelligent Assessment
- AWS > VPC > Network ACL > Intelligent Assessment > Context
- AWS > VPC > Network ACL > Intelligent Assessment > User Prompt
- AWS > VPC > Security Group > Intelligent Assessment
- AWS > VPC > Security Group > Intelligent Assessment > Context
- AWS > VPC > Security Group > Intelligent Assessment > User Prompt
- AWS > VPC > Security Group Rule > Intelligent Assessment
- AWS > VPC > Security Group Rule > Intelligent Assessment > Context
- AWS > VPC > Security Group Rule > Intelligent Assessment > User Prompt
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment
- AWS > VPC > Elastic IP > Intelligent Assessment
- AWS > VPC > Endpoint > Intelligent Assessment
- AWS > VPC > Endpoint Service > Intelligent Assessment
- AWS > VPC > Internet Gateway > Intelligent Assessment
- AWS > VPC > NAT Gateway > Intelligent Assessment
Policy Types
- AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment
- AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment > Context
- AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment > User Prompt
- AWS > VPC > Elastic IP > Intelligent Assessment
- AWS > VPC > Elastic IP > Intelligent Assessment > Context
- AWS > VPC > Elastic IP > Intelligent Assessment > User Prompt
- AWS > VPC > Endpoint > Intelligent Assessment
- AWS > VPC > Endpoint > Intelligent Assessment > Context
- AWS > VPC > Endpoint > Intelligent Assessment > User Prompt
- AWS > VPC > Endpoint Service > Intelligent Assessment
- AWS > VPC > Endpoint Service > Intelligent Assessment > Context
- AWS > VPC > Endpoint Service > Intelligent Assessment > User Prompt
- AWS > VPC > Internet Gateway > Intelligent Assessment
- AWS > VPC > Internet Gateway > Intelligent Assessment > Context
- AWS > VPC > Internet Gateway > Intelligent Assessment > User Prompt
- AWS > VPC > NAT Gateway > Intelligent Assessment
- AWS > VPC > NAT Gateway > Intelligent Assessment > Context
- AWS > VPC > NAT Gateway > Intelligent Assessment > User Prompt
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies. - Users can now create and manage tags for VPC transit gateway attachments. To get started, set the
AWS > VPC > Transit Gateway Attachment > Tags > *policies.
Control Types
- AWS > VPC > Customer Gateway > Intelligent Assessment
- AWS > VPC > Peering Connection > Intelligent Assessment
- AWS > VPC > Transit Gateway > Intelligent Assessment
- AWS > VPC > Transit Gateway Attachment > Intelligent Assessment
- AWS > VPC > Transit Gateway Attachment > Intelligent Assessment
- AWS > VPC > Transit Gateway Attachment > Tags
- AWS > VPC > Transit Gateway Route Table > Intelligent Assessment
- AWS > VPC > VPN Connection > Intelligent Assessment
- AWS > VPC > VPN Gateway > Intelligent Assessment
Policy Types
- AWS > VPC > Customer Gateway > Intelligent Assessment
- AWS > VPC > Customer Gateway > Intelligent Assessment > Context
- AWS > VPC > Customer Gateway > Intelligent Assessment > User Prompt
- AWS > VPC > Peering Connection > Intelligent Assessment
- AWS > VPC > Peering Connection > Intelligent Assessment > Context
- AWS > VPC > Peering Connection > Intelligent Assessment > User Prompt
- AWS > VPC > Transit Gateway > Intelligent Assessment
- AWS > VPC > Transit Gateway > Intelligent Assessment > Context
- AWS > VPC > Transit Gateway > Intelligent Assessment > User Prompt
- AWS > VPC > Transit Gateway Attachment > Intelligent Assessment
- AWS > VPC > Transit Gateway Attachment > Intelligent Assessment > Context
- AWS > VPC > Transit Gateway Attachment > Intelligent Assessment > User Prompt
- AWS > VPC > Transit Gateway Attachment > Tags
- AWS > VPC > Transit Gateway Attachment > Tags > Template
- AWS > VPC > Transit Gateway Route Table > Intelligent Assessment
- AWS > VPC > Transit Gateway Route Table > Intelligent Assessment > Context
- AWS > VPC > Transit Gateway Route Table > Intelligent Assessment > User Prompt
- AWS > VPC > VPN Connection > Intelligent Assessment
- AWS > VPC > VPN Connection > Intelligent Assessment > Context
- AWS > VPC > VPN Connection > Intelligent Assessment > User Prompt
- AWS > VPC > VPN Gateway > Intelligent Assessment
- AWS > VPC > VPN Gateway > Intelligent Assessment > Context
- AWS > VPC > VPN Gateway > Intelligent Assessment > User Prompt
Action Types
- AWS > VPC > Transit Gateway Attachment > Set Tags
- AWS > VPC > Transit Gateway Attachment > Skip alarm for Tags control
- AWS > VPC > Transit Gateway Attachment > Skip alarm for Tags control [90 days]
- AWS > VPC > Transit Gateway Attachment > Update Tags
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrol.
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
Bug fixes
- Improved the internal handling of user prompts and updated GraphQL dependencies for the
Intelligent Assessmentcontrols.
What's new?
- You can now use the
Intelligent Assessmentcontrols, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set theIntelligent Assessment > *policies.
Control Types
- AWS > EC2 > AMI > Intelligent Assessment
- AWS > EC2 > Account Attributes > Intelligent Assessment
- AWS > EC2 > Application Load Balancer > Intelligent Assessment
- AWS > EC2 > Auto Scaling Group > Intelligent Assessment
- AWS > EC2 > Classic Load Balancer > Intelligent Assessment
- AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment
- AWS > EC2 > Gateway Load Balancer > Intelligent Assessment
- AWS > EC2 > Instance > Intelligent Assessment
- AWS > EC2 > Key Pair > Intelligent Assessment
- AWS > EC2 > Launch Configuration > Intelligent Assessment
- AWS > EC2 > Launch Template > Intelligent Assessment
- AWS > EC2 > Launch Template Version > Intelligent Assessment
- AWS > EC2 > Listener Rule > Intelligent Assessment
- AWS > EC2 > Load Balancer Listener > Intelligent Assessment
- AWS > EC2 > Network Interface > Intelligent Assessment
- AWS > EC2 > Network Load Balancer > Intelligent Assessment
- AWS > EC2 > Snapshot > Intelligent Assessment
- AWS > EC2 > Target Group > Intelligent Assessment
- AWS > EC2 > Volume > Intelligent Assessment
Policy Types
- AWS > EC2 > AMI > Intelligent Assessment
- AWS > EC2 > AMI > Intelligent Assessment > Context
- AWS > EC2 > AMI > Intelligent Assessment > User Prompt
- AWS > EC2 > Account Attributes > Intelligent Assessment
- AWS > EC2 > Account Attributes > Intelligent Assessment > Context
- AWS > EC2 > Account Attributes > Intelligent Assessment > User Prompt
- AWS > EC2 > Application Load Balancer > Intelligent Assessment
- AWS > EC2 > Application Load Balancer > Intelligent Assessment > Context
- AWS > EC2 > Application Load Balancer > Intelligent Assessment > User Prompt
- AWS > EC2 > Auto Scaling Group > Intelligent Assessment
- AWS > EC2 > Auto Scaling Group > Intelligent Assessment > Context
- AWS > EC2 > Auto Scaling Group > Intelligent Assessment > User Prompt
- AWS > EC2 > Classic Load Balancer > Intelligent Assessment
- AWS > EC2 > Classic Load Balancer > Intelligent Assessment > Context
- AWS > EC2 > Classic Load Balancer > Intelligent Assessment > User Prompt
- AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment
- AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment > Context
- AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment > User Prompt
- AWS > EC2 > Gateway Load Balancer > Intelligent Assessment
- AWS > EC2 > Gateway Load Balancer > Intelligent Assessment > Context
- AWS > EC2 > Gateway Load Balancer > Intelligent Assessment > User Prompt
- AWS > EC2 > Instance > Intelligent Assessment
- AWS > EC2 > Instance > Intelligent Assessment > Context
- AWS > EC2 > Instance > Intelligent Assessment > User Prompt
- AWS > EC2 > Key Pair > Intelligent Assessment
- AWS > EC2 > Key Pair > Intelligent Assessment > Context
- AWS > EC2 > Key Pair > Intelligent Assessment > User Prompt
- AWS > EC2 > Launch Configuration > Intelligent Assessment
- AWS > EC2 > Launch Configuration > Intelligent Assessment > Context
- AWS > EC2 > Launch Configuration > Intelligent Assessment > User Prompt
- AWS > EC2 > Launch Template > Intelligent Assessment
- AWS > EC2 > Launch Template > Intelligent Assessment > Context
- AWS > EC2 > Launch Template > Intelligent Assessment > User Prompt
- AWS > EC2 > Launch Template Version > Intelligent Assessment
- AWS > EC2 > Launch Template Version > Intelligent Assessment > Context
- AWS > EC2 > Launch Template Version > Intelligent Assessment > User Prompt
- AWS > EC2 > Listener Rule > Intelligent Assessment
- AWS > EC2 > Listener Rule > Intelligent Assessment > Context
- AWS > EC2 > Listener Rule > Intelligent Assessment > User Prompt
- AWS > EC2 > Load Balancer Listener > Intelligent Assessment
- AWS > EC2 > Load Balancer Listener > Intelligent Assessment > Context
- AWS > EC2 > Load Balancer Listener > Intelligent Assessment > User Prompt
- AWS > EC2 > Network Interface > Intelligent Assessment
- AWS > EC2 > Network Interface > Intelligent Assessment > Context
- AWS > EC2 > Network Interface > Intelligent Assessment > User Prompt
- AWS > EC2 > Network Load Balancer > Intelligent Assessment
- AWS > EC2 > Network Load Balancer > Intelligent Assessment > Context
- AWS > EC2 > Network Load Balancer > Intelligent Assessment > User Prompt
- AWS > EC2 > Snapshot > Intelligent Assessment
- AWS > EC2 > Snapshot > Intelligent Assessment > Context
- AWS > EC2 > Snapshot > Intelligent Assessment > User Prompt
- AWS > EC2 > Target Group > Intelligent Assessment
- AWS > EC2 > Target Group > Intelligent Assessment > Context
- AWS > EC2 > Target Group > Intelligent Assessment > User Prompt
- AWS > EC2 > Volume > Intelligent Assessment
- AWS > EC2 > Volume > Intelligent Assessment > Context
- AWS > EC2 > Volume > Intelligent Assessment > User Prompt
What's new?
- Improved system prompts for Intelligent Assessment, Intelligent Fixes and Policy Pack Summary.
Requirements
- TE: 5.35.4
What's new?
- New dashboards added: (#129)
- Azure App Service Web App Inventory Report
- Azure Compute Disk Inventory Report
- Azure Compute Virtual Machine Inventory Report
- Azure Cosmos DB Account Inventory Report
- Azure Key Vault Inventory Report
- Azure Kubernetes Cluster Inventory Report
- Azure Network Security Group Inventory Report
- Azure Network Virtual Network Inventory Report
- Azure SQL Database Inventory Report
- Azure SQL Server Inventory Report
- Azure Storage Account Inventory Report
Bug fixes
- Fixed an issue where SAML directory certificate updates applied via Terraform appeared successful but did not persist in the backend. These updates are now correctly processed and retained.
- Resolved an issue where the log message for policySetting resources was unclear when attempting to create policy settings for non-existent or uninstalled policy types. The log output is now more informative and precise.
What's new?
- Improved
Turbot > AI > Control > Intelligent Assessment > System Promptpolicy for better responses from the AI provider. - Updated the default value for
Turbot > AI > Configuration > Max Tokens [Default]policy to 1000.
Requirements
- TE: 5.35.4
What's new?
- AI-generated Policy Pack summaries are now available. To get started, set the
Turbot > AI > Policy Pack > *policies.
Control Types
- Turbot > Policy Pack > Summary
Requirements
- TE: 5.35.4
What's new?
The following 15 mods now have the
Intelligent Assessmentcontrol(s), which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts.aws-backup
v5.13.0aws-cloudwatch
v5.11.0aws-directconnect
v5.6.0aws-dynamodb
v5.15.0aws-events
v5.15.0aws-kms
v5.20.0aws-lambda
v5.15.0aws-route53
v6.8.0aws-s3
v5.32.0aws-sns
v5.18.0aws-sqs
v5.18.0aws-vpc-core
v5.22.0gcp-bigquery
v5.9.0gcp-bigquerydatatransfer
v5.2.0gcp-functions
v5.10.0
Version bump to align with deployment requirements.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new
- Added
tp_indexproperty to partition HCL. Use this to specify the source column for thetp_index. (#414) - Updated collection to apply the configured
tp_index, ordefaultif notp_indexis specified in the config. - Added
--reindexarg tocompact. When set, compact will reindex the partition using configuredtp_indexvalue. (#413)- Removed the partition argument from compact and replaced it with a positional argument.
- Updated
compactcleanup to delete empty folders.
collectnow always validates required columns are present. (Previously this was only done for custom tables.) (#411)
What's new?
- Added Network Access benchmark (
powerpipe benchmark run azure_perimeter.benchmark.network_access) - Added Public Access benchmark (
powerpipe benchmark run azure_perimeter.benchmark.public_access)
What's new?
- New dashboards added: (#363)
- EC2 Instance Inventory Report
- Lambda Function Inventory Report
- EBS Snapshot Inventory Report
- EBS Volume Inventory Report
- S3 Bucket Inventory Report
- RDS DB Instance Inventory Report
- RDS DB Cluster Inventory Report
- CloudTrail Trail Inventory Report
- IAM User Inventory Report
- KMS Key Inventory Report
- VPC Inventory Report
What's new?
- Added support for five optional EC2 Launch Template tags (LaunchTemplateTag1–LaunchTemplateTag5) via SSM parameters. These tags are automatically applied to EC2 instances, EBS volumes, and network interfaces for improved resource classification and automation.
- Introduced the
AmiKmsKeyArnparameter to allow specifying a custom AWS KMS Key ARN for encrypting EBS volumes attached to EC2 instances. This enables support for custom encrypted AMIs. - Added a new
EC2InstanceCustomUserDataparameter that appends additional UserData from SSM. This allows for dynamic EC2 initialization without needing changes to the CloudFormation template.
Version bump to align with deployment requirements.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- You can now configure your preferred provider to use AI capabilities in your workspace.
Policy Types
- Turbot > AI
- Turbot > AI > Configuration
- Turbot > AI > Configuration > API Key [Default]
- Turbot > AI > Configuration > Enabled [Default]
- Turbot > AI > Configuration > Max Tokens [Default]
- Turbot > AI > Configuration > Model [Default]
- Turbot > AI > Configuration > Provider [Default]
- Turbot > AI > Configuration > Temperature [Default]
- Turbot > AI > Control
- Turbot > AI > Control > Intelligent Assessment
- Turbot > AI > Control > Intelligent Assessment > Enabled
- Turbot > AI > Control > Intelligent Assessment > System Prompt
- Turbot > AI > Control > Intelligent Fixes
- Turbot > AI > Control > Intelligent Fixes > Enabled
- Turbot > AI > Control > Intelligent Fixes > System Prompt
- Turbot > AI > Policy Pack
- Turbot > AI > Policy Pack > Summary
- Turbot > AI > Policy Pack > Summary > Enabled
- Turbot > AI > Policy Pack > Summary > System Prompt
Control Categories
- Resource > Allowed
- Resource > Intelligent Assessment
Requirements
- TE: 5.35.4
Enhancements
- Optimized the
aws_s3_buckettable to reduce query time by improving how bucket regions are handled. (#2519)
Bug fixes
- Fixed the
policycolumn ofaws_iam_policytable to correctly return data instead of an error when the policy document contains trailing tab characters. (#2529)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.12.0, which introduces support for the
UnmarshalJSONtransform function, ensuring robust handling of IAM policy JSON columns. (#2529)
What's new?
- New tables added
What's new?
- New tables added
What's new?
- You can now configure shared key access for storage accounts. To get started, set the
Azure > Storage > Storage Account > Shared Key Accesspolicy.
Control Types
- Azure > Storage > Storage Account > Shared Key Access
Policy Types
- Azure > Storage > Storage Account > Shared Key Access
Action Types
- Azure > Storage > Storage Account > Set Shared Key Access
Bug fixes
- The
AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucketcontrol previously failed to evaluate correctly when there were more than oneFieldSelectorspresent underAdvancedEventSelectors. This issue is now fixed. - The
AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucketcontrol has been enhanced to evaluate bothEventSelectorsandAdvancedEventSelectorswhen determining whether object-level logging is enabled. Previously, the control evaluated onlyEventSelectors, which could result in false alarms when logging was configured usingAdvancedEventSelectors.
Bug fixes
- The
AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucketcontrol previously failed to evaluate correctly when there were more than oneFieldSelectorspresent underAdvancedEventSelectors. This issue is now fixed. - The
AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucketcontrol has been enhanced to evaluate bothEventSelectorsandAdvancedEventSelectorswhen determining whether object-level logging is enabled. Previously, the control evaluated onlyEventSelectors, which could result in false alarms when logging was configured usingAdvancedEventSelectors.
Bug fixes
- The
AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)control previously failed to evaluate correctly when there were more than oneFieldSelectorspresent underAdvancedEventSelectors. This issue is now fixed. - The
AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)control has been enhanced to evaluate bothEventSelectorsandAdvancedEventSelectorswhen determining whether object-level logging is enabled. Previously, the control evaluated onlyEventSelectors, which could result in false alarms when logging was configured usingAdvancedEventSelectors.
What's new?
- Added support for Fine-grained personal access token via the
tokenconfig argument, with each table’s documentation updated to specify the required permissions. Refer to the plugin's Credentials section for additional information. (#497)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly. (#499)
Version bump to align with deployment requirements.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
AWS > KMS > Key > Policy Statements > Approvedcontrol will now be skipped for AWS-managed KMS keys.
Bug fixes
- The
AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucketcontrol has been enhanced to evaluate bothEventSelectorsandAdvancedEventSelectorswhen determining whether object-level logging is enabled. Previously, the control evaluated onlyEventSelectors, which could result in false alarms when logging was configured usingAdvancedEventSelectors.
Bug fixes
Server
- Fixed access issue in policy pack management.
UI
- Fixed an issue where importing a GCP Organization via the UI did not automatically create the required
Private Keysetting.
- Fixed an issue where importing a GCP Organization via the UI did not automatically create the required
Security Updates
Fixed access issue in policy pack management
In version 5.51.3, a security issue was introduced that mistakenly allowed users with any Turbot/* permissions — at the Turbot level, when using the API — to:
- Create or update policy associations within a policy pack
- Delete a policy pack if it was not attached to any resource
This has now been fixed, and the correct permission model has been restored — only users with Turbot/Admin permissions can perform these operations.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
AWS > CloudTrail > Trail > CMDBcontrol has been updated to correctly refresh theEventSelectorsandAdvancedEventSelectorsdetails when these settings are removed in AWS. This update ensures that the CMDB data accurately reflects the current state of the trail configuration.
Bug fixes
- The
AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucketcontrol has been enhanced to evaluate bothEventSelectorsandAdvancedEventSelectorswhen determining whether object-level logging is enabled. Previously, the control evaluated onlyEventSelectors, which could result in false alarms when logging was configured usingAdvancedEventSelectors.
Bug fixes
- The
AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated)control has been enhanced to evaluate bothEventSelectorsandAdvancedEventSelectorswhen determining whether object-level logging is enabled. Previously, the control evaluated onlyEventSelectors, which could result in false alarms when logging was configured usingAdvancedEventSelectors.
Bug fixes
- Fix
plugin manager is not runningerror when starting steampipe via a symlink. (#4573)
Breaking changes
- Increased the minimum required
glibcversion to2.34for the FDW, due to the upgrade of the Linux build environment from Ubuntu 20.04 to Ubuntu 22.04 GitHub runners. As a result, Steampipe no longer supports older Linux distributions such as Ubuntu 20.04 and Amazon Linux 2.
Bug fixes
- Fix issue where the FDW did not correctly provide planning cost information for key-columns with an
any-ofrequirement. This led the Postgres planner to choose query plans that do not include filters on those columns, even when filters were present in the query. (#558) - Fix issue where Steampipe was returning a 0 exit code even when a wrong sub-command was run. (#4563)
What's new?
- New tables added
Enhancements
- Optimized the
aws_ecr_image_scan_findingtable to reduce the query timing by removing thelistAwsEcrImageTagsparent hydrate and by adding theimage_tagas an optional qual. (#2492) - Added column
ephemeral_storagetoaws_lambda_functiontable. (#2505) - Added
connectionandconfig-dirflags to the plugin's Export tool.
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly, and ensures that errors during data streaming are now properly surfaced by the Export CLI.
Bug fixes
- Load Balancer listeners upserted in Guardrails along with their parent Load Balancers occasionally lacked
createTimestampandcreatedBymetadata. This omission caused theAWS > EC2 > Load Balancer Listener > Approvedcontrol to evaluate incorrectly. We have enhanced our real-time event handling to ensure metadata is accurately populated in such scenarios.
What's new?
- New tables added
- azuread_user_registration_details_report (#248) (Thanks @MarkusGnigler for the contribution!)
Bug fixes
- Fixed infinite loop issues in several tables by ensuring queries stop when no more rows are returned by the API. (#508) (Thanks @QiXingchuan for the contribution!)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.6 which improves how errors are handled during query execution. (#523)
What's new?
- Server
- Added support for custom webhook URLs in notifications, allowing integration with any third-party systems beyond Slack and Microsoft Teams.
- ECS tasks now include no-new-privileges for enhanced security posture.
Bug fixes
- Server
- Email notifications now list recipients in the To field instead of BCC for improved clarity.
- Resolved an issue where resource-level policy settings could fail when a large number of policy packs were attached.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Policy Types:
- Turbot > Notifications > Webhook
- Turbot > Notifications > Webhook > Authorization Header
- Turbot > Notifications > Webhook > Action Template
- Turbot > Notifications > Webhook > Action Template > Body
- Turbot > Notifications > Webhook > Control Template
- Turbot > Notifications > Webhook > Control Template > Body
Requirements
- TE: 5.35.4
Resource Types
- AWS > S3 Table
- AWS > S3 Table > Namespace
- AWS > S3 Table > Table
- AWS > S3 Table > Table Bucket
Control Types
- AWS > S3 Table > Namespace > Active
- AWS > S3 Table > Namespace > CMDB
- AWS > S3 Table > Namespace > Discovery
- AWS > S3 Table > Table > Active
- AWS > S3 Table > Table > CMDB
- AWS > S3 Table > Table > Discovery
- AWS > S3 Table > Table Bucket > Active
- AWS > S3 Table > Table Bucket > CMDB
- AWS > S3 Table > Table Bucket > Discovery
- AWS > S3 Table > Table Bucket > Policy
- AWS > S3 Table > Table Bucket > Policy > Trusted Access
Policy Types
- AWS > S3 Table > API Enabled
- AWS > S3 Table > Approved Regions [Default]
- AWS > S3 Table > Enabled
- AWS > S3 Table > Namespace > Active
- AWS > S3 Table > Namespace > Active > Age
- AWS > S3 Table > Namespace > Active > Last Modified
- AWS > S3 Table > Namespace > CMDB
- AWS > S3 Table > Namespace > Regions
- AWS > S3 Table > Permissions
- AWS > S3 Table > Permissions > Levels
- AWS > S3 Table > Permissions > Levels > Modifiers
- AWS > S3 Table > Permissions > Lockdown
- AWS > S3 Table > Permissions > Lockdown > API Boundary
- AWS > S3 Table > Regions
- AWS > S3 Table > Table > Active
- AWS > S3 Table > Table > Active > Age
- AWS > S3 Table > Table > Active > Last Modified
- AWS > S3 Table > Table > CMDB
- AWS > S3 Table > Table > Regions
- AWS > S3 Table > Table Bucket > Active
- AWS > S3 Table > Table Bucket > Active > Age
- AWS > S3 Table > Table Bucket > Active > Last Modified
- AWS > S3 Table > Table Bucket > CMDB
- AWS > S3 Table > Table Bucket > Policy
- AWS > S3 Table > Table Bucket > Policy > Trusted Access
- AWS > S3 Table > Table Bucket > Policy > Trusted Access > Accounts
- AWS > S3 Table > Table Bucket > Regions
- AWS > S3 Table > Trusted Accounts [Default]
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-s3table
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-s3table
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3table
Action Types
- AWS > S3 Table > Namespace > Delete
- AWS > S3 Table > Table > Delete
- AWS > S3 Table > Table Bucket > Delete
- AWS > S3 Table > Table Bucket > Set Policy Trusted Access
Bug fixes
- Fix issue where steampipe was returning 0 exit-code in batch mode even incase of API failures. (#4551)
Dependencies
- Update FDW to 1.12.7 to remediate high vulnerabilities.
What's new?
- New controls added: (#52)
network_application_gateway_with_autoscaling_disablednetwork_load_balancer_with_duplicate_rulesnetwork_load_balancer_with_missing_backendnetwork_load_balancer_with_nonexistent_backendnetwork_private_endpoint_unused
What's new?
- Added support for PostgreSQL 17, including the new hive parameter group.
Bug fixes
- The
AWS > SNS > Subscription > CMDBcontrol previously entered an error state for cross-account subscriptions upserted in Guardrails CMDB. These subscriptions will no longer be upserted into CMDB, preventing the control from entering an error state. - The
AWS > SNS > Subscription > CMDBcontrol did not automatically re-run when a subscription was in thePendingConfirmationstate. This issue has now been resolved.
What's new?
- New tables added
- jenkins_user (Thanks @codenio for the contribution!)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.6 which improves how errors are handled during query execution.
What's new?
- The
AWS > VPC > Flow Log > CMDBpolicy now also targets theAWS > VPC > VPC,AWS > VPC > Subnet, andAWS > EC2 > Network Interfaceresource types, enabling more granular policy setting options.
Enhancements
- Added rate-limiter tags to all tables which can be used to smooth request rates and limit the number of parallel requests to avoid hitting API rate limits. (#563)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.6 which improves how errors are handled during query execution. (#758)
Enhancements
- Added
external_user_stateandsign_in_activitycolumns toazuread_usertable. (#250) (Thanks @MarkusGnigler for the contribution!) - Added
disable_resilience_defaultscolumn toazuread_conditional_access_policytable. (#251) (Thanks @MarkusGnigler for the contribution!)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.6 which improves how errors are handled during query execution. (#249)
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
Bug fixes
- The
Azure > Compute > Virtual Machine > CMDBcontrol previously triggered theAzure > Compute > Disk > Discoverycontrol on the VM's resource group, resulting in unnecessary control re-runs within the workspace. We've now improved the VM's CMDB control to prevent such unnecessary re-runs.
What's new?
- New tables added: (Thanks @l-teles for the new plugin!)
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- Added CIS v4.0.0 benchmark (
powerpipe benchmark run gcp_compliance.benchmark.cis_v400). (#195)
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.6 which improves how errors are handled during query execution.
- Recompiled plugin with pipes-sdk-go v0.14.0. (#50)
What's new?
- New sources added:
Enhancements
- The
tp_indexcolumn for theaws_cost_and_usage_focus,aws_cost_and_usage_report, andaws_cost_optimization_recommendationtables is now always set to the valuedefaultinstead of an AWS account ID to improve query times. (#179)
Dependencies
- Bumped github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.17.73 to 1.17.75. (#171)
- Bumped github.com/aws/aws-sdk-go-v2/service/guardduty from 1.54.1 to 1.54.5. (#170)
- Bumped github.com/aws/aws-sdk-go-v2/service/s3 from 1.79.2 to 1.79.3. (#167)
- Bumped github.com/turbot/pipe-fittings/v2 from 2.3.4 to 2.4.1. (#176)
- Bumped golang.org/x/sync from 0.13.0 to 0.14.0. (#172)
v0.14.0 of the Pipes SDK Go is now available.
Enhancements
- Add
db1.mediumas a new supported workspace instance type. - Add
PersonalWorkspacesas a new tenant setting to block / allow creation of personal workspaces in a custom tenant.
Bug fixes
- Server
- Resolved a crash in policy setting expiration control.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Removed the duplicate column
source_regionfromaws_macie2_findingtable schema.
What's new?
- New tables added
- aws_batch_queue (#2486)
- aws_cloudwatch_event_rule (#2487)
- aws_codebuild_fleet (#2488)
- aws_cognito_user_group (#2485)
- aws_ec2_placement_group (#2491)
- aws_emr_studio (#2479)
- aws_macie2_finding (#2481)
- aws_organizations_delegated_administrator (#2477) (Thanks @FuadAbdullah for the contribution!)
- aws_organizations_delegated_services_for_account (#2477) (Thanks @FuadAbdullah for the contribution!)
- aws_s3tables_namespace (#2498)
- aws_s3tables_table_bucket (#2498)
- aws_s3tables_table (#2498)
- aws_ses_template (#2480)
Enhancements
- Added
period_startandperiod_endas optional qualifiers to allaws_cost_*tables to enable custom date range filtering and reduce API usage costs. (#2168) - Updated all
aws_*tables to use AWS Go SDK v2 instead of v1, enabling support for newer AWS regions likeap-southeast-5. (#2370)
Dependencies
- Recompiled plugin with AWS Go SDK v2.1.36.3. (#2495)
Deprecations
- Deprecated
search_start_timeandsearch_end_timecolumns in theaws_cost_usagetable. Please useperiod_startandperiod_endinstead. (#2168)
Bug Fixes
Switch between different workspace instance types to adjust your workspace configuration to better match your workload requirements. Whether you're optimizing for performance or cost, you can choose the instance type that best fits your needs.
For more information, check out the docs.
Persistent workspaces now support a new instance type: db1.medium. This instance type is ideal for larger workloads, including datatanks with multiple tables containing hundreds of partitions.
We've also improved the workspace creation experience. You can now view all available instance types more easily and set the DB volume size during creation, with clear limits outlined for each type.
For more information, check out the docs.
Custom tenant settings now allow owners to manage personal workspaces for users. This includes the ability to enable or disable the creation of personal workspaces.
For more information, check out the docs.
Enhancements to the user experience for creating an AWS integration through Pipes to make it quicker and simpler to import your accounts.
For more information, check out the docs.
Bug fixes
- Server
- Resolved an issue that was preventing users from creating new workspace.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
Enhancements
- Added
allowedToCreateTenantsfield underdefault_user_role_permissionscolumn ofazuread_authorization_policytable. (#243) (Thanks @MarkusGnigler for the contribution!)
Bug fixes
- Update
MinCorePluginVersionto v0.2.5. - Fix issue where the core plugin was incorrectly throttling the downloads if no temp size limit was specified. (#204)
Whats new?
- Return safe bigint values as int instead of string
- Include MCP server version in status resource
Bug fixes
- Server
- Fixed a permission issue affecting visibility of policy packs.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- You can now configure the
AWS > IAM > MFA Virtual > Activecontrol for virtual MFA devices based on their age. To get started, set theAWS > IAM > MFA Virtual > Active > Agepolicy. As part of this enhancement, a new value of45 dayshas been applied to all relevant Active policies.
Policy Types
- AWS > IAM > MFA Virtual > Active > Age
Action Types
- AWS > IAM > MFA Virtual > Delete
What's new
- Add support for memory and temp storage limits for CLI and plugins. (#396, #397)
memory_max_mbcontrols CLI memory usage and conversion worker count and memory allocation.plugin_memory_max_mbcontrols a per-plugin soft memory cap.temp_dir_max_mblimits size of temp data written to disk during a conversion.- conversion worker count is now based on memory limit, if set.
- JSONL to Parquet conversion is now executed in multiple passes, limiting the number of distinct partition keys per conversion.
- Detect and report when a plugin crashes. (#341)
- Update
show sourceoutput to include source properties. (#388)
Bug fixes
- Fix issue where tailpipe was mentioning steampipe in one of the error messages. (#389)
Bug fixes
- Fixed the
sagemaker_notebook_instance_encryption_at_rest_enabledquery to correctly return SageMaker notebook instances with encryption at rest disabled. (#897) - Fixed a syntax error in the
iam_user_one_active_keyquery. (#895) - Fixed the
lambda_function_dead_letter_queue_configuredquery to properly check for Lambda functions with a DLQ (Dead Letter Queue) configured. (#893) - Fixed the
kms_cmk_policy_prohibit_public_access,sns_topic_policy_prohibit_public_access, andsns_topic_policy_prohibit_cross_account_accessqueries to correctly assess whether the associated IAM policies allow public access or cross-account access. (#858, #887)
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
Bug fixes
- Fixed error when adding an empty header value for the
aws_cost_and_usage_reporttable while collecting rows. (#174)
Bug fixes
- Fix intermittent
Reattachment process not founderror when starting steampipe service. (#4507)
What's new?
Server
- Introduced support for initializing a new encryption key baseline for workspaces.
- Users can now see all policy packs defined within the resource hierarchy where they have access, providing clearer insight into inherited policies.
UI
- The page title now dynamically includes the workspace name, helping users distinguish tabs when working across multiple environments.
Bug fixes
- Server
- Refined the backup flow for tenant master keys, improving error handling, increasing stability.
Note
This is a checkpoint version. Guardrails must be updated to v5.51.x first before continuing. It can be any version in v5.51.x series.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- New tables added
Bug fixes
- Fixed the import path in
main.goand the module path ingo.modto use the full GitHub URL.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
Bug fixes
- The
Azure > Subscription > Event Pollercontrol previously processed some real-time events multiple times, resulting in unnecessary Lambda churn. The event processing logic has been improved to ensure each event is handled only once, enhancing overall efficiency. - The
Azure > Subscription > CMDBcontrol previously ran unnecessarily when Guardrails received real-timeMicrosoft.Resources/tags/writeevents for resources other than subscriptions or resource groups. These events will no longer be processed, preventing unnecessary CMDB control runs.
What's new?
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them. Resource Types
AWS > API Gateway > Account
Control Types
- AWS > API Gateway > Account > CMDB
- AWS > API Gateway > Account > Discovery
Policy Types
- AWS > API Gateway > Account > CMDB
- AWS > API Gateway > Account > Regions
Action Types
- AWS > API Gateway > Account > Router
What's new?
- New tables added: (Thanks @smirl for the new plugin!)
Bug fixes
- Improved sensitive data masking in log outputs to include additional value types.
What's new?
- New tables added
- gcp_compute_tpu (#748)
- gcp_firestore_database (#732) (Thanks @pdecat for the contribution!)
Bug fixes
What's new?
- New tables added
- aws_rolesanywhere_profile (#2475) (Thanks @2XXE-SRA for the contribution!)
- aws_rolesanywhere_trust_anchor (#2475) (Thanks @2XXE-SRA for the contribution!)
Enhancements
Bug fixes
Server
- Discovery controls now run more reliably, reducing interruptions caused by premature termination.
- Addressed a race condition that could occasionally result in missed priority events during policy value processing.
UI
- Resolved an issue where resource type values were hard-coded in a hook, improving flexibility and maintainability.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
- Added
allow_cross_tenant_replication,default_to_oauth_authentication,sas_expiration_period,sas_expiration_action,is_local_user_enabled,routing_preference_routing_choice,routing_preference_publish_microsoft_endpoints,routing_preference_publish_internet_endpointscolumns to theazure_storage_accounttable. (#891) - Added
allow_shared_key_accesscolumn to theazure_storage_accounttable. (#889)
Bug Fixes
Bug fixes
- Resolved an issue where parent updates in
resource_turbot_filewere silently ignored. These updates are now processed correctly to ensure changes are properly applied.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
- Web ACL resource type is now deprecated and will be removed in the next major version. Please refer Migrate workloads from AWS WAF Classic for more information.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Resource Types
Renamed
- AWS > WAF > Web ACL to AWS > WAF > Web ACL [Deprecated]
Control Types
Renamed
- AWS > WAF > Web ACL > Active to AWS > WAF > Web ACL [Deprecated] > Active
- AWS > WAF > Web ACL > Approved to AWS > WAF > Web ACL [Deprecated] > Approved
- AWS > WAF > Web ACL > CMDB to AWS > WAF > Web ACL [Deprecated] > CMDB
- AWS > WAF > Web ACL > Discovery to AWS > WAF > Web ACL [Deprecated] > Discovery
- AWS > WAF > Web ACL > Tags to AWS > WAF > Web ACL [Deprecated] > Tags
- AWS > WAF > Web ACL > Usage to AWS > WAF > Web ACL [Deprecated] > Usage
Policy Types
Renamed
- AWS > WAF > Web ACL > Active to AWS > WAF > Web ACL [Deprecated] > Active
- AWS > WAF > Web ACL > Active > Age to AWS > WAF > Web ACL [Deprecated] > Active > Age
- AWS > WAF > Web ACL > Active > Budget to AWS > WAF > Web ACL [Deprecated] > Active > Budget
- AWS > WAF > Web ACL > Active > Last Modified to AWS > WAF > Web ACL [Deprecated] > Active > Last Modified
- AWS > WAF > Web ACL > Approved to AWS > WAF > Web ACL [Deprecated] > Approved
- AWS > WAF > Web ACL > Approved > Budget to AWS > WAF > Web ACL [Deprecated] > Approved > Budget
- AWS > WAF > Web ACL > Approved > Custom to AWS > WAF > Web ACL [Deprecated] > Approved > Custom
- AWS > WAF > Web ACL > Approved > Usage to AWS > WAF > Web ACL [Deprecated] > Approved > Usage
- AWS > WAF > Web ACL > CMDB to AWS > WAF > Web ACL [Deprecated] > CMDB
- AWS > WAF > Web ACL > Tags to AWS > WAF > Web ACL [Deprecated] > Tags
- AWS > WAF > Web ACL > Tags > Template to AWS > WAF > Web ACL [Deprecated] > Tags > Template
- AWS > WAF > Web ACL > Usage to AWS > WAF > Web ACL [Deprecated] > Usage
- AWS > WAF > Web ACL > Usage > Limit to AWS > WAF > Web ACL [Deprecated] > Usage > Limit
Action Types
Renamed
- AWS > WAF > Web ACL > Delete to AWS > WAF > Web ACL [Deprecated] > Delete
- AWS > WAF > Web ACL > Delete from AWS to AWS > WAF > Web ACL [Deprecated] > Delete from AWS
- AWS > WAF > Web ACL > Router to AWS > WAF > Web ACL [Deprecated] > Router
- AWS > WAF > Web ACL > Set Tags to AWS > WAF > Web ACL [Deprecated] > Set Tags
- AWS > WAF > Web ACL > Skip alarm for Active control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Active control
- AWS > WAF > Web ACL > Skip alarm for Active control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Active control [90 days]
- AWS > WAF > Web ACL > Skip alarm for Approved control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Approved control
- AWS > WAF > Web ACL > Skip alarm for Approved control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Approved control [90 days]
- AWS > WAF > Web ACL > Skip alarm for Tags control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Tags control
- AWS > WAF > Web ACL > Skip alarm for Tags control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Tags control [90 days]
- AWS > WAF > Web ACL > Update Tags to AWS > WAF > Web ACL [Deprecated] > Update Tags
Bug fixes
- The
AWS > Secrets Manager > Secret > Stack [Native]control previously failed to import and manage resources outside theus-east-1region. This issue has now been resolved.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
- Pipeline resource type is now deprecated and will be removed in the next major version. Please refer Migrate workloads from AWS Data Pipeline for more information.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Resource Types
Renamed
- AWS > Data Pipeline > Pipeline to AWS > Data Pipeline > Pipeline [Deprecated]
Control Types
Renamed
- AWS > Data Pipeline > Pipeline > Active to AWS > Data Pipeline > Pipeline [Deprecated] > Active
- AWS > Data Pipeline > Pipeline > Approved to AWS > Data Pipeline > Pipeline [Deprecated] > Approved
- AWS > Data Pipeline > Pipeline > CMDB to AWS > Data Pipeline > Pipeline [Deprecated] > CMDB
- AWS > Data Pipeline > Pipeline > Discovery to AWS > Data Pipeline > Pipeline [Deprecated] > Discovery
- AWS > Data Pipeline > Pipeline > Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Tags
Policy Types
Renamed
- AWS > Data Pipeline > Pipeline > Active to AWS > Data Pipeline > Pipeline [Deprecated] > Active
- AWS > Data Pipeline > Pipeline > Active > Age to AWS > Data Pipeline > Pipeline [Deprecated] > Active > Age
- AWS > Data Pipeline > Pipeline > Active > Last Modified to AWS > Data Pipeline > Pipeline [Deprecated] > Active > Last Modified
- AWS > Data Pipeline > Pipeline > Approved to AWS > Data Pipeline > Pipeline [Deprecated] > Approved
- AWS > Data Pipeline > Pipeline > Approved > Custom to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Custom
- AWS > Data Pipeline > Pipeline > Approved > Regions to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Regions
- AWS > Data Pipeline > Pipeline > Approved > Usage to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Usage
- AWS > Data Pipeline > Pipeline > CMDB to AWS > Data Pipeline > Pipeline [Deprecated] > CMDB
- AWS > Data Pipeline > Pipeline > Regions to AWS > Data Pipeline > Pipeline [Deprecated] > Regions
- AWS > Data Pipeline > Pipeline > Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Tags
- AWS > Data Pipeline > Pipeline > Tags > Template to AWS > Data Pipeline > Pipeline [Deprecated] > Tags > Template
Action Types
Renamed
- AWS > Data Pipeline > Pipeline > Delete to AWS > Data Pipeline > Pipeline [Deprecated] > Delete
- AWS > Data Pipeline > Pipeline > Delete from AWS to AWS > Data Pipeline > Pipeline [Deprecated] > Delete from AWS
- AWS > Data Pipeline > Pipeline > Router to AWS > Data Pipeline > Pipeline [Deprecated] > Router
- AWS > Data Pipeline > Pipeline > Set Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Set Tags
- AWS > Data Pipeline > Pipeline > Skip alarm for Active control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Active control
- AWS > Data Pipeline > Pipeline > Skip alarm for Active control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Active control [90 days]
- AWS > Data Pipeline > Pipeline > Skip alarm for Approved control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Approved control
- AWS > Data Pipeline > Pipeline > Skip alarm for Approved control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Approved control [90 days]
- AWS > Data Pipeline > Pipeline > Skip alarm for Tags control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Tags control
- AWS > Data Pipeline > Pipeline > Skip alarm for Tags control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Tags control [90 days]
- AWS > Data Pipeline > Pipeline > Update Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Update Tags
Dependencies
- AWS plugin
v1.12.0or higher is now required. (#882)
What's new?
- Added
iam_user_access_key_age_365andsecretsmanager_secret_rotation_enabledcontrols toall_controls_iamandall_controls_secretsmanagerbenchmarks respectively. (#886) - Refactored GuardDuty queries to skip regions where GuardDuty is not available. (#882)
Bug fixes
- Fixed
eks_cluster_secrets_encryptedquery to automatically returnokinstead of analarmfor EKS clusters with version greater than1.27since they are automatically encrypted by AWS owned KMS keys. (#883)
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- Azure > Resource Group > Stack [Native]
Policy Types
- Azure > Resource Group > Stack [Native]
- Azure > Resource Group > Stack [Native] > Drift Detection
- Azure > Resource Group > Stack [Native] > Drift Detection > Interval
- Azure > Resource Group > Stack [Native] > Modifier
- Azure > Resource Group > Stack [Native] > Secret Variables
- Azure > Resource Group > Stack [Native] > Source
- Azure > Resource Group > Stack [Native] > Timeout
- Azure > Resource Group > Stack [Native] > Variables
- Azure > Resource Group > Stack [Native] > Version
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Bug fixes
- EventBridge rules configured via Event Handlers have been improved to exclude real-time events containing errors from being sent to the Guardrails endpoint. This prevents Guardrails from processing unnecessary error events.
- The default value for the
AWS > Region > Connection Regionpolicy did not evaluate correctly for AWS GovCloud accounts. This issue has been resolved.
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- AWS > Secrets Manager > Secret > Stack [Native]
Policy Types
- AWS > Secrets Manager > Secret > Stack [Native]
- AWS > Secrets Manager > Secret > Stack [Native] > Drift Detection
- AWS > Secrets Manager > Secret > Stack [Native] > Drift Detection > Interval
- AWS > Secrets Manager > Secret > Stack [Native] > Modifier
- AWS > Secrets Manager > Secret > Stack [Native] > Secret Variables
- AWS > Secrets Manager > Secret > Stack [Native] > Source
- AWS > Secrets Manager > Secret > Stack [Native] > Timeout
- AWS > Secrets Manager > Secret > Stack [Native] > Variables
- AWS > Secrets Manager > Secret > Stack [Native] > Version
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Users can now select the default region when logging in to AWS accounts via Guardrails using Role mode. To get started, set the
AWS > Account > Permissions > Default Regionpolicy.
Policy Types
- AWS > Account > Permissions > Default Region
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new
- Initial version of Turbot Guardrails MCP server
- Query resources, controls and types
- Mock and test policy settings and policy packs
Bug fixes
- Fix issue where system-ingestible output format(csv) was humanised(comma separated) leading to a breaking change in query outputs. (#4525)
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Users can now manage endpoint access for clusters. To get started, set the
AWS > EKS > Cluster > Endpoint Access > *policies. - Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Control Types
- AWS > EKS > Cluster > Endpoint Access
Policy Types
- AWS > EKS > Cluster > Endpoint Access
- AWS > EKS > Cluster > Endpoint Access > CIDR Ranges
Action Types
- AWS > EKS > Cluster > Set Endpoint Access
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Bug fixes
- Previously, modifying instance identifiers to use different casing while retaining the same name caused Guardrails to incorrectly update the
DBInstanceIdentifierand the AKA for the resource. Guardrails will now be smarter to avoid updating these details in CMDB data in such scenarios.
Bug fixes
- The
AWS > EC2 > AMI > Discoverycontrol previously failed to fetch all resources, due to the lack of pagination support. This issue has been fixed, and the control will now correctly fetch all available AMIs.
Bug fixes
- Removed unnecessary attributes from the default value of the
Kubernetes > Pod > osquery > Configuration > Columnspolicy, which previously caused churn by unnecessarily triggering theKubernetes > Pod > CMDBcontrol.
Bug fixes
- Server
- Removed stray debug logs.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Server
- Improved error handling for Runnable Monitor and Event Monitor to catch uncaught exceptions.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Control Types:
- Adjusted the sequence of operations for
Turbot > Workspace > Background Tasksto ensure a more reliable and consistent execution flow.
- Adjusted the sequence of operations for
Requirements
- TE: 5.35.4
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Added CIS v5.0.0 benchmark (
powerpipe benchmark run aws_compliance.benchmark.cis_v500). (#881) - Added
lambda_function_logging_config_enabledcontrol toall_controls_lambdabenchmark.
Bug fixes
- Fixed
eks_cluster_secrets_encryptedquery to automatically returnokinstead of analarmfor EKS clusters with version greater than1.27since they are automatically encrypted by AWS owned KMS keys. (#883)
What's new
- Update
MinCorePluginVersionto v0.2.2. - Update tailpipe-plugin-sdk to v0.4.0.
Bug fixes
- Fix source file error for custom tables when using S3 or other external sources. (#188)
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
- Improved the GraphQL input query for the
Configuration Item > Recordpolicy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
Bug fixes
- CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to
Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.
Bug fixes
- The
Azure > Storage > Storage Account > Tagscontrol previously failed to update tags for storage accounts of typeStandardV2_LRS. This issue has been resolved, and the control now correctly updates tags for this storage account type. - The
Azure > Storage > Queue > Discoverycontrol previously entered an error state for storage accounts of kindFileStorage. This issue has been resolved, and the control will now be skipped for such storage accounts.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- You can now configure and manage rotation for secrets. To get started, set the
AWS > Secrets Manager > Secret > Rotation > *policies.
Control Types
- AWS > Secrets Manager > Secret > Rotation
Policy Types
- AWS > Secrets Manager > Secret > Rotation
- AWS > Secrets Manager > Secret > Rotation > Schedule Expression
Action Types
- AWS > Secrets Manager > Secret > Set Rotation
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Bug fixes
Server
- Reduced the time taken to collect and process data in Account > Statistics, resulting in noticeably faster and a smoother experience.
- Enhanced the reliability of Turbot > Mod > Runnable Monitor and Turbot > Mod Event Monitor by improving how they handle temporary lock conflicts, ensuring more consistent operation.
- Fixed an issue where moving a resource between parents could create an incorrect path.
- Policy packs can now only be attached to resources where it is feasible to attach.
UI
- Resolved a layout issue where long resource names could break the detail headers on the Control, Process, and Policy pages.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Bug fixes
- Guardrails previously upserted DB parameter groups into the CMDB with incorrect casing when they were created using uppercase letters in AWS. This occasionally caused the
AWS > RDS > DB Parameter Group > CMDBcontrol to enter an error state due to duplicate AKAs. We have improved the handling of create and copy real-time events for parameter groups to ensure they are now upserted correctly and more reliably.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Dependencies
- Upgraded
containerd,golang.org/x/net, andvitepackages to remediate moderate vulnerabilities.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- New tables added
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Bug fixes
- The
AWS > VPC > Transit Gateway Attachment > CMDBcontrol would sometimes go into an error state whenResourceOwnerIdfor the resource was not available in the CMDB data. This is fixed and the control will now work correctly, as expected.
Bug fixes
- Guardrails stack controls that created or claimed IAM roles would sometimes run unnecessarily due to a mismatch in the default value for
force_detach_policiesin the Terraform mapping for the resource type. We have now removed the conflicting default to prevent such unnecessary executions. You now need to explicitly defineforce_detach_policiesto override the existing Terraform default value (if required by your use case).
Bug fixes
- Fix partition filter argument. (#375)
What's new?
New benchmarks added:
- MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run aws_vpc_flow_log_detections.benchmark.mitre_attack_v161). - VPC Flow Log Detections benchmark (
powerpipe benchmark run aws_vpc_flow_log_detections.benchmark.vpc_flow_log_detections).
- MITRE ATT&CK v16.1 benchmark (
New dashboards added:
What's new?
- Added
Top 10 Keystable to Activity Dashboard.
Enhancements
- Added link for collecting S3 server access logs in Getting Started section in README and index documentation.
Bug fixes
- Added missing bucket information to
Top 10 URIstables in Activity Dashboard. - Added
folder = "S3"tag to detection queries.
Whats new?
- Initial version of Tailpipe MCP server
- Build and run Powerpipe mods using AI
Whats new?
- Initial version of Steampipe MCP server
- Query cloud infrastructure, SaaS, APIs and more using AI
Whats new?
- Initial version of Tailpipe MCP server
- Support for querying cloud and security logs using AI
What's new?
- You can now configure retention period for log groups. To get started, set the
AWS > Logs > Log Group > Retention > *policies.
Control Types
- AWS > Logs > Log Group > Retention
Policy Types
- AWS > Logs > Log Group > Retention
- AWS > Logs > Log Group > Retention > Period
Action Types
- AWS > Logs > Log Group > Update Retention
Enhancements
- Updated
file_layoutarguments in documentation to wrap values in backticks instead of double quotes to align with Tailpipe CLI v0.2.0 changes. (#140)
Bug fixes
- The
aws_vpc_flow_logtable no longer skips collecting records with log statusSKIPPEDorNODATA. - Updated
aws_cost_and_usage_focus,aws_cost_and_usage_reportandaws_cost_optimization_recommendationtables to store missing column values asnull. (#139) - Fixed typo for
file_layoutinaws_s3_bucketsource doc.
Dependencies
What's new
- Add support for custom tables. ((#225))
- Add
locationto format list/show. (#283) - Add
pluginto source list/show. (#337) - Improve display logic of conversion errors, since we log full error just display first line of error.
Bug fixes
- Plugin list command now correctly cases keys in JSON output.
- Fix display of UUID and Decimal in query results.
- Add comma separators to numeric output in query results. (#685)
- Fix multiple backtick escaping in config - if more than 2 properties are back-ticked, the third onwards were not being escaped.
What's new?
- New benchmarks added:
- Access Log Detections benchmark (
powerpipe benchmark run nginx_access_log_detections.benchmark.access_log_detections). - MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run nginx_access_log_detections.benchmark.mitre_attack_v161). - OWASP Top 10 2021 benchmark (
powerpipe benchmark run nginx_access_log_detections.benchmark.owasp_top_10_2021).
- Access Log Detections benchmark (
- New dashboards added:
What's new?
New benchmarks added:
- MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run aws_s3_server_access_log_detections.benchmark.mitre_attack_v161). - S3 Server Access Log Detections benchmark (
powerpipe benchmark run aws_s3_server_access_log_detections.benchmark.s3_server_access_log_detections).
- MITRE ATT&CK v16.1 benchmark (
New dashboards added:
What's new?
New benchmarks added:
- Access Log Detections benchmark (
powerpipe benchmark run apache_access_log_detections.benchmark.access_log_detections). - MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run apache_access_log_detections.benchmark.mitre_attack_v161). - OWASP Top 10 2021 benchmark (
powerpipe benchmark run apache_access_log_detections.benchmark.owasp_top_10_2021).
- Access Log Detections benchmark (
New dashboards added:
What's new?
- UI
- Added support for multiple input queries (with ability to use Nunjucks template functionality) in the calculated policy editor allowing teams to create complex calculated policies involving a pipeline of GraphQL queries.
Bug fixes
Server
- Turbot/ReadOnly permission is now sufficient to create, delete, and update favorites.
- Resolved an issue that was blocking users from running quick actions due to incorrect permission checks.
- Tightened permissions for smart folder attachments and detachments to prevent unauthorized access.
- Account/ReadOnly users can now successfully manage favorites, including creation, deletion, and updates.
UI
- Policy settings can now be created by users with Account/Admin permission, as intended, instead of incorrectly requiring Account/Owner.
- Quick action runs no longer fail for users with a single grant due to a UI permission check issue.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
v0.13.0 of the Pipes SDK Go is now available.
Breaking changes
Get_1method inUserWorkspaceSchemasServiceused to list tables for a schema renamed toListTablesto denote its exact purpose.Get_1method inOrgWorkspaceSchemasServiceused to list tables for a schema renamed toListTablesto denote its exact purpose.
What's new?
- Add support for
GetTablemethod toUserWorkspaceSchemasServiceto get a specific table for a schema. - Add support for
GetTablemethod toOrgWorkspaceSchemasServiceto get a specific table for a schema.
Enhancements
InstallandUpdatefor both flowpipe and powerpipe mods now support archived mod upload viamultipart/form-datarequest.- Add
SourceTypeto modelWorkspaceModto denote the source of the mod i.e.repositoryorarchive. - Add
AggregatedByto modelWorkspaceSchemato store the list of aggregators that are using the schema.
Turbot Pipes' latest update enhances its built-in query editor with improved schema navigation, integrated documentation, pre-built query examples, and powerful search, making it faster and easier for teams to explore and query cloud data.
For more information on this release, see the blog post or refer to the documentation.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- AWS > CloudFront > Distribution > Stack [Native]
Policy Types
- AWS > CloudFront > Distribution > Stack [Native]
- AWS > CloudFront > Distribution > Stack [Native] > Drift Detection
- AWS > CloudFront > Distribution > Stack [Native] > Drift Detection > Interval
- AWS > CloudFront > Distribution > Stack [Native] > Modifier
- AWS > CloudFront > Distribution > Stack [Native] > Secret Variables
- AWS > CloudFront > Distribution > Stack [Native] > Source
- AWS > CloudFront > Distribution > Stack [Native] > Timeout
- AWS > CloudFront > Distribution > Stack [Native] > Variables
- AWS > CloudFront > Distribution > Stack [Native] > Version
All Pipes workspaces are now running Steampipe v1.1.0.
For more information on this Steampipe release, see the release notes.
Bug fixes
- The
GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-iamrendered the real-time events filter for Project User resource type incorrectly, which caused theGCP > Logging > Sink > Configuredcontrol for Logging sinks created via Event Handlers to go into an error state. This issue is now fixed. - The
GCP > IAM > Project User > CMDBcontrol entered an error state due to incorrect internal references introduced in the previous version of the mod (v5.17.0). This issue has been fixed, and the control now works as expected.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- New tables added
- aws_cloudwatch_log_delivery_destination (#2469)
- aws_cloudwatch_log_delivery_source (#2469)
- aws_cloudwatch_log_delivery (#2469)
- aws_cloudwatch_log_destination (#2469)
- aws_elasticache_update_action (#2431) (Thanks @fyqtian for the contribution!)
- aws_quicksight_account_settings (#2467)
- aws_quicksight_data_set (#2467)
- aws_quicksight_data_source (#2467)
- aws_quicksight_group (#2467)
- aws_quicksight_namespace (#2467)
- aws_quicksight_user (#2467)
- aws_quicksight_vpc_connection (#2467)
- aws_s3_multipart_upload (#2456)
Enhancements
- Added
foldermetadata to the documentation of all the AWS tables for improved organization on the Steampipe Hub. (#2465) - Added
inline_policyandinline_policy_stdcolumns toaws_ssoadmin_permission_settable. (#2458) (Thanks @2XXE-SRA for the contribution!) - Updated display name to
AWS.
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.5 (#2460)
What's new?
- Policy Types:
- Turbot > Quick Actions > Permission Levels to allow
account,azureandgcpas a permission type. - Added
class: ACCOUNTto Turbot > Notifications > CC > Tag and Turbot > Notifications > CC > Tag > Name.
- Turbot > Quick Actions > Permission Levels to allow
Bug fixes
- Control Types:
- The
Turbot > Workspace > Usagecontrol will be skipped in GovCloud deployments.
- The
Requirements
- TE: 5.35.4
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Bug fixes
- The
GCP > Project > Labelscontrol failed to apply labels to projects according to theGCP > Project > Labels > Templatepolicy. This issue has been fixed.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Internal definitions for the
AWS > Organizationresource type have been updated. All functionality will continue to work smoothly as before.
Bug fixes
- We've updated internal definitions for Quick Actions on the
AWS > S3 > Bucket > Public Access Blockcontrol type. All functionality will continue to work smoothly as before.
What's new?
- The
AWS > EC2 > Target Group > Discoverycontrol sometimes failed to upsert target groups under gateway load balancers that were not present in the CMDB. This occurred because Guardrails was unable to discover those gateway load balancers due to an outdated list of supported regions. The list has been refreshed for theAWS > EC2 > Gateway Load Balancerresource type, enabling Guardrails to discover and manage these resources across all supported AWS regions.
Bug fixes
Server
- Improved how policy values are selected for the priority queue, resulting in faster and more efficient processing.
UI
- Pagination and title-based sorting are now supported in policy targets, making navigation smoother.
- The Permissions modal is more stable and won’t crash if some data is missing.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- CMDB controls for custom tables and records occasionally failed to update data in the CMDB correctly. This issue has been resolved.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Bug fixes
Server
- Resolved an issue that was preventing users from logging in via SAML.
UI
- Action buttons now show up correctly on the process logs page, whether you’re viewing control or policy.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Added support for Contactable interface in various resource types.
Bug fixes
- We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to
Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
What's new?
- Added support to process real-time events for ServiceNow custom tables and their records.
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
Resource Types
- ServiceNow > Custom
- ServiceNow > Custom > Record
- ServiceNow > Custom > Table
Control Types
- ServiceNow > Custom > Record > CMDB
- ServiceNow > Custom > Record > Discovery
- ServiceNow > Custom > Table > Business Rule
- ServiceNow > Custom > Table > CMDB
- ServiceNow > Custom > Table > Discovery
Policy Types
- ServiceNow > Custom > Record > CMDB
- ServiceNow > Custom > Record > CMDB > Query
- ServiceNow > Custom > Record > CMDB > Title
- ServiceNow > Custom > Table > Business Rule
- ServiceNow > Custom > Table > Business Rule > Name
- ServiceNow > Custom > Table > CMDB
- ServiceNow > Custom > Table > CMDB > Tables
Action Types
- ServiceNow > Custom > Record > Router
What's new?
- The
AWS > Region > Discovery > Connection Regionpolicy has been deprecated and will be removed in the next major version of the mod (v6.0.0). Two new policies,AWS > Account > Connection Region [Default]andAWS > Region > Connection Region, have been introduced. These policies streamline connection region management across all global resource types in various services. For the deprecatedAWS > Region > Discovery > Connection Regionpolicy, we recommend migrating existing settings to theAWS > Region > Connection Regionpolicy if you intend to define a connection region for discovering Region resources. Alternatively, you may configure theAWS > Account > Connection Region [Default]policy, which serves as the default region for discovering all global resources across services in your account.
Policy Types
- AWS > Account > Connection Region [Default]
- AWS > Region > Connection Region
Renamed
- AWS > Region > Discovery > Connection Region to AWS > Region > Discovery > Connection Region [Deprecated]
What's new?
- You can now configure a connection region to allow Guardrails to fetch details for S3 accounts in CMDB. To get started, set the
AWS > S3 > Connection Regionpolicy. This policy defaults to the value of theAWS > Account > Connection Region [Default]policy, which can be used to define a default connection region for all global resources in an account.
Policy Types
- AWS > S3 > Connection Region
The schema list view in the Steampipe query editor now hides aggregated connections by default. This change helps highlight the key schemas whilst also improving readability of the list, especially in workspaces with a large number of aggregated connections.
You can still view the aggregated connections by clicking the Show Aggregated Connections option via the schema list settings button. This will expand the list to show all connections, including the aggregated ones.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Bug Fixes
- Table headers for numeric columns are now right-aligned like the row-level cell content. (#755)
Bug fixes
- Guardrails previously processed the
organizations:MoveAccountreal-time event incorrectly for individually imported management accounts, inadvertently deleting them from the CMDB. We have tightened the validation checks to prevent such deletions in these cases.
Bug fixes
- Discovery controls for various SageMaker resources previously attempted to fetch a maximum of 10 resources per API call, which occasionally led to throttling when a high number of resources existed in the account. This limit has now been increased to 100 (the maximum supported by the APIs) to enable the Discovery controls to retrieve all resources without errors and upsert them into the CMDB.
Breaking changes
- Removed the
projects_total_countcolumn from thegithub_organizationandgithub_my_organizationtables. This property was removed from the GitHub GraphQL API as of April 1, 2025, which caused queries using it to fail. We recommend usingprojects_v2_total_countcolumn instead. Please check GitHub GraphQL API changelog for additional details. (#488)
Enhancements
- Added
run_attemptcolumn as an optional qual to theGetConfigofgithub_actions_repository_workflow_runtable. (#464) (Thanks @tsibley for the contribution!!) - Added
run_attemptandprevious_attempt_urlcolumns togithub_actions_repository_workflow_runtable. (#463) (Thanks @tsibley for the contribution!!) - Added
workflow_idcolumn as an optional qual to theListConfigofgithub_actions_repository_workflow_runtable. (#465) (Thanks @tsibley for the contribution!!)
Dependencies
- Recompiled plugin with Go version
1.23.1. (#486) - Recompiled plugin with steampipe-plugin-sdk v5.11.5. (#486)
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Bug fixes
- We have improved event handling configuration to filter AWS Organization events that Guardrails listens for, based on the CMDB policies for resource types. If the CMDB policy for a resource type is not set to
Enforce: Enabled, the EventBridge rule for Organizations will exclude events for that resource type.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Bug fixes
- Renamed
nginx_access_logdefault format fromdefaulttocombined.
Enhancements
- Fixed
apache_access_logtable docs with correct default log format information.
Bug Fixes
- Fix the supported export formats in
powerpipe query runcommand. (#539) - Ensure dashboard UI Table component fetches external link from registry when used rather than during module import. (#720)
Dependencies
- Upgrade
containerdandgolang.org/x/netpackages to remediate moderate vulnerabilities.
What's new?
- Server
- Introducing scoped Account/* permissions to help application teams manage their own accounts.
- Notifications routing based on permissions.
Bug fixes
Server
- Controls no longer crashes when there's a parsing issue in rule-based notifications. Instead, it logs the error gracefully and continues running.
- Fixed a problem where certain operations could trigger a "callback already called" error, improving overall reliability of caching.
- The
Type Installedcontrol now spreads events over time to reduce the likelihood of API throttling during large-scale installations or updates. - Guardrails now skips storing resource tags larger than 1 KB to ensure only valid tags are saved and to avoid potential issues later.
- The osquery worker now correctly uses the TURBOT_RDS_SSL_FILE environment variable to point to the right certificate file, fixing an issue where it previously referenced the wrong path.
- To improve reliability and performance, Guardrails prioritizes events in the order
Type Installed>Policies>Scheduled Actions>Controls. - Resolved an issue where authenticated users without the appropriate permissions were able to access process logs.
UI
- Switching between self and descendant modes no longer clears existing filter configurations — your selections will now persist as expected.
Account Permissions
Introduced a new category of permissions — Account/ — designed specifically for application teams who need limited visibility and control over resources within their own accounts. These are distinct from the Turbot/ permissions used by governance teams.
Account levels:
- Account/Owner
- Account/Admin
- Account/Operator
- Account/ReadOnly
These levels are now explained alongside Turbot/* levels, with clear usage guidance:
- Turbot/* — for managing the Guardrails platform
- Account/* — for managing resources and notifications within cloud accounts
Notification Routing to Guardrails Profiles
You can now route notifications to Guardrails user profiles dynamically based on resource permissions — a major upgrade from static email/webhook targeting. This allows for context-aware delivery to users like Account Owners or Admins.
- Supported formats:
- Specific roles like Account/Owner, Turbot/Owner
- Wildcards like Account/*
- Special role Account/CC for tagging-based routing
- Use case:
- Automatically notify account teams responsible for a resource, based on their assigned permission
Access Controls Refined for Process Logs
Access to process logs is now restricted to users with appropriate permissions, specifically those with Turbot/Metadata or higher.
Previously, any authenticated user could retrieve process logs via the API. This behavior has been corrected to align with expected permission boundaries and prevent overexposure of operational data.
Requirements
- TEF: 1.66.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Cleaned up unnecessary help messages from
AWS > VPC > Security Group Rule > CMDBcontrol.
What's new?
- New tables added
What's new?
- New tables added
What's new
- Add support for plugins with custom formats.
A
formatblock can be defined in config and plugins can provide formatstypesandpresets. Format are supported by the new Nginx and Apache plugins. (#264). - Add
format listandformat showcommands. (#235) - Update the
plugin showcommand to add exported formats and correctly display partitions, etc. (#257) - Improve the error reporting in the collection UI (#247).
- Update all SQL in code and messaging to be lower case.
Bug fixes
- The
GCP > IAM > Service Account > CMDBcontrol would sometimes enter a skipped state for newly imported projects if certain required attributes were missing from the IAM service's CMDB data. The control will now go into a TBD state instead and rerun after five minutes to allow the IAM service's CMDB data to populate correctly for newly imported projects.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Bug fixes
- Guardrails would sometimes ignore the
GCP > BigQuery > Table > CMDBpolicy set toEnforce: Disabledand still upsert table resources via real-time events in CMDB. These resources were subsequently cleaned up by the CMDB control. This issue has been resolved, and the CMDB policy will now be correctly respected before upserting resources.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Bug fixes
- Fixed configuration examples for
aws_cost_and_usage_focus,aws_cost_and_usage_report, andaws_cost_optimization_recommendationtables.
Persistent workspaces now support high-performance SSD storage. This allows you to run your workloads on faster storage, which can be especially useful for queries that require high IOPS or low latency.
Any new persistent workspaces created will automatically use SSD storage. We'll gradually migrate existing persistent workspaces to SSD storage over the next few weeks. This change is included in the current pricing model and will not incur any additional cost.
What's new?
- Policy Types:
- Turbot > Notifications > Email > CC
- Turbot > Notifications > Email > CC > Tag
- Turbot > Notifications > Email > CC > Tag > Name
- Updated Turbot > Workspace > Retention > Activity Retention to 90 days
- Updated default policy for Turbot > Notifications > Rule-Based Routing updated to use
Account/*as the default recipient profile. - Relaxed the regex for MS teams webhook URL in Turbot > Notifications > Rule-Based Routing to allow broader URL formats.
Turbot > Workspace > Retention > Activity Retention
The default retention period for activity has been updated to 90 days (previously unlimited)
Storing too much historical activity data can slow down the system and increase storage costs. By setting a 90-day default, we ensure:
- Faster queries and improved UI performance
- A better balance between data retention and storage efficiency
Need more or less retention? You can adjust based on your needs:
| Retention Period | Ideal For |
|---|---|
| 30 days | High-performance environments |
| 60 days | Balanced usage, recommended for most users |
| 90 days | New default — standard compliance needs |
| 180 / 365 days | Long-term auditing or retention policies |
For self-hosted environments, the 90-day default will apply when upgrading to @turbot/turbot version 5.51.0 or higher, unless a custom retention policy is set.
Requirements
- TE: 5.35.4
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details. - Added support for
af-south-1,ap-east-1,ap-southeast-3,ap-southeast-5,ap-southeast-7,ca-west-1,eu-central-2,eu-south-1,eu-south-2,il-central-1,me-central-1andme-south-1regions in theAWS > Lambda > Regionspolicy. - Corrected the region in the
AWS > Lambda > Function Alias > Regionspolicy by updating us-west-3 to the correct region, us-west-2.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
New benchmarks added:
- Audit Log Detections benchmark (
powerpipe benchmark run github_audit_log_detections.benchmark.audit_log_detections). - MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run github_audit_log_detections.benchmark.mitre_attack_v161).
- Audit Log Detections benchmark (
New dashboards added:
What's new?
- We've updated internal dependencies and now use newer Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing settings to refer to the updated attributes as mentioned below:
Added:
policy.enforcementModepolicy.nonComplianceMessagespolicy.systemData
Removed:
policy.sku
Renamed:
settings[*].properties.enabledtosettings[*].enabled
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the
AWS > Account > Partitionpolicy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
What's new?
- Added PCI DSS v4.0 benchmark (
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40). (#871)
Bug fixes
- Fixed the
iam_user_one_active_keyquery to correctly evaluate IAM access keys across multiple AWS accounts. (#867) (Thanks @adrianstanislaus for the contribution!!)
Bug fixes
- Real-time delete events for topics would sometimes result in the deletion of subscriptions under a different topic in the CMDB. This issue has been fixed, and subscriptions are now cleaned up more reliably than before.
Bug fixes
- The
AWS > MySQL > Server > CMDBpolicy will now be set toSkipby default because the resource type has been deprecated and will be removed in the next major version. Please check Single Server retirement for more information.
Resource Types
Renamed
- Azure > MySQL > Server to Azure > MySQL > Server [Deprecated]
Control Types
Renamed
- Azure > MySQL > Server > Active to Azure > MySQL > Server [Deprecated] > Active
- Azure > MySQL > Server > Approved to Azure > MySQL > Server [Deprecated] > Approved
- Azure > MySQL > Server > CMDB to Azure > MySQL > Server [Deprecated] > CMDB
- Azure > MySQL > Server > Discovery to Azure > MySQL > Server [Deprecated] > Discovery
- Azure > MySQL > Server > Encryption in Transit to Azure > MySQL > Server [Deprecated] > Encryption in Transit
- Azure > MySQL > Server > Tags to Azure > MySQL > Server [Deprecated] > Tags
Policy Types
Renamed
- Azure > MySQL > Server > Active to Azure > MySQL > Server [Deprecated] > Active
- Azure > MySQL > Server > Active > Age to Azure > MySQL > Server [Deprecated] > Active > Age
- Azure > MySQL > Server > Active > Last Modified to Azure > MySQL > Server [Deprecated] > Active > Last Modified
- Azure > MySQL > Server > Approved to Azure > MySQL > Server [Deprecated] > Approved
- Azure > MySQL > Server > Approved > Custom to Azure > MySQL > Server [Deprecated] > Approved > Custom
- Azure > MySQL > Server > Approved > Regions to Azure > MySQL > Server [Deprecated] > Approved > Regions
- Azure > MySQL > Server > Approved > Usage to Azure > MySQL > Server [Deprecated] > Approved > Usage
- Azure > MySQL > Server > CMDB to Azure > MySQL > Server [Deprecated] > CMDB
- Azure > MySQL > Server > Encryption in Transit to Azure > MySQL > Server [Deprecated] > Encryption in Transit
- Azure > MySQL > Server > Regions to Azure > MySQL > Server [Deprecated] > Regions
- Azure > MySQL > Server > Tags to Azure > MySQL > Server [Deprecated] > Tags
- Azure > MySQL > Server > Tags > Template to Azure > MySQL > Server [Deprecated] > Tags > Template
Action Types
Removed
- Azure > MySQL > Server > Delete
- Azure > MySQL > Server > Router
- Azure > MySQL > Server > Set Tags
- Azure > MySQL > Server > Update Encryption in Transit
What's new?
- New tables added:
Dependencies
- Bumped github.com/aws/aws-sdk-go-v2/config from 1.29.6 to 1.29.9. (#120)
- Bumped github.com/aws/aws-sdk-go-v2/feature/s3/manager. (#124)
- Bumped github.com/aws/aws-sdk-go-v2/service/s3 from 1.77.1 to 1.78.2. (#125)
- Bumped github.com/containerd/containerd from 1.7.18 to 1.7.27. (#126)
- Bumped golang.org/x/net from 0.33.0 to 0.36.0. (#122)
- Bumped golang.org/x/sync from 0.11.0 to 0.12.0. (#117)
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- We have improved our event handling configuration to filter AWS SQS events that Guardrails listens for based on the
AWS > SQS > Queue > CMDBpolicy. If the CMDB policy is not set toEnforce: Enabled, the EventBridge rule for SQS will not be configured, preventing events for that resource type. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Types
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-sqs
Removed
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-sqs
What's new?
- Added S3 Lifecycle rules for Hive bucket.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- New tables added
- aws_rds_pending_maintenance_action (#2430) (Thanks @fyqtian for the contribution!)
Bug fixes
- Fixed
aws_health_*tables to correctly reference the AWS Health Global endpoint instead of regional endpoints. (#2450)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.11.4.
- Recompiled plugin with
golang.org/x/netwithv0.36.0. (#2447)
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
Bug fixes
- The
AWS > Turbot > IAMstack control occasionally encountered an error while attaching tags with special characters to Guardrails-managed users and roles. This issue is now fixed.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Added support for Contactable interface in various resource types.
What's new?
- Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
- Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
- Added support for Contactable interface in various resource types.
Bug fixes
- The
Azure > Compute > Disk > Discoverycontrol occasionally encountered an error while upserting attached disks under VMs that were not available in Guardrails CMDB. Now, all disks will be upserted under their respective resource groups, ensuring the Discovery control functions more smoothly and reliably than before.
What's new?
- Added a new SSM parameter to forward the DB logs to CloudWatch log group.
- Added support for postgres version 16.5, 16.6, 16.7 and 16.8.
- Updated defaults for database and cache instances
- Database instance type: Default updated to db.m6g.large.
- Allocated database storage: Default increased to 400 GB.
- Storage throughput: Default set to 500 MB/s.
- Database engine parameter group family: Now defaults to postgres16.
- Database engine version: Updated to 16.4.
- Cache node type: Default updated to cache.r6g.large.
- Allocated IOPS: Default increased to 12,000.
- DB parameter group: Now defaults to HiveParamGroup16.
- Shared buffer: Default set to {DBInstanceClassMemory/20480} for optimized performance.
- Maximum statement duration: Default updated to 600,000 ms (10 minutes) to improve query execution limits.
What's new?
- Added parameter to manage ALB timeout, allowing better control over request handling.
- Added parameter to customize API Gateway domain name. For backward compatibility, the default value remains
gateway. - Added parameter to control message rate in the queue, enabling better queue message management.
- S3 Lifecycle Rules now automatically enable ‘Expired Object Delete Markers’ for cleanup and remove incomplete multipart uploads after 7 days to prevent storage waste.
- HOP limit increased to 2 for improved request forwarding.
- Route53 Record for API Gateway now includes the GatewayPrefix to enhance routing accuracy.
Enhancements
- Added
changelogcolumn tojira_issuetable. (#149) (Thanks @mariusgrigaitis for the contribution!) - Added
updatedcolumn as an optional qual to thejira_issue_worklogtable. (#151) (Thanks @mariusgrigaitis for the contribution!) - Optimized the
jira_issue_commenttable to avoid unnecessary API calls whenissue_idis passed in as an optional qual when querying the table. (#143)
Bug fixes
- Fixed the
jira_issuetable to correctly return data instead of an error whenresolution_dateandstatuscolumns are passed in as the query parameters. (#152) (Thanks @mariusgrigaitis for the contribution!)
Dependencies
- Recompiled plugin with Go version
1.23.1. (#154) - Recompiled plugin with steampipe-plugin-sdk v5.11.3 that addresses critical and high vulnerabilities in dependent packages. (#154)
What's new?
- Added optional config arguments
max_error_retry_attemptsandmin_error_retry_delayto allow customization of the error retry timings. For more information please see Azure plugin configuration. (#873)
Bug fixes
- Fixed the
scopecolumn of theazure_role_assignmenttable to correctly return data instead ofnil. (#868)
Dependencies
- Recompiled plugin with Go version
1.23.1. - Recompiled plugin with steampipe-plugin-sdk v5.11.3 that addresses critical and high vulnerabilities in dependent packages.
What's new?
- New tables added
Enhancements
- Updated
aws_acm_*,aws_sns_*,aws_sqs_*,aws_cloudtrail_*, andaws_guardduty_*tables to use AWS Go SDK V2, enabling dynamic region listing for all AWS partitions. (#2440)
Enhancements
- Added
profilebased authentication support for thealicloud_oss_buckettable. (#498) - Added support for the new
me-central-1,cn-wuhan-lr,cn-nanjing,ap-northeast-2,cn-fuzhou,ap-southeast-6,ap-southeast-7regions. (#491)
Bug fixes
- Fixed the
create_timestampcolumn ofalicloud_alidns_domaintable to correctly return data instead of an error. (#482) - Fixed the
alicloud_slb_load_balancertable to correctly return data instead of apanic interface conversionerror. (#481)
Dependencies
- Recompiled plugin with Go version
1.23.1. (#495) - Recompiled plugin with steampipe-plugin-sdk v5.11.3 that addresses critical and high vulnerabilities in dependent packages. (#495)
What's new?
- New tables added:
Dependencies
Bug fixes
- Guardrails would fail to process real-time delete events for subscriptions. This is now fixed.
- Fixed pagination for
Azure > Turbot > Event Pollercontrol. - Real-time
Microsoft.Resourcestagging events will now be processed only for subscriptions and resource groups, and will be ignored for other resource types. This will avoid unnecessary triggers for subscription & resource group router actions.
Enhancements
- Added
title,description, andfoldertag toActivity Dashboardqueries for improved organization and clarity. - Added
folder = "<service>"tag toservice common tag localsfor better query categorization. - Standardized all queries to use
service common tags, ensuring consistency across detection queries.
Bug fixes
- Fixed the plugin name to use
Chaosinstead ofChaos (Tailpipe). (#6)
Enhancements
- Standardized all example query titles to use
Title Casefor consistency. (#109) - Added
folderfront matter to all queries for improved organization and discoverability in the Hub. (#109)
Bug fixes
- Fixed the
display_nameindocs/index.mdfromAmazon Web ServicestoAWSfor consistency with standard naming conventions. (#109)
Dependencies
- Recompiled plugin with Go version
1.23.1. - Recompiled plugin with steampipe-plugin-sdk v5.11.3 that addresses critical and high vulnerabilities in dependent packages.
Enhancements
- Added support for
sse_customer_algorithm,sse_customer_keyandsse_customer_key_md5optional key quals in theaws_s3_objecttable to list objects encrypted with SSE-C. (#2409) - Added parent hydrate support in the
aws_ecr_image_scan_findingtable to manage the complex join queries. (#2376) - Added
pending_modified_valuescolumn to theaws_rds_db_instancetable. (#2411) - Added tags to
aws_glue_*tables. (#2402) (Thanks @pdecat for the contribution!) - Added tag retrieval example to
aws_ses_domain_identitytable documentation. (#2432) - Added
logging_configcolumn to theaws_lambda_functiontable. (#2423)
Bug fixes
- Fixed the
nil pointer dereferenceerror when querying AWS RDS custom instances. (#2436) - Fixed the
regioncolumn ofaws_wafregional_ruletable to correctly return the resource region instead ofglobal. (#2429) - Fixed the
arncolumn inaws_vpc_eiptable to use the correct format. (#2415) (Thanks @thomasklemm for the contribution!) - Fixed not found errors in
aws_kinesis_consumerandaws_lightsail_instancetables. (#2408) - Fixed the
InvalidParameterExceptionerror inaws_ecs_servicetables when listing tags for older ECS services. (#2410)
Bug fixes
- Refactored IAM and Route 53 queries to use global dimension qualifiers. (#865)
- Fixed
cloudfront_distribution_no_non_existent_s3_originquery to correctly check if the distributions are associated with S3 buckets. (#864) - Fixed the
eks_cluster_control_plane_audit_logging_enabledquery to correctly check if audit logging is enabled or not. (#856) - Fixed the resource column of
vpc_peering_connection_route_table_least_privilegeandvpc_peering_connection_no_cross_account_accessqueries to usearninstead ofid. (#860) - Fixed typo in
iam_user_hardware_mfa_enabledquery. (#851) (Thanks to @ramses999 for the contribution!)
What's new?
- Server
- Added multi region KMS encryption for Tenant Master Key.
- Guardrails now provides an override parameter at the TE level to configure API and Event container memory reservations, improving ECS task scaling and resource flexibility.
Multi Region KMS Key
Starting from TEF v1.65.0 and TE v5.49.0, a new multi-region KMS key is created at the TEF level.
When workspaces are upgraded to TE v5.49.0, Guardrails use this new key to re-encrypt the existing Tenant Master Key within the workspaces. The Tenant Master Key itself remains unchanged-only its encryption is updated. The previous version, encrypted with a regional KMS key, remains available.
If a workspace is downgraded to TE v5.48.0, the multi-region encryption persists. Upon re-upgrading to TE v5.49.0, re-encryption does not occur again.
This process works seamlessly unless TEF is downgraded to a version earlier than v1.65.0.
Requirements
- TEF: 1.65.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Added contactable interface.
- New policy type classes GUARDRAIL, SETTING, and ACCOUNT have been introduced to define the scope of policies.
Requirements
- TE: 5.35.4
What's new?
- UI
- Update controls trend graph to use the latest counts.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- You can now filter ServiceNow records using encoded query strings and discover them in Guardrails. To get started, set the
CMDB > Querypolicy for various resource types. For more details, refer to the ServiceNow documentation on encoded query strings.
Policy Types
- ServiceNow > Application > CMDB > Query
- ServiceNow > Cost Center > CMDB > Query
- ServiceNow > User > CMDB > Query
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
Enhancements:
- The maximum amount of rows that can be fetched via the query API has been increased from 5,000 to 25,000, allowing users to retrieve more data in a single request.
- Any query executed via the API that ran for 2 minutes prior to this change would be timed out and no data would be returned. The query API will now return all data fetched up to that point if the 2 minute limit is reached.
- Any timed out query API responses that contain data will now have a
206 (Partial Content)status, with408 (Request Timeout)still being the status for any requests that have timed out with no data.
Bug fixes
- Filter policies for real-time events will now evaluate correctly if CMDB policies for resource types are set to
SkiporEnforce: Disabled.
Bug fixes
- The
GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-storagepolicy now respects CMDB policy settings for resource types and filters out real-time events when the policies are set toSkiporEnforce: Disabled. We recommend upgrading thegcpmod to v5.30.2 or higher in order to process real-time events correctly.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- Mute controls if you want to ignore them. The
turbot_control_muteallows muting a control to help streamline operations without compromising security policies.
Bug fixes
- Fixed typo in an error message while calling Guardrails APIs.
Documentation
- Updated example for
turbot_policy_packresource. - Fixed spacing in
turbot_turbot_directorydocumentation.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- UI
- Users can now select permissions (ReadOnly + Global Event Handlers or Full Remediation) to apply to the IAM role in the CFN template when importing an AWS Organization or Account.
Bug fixes
- UI
- Fixed an issue where the terminate process call sometimes received an empty input when terminating a queued process.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Stack [Native]controls now run faster when inskippedstate. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
- Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
What's new?
- Server
- Updated Workspace Manager Lambda to automatically populate the Turbot > Workspace > Guardrails Master Account policy for improved management.
Bug fixes
- UI
- Adjusted stats limit to 30 days, ensuring a full month of data visibility.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
AWS > VPC > Transit Gateway Attachment > Discovery [Cross-Account]control would sometimes upsert transit gateway attachments in adeletedordeletingstate. This issue is now fixed.
Bug fixes
- The
AWS > VPC > Transit Gateway Attachment > CMDBcontrol previously, in some cases, inadvertently deleted cross-account transit gateway attachments from Guardrails CMDB. This issue has now been fixed.
What's new?
- You can now configure a custom tag name to start/stop DB clusters via the
AWS > RDS > DB Cluster > Schedulecontrol. To get started, set theAWS > RDS > DB Cluster > Schedule Tag > Namepolicy.
Policy Types
- AWS > RDS > DB Cluster > Schedule Tag > Name
What's new?
Action Types
- Azure > Subscription > Router
Bug fixes
- Guardrails would fail to process real-time tagging events for subscriptions. This is now fixed.
- The default template input in
Azure > Subscription > Tags > Templatepolicy referred to an incorrect policy for its value. This is now fixed.
Enhancements
- Added
operation_srcandresource_srccolumns to retain original log data with consistent column naming.
Breaking changes
- The
aws_s3_server_access_logtable index is now based on the source bucket's name instead of the destination bucket's AWS account ID. We recommend deleting existingaws_s3_server_access_logpartition data (e.g.,tailpipe partition delete aws_s3_server_access_log.my_partition) and recollecting your data. (#89)
Bug fixes
- Resolved a race condition in Turbot > Smart Retention to ensure smoother execution.
Requirements
- TE: 5.35.4
Bug fixes
- Fixed the naming convention for EventBridge rule for organization level events.
Bug fixes
- Upgraded actions/upload-artifact to v4, since v3 was deprecated and caused errors. (#41) ((Thanks @ido123ziv for the contribution!))
Dependencies
- Bumped undici from 5.28.4 to 5.28.5 which resolved a moderate Dependabot alert. (#40)
Bug fixes
- In version 5.35.0, we added support for importing an AWS organization into Guardrails but inadvertently introduced a bug that prevented real-time events for the aws-organizations mod from being processed correctly. This issue has now been fixed.
Policy Types
Renamed
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-organizations to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws
Bug fixes
- Guardrails failed to handle real-time creation and tagging events for organizational account resources. This is now fixed.
Policy Types
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-organizations
Removed
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-organizations
What's new?
- New tables added
Enhancements
- Added
Typecolumn inaws_s3_bucketsource arguments table.
Dependencies
- Bumped github.com/aws/aws-sdk-go-v2/config from 1.28.11 to 1.29.6. (#79)
- Bumped github.com/aws/aws-sdk-go-v2/credentials from 1.17.52 to 1.17.57. (#68)
- Bumped github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.17.49 to 1.17.60. (#81)
- Bumped github.com/aws/aws-sdk-go-v2/service/s3 from 1.72.3 to 1.76.0. (#78)
- Bumped github.com/hashicorp/hcl/v2 from 2.20.1 to 2.23.0. (#84)
- Bumped github.com/rs/xid from 1.5.0 to 1.6.0. (#67)
- Bumped github.com/turbot/tailpipe-plugin-sdk from 0.1.0 to 0.1.1. (#75)
- Bumped golang.org/x/sync from 0.10.0 to 0.11.0. (#82)
What's new?
- New tables added
All Pipes workspaces are now running Powerpipe v1.2.0.
For more information on this Powerpipe release, see the release notes.
Bug fixes
- Server
- Rolled back dynamic queueing adjustments to restore previous behavior.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Version bump to align with deployment requirements.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
UI
- Addressed an issue where resource card links on the Resources dashboard were not working as expected.
Server
- Prevented the runnable monitor from entering an infinite loop.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- UI
- Policy pack descriptions are now visible in the list view and detail page header for better clarity.
Bug fixes
- UI
- Run and Terminate buttons now appear properly on the process detail page, ensuring a smoother experience.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
GCP > Storage > Bucket > Policy > Trusted Accesscontrol previously failed to evaluate results correctly and caused internal process timeouts when Guardrails was denied access to fetch IAM policy bindings for buckets. This issue has been resolved, ensuring that the control now evaluates results and terminates correctly as expected.
Bug fixes
- The
Azure > Compute > Virtual Machine > Tagscontrol would sometimes failed to update tags on spot instances. This is now fixed.
Bug fixes
- The
AWS > S3 > Bucket > Discoverycontrol incorrectly went into a skipped state when theAWS > S3 > Bucket > CMDBpolicy was set toEnforce: Enabled but ignore permission errors. This is fixed and control will now work as expected.
What's new?
- UI
- Added 'Resource Type' column to activity ledger CSV exports.
- Improved usability of the Resource trend graph.
Bug fixes
- Server
- Recursive loops in Lambda are now handled seamlessly without termination.
- Optimize message queue dispatch based on DB CPU usage, connections, and queue load.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Policy Types:
- Turbot > Workspace > Guardrails Master Account
Requirements
- TE: 5.35.4
Bug Fixes
- Fixed the dashboard code to ensure that the search path prefix is respected. (#717)
v0.15.0 of the Terraform Provider for Pipes is now available.
Breaking Changes
- Attribute
github_installation_idfor resourcepipes_tenant_integrationis now of typeintinstead ofstring. - Attribute
github_installation_idfor resourcepipes_organization_integrationis now of typeintinstead ofstring. - Attribute
github_installation_idfor resourcepipes_user_integrationis now of typeintinstead ofstring.
What's new?
- Data Source
pipes_organization_integration. - Data Source
pipes_tenant_integration. - Data Source
pipes_user_integration. - Data Source
pipes_workspace. - Data Source
pipes_workspace_flowpipe_pipeline. - Resource
pipes_tenant_notifier. - Resource
pipes_organization_notifier. - Resource
pipes_user_notifier. - Resource
pipes_workspace_notifier. - Resource
pipes_workspace_flowpipe_mod. - Resource
pipes_workspace_flowpipe_mod_variable. - Resource
pipes_workspace_flowpipe_trigger.
Enhancements
- Add
last_activity_atattribute to thepipes_tenant_memberresource to track the last time a user performed an activity in the tenant. - Add
last_activity_atattribute to thepipes_organization_memberresource to track the last time a user performed an activity in the organization. - Add
last_activity_atattribute to thepipes_organization_workspace_memberresource to track the last time a user performed an activity in the workspace.
Integrate your developer account, team or custom tenant with GitLab, enabling you to install custom Powerpipe or Flowpipe mods from public or private projects. Push changes for instant deploys and live updates.
For more information, check out the docs.
Bug fixes
- The
Azure > SQL > Server > CMDBcontrol sometimes failed to fetch data for the associated firewall rules. This issue has now been fixed.
Bug fixes
- The
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)control sometimes failed to evaluate the control state correctly. This issue is now fixed.
Dependencies
- Updated FDW to
v1.12.2to remediate critical and high vulnerabilities. (#533)
What's new?
- You can now configure a custom tag name to start/stop DB instances via the
AWS > RDS > DB Instance > Schedulecontrol. To get started, set theAWS > RDS > DB Instance > Schedule Tag > Namepolicy.
Policy Types
- AWS > RDS > DB Instance > Schedule Tag > Name
Bug fixes
- The
AWS > CloudSearch > Domain > CMDBpolicy will now be set toSkipby default because the resource type has been deprecated and will be removed in the next major version. Please check end of support for more information.
Bug fixes
Stack [Native]controls now run faster when inskippedstate. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Bug fixes
Stack [Native]controls now run faster when inskippedstate. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Bug fixes
Stack [Native]controls now run faster when inskippedstate. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Bug fixes
Stack [Native]controls now run faster when inskippedstate. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Bug fixes
Stack [Native]controls now run faster when inskippedstate. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Bug fixes
Stack [Native]controls now run faster when inskippedstate. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Enhancements
- Added the column
last_activity_attopipes_organization_member,pipes_organization_workspace_memberandpipes_tenant_membertables. (#47)
Dependencies
- Recompiled plugin with pipes-go-sdk v0.12.0. (#47)
We are excited to announce the release of five new Tailpipe plugins that make it easy to collect logs from various sources, e.g., AWS CloudTrail logs from S3 buckets, and then query the data with familiar SQL syntax.
For more information on how you can get started with the plugins, please see Learn Tailpipe
Introducing Tailpipe, a high-performance data collection and querying tool that makes it easy to collect, store, and analyze log data.
With Tailpipe you can:
- Collect logs from various sources and store them efficiently
- Query your data with familiar SQL syntax using Tailpipe (or DuckDB!)
- Use Powerpipe to visualize your logs and run detections
Learn more at:
- Website - https://tailpipe.io
- Docs - https://tailpipe.io/docs
- Hub - https://hub.tailpipe.io
- Introduction - https://tailpipe.io/blog/introducing-tailpipe
Whats new
- Added support for
tailpipedetections and detection benchmarks. - Added
tailpipeconnection type. - Added
detectioncommand. - Added default column support for tables. (#567)
- Added support for allowing multiple benchmarks/controls to be filtered/grouped on a single dashboard. (#588)
- Added support for equal/not_equal/in/not_in filters. (#594)
- Added support for displaying documentation in the Benchmark UI. (#591)
- Combined snap/open button into a single split button. (#606)
- Added table column selection to table panel controls. (#631)
- Added table row view. (#636)
- Added support for draggable split pane for dashboard UI right content section. (#648)
- Updated default date_range input to be 7 days. (#641)
- Added cell filtering to tables. (#662)
- Added href support to detection column data. (#642)
- Added table filter side panel for regular tables. (#670)
- Added
500 MBlimit for opening snapshots. (#671) - Added control row detail side panel view. (#672)
- Added heatmap chart. (#673)
What's new?
- New benchmarks added:
- Audit Log Detections benchmark (
powerpipe benchmark run gcp_audit_log_detections.benchmark.audit_log_detections). - MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run gcp_audit_log_detections.benchmark.mitre_attack_v161).
- Audit Log Detections benchmark (
- New dashboards added:
What's new?
- New benchmarks added:
- Activity Log Detections benchmark (
powerpipe benchmark run azure_activity_log_detections.benchmark.activity_log_detections). - MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run azure_activity_log_detections.benchmark.mitre_attack_v161).
- Activity Log Detections benchmark (
- New dashboards added:
What's new?
- New benchmarks added:
- CloudTrail Log Detections benchmark (
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.cloudtrail_log_detections). - MITRE ATT&CK v16.1 benchmark (
powerpipe benchmark run aws_cloudtrail_log_detections.benchmark.mitre_attack_v161).
- CloudTrail Log Detections benchmark (
- New dashboards added:
What's new?
- UI
- Resources and Controls tab now features summary cards for better visibility.
Bug fixes
- UI
- No more NaN values in summary cards; they now display correctly.
- Mute and Run Control buttons now respect proper permission checks in the Control Detail page.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
AWS > Account > CMDBcontrol occasionally encountered an error state while fetching tagging details for accounts. This issue has now been fixed.
Bug fixes
- In the previous version, we introduced support for fetching AWS tags on accounts imported as part of an organization. However, this inadvertently caused a bug that removed tags added via the Guardrails API or Terraform on existing account resources. This issue has now been fixed, ensuring that tags added via Guardrails are preserved for individual accounts that are not part of any organization.
- Fixed pattern validation for
AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARNpolicy.
Bug fixes
- Minor internal improvements.
Bug fixes
- UI
- The role name was not updating correctly in the CFN template for AWS Org import and has now been fixed.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The real-time event handlers did not process account level events if the associated organization was imported using a delegated account. This is now fixed.
All Pipes workspaces are now running Powerpipe v1.1.0.
For more information on this Powerpipe release, see the release notes.
What's new?
- Guardrails now supports configurable soft limits for API and Event container memory reservations in TEF, improving ECS task scaling and resource flexibility.
- Added Guardrails KMS key, a multi-region KMS key for encrypting internal Turbot Guardrails data.
- Added support for Node.js 22 in the Lambda runtime.
What's new?
- Support for IAM based authentication in Redis.
What's new?
- Added a new SSM parameter to enable GCP organization import.
- Introduced Redis-based IAM authentication support.
What's new?
Server
- Deprecation Notice: The SmartFolder API has been deprecated and replaced with a new Policy Pack API:
createSmartFolder→ UsecreatePolicyPackinstead.deleteSmartFolders→ UsedeletePolicyPacksinstead.attachSmartFolders→ UseattachPolicyPacksinstead.putSmartFolderAttachments→ UseputPolicyPackAttachmentsinstead.updateSmartFolders→ UseupdatePolicyPacksinstead.detachSmartFolders→ UsedetachPolicyPacksinstead.
- The new Policy Pack API introduces targeted resource types, allowing policy packs to be associated only with specific resource types. This is an optional feature, providing more control over policy pack applicability.
- Added Mute/Un-mute Controls, an alternative to policy setting exceptions. When a control is muted, it will still run in the background but will not affect compliance or trigger alerts.
- Introduced the Daily Stats API, which tracks daily statistics for each account, helping users monitor trends and activity over time.
- Added two new policies:
- Policy Setting Levels: Defines where policy settings can be created.
- Policy Pack Levels: Specifies where policy packs can be attached.
- Deprecation Notice: The SmartFolder API has been deprecated and replaced with a new Policy Pack API:
UI
- Added support for muting/un-muting controls directly from the interface.
- The Import Page UI has been redesigned and now supports:
- AWS organization import
- GitHub organization import
- GCP organization import using service-account-impersonation
- Added new metrics with separate charts for resources, controls, and actions, making it easier to track compliance and trends.
Bug fixes
Server
- Fixed native stack (OpenTofu) and stack (Terraform) log order.
UI
- Fixed log message indentation issues for improved readability.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Policy Types:
- Turbot > Workspace > Retention > Account Statistics Retention
- Turbot > Workspace > Retention > Account Statistics Retention > Purge Limit
- Turbot > Workspace > Policy Pack Attachment Levels
- Turbot > Workspace > Policy Setting Levels
Control Types:
- Turbot > Statistics > Accounts
Requirements
- TE: 5.35.4
What's new?
- Users can now discover folders, projects and resources under your organization. To get started, import an organization in your Guardrails workspace.
Resource Types
- GCP > Organization
- GCP > Folder
Control Types
- GCP > Folder > CMDB
- GCP > Folder > Discovery
- GCP > Organization > CMDB
- GCP > Project > Discovery
- GCP > Turbot > Folder Event Poller
- GCP > Turbot > Organization Event Poller
Policy Types
- GCP > External ID Label Name
- GCP > Organization > CMDB
- GCP > Organization > CMDB > Exclude
- GCP > Folder > CMDB
- GCP > Turbot > Folder Event Poller
- GCP > Turbot > Folder Event Poller > Filter
- GCP > Turbot > Folder Event Poller > Interval
- GCP > Turbot > Folder Event Poller > Window
- GCP > Turbot > Organization Event Poller
- GCP > Turbot > Organization Event Poller > Filter
- GCP > Turbot > Organization Event Poller > Interval
- GCP > Turbot > Organization Event Poller > Window
Action Types
- GCP > Folder > Event Poller
- GCP > Folder > Folder Event Handler
- GCP > Folder > Router
- GCP > Organization > Event Poller
- GCP > Organization > Organization Event Handler
- GCP > Organization > Router
What's new?
Users can now exclude subscriptions that they do not wish to import while importing a tenant in Guardrails. To get started, set the
Azure > Tenant > CMDB > Excludepolicy.Users can now create and manage tags for subscriptions. To get started, set the
Azure > Subscription > Tags > *policies.
Control Types
- Azure > Subscription > Tags
Policy Types
- Azure > Subscription > Tags
- Azure > Subscription > Tags > Template
- Azure > Tenant > CMDB > Exclude
Action Types
- Azure > Subscription > Set Tags
What's new?
- Users can now discover OUs, accounts and resources under your organization. To get started, import an organization in your Guardrails workspace.
Resource Types
- AWS > Organization
- AWS > Organization Root
- AWS > Organizational Unit
Control Types
- AWS > Account > Discovery
- AWS > Organization > CMDB
- AWS > Organization Root > CMDB
- AWS > Organization Root > Discovery
- AWS > Organizational Unit > CMDB
- AWS > Organizational Unit > Discovery
- AWS > Turbot > Organization Event Poller
Policy Types
- AWS > Account > Turbot IAM Role > External ID [Default]
- AWS > Account > Turbot IAM Role > Name [Default]
- AWS > Organization > CMDB
- AWS > Organization > CMDB > Exclude
- AWS > Organization > Turbot IAM Role
- AWS > Organization > Turbot IAM Role > External ID
- AWS > Organization Root > CMDB
- AWS > Organizational Unit > CMDB
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-organizations
- AWS > Turbot > Organization Event Poller
- AWS > Turbot > Organization Event Poller > Interval
- AWS > Turbot > Organization Event Poller > Window
Action Types
- AWS > Organization > Organization Event Handler
- AWS > Organization > Organization Event Poller
- AWS > Organization Root > Router
- AWS > Organizational Unit > Router
Bug fixes
- The
GitHub > Organization > Event Handlerscontrol will now useTurbot > Workspace > GitHub > Secretspolicy to set the webhook secret.
What's new?
Resource Types
- GitHub
- GitHub > Organization
- GitHub > Repository
Control Types
- GitHub > Organization > Blocked Users
- GitHub > Organization > CMDB
- GitHub > Organization > Deploy Keys
- GitHub > Organization > Deploy Keys > Enabled
- GitHub > Organization > Event Handlers
- GitHub > Organization > Member Privileges
- GitHub > Organization > Member Privileges > Base Permissions
- GitHub > Organization > Member Privileges > Pages Creation
- GitHub > Organization > Member Privileges > Repository Creation
- GitHub > Organization > Member Privileges > Repository Forking
- GitHub > Repository > CMDB
- GitHub > Repository > Code Security
- GitHub > Repository > Code Security > Push Protection
- GitHub > Repository > Code Security > Secret Scanning
- GitHub > Repository > Default Branch
- GitHub > Repository > Dependabot
- GitHub > Repository > Dependabot > Alerts
- GitHub > Repository > Dependabot > Security Updates
- GitHub > Repository > Discovery
- GitHub > Repository > Discussions
- GitHub > Repository > Discussions > Enabled
- GitHub > Repository > Forking
- GitHub > Repository > Forking > Enabled
- GitHub > Repository > Projects
- GitHub > Repository > Projects > Enabled
- GitHub > Repository > Pull Request
- GitHub > Repository > Pull Request > Delete Branch on Merge
- GitHub > Repository > Pull Request > Merge Configuration
- GitHub > Repository > Visibility
- GitHub > Repository > Wikis
- GitHub > Repository > Wikis > Enabled
Policy Types
- GitHub > Config
- GitHub > Config > Personal Access Token
- GitHub > Login Names
- GitHub > Organization > Blocked Users
- GitHub > Organization > Blocked Users > Usernames
- GitHub > Organization > CMDB
- GitHub > Organization > Deploy Keys
- GitHub > Organization > Deploy Keys > Enabled
- GitHub > Organization > Event Handlers
- GitHub > Organization > Event Handlers > Events
- GitHub > Organization > Member Privileges
- GitHub > Organization > Member Privileges > Base Permissions
- GitHub > Organization > Member Privileges > Pages Creation
- GitHub > Organization > Member Privileges > Repository Creation
- GitHub > Organization > Member Privileges > Repository Forking
- GitHub > Repository > CMDB
- GitHub > Repository > Code Security
- GitHub > Repository > Code Security > Push Protection
- GitHub > Repository > Code Security > Secret Scanning
- GitHub > Repository > Default Branch
- GitHub > Repository > Default Branch > Name
- GitHub > Repository > Dependabot
- GitHub > Repository > Dependabot > Alerts
- GitHub > Repository > Dependabot > Security Updates
- GitHub > Repository > Discussions
- GitHub > Repository > Discussions > Enabled
- GitHub > Repository > Forking
- GitHub > Repository > Forking > Enabled
- GitHub > Repository > Projects
- GitHub > Repository > Projects > Enabled
- GitHub > Repository > Pull Request
- GitHub > Repository > Pull Request > Delete Branch on Merge
- GitHub > Repository > Pull Request > Merge Configuration
- GitHub > Repository > Pull Request > Merge Configuration > Settings
- GitHub > Repository > Visibility
- GitHub > Repository > Wikis
- GitHub > Repository > Wikis > Enabled
Action Types
- GitHub > Organization > Event Handlers
- GitHub > Organization > Router
- GitHub > Organization > Update
- GitHub > Organization > Update Blocked Users
- GitHub > Repository > Router
- GitHub > Repository > Update
- GitHub > Repository > Update Dependabot
Whats new
- Added support for installing mods from GitLab repositories. (#656)
Dependencies
- Upgraded
crypto,net, andgo-gitpackages to remediate critical and high vulnerabilities.
Dependencies
- Upgraded
crypto,net, andgo-gitpackages to remediate critical and high vulnerabilities. (#4462)
Bug fixes
- The
Azure > SQL > Server > CMDBcontrol occasionally deleted servers from Guardrails CMDB when they used the SQL authentication method. This issue has been fixed, and such resources will no longer be removed from the CMDB.
What's new?
- Added support for Drift Detection, Version and Timeout policies for the
Stack [Native]controls.
Policy Types
- Azure > Network > Virtual Network > Stack [Native] > Drift Detection
- Azure > Network > Virtual Network > Stack [Native] > Drift Detection > Interval
- Azure > Network > Virtual Network > Stack [Native] > Timeout
- Azure > Network > Virtual Network > Stack [Native] > Version
What's new?
- Added support for Drift Detection, Version and Timeout policies for the
Stack [Native]controls.
Policy Types
- AWS > VPC > Stack [Native] > Drift Detection
- AWS > VPC > Stack [Native] > Drift Detection > Interval
- AWS > VPC > Stack [Native] > Timeout
- AWS > VPC > Stack [Native] > Version
- AWS > VPC > VPC > Stack [Native] > Drift Detection
- AWS > VPC > VPC > Stack [Native] > Drift Detection > Interval
- AWS > VPC > VPC > Stack [Native] > Timeout
- AWS > VPC > VPC > Stack [Native] > Version
What's new?
- Added support for Drift Detection, Version and Timeout policies for the
Stack [Native]controls.
Policy Types
- AWS > S3 > Bucket > Stack [Native] > Drift Detection
- AWS > S3 > Bucket > Stack [Native] > Drift Detection > Interval
- AWS > S3 > Bucket > Stack [Native] > Timeout
- AWS > S3 > Bucket > Stack [Native] > Version
What's new?
- Added support for Drift Detection, Version and Timeout policies for the
Stack [Native]controls.
Policy Types
- AWS > IAM > Stack [Native] > Drift Detection
- AWS > IAM > Stack [Native] > Drift Detection > Interval
- AWS > IAM > Stack [Native] > Timeout
- AWS > IAM > Stack [Native] > Version
What's new?
- Added support for Drift Detection, Version and Timeout policies for the
Stack [Native]controls.
Policy Types
- GCP > Project > Stack [Native] > Drift Detection
- GCP > Project > Stack [Native] > Drift Detection > Interval
- GCP > Project > Stack [Native] > Timeout
- GCP > Project > Stack [Native] > Version
What's new?
- Added support for Drift Detection, Version and Timeout policies for the
Stack [Native]controls.
Policy Types
- Azure > Subscription > Stack [Native] > Drift Detection
- Azure > Subscription > Stack [Native] > Drift Detection > Interval
- Azure > Subscription > Stack [Native] > Timeout
- Azure > Subscription > Stack [Native] > Version
What's new?
- Added support for Drift Detection, Version and Timeout policies for the
Stack [Native]controls.
Policy Types
- AWS > Account > Stack [Native] > Drift Detection
- AWS > Account > Stack [Native] > Drift Detection > Interval
- AWS > Account > Stack [Native] > Timeout
- AWS > Account > Stack [Native] > Version
- AWS > Region > Stack [Native] > Drift Detection
- AWS > Region > Stack [Native] > Drift Detection > Interval
- AWS > Region > Stack [Native] > Timeout
- AWS > Region > Stack [Native] > Version
Bug fixes
- Fixed an issue where the
Postgres 15 FDW Linux - ARM64plugin build incorrectly usedPostgres 14instead ofPostgres 15. (#53)
Custom tenant, organization and workspace people pages now show the last activity date for each member, allowing owners to track usage of their environments.
For more information, check out the tenant, organization and workspace people docs.
Custom tenant settings now allow owners to control workspace snapshot visibility settings, restricting the use of publicly-shared snapshot links.
For more information, check out the docs.
Bug fixes
- Server
- Added support for drift detection in OpenTofu 1.x (open-source Terraform) integration via Guardrail.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Server
- Added support for OpenTofu v1.8.3 (open source Terraform) container to run Stack [Native] controls.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- GCP > Project > Stack [Native]
Policy Types
- GCP > Project > Stack [Native]
- GCP > Project > Stack [Native] > Modifier
- GCP > Project > Stack [Native] > Secret Variables
- GCP > Project > Stack [Native] > Source
- GCP > Project > Stack [Native] > Variables
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- Azure > Subscription > Stack [Native]
Policy Types
- Azure > Subscription > Stack [Native]
- Azure > Subscription > Stack [Native] > Modifier
- Azure > Subscription > Stack [Native] > Secret Variables
- Azure > Subscription > Stack [Native] > Source
- Azure > Subscription > Stack [Native] > Variables
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- Azure > Network > Virtual Network > Stack [Native]
Policy Types
- Azure > Network > Virtual Network > Stack [Native]
- Azure > Network > Virtual Network > Stack [Native] > Modifier
- Azure > Network > Virtual Network > Stack [Native] > Secret Variables
- Azure > Network > Virtual Network > Stack [Native] > Source
- Azure > Network > Virtual Network > Stack [Native] > Variables
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- AWS > VPC > Stack [Native]
- AWS > VPC > VPC > Stack [Native]
Policy Types
- AWS > VPC > Stack [Native]
- AWS > VPC > Stack [Native] > Modifier
- AWS > VPC > Stack [Native] > Secret Variables
- AWS > VPC > Stack [Native] > Source
- AWS > VPC > Stack [Native] > Variables
- AWS > VPC > VPC > Stack [Native]
- AWS > VPC > VPC > Stack [Native] > Modifier
- AWS > VPC > VPC > Stack [Native] > Secret Variables
- AWS > VPC > VPC > Stack [Native] > Source
- AWS > VPC > VPC > Stack [Native] > Variables
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- AWS > Account > Stack [Native]
- AWS > Region > Stack [Native]
Policy Types
- AWS > Account > Stack [Native]
- AWS > Account > Stack [Native] > Modifier
- AWS > Account > Stack [Native] > Secret Variables
- AWS > Account > Stack [Native] > Source
- AWS > Account > Stack [Native] > Variables
- AWS > Region > Stack [Native]
- AWS > Region > Stack [Native] > Modifier
- AWS > Region > Stack [Native] > Secret Variables
- AWS > Region > Stack [Native] > Source
- AWS > Region > Stack [Native] > Variables
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- AWS > S3 > Bucket > Stack [Native]
Policy Types
- AWS > S3 > Bucket [Native]
- AWS > S3 > Bucket [Native] > Modifier
- AWS > S3 > Bucket [Native] > Secret Variables
- AWS > S3 > Bucket [Native] > Source
- AWS > S3 > Bucket [Native] > Variables
What's new?
- Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the
Stack [Native] > *policies.
Control Types
- AWS > IAM > Stack [Native]
Policy Types
- AWS > IAM > Stack [Native]
- AWS > IAM > Stack [Native] > Modifier
- AWS > IAM > Stack [Native] > Secret Variables
- AWS > IAM > Stack [Native] > Source
- AWS > IAM > Stack [Native] > Variables
What's new?
- New tables added
Enhancements
- Added
instance_type_patterncolumn as an optional qual to theaws_ec2_instance_typetable. (#2301) - Added
image_digestcolumn as an optional qual to theaws_ecr_image_scan_findingtable. (#2357) - Added
created_atandupdated_atcolumns as optional quals to theaws_securityhub_findingtable. (#2298) - Added
account_password_presentcolumn toaws_iam_account_summarytable. (#2346) - Add
tagscolumn toaws_backup_plan table. (#2336) (Thanks @pdecat for the contribution!)
Bug fixes
- Fixed the
aws_rds_db_instancetable to correctly return data instead of an error by ignoring theCertificateNotFounderror code. (#2363)
What's new?
- Improved CLI load time for environments with many connection resources.
- Updated Go to v1.23.
Bug fixes
- The real-time Event Handlers would fail to update details for Flow Logs attached to Virtual Networks. This is now fixed.
Bug fixes
- Guardrails would fail to update CMDB for virtual networks when flow logs were created or removed from such resources. This is now fixed.
What's new?
- Added pipelines to run CIS v3.0.0 benchmark. These pipelines can be used to identify Azure resources that are non-compliant with CIS recommendations and also remediate them according to CIS remediation suggestions. For usage information and a full list of pipelines, please see Azure CIS Mod.
What's new?
- Added 109 new 'detect and correct' pipelines to identify Azure resources that are non-compliant with common security and compliance checks. These pipelines can also remediate non-compliant automatically or with approval steps. For usage information and a full list of pipelines, please see Azure Compliance Mod.
Bug fixes
- The
AWS > VPC > VPC > Flow Loggingcontrol previously attempted to destroy and recreate flow logs with CloudWatch log groups as the destination on successive runs due to an incorrect ARN reference to the log destination. This issue is now fixed, and the control will no longer unnecessarily destroy and recreate flow logs in such cases.
What's new?
- New pipelines added: (#22)
encrypt_storage_accountset_mysql_flexible_server_parameterset_postgres_flexible_server_configurationset_postgres_flexible_server_require_secure_transportset_sql_server_tde_keyupdate_compute_disk_encryption_with_cmkupdate_compute_diskupdate_key_vault_rbac_authorizationupdate_sql_server_public_network_accessupdate_storage_account_blob_public_access
What's new?
- New pipelines added: (#81)
generate_iam_credential_report
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
Bug fixes
- We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
Bug fixes
- We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
Bug fixes
- In a previous version, we resolved an issue in the
Azure > Compute > Virtual Machine Scale Set > Tagscontrol to ensure tags were updated correctly for Scale Sets launched via the Azure Marketplace. However, the control occasionally failed to update tags for Scale Sets on certain purchase plans. This issue has now been addressed, and the control will update tags correctly and reliably for all types of Scale Sets.
Bug fixes
- We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
Bug fixes
- We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
Bug fixes
- We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
Bug fixes
- UI
- Updated the filter logic on the Reports page for more accurate results.
- Resolved an issue where resource links in the Permissions section redirected to the profile page instead of the resource page when grouped by resources.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Users can now define a list of events to filter out while polling for events using the
Azure > Turbot > Event Poller. To get started, set theAzure > Turbot > Event Poller > Excluded Eventspolicy.
Policy Types
- Azure > Turbot > Event Poller > Excluded Events
What's new?
- Users can now check and enforce SQS SSE for queue encryption. To get started, configure the
AWS > SQS > Queue > Encryption at Restpolicy to one of the following values:Check: SQS SSE,Check: SQS SSE or higher,Enforce: SQS SSEorEnforce: SQS SSE or higher.
What's new?
- Check if Kubernetes clusters are approved for use via Guardrails. To get started, set the
Kubernetes > Cluster > Approved > *policies.
Control Types
- Kubernetes > Cluster > Approved
Policy Types
- Kubernetes > Cluster > Approved
- Kubernetes > Cluster > Approved > Custom
Bug fixes
- The
Azure > App Service > Function App > HTTPS Onlycontrol would sometime fail to enable the setting in Azure. This is now fixed.
Bug fixes
- The
GCP > Compute Engine > Instance > Serial Port AccessandGCP > Compute Engine > Instance > Block Project Wide SSH Keyscontrols would sometimes go into an error state due to incorrect references to CMDB attributes. This is fixed and the controls will now work as expected.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
Bug fixes
- Guardrails would fail to delete unapproved ingress rules when the
Azure > Network > Network Security Group > Ingress Rules > Approvedpolicy was set toEnforce: Delete unapproved. This is now fixed.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
Bug fixes
- Guardrails would sometimes update the
createTimestampfor Web Apps and Function Apps incorrectly when processing update events for these resources. We have updated the internal logic to ensure thecreateTimestampis now updated correctly and more reliably than before.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
Bug fixes
- Disks created alongside VMs sometimes lacked
createdBydetails in their metadata. The internal logic has been updated to ensurecreatedBydetails are added more reliably for these disks.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
Bug fixes
- The
GCP > IAM > Service Account Key > Activecontrol has been updated to usevalidAfterTimeinstead ofmetadata.createTimestampto accurately evaluate the age of the resource.
What's new?
- The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
What's new?
- Users can now check and delete DB clusters that are not approved for use if they lack encryption at rest. To get started, set the
AWS > RDS > DB Cluster > Approved > Encryption at Rest > *policies.
Policy Types
- AWS > RDS > DB Cluster > Approved > Encryption at Rest
- AWS > RDS > DB Cluster > Approved > Encryption at Rest > Customer Managed Key
What's new?
- Users can now check if their account spend is
On Targetper Budget. To get started, set theAWS > Account > Budget > Enabledpolicy toCheck: Budget > State is On Target.
Bug fixes
- UI
- Resolved an issue where reports pages could crash if certain information was null
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Server
- Resolved an issue where actor information was not being passed correctly during the process execution, ensuring accurate tracking and processing of actor-related data.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
AWS > VPC > Route > CMDBcontrol would go into an error state due to an incorrect use of a function from an internal node package. This is now fixed.
Bug fixes
- Guardrails would sometimes update the
createdBydetails for storage accounts due to mishandled real-time update events. This issue has been fixed, andcreatedBydetails will now be stored more reliably and consistently than before. - In a previous version, we inadvertently introduced a bug that prevented the
createTimestampdetails from being stored in the metadata of new storage accounts upserted in Guardrails CMDB. This issue has now been resolved, andcreateTimestampdetails are now stored correctly and reliably.
What's new?
- New tables added
- aws_cost_by_region_monthly (#2310) (Thanks @razbne for the contribution!)
Enhancements
- Added
error,is_public,resource_owner_accountandresource_typeoptional quals foraws_accessanalyzer_findingtable. (#2331) (Thanks @dbermuehler for the contribution!) - Updated the
aws_s3_objecttable to use theHeadObjectAPI to retrieve object metadata. (#2312) (Thanks @JonMerlevede for the contribution!)
Bug fixes
- Fixed the
aws_s3_buckettable to correctly return data by ignoring the not found error ingetBucketTaggingandgetBucketWebsitehydrate functions. (#2335)
Bug fixes
- Fixed the issue where the steampipe interactive meta-command
.cache clearwas not clearing the cache. (#4443)
What's new?
- Added NYDFS 23 benchmark (
powerpipe benchmark run aws_compliance.benchmark.nydfs_23). (#844)
What's new?
- Resource's metadata will now also include
createdBydetails in Guardrails CMDB.
Bug fixes
- The
AWS > VPC > VPC > Flow Loggingcontrol would sometimes fail to update flow logs if the Max Aggregation Interval in the stack's source policy was updated. This is fixed and the stack control will now update such resources correctly, as expected.
What's new?
- Users can now configure the maximum aggregation interval in the
AWS > VPC > VPC > Flow Loggingcontrol. To get started, set theAWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Intervalpolicy and/orAWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Intervalpolicy.
Policy Types
- AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval
- AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval
Enhancements
- Added
multi_regionandmulti_region_configurationcolumns toaws_kms_keytable. (#2338) (Thanks @pdecat for the contribution!)
Bug fixes
- Fixed the comparison operator
(<= or >=)for number and date filter inaws_inspector2_findingtable. (#2332) (Thanks @dbermuehler for the contribution!)
Bug fixes
- Fixed the
trigger_parameterscolumn of thecircleci_pipelinetable to correctly return data instead ofJSON unmarshallingerror. (#53)
The Okta plugin in Pipes now supports max_backoff, max_retries and request_timeout settings.
To get started, create an Okta connection and add it to your workspace.
What's new?
- New tables added
- gcp_compute_instance_group_manager (#669) (Thanks @pdecat for the contribution!)
Enhancements
- Added
labelsandtagscolumns to thegcp_compute_global_forwarding_ruletable. (#678) (Thanks @pdecat for the contribution!) - Added
database_installed_versionandmaintenance_versioncolumns to thegcp_sql_database_instancetable. (#677) (Thanks @pdecat for the contribution!)
Bug fixes
- Fixed the
gcp_compute_instance_grouptable to correctly return data for regional instance groups'instancescolumn. (#670) (Thanks @pdecat for the contribution!) - Fixed the
kubernetes_node_pooltable to correctly return data instead of an error for node pools with auto-pilot disabled. (#668) (Thanks @multani for the contribution!)
What's new?
- New tables added
Enhancements
- Added
firewall_rulescolumn to theazure_postgresql_flexible_servertable. (#852)
Resource Types
- Azure > SQL > Managed Instance
Control Types
- Azure > SQL > Managed Instance > Active
- Azure > SQL > Managed Instance > Approved
- Azure > SQL > Managed Instance > CMDB
- Azure > SQL > Managed Instance > Discovery
- Azure > SQL > Managed Instance > Tags
Policy Types
- Azure > SQL > Managed Instance > Active
- Azure > SQL > Managed Instance > Active > Age
- Azure > SQL > Managed Instance > Active > Last Modified
- Azure > SQL > Managed Instance > Approved
- Azure > SQL > Managed Instance > Approved > Custom
- Azure > SQL > Managed Instance > Approved > Regions
- Azure > SQL > Managed Instance > Approved > Usage
- Azure > SQL > Managed Instance > CMDB
- Azure > SQL > Managed Instance > Regions
- Azure > SQL > Managed Instance > Tags
- Azure > SQL > Managed Instance > Tags > Template
Action Types
- Azure > SQL > Managed Instance > Delete
- Azure > SQL > Managed Instance > Router
- Azure > SQL > Managed Instance > Set Tags
Bug fixes
- Controls previously targeting the
AWS > IAM > Credential Reportresource type have now been updated to target either theAWS > IAM > RootorAWS > IAM > Userresource types, depending on the specific control requirements. This adjustment more accurately aligns each control with the relevant resources, enabling more precise and targeted checks.
What's new?
- Added CIS v3.0.0 benchmark (
powerpipe benchmark run azure_compliance.benchmark.cis_v300). (#282)
Bug fixes
- Fixed the
elb_application_lb_waf_enabledquery to correctly flag ELB application load balancers as alarm when the associated WAF is disabled. (#840) - Fixed the
cloudfront_distribution_custom_origins_encryption_in_transit_enabledquery to remove duplicate AWS CloudFront distributions from the result. (#829) (Thanks to @sbldevnet for the contribution!) - Fixed the
whereclause of thecloudfront_distribution_use_secure_cipherquery to correctly check if the CloudFront distributions have insecure cipher protocols. (#827) (Thanks to @sbldevnet for the contribution!)
Bug fixes
- The
Azure > Security Center > Security Center > Auto Provisioningcontrol is now deprecated and will now move to an Invalid state if enforcements are applied. This follows the deprecation plan announcement from Azure. The control will be removed in a future mod version.
Control Types
Renamed
- Azure > Security Center > Security Center > Auto Provisioning to Azure > Security Center > Security Center > Auto Provisioning [Deprecated]
Policy Types
Renamed
- Azure > Security Center > Security Center > Auto Provisioning to Azure > Security Center > Security Center > Auto Provisioning [Deprecated]
Action Types
Removed
- Azure > Security Center > Security Center > Update Auto Provisioning
All Pipes workspaces are now running Steampipe v1.0.0.
For more information on this Steampipe release, see the launch post or check out the release notes.
All Pipes workspaces are now running Powerpipe v1.0.0.
For more information on this Powerpipe release, see the launch post or check out the release notes.
With a web UI, point-and-click mod installation, and easy integration with Slack and GitHub, Pipes takes workflows-as-code to the next level.
For more information, see the launch post or check out the docs.
All the components of Turbot's open source suite are now fully integrated into Pipes.
For more information, see the launch post or check out the docs.
Bug Fixes
- Cleaned up documentation and standardized the file naming conventions of
*.ppvars.examplefiles across the following 24 mods to ensure alignment with the Powerpipe v1.0.0 release:steampipe-mod-alicloud-compliancesteampipe-mod-aws-perimetersteampipe-mod-aws-tagssteampipe-mod-aws-thriftysteampipe-mod-aws-top-10steampipe-mod-azure-compliancesteampipe-mod-azure-tagssteampipe-mod-azure-thriftysteampipe-mod-digitalocean-thriftysteampipe-mod-docker-compliancesteampipe-mod-gcp-compliancesteampipe-mod-gcp-labelssteampipe-mod-gcp-thriftysteampipe-mod-github-compliancesteampipe-mod-kubernetes-compliancesteampipe-mod-microsoft365-compliancesteampipe-mod-net-insightssteampipe-mod-oci-compliancesteampipe-mod-oci-thriftysteampipe-mod-snowflake-compliancesteampipe-mod-terraform-aws-compliancesteampipe-mod-terraform-azure-compliancesteampipe-mod-terraform-gcp-compliancesteampipe-mod-terraform-oci-compliance
Bug fixes
- Added missing checks to the 1.12, 1.16, and 1.22 pipelines in CIS v3.0.0 and v4.0.0. (#3)
Bug fixes
- Fix crashing cases when using
--output json. (#594). - Coerce variables set in interactive console to their declared type. (#595).
- Nested pipelines now correctly pauses parent pipelines. (#955).
- Pipeline with
max_concurrencysetting is now automatically paused and will successfully resume. (#957). form_urlis now sanitized.
What's new?
- Added CIS v4.0.0 benchmark (
steampipe check benchmark.cis_v400). (#836) - Added
ebs_encryption_by_default_enabledandvpc_security_group_restrict_ingress_cifs_port_allcontrols to theAll Controlsbenchmark. (#835)
Enhancements
- Added the
ebs_encryption_by_default_enabledcontrol to therbi_cyber_security_annex_i_1_3benchmark. (#835) - Set
python3.8as deprecated Lambda runtime inlambda_function_use_latest_runtimecontrol. (#833) (Thanks to @sbldevnet for the contribution!) - Updated
iam_access_analyzer_enabled_without_findingsandssm_document_prohibit_public_accesscontrols to use latest columns and tables from the AWS plugin. (#835)
Bug fixes
- VPC security group rule controls that check for restricted port access now correctly detect rules with ports in a port range instead of only exact port matches. (#835)
- Fixed the 2.2.1 control in CIS v1.5.0, v2.0.0, v3.0.0 benchmarks to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)
- Fixed the
fedramp_moderate_rev_4_sc_28benchmark to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)
Deprecated
- Deprecated the
ec2_ebs_default_encryption_enabledcontrol and query. Please use theebs_encryption_by_defaultcontrol and query instead.
What's new?
Control Types
- Kubernetes > CronJob > ServiceNow > Import Set
- Kubernetes > DaemonSet > ServiceNow > Import Set
- Kubernetes > Ingress > ServiceNow > Import Set
- Kubernetes > Job > ServiceNow > Import Set
- Kubernetes > Persistent Volume > ServiceNow > Import Set
- Kubernetes > ReplicationController > ServiceNow > Import Set
- Kubernetes > StatefulSet > ServiceNow > Import Set
Policy Types
- Kubernetes > CronJob > ServiceNow > Import Set
- Kubernetes > CronJob > ServiceNow > Import Set > Archive Columns
- Kubernetes > CronJob > ServiceNow > Import Set > Insert Mode
- Kubernetes > CronJob > ServiceNow > Import Set > Record
- Kubernetes > CronJob > ServiceNow > Import Set > Table Name
- Kubernetes > DaemonSet > ServiceNow > Import Set
- Kubernetes > DaemonSet > ServiceNow > Import Set > Archive Columns
- Kubernetes > DaemonSet > ServiceNow > Import Set > Insert Mode
- Kubernetes > DaemonSet > ServiceNow > Import Set > Record
- Kubernetes > DaemonSet > ServiceNow > Import Set > Table Name
- Kubernetes > Ingress > ServiceNow > Import Set
- Kubernetes > Ingress > ServiceNow > Import Set > Archive Columns
- Kubernetes > Ingress > ServiceNow > Import Set > Insert Mode
- Kubernetes > Ingress > ServiceNow > Import Set > Record
- Kubernetes > Ingress > ServiceNow > Import Set > Table Name
- Kubernetes > Job > ServiceNow > Import Set
- Kubernetes > Job > ServiceNow > Import Set > Archive Columns
- Kubernetes > Job > ServiceNow > Import Set > Insert Mode
- Kubernetes > Job > ServiceNow > Import Set > Record
- Kubernetes > Job > ServiceNow > Import Set > Table Name
- Kubernetes > Persistent Volume > ServiceNow > Import Set
- Kubernetes > Persistent Volume > ServiceNow > Import Set > Archive Columns
- Kubernetes > Persistent Volume > ServiceNow > Import Set > Insert Mode
- Kubernetes > Persistent Volume > ServiceNow > Import Set > Record
- Kubernetes > Persistent Volume > ServiceNow > Import Set > Table Name
- Kubernetes > ReplicationController > ServiceNow > Import Set
- Kubernetes > ReplicationController > ServiceNow > Import Set > Archive Columns
- Kubernetes > ReplicationController > ServiceNow > Import Set > Insert Mode
- Kubernetes > ReplicationController > ServiceNow > Import Set > Record
- Kubernetes > ReplicationController > ServiceNow > Import Set > Table Name
- Kubernetes > StatefulSet > ServiceNow > Import Set
- Kubernetes > StatefulSet > ServiceNow > Import Set > Archive Columns
- Kubernetes > StatefulSet > ServiceNow > Import Set > Insert Mode
- Kubernetes > StatefulSet > ServiceNow > Import Set > Record
- Kubernetes > StatefulSet > ServiceNow > Import Set > Table Name
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- Removed unused node package dependencies for tenant lambda functions.
Bug fixes
- Added
verification_tokencolumn toaws_ses_domain_identitytable which was accidentally removed in v1.0.0.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
What's new?
Policy Types
- GCP > Compute Engine > Disk > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Health Check > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Image > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Instance > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Node Group > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Node template > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Project > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Insert Mode
- GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Insert Mode
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
Bug fixes
- In version 5.5.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Security Center resources in Guardrails. However, this caused controls to enter an error state for US Gov cloud subscriptions because the APIs did not work as expected. We have now updated dependencies that are compatible with both commercial and US Gov cloud subscriptions, ensuring that controls in both environments will work as expected.
- The
Azure > Security Center > Security Center > CMDBcontrol would go into an error state if it was not able to fetch policy assignment details correctly. This issue has now been fixed.
Bug fixes
- In version 5.8.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Monitor resources in Guardrails. However, this caused controls to enter an error state for US Gov cloud subscriptions because the APIs did not work as expected. We have now updated dependencies that are compatible with both commercial and US Gov cloud subscriptions, ensuring that controls in both environments will work as expected.
Bug fixes
- In version 5.9.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing DNS resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.
Bug fixes
- In version 5.18.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Compute resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.
Bug fixes
- In version 5.4.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing API Management resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.
What's new?
- Added 84 new 'detect and correct' pipelines to identify AWS resources that are non-compliant with common security and compliance checks. These pipelines can also remediate non-compliant automatically or with approval steps. For usage information and a full list of pipelines, please see AWS Compliance Mod.
What's new?
- Added pipelines to run CIS v3.0.0 and v4.0.0 benchmarks. These pipelines can be used to identify AWS resources that are non-compliant with CIS recommendations and also remediate them according to CIS remediation suggestions. For usage information and a full list of pipelines, please see AWS CIS Mod.
What's new?
- We've updated internal dependencies and now use the new authentication method to discover and manage Automation resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
We're excited to announce the v1.0.0 release of 43 Powerpipe mods!
These mods now require Powerpipe. Steampipe users should check the migration guide.
Whats new
connectionresource to manage credentials. Documentation.databaseproperty has been added to mod. A database can be a connection reference, connection string, or Pipes workspace to query.
Deprecations
- Deprecated
databaseCLI arg. See Setting the Database for the new syntax to set the database. - Deprecated
POWERPIPE_DATABASEenv var. See Setting the Database for the new syntax to set the database. - Deprecated
databaseworkspace profile arg. See Setting the Database for the new syntax to set the database.
Breaking changes
The mod functionality, which was previously deprecated and moved to Powerpipe, has been removed in this version.
- Removed the
check,dashboard,mod, andvariablecommands. (#4413) - Removed support for running named queries. (#4416)
- Removed the
watchandmod-locationCLI args from thequerycommand. (#4417) - Removed the
dashboard,dashboard-listen, anddashboard-portCLI args from theservicecommand. (#4418) - Removed the
STEAMPIPE_MOD_LOCATIONandSTEAMPIPE_INTROSPECTIONenv vars. (#4419) - Removed support for deprecated
STEAMPIPE_CLOUD_HOSTandSTEAMPIPE_CLOUD_TOKENenv vars. (#4420) - Removed the
watch,introspection, andmod-locationworkspace profile args. (#4421) - Removed the
checkanddashboardoptions from workspace profiles. (#4422) - Removed the
dashboardoption from global options (default.spc). (#4423)
We're excited to announce the v1.0.0 release of all 76 Flowpipe mods, including 29 Library mods, 6 Standard mods, and 41 Sample mods!
Breaking changes
- Flowpipe v1.0.0 is now required. For a full list of CLI changes, please see the Flowpipe v1.0.0 CHANGELOG.
- In Flowpipe configuration files (
.fpc),credentialandcredential_importresources have been renamed toconnectionandconnection_importrespectively. - Updated the following param types:
approvers:list(string)tolist(notifier).database:stringtoconnection.steampipe.notifier:stringtonotifier.
- Updated the following variable types:
approvers:list(string)tolist(notifier).database:stringtoconnection.steampipe.notifier:stringtonotifier.
- Renamed
credparam toconnand updated its type fromstringtoconn.
What's new?
connectionresource to manage credentials. Documentation.connectionandnotifiertypes for variables and params. (#871)enumvalidation for variables and params.- Defined exit codes for various CLI operations. Documentation.
Bug fixes
- Passing pipeline references to nested mods for execution. (#908)
- Do not crash if pipeline reference is set to a string. (#911)
Deprecation
credentialandcredential_importare deprecated to be replaced withconnectionandconnection_import.
Bug fixes
- In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
We’re excited to announce the v1.0.0 release of 116 Steampipe plugins!
While there are no significant changes in the new plugin versions, this release aligns with Steampipe's v1.0.0 launch. The plugins now adhere to semantic versioning, ensuring backward compatibility within each major version.
Bug fixes
- In v5.3.1, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Key Vault resources in Guardrails. This release includes breaking changes in the CMDB data for key, and secret. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below:
KeyVault > Vault
Added :
enableSoftDeletepublicNetworkAccessenableRbacAuthorization
KeyVault > Key
Added :
hsmPlatform
Removed:
key.ekey.n
KeyVault > Secret
Modified :
IDproperty does not contain the secret version.
Removed:
expiresupdatedcreated
Bug fixes
- The
Azure > Key Vault > Key > CMDBcontrol would go into an error state while fetching key rotation policy details for managed keys. The control will no longer attempt to fetch the key rotation policy details for such keys and will work as expected. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- Added support for PostgresSQL 16.
- Added support for custom hive key.
- Default database engine version changed to 15.7.
- Default cache engine version set to 7.1.
- M4 and R4 instance types removed from the supported database instance list due to deprecation.
What's new?
Server
- Introduced
Activity Retentionfeature for Smart Retention control to enhance version and data management.
- Introduced
UI
- Support for downloading AWS CloudFormation templates directly from the AWS import page.
Bug fixes
Server
- Resolved controls getting stuck when
NotifyorIgnorekeywords were missing in the notification rules.
- Resolved controls getting stuck when
UI
- The
+button for adding permissions now correctly applies the appropriate attributes.
- The
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Policy Types:
- Turbot > Workspace > Retention > Activity Purge Limit.
- Turbot > Workspace > Retention > Activity Retention.
Control Types:
- Add support to
Turbot > Smart Retentioncontrol to enhance version and data management.
- Add support to
Requirements
- TE: 5.35.4
What's new?
- You can now check if flexible servers have a TLS version setting of 1.2 or higher enabled. To get started, set the
Azure > MySQL > Flexible Server > Set Minimum TLS Versionpolicy toCheck: TLS 1.2 or higher.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage resources in Guardrails. This release includes breaking changes in the CMDB data for Azure. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Azure > Management Group
Modified :
- The value of
typeproperty is updated astype: Microsoft.Management/managementGroups, earlier it was/providers/Microsoft.Management/managementGroups
What's new?
- We've updated internal dependencies and now use the new authentication method to discover and manage SQL Virtual Machine resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage SQL resources in Guardrails. This release includes breaking changes in the CMDB data for server, database, and elasticpool. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below:
Renamed:
transparentDataEncryption.statustotransparentDataEncryption.statedatabaseThreatDetectionPolicytodatabaseSecurityAlertPolicy
Added:
Azure SQL > Server
- Added
administratorsblock isManagedIdentityInUseautoRotationEnabledexternalGovernanceStatusminimalTlsVersionprivateEndpointConnectionspublicNetworkAccessrestrictOutboundNetworkAccessserverAzureADAdministrator.azureADOnlyAuthentication
Azure SQL > Database
availabilityZonecurrentBackupStorageRedundancydatabaseSecurityAlertPolicy. creationTimetransparentDataEncryption.locationisInfraEncryptionEnabledisLedgerOnmaintenanceConfigurationIdrequestedBackupStorageRedundancymaintenanceConfigurationId
Azure SQL > ElasticPool
maintenanceConfigurationId
Modified:
- The value of the attribute
serverAzureADAdministrator.namehas been changed from string (activeDirectory) to string (ActiveDirectory). - The data type of the attribute
databaseThreatDetectionPolicy.disabledAlertshas been changed from string ("") to object ([]). - The data type of the attribute
databaseThreatDetectionPolicy.emailAddresseshas been changed from string ("") to object ([]). - The data type of the attribute
databaseThreatDetectionPolicy.emailAccountAdminshas been changed from string (Disabled/Enabled) to boolean (false/true). - The data type of the attribute
disabledAlertshas been changed from string ("") to object ([]).
Removed:
databaseThreatDetectionPolicy.useServerDefault
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Resource Providers in Guardrails.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Network resources in Guardrails.
Network > NetworkInterface
Added :
auxiliaryModeauxiliarySkukinddisableTcpStateTracking
Network > PrivateDNSZone
Added :
internalId
Network > VirtualNetworkGateway
Added :
allowVirtualWanTrafficallowRemoteVnetTraffic
Modified :
activeActiveproperty updated asactive
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Monitor resources in Guardrails. This release includes changes in the CMDB data for action groups.
Added:
tagskind
Resource Types
- Azure > Monitor > Metric Alert
Control Types
- Azure > Monitor > Action Group > Tags
- Azure > Monitor > Metric Alert > Active
- Azure > Monitor > Metric Alert > Approved
- Azure > Monitor > Metric Alert > CMDB
- Azure > Monitor > Metric Alert > Discovery
- Azure > Monitor > Metric Alert > Tags
Policy Types
- Azure > Monitor > Action Group > Tags
- Azure > Monitor > Action Group > Tags > Template
- Azure > Monitor > Metric Alert > Active
- Azure > Monitor > Metric Alert > Active > Age
- Azure > Monitor > Metric Alert > Active > Last Modified
- Azure > Monitor > Metric Alert > Approved
- Azure > Monitor > Metric Alert > Approved > Custom
- Azure > Monitor > Metric Alert > Approved > Usage
- Azure > Monitor > Metric Alert > CMDB
- Azure > Monitor > Metric Alert > Tags
- Azure > Monitor > Metric Alert > Tags > Template
- Azure > Monitor > Tags Template [Default]
Action Types
- Azure > Monitor > Action Group > Set Tags
- Azure > Monitor > Metric Alert > Delete
- Azure > Monitor > Metric Alert > Router
- Azure > Monitor > Metric Alert > Set Tags
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Managed Identity resources in Guardrails. This release includes changes in the CMDB data as below.
Removed:
clientSecretUrl
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Log Analytics resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage IAM resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Firewall resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage CosmosDB resources in Guardrails.
Added:
createMode
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The
AWS > Account > Budget > Budgetcontrol would enter an error state for US Gov cloud accounts because the budget APIs are not supported for these accounts. We have updated the control to avoid making these API calls and instead rely on theAWS > Account > Budget > Statepolicy being updated periodically, allowing the control to evaluate the outcome correctly.
What's new?
- You can now configure and manage CI Relationships for various Kubernetes resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
Control Types
- Kubernetes > Cluster > ServiceNow > Relationships
- Kubernetes > ConfigMap > ServiceNow > Relationships
- Kubernetes > CronJob > ServiceNow > Relationships
- Kubernetes > DaemonSet > ServiceNow > Relationships
- Kubernetes > Deployment > ServiceNow > Relationships
- Kubernetes > Ingress > ServiceNow > Relationships
- Kubernetes > Job > ServiceNow > Relationships
- Kubernetes > Namespace > ServiceNow > Relationships
- Kubernetes > Node > ServiceNow > Relationships
- Kubernetes > Persistent Volume > ServiceNow > Relationships
- Kubernetes > Pod > ServiceNow > Relationships
- Kubernetes > ReplicaSet > ServiceNow > Relationships
- Kubernetes > ReplicationController > ServiceNow > Relationships
- Kubernetes > Service > ServiceNow > Relationships
- Kubernetes > StatefulSet > ServiceNow > Relationships
Policy Types
- Kubernetes > Cluster > ServiceNow > Relationships
- Kubernetes > Cluster > ServiceNow > Relationships > Template
- Kubernetes > ConfigMap > ServiceNow > Relationships
- Kubernetes > ConfigMap > ServiceNow > Relationships > Template
- Kubernetes > CronJob > ServiceNow > Relationships
- Kubernetes > CronJob > ServiceNow > Relationships > Template
- Kubernetes > DaemonSet > ServiceNow > Relationships
- Kubernetes > DaemonSet > ServiceNow > Relationships > Template
- Kubernetes > Deployment > ServiceNow > Relationships
- Kubernetes > Deployment > ServiceNow > Relationships > Template
- Kubernetes > Ingress > ServiceNow > Relationships
- Kubernetes > Ingress > ServiceNow > Relationships > Template
- Kubernetes > Job > ServiceNow > Relationships
- Kubernetes > Job > ServiceNow > Relationships > Template
- Kubernetes > Namespace > ServiceNow > Relationships
- Kubernetes > Namespace > ServiceNow > Relationships > Template
- Kubernetes > Node > ServiceNow > Relationships
- Kubernetes > Node > ServiceNow > Relationships > Template
- Kubernetes > Persistent Volume > ServiceNow > Relationships
- Kubernetes > Persistent Volume > ServiceNow > Relationships > Template
- Kubernetes > Pod > ServiceNow > Relationships
- Kubernetes > Pod > ServiceNow > Relationships > Template
- Kubernetes > ReplicaSet > ServiceNow > Relationships
- Kubernetes > ReplicaSet > ServiceNow > Relationships > Template
- Kubernetes > ReplicationController > ServiceNow > Relationships
- Kubernetes > ReplicationController > ServiceNow > Relationships > Template
- Kubernetes > Service > ServiceNow > Relationships
- Kubernetes > Service > ServiceNow > Relationships > Template
- Kubernetes > StatefulSet > ServiceNow > Relationships
- Kubernetes > StatefulSet > ServiceNow > Relationships > Template
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Load Balancer resources in Guardrails.
What's new?
- You can now configure and manage CI Relationships for projects in ServiceNow. To get started, set the
GCP > Project > ServiceNow > Relationships > *policies.
Control Types
- GCP > Project > ServiceNow > Relationships
Policy Types
- GCP > Project > ServiceNow > Relationships
- GCP > Project > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for subscriptions in ServiceNow. To get started, set the
Azure > Subscription > ServiceNow > Relationships > *policies.
Control Types
- Azure > Subscription > ServiceNow > Relationships
Policy Types
- Azure > Subscription > ServiceNow > Relationships
- Azure > Subscription > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for accounts in ServiceNow. To get started, set the
AWS > Account > ServiceNow > Relationships > *policies.
Control Types
- AWS > Account > ServiceNow > Relationships
Policy Types
- AWS > Account > ServiceNow > Relationships
- AWS > Account > ServiceNow > Relationships > Template
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage DNS resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Removed:
tTL
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Databricks resources in Guardrails.
Added:
createdByupdatedBysystemDatacreatedDateTime
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Container Registry resources in Guardrails.
Added:
softDeletePolicyazureADAuthenticationAsArmPolicy
What's new?
- You can now configure and manage CI Relationships for various network resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
Control Types
- GCP > Network > Firewall > ServiceNow > Relationships
- GCP > Network > Forwarding Rule > ServiceNow > Relationships
- GCP > Network > Network > ServiceNow > Relationships
- GCP > Network > Route > ServiceNow > Relationships
- GCP > Network > Router > ServiceNow > Relationships
- GCP > Network > Subnetwork > ServiceNow > Relationships
- GCP > Network > Target Pool > ServiceNow > Relationships
- GCP > Network > Target VPN Gateway > ServiceNow > Relationships
Policy Types
- GCP > Network > Firewall > ServiceNow > Relationships
- GCP > Network > Firewall > ServiceNow > Relationships > Template
- GCP > Network > Forwarding Rule > ServiceNow > Relationships
- GCP > Network > Forwarding Rule > ServiceNow > Relationships > Template
- GCP > Network > Network > ServiceNow > Relationships
- GCP > Network > Network > ServiceNow > Relationships > Template
- GCP > Network > Route > ServiceNow > Relationships
- GCP > Network > Route > ServiceNow > Relationships > Template
- GCP > Network > Router > ServiceNow > Relationships
- GCP > Network > Router > ServiceNow > Relationships > Template
- GCP > Network > Subnetwork > ServiceNow > Relationships
- GCP > Network > Subnetwork > ServiceNow > Relationships > Template
- GCP > Network > Target Pool > ServiceNow > Relationships
- GCP > Network > Target Pool > ServiceNow > Relationships > Template
- GCP > Network > Target VPN Gateway > ServiceNow > Relationships
- GCP > Network > Target VPN Gateway > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for various compute engine resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
Control Types
- GCP > Compute Engine > Disk > ServiceNow > Relationships
- GCP > Compute Engine > Image > ServiceNow > Relationships
- GCP > Compute Engine > Instance > ServiceNow > Relationships
- GCP > Compute Engine > Node Group > ServiceNow > Relationships
- GCP > Compute Engine > Node template > ServiceNow > Relationships
- GCP > Compute Engine > Snapshot > ServiceNow > Relationships
Policy Types
- GCP > Compute Engine > Disk > ServiceNow > Relationships
- GCP > Compute Engine > Disk > ServiceNow > Relationships > Template
- GCP > Compute Engine > Image > ServiceNow > Relationships
- GCP > Compute Engine > Image > ServiceNow > Relationships > Template
- GCP > Compute Engine > Instance > ServiceNow > Relationships
- GCP > Compute Engine > Instance > ServiceNow > Relationships > Template
- GCP > Compute Engine > Node Group > ServiceNow > Relationships
- GCP > Compute Engine > Node Group > ServiceNow > Relationships > Template
- GCP > Compute Engine > Node template > ServiceNow > Relationships
- GCP > Compute Engine > Node template > ServiceNow > Relationships > Template
- GCP > Compute Engine > Snapshot > ServiceNow > Relationships
- GCP > Compute Engine > Snapshot > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for various network resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
Control Types
- Azure > Network > Application Security Group > ServiceNow > Import Set
- Azure > Network > Application Security Group > ServiceNow > Relationships
- Azure > Network > Express Route Circuits > ServiceNow > Import Set
- Azure > Network > Network Interface > ServiceNow > Import Set
- Azure > Network > Network Interface > ServiceNow > Relationships
- Azure > Network > Network Security Group > ServiceNow > Relationships
- Azure > Network > Private DNS Zones > ServiceNow > Import Set
- Azure > Network > Private Endpoints > ServiceNow > Import Set
- Azure > Network > Public IP Address > ServiceNow > Import Set
- Azure > Network > Public IP Address > ServiceNow > Relationships
- Azure > Network > Route Table > ServiceNow > Import Set
- Azure > Network > Route Table > ServiceNow > Relationships
- Azure > Network > Subnet > ServiceNow > Import Set
- Azure > Network > Subnet > ServiceNow > Relationships
- Azure > Network > Virtual Network > ServiceNow > Import Set
- Azure > Network > Virtual Network > ServiceNow > Relationships
- Azure > Network > Virtual Network Gateway > ServiceNow > Import Set
- Azure > Network > Virtual Network Gateway > ServiceNow > Relationships
Policy Types
- Azure > Network > Application Security Group > ServiceNow > Import Set
- Azure > Network > Application Security Group > ServiceNow > Import Set > Archive Columns
- Azure > Network > Application Security Group > ServiceNow > Import Set > Insert Mode
- Azure > Network > Application Security Group > ServiceNow > Import Set > Record
- Azure > Network > Application Security Group > ServiceNow > Import Set > Table Name
- Azure > Network > Application Security Group > ServiceNow > Relationships
- Azure > Network > Application Security Group > ServiceNow > Relationships > Template
- Azure > Network > Express Route Circuits > ServiceNow > Import Set
- Azure > Network > Express Route Circuits > ServiceNow > Import Set > Archive Columns
- Azure > Network > Express Route Circuits > ServiceNow > Import Set > Insert Mode
- Azure > Network > Express Route Circuits > ServiceNow > Import Set > Record
- Azure > Network > Express Route Circuits > ServiceNow > Import Set > Table Name
- Azure > Network > Network Interface > ServiceNow > Import Set
- Azure > Network > Network Interface > ServiceNow > Import Set > Archive Columns
- Azure > Network > Network Interface > ServiceNow > Import Set > Insert Mode
- Azure > Network > Network Interface > ServiceNow > Import Set > Record
- Azure > Network > Network Interface > ServiceNow > Import Set > Table Name
- Azure > Network > Network Interface > ServiceNow > Relationships
- Azure > Network > Network Interface > ServiceNow > Relationships > Template
- Azure > Network > Network Security Group > ServiceNow > Import Set > Insert Mode
- Azure > Network > Network Security Group > ServiceNow > Relationships
- Azure > Network > Network Security Group > ServiceNow > Relationships > Template
- Azure > Network > Private DNS Zones > ServiceNow > Import Set
- Azure > Network > Private DNS Zones > ServiceNow > Import Set > Archive Columns
- Azure > Network > Private DNS Zones > ServiceNow > Import Set > Insert Mode
- Azure > Network > Private DNS Zones > ServiceNow > Import Set > Record
- Azure > Network > Private DNS Zones > ServiceNow > Import Set > Table Name
- Azure > Network > Private Endpoints > ServiceNow > Import Set
- Azure > Network > Private Endpoints > ServiceNow > Import Set > Archive Columns
- Azure > Network > Private Endpoints > ServiceNow > Import Set > Insert Mode
- Azure > Network > Private Endpoints > ServiceNow > Import Set > Record
- Azure > Network > Private Endpoints > ServiceNow > Import Set > Table Name
- Azure > Network > Public IP Address > ServiceNow > Import Set
- Azure > Network > Public IP Address > ServiceNow > Import Set > Archive Columns
- Azure > Network > Public IP Address > ServiceNow > Import Set > Insert Mode
- Azure > Network > Public IP Address > ServiceNow > Import Set > Record
- Azure > Network > Public IP Address > ServiceNow > Import Set > Table Name
- Azure > Network > Public IP Address > ServiceNow > Relationships
- Azure > Network > Public IP Address > ServiceNow > Relationships > Template
- Azure > Network > Route Table > ServiceNow > Import Set
- Azure > Network > Route Table > ServiceNow > Import Set > Archive Columns
- Azure > Network > Route Table > ServiceNow > Import Set > Insert Mode
- Azure > Network > Route Table > ServiceNow > Import Set > Record
- Azure > Network > Route Table > ServiceNow > Import Set > Table Name
- Azure > Network > Route Table > ServiceNow > Relationships
- Azure > Network > Route Table > ServiceNow > Relationships > Template
- Azure > Network > Subnet > ServiceNow > Import Set
- Azure > Network > Subnet > ServiceNow > Import Set > Archive Columns
- Azure > Network > Subnet > ServiceNow > Import Set > Insert Mode
- Azure > Network > Subnet > ServiceNow > Import Set > Record
- Azure > Network > Subnet > ServiceNow > Import Set > Table Name
- Azure > Network > Subnet > ServiceNow > Relationships
- Azure > Network > Subnet > ServiceNow > Relationships > Template
- Azure > Network > Virtual Network > ServiceNow > Import Set
- Azure > Network > Virtual Network > ServiceNow > Import Set > Archive Columns
- Azure > Network > Virtual Network > ServiceNow > Import Set > Insert Mode
- Azure > Network > Virtual Network > ServiceNow > Import Set > Record
- Azure > Network > Virtual Network > ServiceNow > Import Set > Table Name
- Azure > Network > Virtual Network > ServiceNow > Relationships
- Azure > Network > Virtual Network > ServiceNow > Relationships > Template
- Azure > Network > Virtual Network Gateway > ServiceNow > Import Set
- Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Archive Columns
- Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Insert Mode
- Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Record
- Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Table Name
- Azure > Network > Virtual Network Gateway > ServiceNow > Relationships
- Azure > Network > Virtual Network Gateway > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for various compute resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
Control Types
- Azure > Compute > Availability Set > ServiceNow > Relationships
- Azure > Compute > Disk > ServiceNow > Relationships
- Azure > Compute > Image > ServiceNow > Relationships
- Azure > Compute > Snapshot > ServiceNow > Relationships
- Azure > Compute > Virtual Machine > ServiceNow > Relationships
Policy Types
- Azure > Compute > Availability Set > ServiceNow > Import Set > Insert Mode
- Azure > Compute > Availability Set > ServiceNow > Relationships
- Azure > Compute > Availability Set > ServiceNow > Relationships > Template
- Azure > Compute > Disk > ServiceNow > Import Set > Insert Mode
- Azure > Compute > Disk > ServiceNow > Relationships
- Azure > Compute > Disk > ServiceNow > Relationships > Template
- Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Insert Mode
- Azure > Compute > Image > ServiceNow > Import Set > Insert Mode
- Azure > Compute > Image > ServiceNow > Relationships
- Azure > Compute > Image > ServiceNow > Relationships > Template
- Azure > Compute > Snapshot > ServiceNow > Import Set > Insert Mode
- Azure > Compute > Snapshot > ServiceNow > Relationships
- Azure > Compute > Snapshot > ServiceNow > Relationships > Template
- Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Insert Mode
- Azure > Compute > Virtual Machine > ServiceNow > Import Set > Insert Mode
- Azure > Compute > Virtual Machine > ServiceNow > Relationships
- Azure > Compute > Virtual Machine > ServiceNow > Relationships > Template
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Insert Mode
What's new?
- You can now configure and manage CI Relationships for global regions, multi-regions, regions and zones in ServiceNow. To get started, set the
GCP > Global Region > ServiceNow > Relationships > *,GCP > Multi-Region > ServiceNow > Relationships > *,GCP > Region > ServiceNow > Relationships > *andGCP > Zone > ServiceNow > Relationships > *policies respectively.
Control Types
- GCP > Global Region > ServiceNow > Relationships
- GCP > Multi-Region > ServiceNow > Relationships
- GCP > Region > ServiceNow > Relationships
- GCP > Zone > ServiceNow > Relationships
Policy Types
- GCP > Global Region > ServiceNow > Relationships
- GCP > Global Region > ServiceNow > Relationships > Template
- GCP > Multi-Region > ServiceNow > Relationships
- GCP > Multi-Region > ServiceNow > Relationships > Template
- GCP > Region > ServiceNow > Relationships
- GCP > Region > ServiceNow > Relationships > Template
- GCP > Zone > ServiceNow > Relationships
- GCP > Zone > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for buckets and objects in ServiceNow. To get started, set the
GCP > Storage > Bucket > ServiceNow > Relationships > *andGCP > Storage > Object > ServiceNow > Relationships > *policies respectively.
Control Types
- GCP > Storage > Bucket > ServiceNow > Relationships
- GCP > Storage > Object > ServiceNow > Relationships
Policy Types
- GCP > Storage > Bucket > ServiceNow > Relationships
- GCP > Storage > Bucket > ServiceNow > Relationships > Template
- GCP > Storage > Object > ServiceNow > Relationships
- GCP > Storage > Object > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for resource groups in ServiceNow. To get started, set the
Azure > Resource Group > ServiceNow > Relationships > *policies.
Control Types
- Azure > Resource Group > ServiceNow > Relationships
Policy Types
- Azure > Resource Group > ServiceNow > Relationships
- Azure > Resource Group > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for containers, file shares, queues and storage accounts in ServiceNow. To get started, set the
Azure > Storage > Container > ServiceNow > Relationships > *,Azure > Storage > File Share > ServiceNow > Relationships > *,Azure > Storage > Queue > ServiceNow > Relationships > *andAzure > Storage > Storage Account > ServiceNow > Relationships > *policies respectively.
Control Types
- Azure > Storage > Container > ServiceNow > Relationships
- Azure > Storage > FileShare > ServiceNow > Relationships
- Azure > Storage > Queue > ServiceNow > Relationships
- Azure > Storage > Storage Account > ServiceNow > Relationships
Policy Types
- Azure > Storage > Container > ServiceNow > Import Set > Insert Mode
- Azure > Storage > Container > ServiceNow > Relationships
- Azure > Storage > Container > ServiceNow > Relationships > Template
- Azure > Storage > FileShare > ServiceNow > Import Set > Insert Mode
- Azure > Storage > FileShare > ServiceNow > Relationships
- Azure > Storage > FileShare > ServiceNow > Relationships > Template
- Azure > Storage > Queue > ServiceNow > Import Set > Insert Mode
- Azure > Storage > Queue > ServiceNow > Relationships
- Azure > Storage > Queue > ServiceNow > Relationships > Template
- Azure > Storage > Storage Account > ServiceNow > Import Set > Insert Mode
- Azure > Storage > Storage Account > ServiceNow > Relationships
- Azure > Storage > Storage Account > ServiceNow > Relationships > Template
What's new?
- You can now configure and manage CI Relationships for elastic IPs, internet gateways and NAT gateways in ServiceNow. To get started, set the
AWS > VPC > Elastic IP > ServiceNow > Relationships > *,AWS > VPC > Internet Gateway > ServiceNow > Relationships > *andAWS > VPC > NAT Gateway > ServiceNow > Relationships > *policies respectively.
Control Types
- AWS > VPC > Elastic IP > ServiceNow > Relationships
- AWS > VPC > Internet Gateway > ServiceNow
- AWS > VPC > Internet Gateway > ServiceNow > Configuration Item
- AWS > VPC > Internet Gateway > ServiceNow > Relationships
- AWS > VPC > Internet Gateway > ServiceNow > Table
- AWS > VPC > NAT Gateway > ServiceNow
- AWS > VPC > NAT Gateway > ServiceNow > Configuration Item
- AWS > VPC > NAT Gateway > ServiceNow > Relationships
- AWS > VPC > NAT Gateway > ServiceNow > Table
Policy Types
- AWS > VPC > Elastic IP > ServiceNow > Relationships
- AWS > VPC > Elastic IP > ServiceNow > Relationships > Template
- AWS > VPC > Internet Gateway > ServiceNow
- AWS > VPC > Internet Gateway > ServiceNow > Configuration Item
- AWS > VPC > Internet Gateway > ServiceNow > Configuration Item > Record
- AWS > VPC > Internet Gateway > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Internet Gateway > ServiceNow > Relationships
- AWS > VPC > Internet Gateway > ServiceNow > Relationships > Template
- AWS > VPC > Internet Gateway > ServiceNow > Table
- AWS > VPC > Internet Gateway > ServiceNow > Table > Definition
- AWS > VPC > NAT Gateway > ServiceNow
- AWS > VPC > NAT Gateway > ServiceNow > Configuration Item
- AWS > VPC > NAT Gateway > ServiceNow > Configuration Item > Record
- AWS > VPC > NAT Gateway > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > NAT Gateway > ServiceNow > Relationships
- AWS > VPC > NAT Gateway > ServiceNow > Relationships > Template
- AWS > VPC > NAT Gateway > ServiceNow > Table
- AWS > VPC > NAT Gateway > ServiceNow > Table > Definition
Control Types
- AWS > VPC > Customer Gateway > ServiceNow
- AWS > VPC > Customer Gateway > ServiceNow > Configuration Item
- AWS > VPC > Customer Gateway > ServiceNow > Relationships
- AWS > VPC > Customer Gateway > ServiceNow > Table
- AWS > VPC > Transit Gateway > ServiceNow
- AWS > VPC > Transit Gateway > ServiceNow > Configuration Item
- AWS > VPC > Transit Gateway > ServiceNow > Relationships
- AWS > VPC > Transit Gateway > ServiceNow > Table
- AWS > VPC > VPN Gateway > ServiceNow
- AWS > VPC > VPN Gateway > ServiceNow > Configuration Item
- AWS > VPC > VPN Gateway > ServiceNow > Relationships
- AWS > VPC > VPN Gateway > ServiceNow > Table
Policy Types
- AWS > VPC > Customer Gateway > ServiceNow
- AWS > VPC > Customer Gateway > ServiceNow > Configuration Item
- AWS > VPC > Customer Gateway > ServiceNow > Configuration Item > Record
- AWS > VPC > Customer Gateway > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Customer Gateway > ServiceNow > Relationships
- AWS > VPC > Customer Gateway > ServiceNow > Relationships > Template
- AWS > VPC > Customer Gateway > ServiceNow > Table
- AWS > VPC > Customer Gateway > ServiceNow > Table > Definition
- AWS > VPC > Transit Gateway > ServiceNow
- AWS > VPC > Transit Gateway > ServiceNow > Configuration Item
- AWS > VPC > Transit Gateway > ServiceNow > Configuration Item > Record
- AWS > VPC > Transit Gateway > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Transit Gateway > ServiceNow > Relationships
- AWS > VPC > Transit Gateway > ServiceNow > Relationships > Template
- AWS > VPC > Transit Gateway > ServiceNow > Table
- AWS > VPC > Transit Gateway > ServiceNow > Table > Definition
- AWS > VPC > VPN Gateway > ServiceNow
- AWS > VPC > VPN Gateway > ServiceNow > Configuration Item
- AWS > VPC > VPN Gateway > ServiceNow > Configuration Item > Record
- AWS > VPC > VPN Gateway > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > VPN Gateway > ServiceNow > Relationships
- AWS > VPC > VPN Gateway > ServiceNow > Relationships > Template
- AWS > VPC > VPN Gateway > ServiceNow > Table
- AWS > VPC > VPN Gateway > ServiceNow > Table > Definition
What's new?
- You can now configure and manage CI Relationships for AMIs, instances, key pairs, network interfaces, snapshots and volumes in ServiceNow. To get started, set the
AWS > EC2 > AMI > ServiceNow > Relationships > *,AWS > EC2 > Instance > ServiceNow > Relationships > *,AWS > EC2 > Key Pair > ServiceNow > Relationships > *,AWS > EC2 > Network Interface > ServiceNow > Relationships > *,AWS > EC2 > Snapshot > ServiceNow > Relationships > *andAWS > EC2 > Volume > ServiceNow > Relationships > *policies respectively.
Control Types
- AWS > EC2 > AMI > ServiceNow
- AWS > EC2 > AMI > ServiceNow > Configuration Item
- AWS > EC2 > AMI > ServiceNow > Relationships
- AWS > EC2 > AMI > ServiceNow > Table
- AWS > EC2 > Instance > ServiceNow > Relationships
- AWS > EC2 > Key Pair > ServiceNow
- AWS > EC2 > Key Pair > ServiceNow > Configuration Item
- AWS > EC2 > Key Pair > ServiceNow > Relationships
- AWS > EC2 > Key Pair > ServiceNow > Table
- AWS > EC2 > Network Interface > ServiceNow
- AWS > EC2 > Network Interface > ServiceNow > Configuration Item
- AWS > EC2 > Network Interface > ServiceNow > Relationships
- AWS > EC2 > Network Interface > ServiceNow > Table
- AWS > EC2 > Snapshot > ServiceNow > Relationships
- AWS > EC2 > Volume > ServiceNow > Relationships
Policy Types
- AWS > EC2 > AMI > ServiceNow
- AWS > EC2 > AMI > ServiceNow > Configuration Item
- AWS > EC2 > AMI > ServiceNow > Configuration Item > Record
- AWS > EC2 > AMI > ServiceNow > Configuration Item > Table Definition
- AWS > EC2 > AMI > ServiceNow > Relationships
- AWS > EC2 > AMI > ServiceNow > Relationships > Template
- AWS > EC2 > AMI > ServiceNow > Table
- AWS > EC2 > AMI > ServiceNow > Table > Definition
- AWS > EC2 > Instance > ServiceNow > Relationships
- AWS > EC2 > Instance > ServiceNow > Relationships > Template
- AWS > EC2 > Key Pair > ServiceNow
- AWS > EC2 > Key Pair > ServiceNow > Configuration Item
- AWS > EC2 > Key Pair > ServiceNow > Configuration Item > Record
- AWS > EC2 > Key Pair > ServiceNow > Configuration Item > Table Definition
- AWS > EC2 > Key Pair > ServiceNow > Relationships
- AWS > EC2 > Key Pair > ServiceNow > Relationships > Template
- AWS > EC2 > Key Pair > ServiceNow > Table
- AWS > EC2 > Key Pair > ServiceNow > Table > Definition
- AWS > EC2 > Network Interface > ServiceNow
- AWS > EC2 > Network Interface > ServiceNow > Configuration Item
- AWS > EC2 > Network Interface > ServiceNow > Configuration Item > Record
- AWS > EC2 > Network Interface > ServiceNow > Configuration Item > Table Definition
- AWS > EC2 > Network Interface > ServiceNow > Relationships
- AWS > EC2 > Network Interface > ServiceNow > Relationships > Template
- AWS > EC2 > Network Interface > ServiceNow > Table
- AWS > EC2 > Network Interface > ServiceNow > Table > Definition
- AWS > EC2 > Snapshot > ServiceNow > Relationships
- AWS > EC2 > Snapshot > ServiceNow > Relationships > Template
- AWS > EC2 > Volume > ServiceNow > Relationships
- AWS > EC2 > Volume > ServiceNow > Relationships > Template
What's new?
Control Types
- GCP > Vertex AI > Endpoint > ServiceNow
- GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item
- GCP > Vertex AI > Endpoint > ServiceNow > Import Set
- GCP > Vertex AI > Endpoint > ServiceNow > Table
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table
Policy Types
- GCP > Vertex AI > Endpoint > ServiceNow
- GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item
- GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item > Record
- GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item > Table Definition
- GCP > Vertex AI > Endpoint > ServiceNow > Import Set
- GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Archive Columns
- GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Insert Mode
- GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Record
- GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Table Name
- GCP > Vertex AI > Endpoint > ServiceNow > Table
- GCP > Vertex AI > Endpoint > ServiceNow > Table > Definition
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item > Record
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item > Table Definition
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Archive Columns
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Insert Mode
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Record
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Table Name
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table
- GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table > Definition
What's new?
Control Types
- GCP > Dataplex > Lake > ServiceNow
- GCP > Dataplex > Lake > ServiceNow > Configuration Item
- GCP > Dataplex > Lake > ServiceNow > Import Set
- GCP > Dataplex > Lake > ServiceNow > Table
- GCP > Dataplex > Task > ServiceNow
- GCP > Dataplex > Task > ServiceNow > Configuration Item
- GCP > Dataplex > Task > ServiceNow > Import Set
- GCP > Dataplex > Task > ServiceNow > Table
- GCP > Dataplex > Zone > ServiceNow
- GCP > Dataplex > Zone > ServiceNow > Configuration Item
- GCP > Dataplex > Zone > ServiceNow > Import Set
- GCP > Dataplex > Zone > ServiceNow > Table
Policy Types
- GCP > Dataplex > Lake > ServiceNow
- GCP > Dataplex > Lake > ServiceNow > Configuration Item
- GCP > Dataplex > Lake > ServiceNow > Configuration Item > Record
- GCP > Dataplex > Lake > ServiceNow > Configuration Item > Table Definition
- GCP > Dataplex > Lake > ServiceNow > Import Set
- GCP > Dataplex > Lake > ServiceNow > Import Set > Archive Columns
- GCP > Dataplex > Lake > ServiceNow > Import Set > Insert Mode
- GCP > Dataplex > Lake > ServiceNow > Import Set > Record
- GCP > Dataplex > Lake > ServiceNow > Import Set > Table Name
- GCP > Dataplex > Lake > ServiceNow > Table
- GCP > Dataplex > Lake > ServiceNow > Table > Definition
- GCP > Dataplex > Task > ServiceNow
- GCP > Dataplex > Task > ServiceNow > Configuration Item
- GCP > Dataplex > Task > ServiceNow > Configuration Item > Record
- GCP > Dataplex > Task > ServiceNow > Configuration Item > Table Definition
- GCP > Dataplex > Task > ServiceNow > Import Set
- GCP > Dataplex > Task > ServiceNow > Import Set > Archive Columns
- GCP > Dataplex > Task > ServiceNow > Import Set > Insert Mode
- GCP > Dataplex > Task > ServiceNow > Import Set > Record
- GCP > Dataplex > Task > ServiceNow > Import Set > Table Name
- GCP > Dataplex > Task > ServiceNow > Table
- GCP > Dataplex > Task > ServiceNow > Table > Definition
- GCP > Dataplex > Zone > ServiceNow
- GCP > Dataplex > Zone > ServiceNow > Configuration Item
- GCP > Dataplex > Zone > ServiceNow > Configuration Item > Record
- GCP > Dataplex > Zone > ServiceNow > Configuration Item > Table Definition
- GCP > Dataplex > Zone > ServiceNow > Import Set
- GCP > Dataplex > Zone > ServiceNow > Import Set > Archive Columns
- GCP > Dataplex > Zone > ServiceNow > Import Set > Insert Mode
- GCP > Dataplex > Zone > ServiceNow > Import Set > Record
- GCP > Dataplex > Zone > ServiceNow > Import Set > Table Name
- GCP > Dataplex > Zone > ServiceNow > Table
- GCP > Dataplex > Zone > ServiceNow > Table > Definition
What's new?
- You can now configure and manage CI Relationships for flow logs, network ACLs, security groups and security group rules in ServiceNow. To get started, set the
AWS > VPC > Flow Log > ServiceNow > Relationships > *,AWS > VPC > Network ACL > ServiceNow > Relationships > *,AWS > VPC > Security Group > ServiceNow > Relationships > *andAWS > VPC > Security Group Rule > ServiceNow > Relationships > *policies respectively.
Control Types
- AWS > VPC > Flow Log > ServiceNow
- AWS > VPC > Flow Log > ServiceNow > Configuration Item
- AWS > VPC > Flow Log > ServiceNow > Relationships
- AWS > VPC > Flow Log > ServiceNow > Table
- AWS > VPC > Network ACL > ServiceNow > Relationships
- AWS > VPC > Security Group > ServiceNow > Relationships
- AWS > VPC > Security Group Rule > ServiceNow
- AWS > VPC > Security Group Rule > ServiceNow > Configuration Item
- AWS > VPC > Security Group Rule > ServiceNow > Relationships
- AWS > VPC > Security Group Rule > ServiceNow > Table
Policy Types
- AWS > VPC > Flow Log > ServiceNow
- AWS > VPC > Flow Log > ServiceNow > Configuration Item
- AWS > VPC > Flow Log > ServiceNow > Configuration Item > Record
- AWS > VPC > Flow Log > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Flow Log > ServiceNow > Relationships
- AWS > VPC > Flow Log > ServiceNow > Relationships > Template
- AWS > VPC > Flow Log > ServiceNow > Table
- AWS > VPC > Flow Log > ServiceNow > Table > Definition
- AWS > VPC > Network ACL > ServiceNow > Relationships
- AWS > VPC > Network ACL > ServiceNow > Relationships > Template
- AWS > VPC > Security Group > ServiceNow > Relationships
- AWS > VPC > Security Group > ServiceNow > Relationships > Template
- AWS > VPC > Security Group Rule > ServiceNow
- AWS > VPC > Security Group Rule > ServiceNow > Configuration Item
- AWS > VPC > Security Group Rule > ServiceNow > Configuration Item > Record
- AWS > VPC > Security Group Rule > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Security Group Rule > ServiceNow > Relationships
- AWS > VPC > Security Group Rule > ServiceNow > Relationships > Template
- AWS > VPC > Security Group Rule > ServiceNow > Table
- AWS > VPC > Security Group Rule > ServiceNow > Table > Definition
What's new?
- You can now configure and manage CI Relationships for route tables, subnets and VPCs in ServiceNow. To get started, set the
AWS > VPC > Route Table > ServiceNow > Relationships > *,AWS > VPC > Subnet > ServiceNow > Relationships > *andAWS > VPC > VPC > ServiceNow > Relationships > *policies respectively.
Control Types
- AWS > VPC > Route Table > ServiceNow > Relationships
- AWS > VPC > Subnet > ServiceNow > Relationships
- AWS > VPC > VPC > ServiceNow > Relationships
Policy Types
- AWS > VPC > Route Table > ServiceNow > Relationships
- AWS > VPC > Route Table > ServiceNow > Relationships > Template
- AWS > VPC > Subnet > ServiceNow > Relationships
- AWS > VPC > Subnet > ServiceNow > Relationships > Template
- AWS > VPC > VPC > ServiceNow > Relationships
- AWS > VPC > VPC > ServiceNow > Relationships > Template
What's new?
Control Types
- AWS > Account > ServiceNow
- AWS > Account > ServiceNow > Configuration Item
- AWS > Account > ServiceNow > Table
- AWS > Region > ServiceNow
- AWS > Region > ServiceNow > Configuration Item
- AWS > Region > ServiceNow > Relationships
- AWS > Region > ServiceNow > Table
Policy Types
- AWS > Account > ServiceNow
- AWS > Account > ServiceNow > Configuration Item
- AWS > Account > ServiceNow > Configuration Item > Record
- AWS > Account > ServiceNow > Configuration Item > Table Definition
- AWS > Account > ServiceNow > Table
- AWS > Account > ServiceNow > Table > Definition
- AWS > Region > ServiceNow
- AWS > Region > ServiceNow > Configuration Item
- AWS > Region > ServiceNow > Configuration Item > Record
- AWS > Region > ServiceNow > Configuration Item > Table Definition
- AWS > Region > ServiceNow > Relationships
- AWS > Region > ServiceNow > Relationships > Template
- AWS > Region > ServiceNow > Table
- AWS > Region > ServiceNow > Table > Definition
What's new?
- You can now configure and manage CI Relationships for buckets in ServiceNow. To get started, set the
AWS > S3 > Bucket > ServiceNow > Relationships > *policies.
Control Types
- AWS > S3 > Bucket > ServiceNow > Relationships
Policy Types
- AWS > S3 > Bucket > ServiceNow > Import Set > Insert Mode
- AWS > S3 > Bucket > ServiceNow > Relationships
- AWS > S3 > Bucket > ServiceNow > Relationships > Template
What's new?
AWS/Billing/Admin,AWS/Billing/MetadataandAWS/Billing/Operatornow also include purchase orders permissions.
Bug fixes
- Server
- Removed recursive loop detection logic, as this is now managed effectively by Lambda.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Fixed the issue where the search path setting was not retained while navigating to a different dashboard. (#325)
What's new?
- Support for AWS Graviton instance with ARM64 architecture.
What's new?
- Added support to process enable and disable real-time events for Dataplex.
Resource Types
- GCP > Dataplex
- GCP > Dataplex > Lake
- GCP > Dataplex > Task
- GCP > Dataplex > Zone
Control Types
- GCP > Dataplex > API Enabled
- GCP > Dataplex > CMDB
- GCP > Dataplex > Discovery
- GCP > Dataplex > Lake > Active
- GCP > Dataplex > Lake > Approved
- GCP > Dataplex > Lake > CMDB
- GCP > Dataplex > Lake > Discovery
- GCP > Dataplex > Lake > Labels
- GCP > Dataplex > Lake > Usage
- GCP > Dataplex > Task > Active
- GCP > Dataplex > Task > Approved
- GCP > Dataplex > Task > CMDB
- GCP > Dataplex > Task > Discovery
- GCP > Dataplex > Task > Labels
- GCP > Dataplex > Task > Usage
- GCP > Dataplex > Zone > Active
- GCP > Dataplex > Zone > Approved
- GCP > Dataplex > Zone > CMDB
- GCP > Dataplex > Zone > Discovery
- GCP > Dataplex > Zone > Labels
- GCP > Dataplex > Zone > Usage
Policy Types
- GCP > Dataplex > API Enabled
- GCP > Dataplex > Approved Regions [Default]
- GCP > Dataplex > CMDB
- GCP > Dataplex > Enabled
- GCP > Dataplex > Labels Template [Default]
- GCP > Dataplex > Lake > Active
- GCP > Dataplex > Lake > Active > Age
- GCP > Dataplex > Lake > Active > Last Modified
- GCP > Dataplex > Lake > Approved
- GCP > Dataplex > Lake > Approved > Custom
- GCP > Dataplex > Lake > Approved > Regions
- GCP > Dataplex > Lake > Approved > Usage
- GCP > Dataplex > Lake > CMDB
- GCP > Dataplex > Lake > Labels
- GCP > Dataplex > Lake > Labels > Template
- GCP > Dataplex > Lake > Regions
- GCP > Dataplex > Lake > Usage
- GCP > Dataplex > Lake > Usage > Limit
- GCP > Dataplex > Permissions
- GCP > Dataplex > Permissions > Levels
- GCP > Dataplex > Permissions > Levels > Modifiers
- GCP > Dataplex > Regions
- GCP > Dataplex > Task > Active
- GCP > Dataplex > Task > Active > Age
- GCP > Dataplex > Task > Active > Last Modified
- GCP > Dataplex > Task > Approved
- GCP > Dataplex > Task > Approved > Custom
- GCP > Dataplex > Task > Approved > Regions
- GCP > Dataplex > Task > Approved > Usage
- GCP > Dataplex > Task > CMDB
- GCP > Dataplex > Task > Labels
- GCP > Dataplex > Task > Labels > Template
- GCP > Dataplex > Task > Regions
- GCP > Dataplex > Task > Usage
- GCP > Dataplex > Task > Usage > Limit
- GCP > Dataplex > Zone > Active
- GCP > Dataplex > Zone > Active > Age
- GCP > Dataplex > Zone > Active > Last Modified
- GCP > Dataplex > Zone > Approved
- GCP > Dataplex > Zone > Approved > Custom
- GCP > Dataplex > Zone > Approved > Regions
- GCP > Dataplex > Zone > Approved > Usage
- GCP > Dataplex > Zone > CMDB
- GCP > Dataplex > Zone > Labels
- GCP > Dataplex > Zone > Labels > Template
- GCP > Dataplex > Zone > Regions
- GCP > Dataplex > Zone > Usage
- GCP > Dataplex > Zone > Usage > Limit
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-dataplex
- GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-dataplex
- GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-dataplex
Action Types
- GCP > Dataplex > Lake > Delete
- GCP > Dataplex > Lake > Router
- GCP > Dataplex > Lake > Set Labels
- GCP > Dataplex > Set API Enabled
- GCP > Dataplex > Task > Delete
- GCP > Dataplex > Task > Router
- GCP > Dataplex > Task > Set Labels
- GCP > Dataplex > Zone > Delete
- GCP > Dataplex > Zone > Router
- GCP > Dataplex > Zone > Set Labels
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage compute resources in Guardrails. This release includes breaking changes in the CMDB data for virtual machine. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below
Added:
In Azure > Compute > Disk:
supportedCapabilities.diskControllerTypesdiskIopsReadWritelastOwnershipUpdateTime
In Azure > Compute > Virtual Machine:
resourcestimeCreatedetag
In Azure > Compute > Virtual Machine Scale Set:
constrainedMaximumCapacityetagscaleInPolicytimeCreatedupgradePolicystorageProfile. diskControllerType
In Azure > Compute > Snapshot:
dataAccessAuthModeincrementalSnapshotFamilyId
Removed:
In Azure > Compute > Virtual Machine:
statuses.time
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage App Service resources in Guardrails.
Added:
Azure > App Service > App Service Plan
elasticScaleEnablednumberOfWorkerszoneRedundant
Azure > App Service > Function App
configuration.acrUseManagedIdentityCredsconfiguration.acrUserManagedIdentityIDconfiguration.elasticWebAppScaleLimitconfiguration.ipSecurityRestrictionsDefaultActionconfiguration.metadataconfiguration.minTlsCipherSuiteconfiguration.scmIpSecurityRestrictionsDefaultActiondnsConfigurationpublicNetworkAccessvnetBackupRestoreEnabledvnetContentShareEnabledvnetImagePullEnabledvnetRouteAllEnabled
Azure > App Service > Web App
configuration.acrUseManagedIdentityCredsconfiguration.acrUserManagedIdentityIDconfiguration.elasticWebAppScaleLimitconfiguration.ipSecurityRestrictionsDefaultActionconfiguration.metadataconfiguration.minTlsCipherSuiteconfiguration.scmIpSecurityRestrictionsDefaultActiondnsConfigurationpublicNetworkAccessvnetBackupRestoreEnabledvnetContentShareEnabledvnetImagePullEnabledvnetRouteAllEnabled
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage API Management resources in Guardrails.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below
Renamed:
JitNetworkAccessPoliciestojitNetworkAccessPoliciesPricingtopricingLocationstolocations
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage MySQL resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Front Door Service resources in Guardrails. This release includes breaking changes in the CMDB data for Front Door Service. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Added:
frontdoorIdrulesEnginesextendedPropertiesbackendPoolsSettingsbackendPool.privateLinkAliasbackendPool.privateLinkLocationbackendPool.privateEndpointStatusbackendPool.privateLinkResourceIdbackendPool.privateLinkApprovalMessageroutingRule.rulesEngineroutingRule.routeConfiguration.odataTyperoutingRule.routeConfiguration.cacheConfiguration.cacheDurationroutingRule.routeConfiguration.cacheConfiguration.queryParametersroutingRule.webApplicationFirewallPolicyLink
Modified:
routingRule.backendPooltoroutingRule.routeConfiguration.backendPoolroutingRule.forwardingProtocoltoroutingRule.routeConfiguration.forwardingProtocolroutingRule.customForwardingPathtoroutingRule.routeConfiguration.customForwardingPathroutingRule.cacheConfiguration.dynamicCompressiontoroutingRule.routeConfiguration.cacheConfiguration. dynamicCompressionroutingRule.cacheConfiguration.queryParameterStripDirectivetoroutingRule.routeConfiguration.cacheConfiguration. queryParameterStripDirective
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Data Factory resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage AKS resources in Guardrails.
Added:
networkProfile.podCidrsnetworkProfile.ipFamiliesnetworkProfile.outboundTypenetworkProfile.serviceCidrsnetworkProfile.networkPolicynetworkProfile.loadBalancerProfile.backendPoolTypenetworkProfile.loadBalancerProfile.countIPv6networkProfile.loadBalancerProfile.idleTimeoutInMinutesnetworkProfile.loadBalancerProfile.allocatedOutboundPortsagentPoolProfiles.modeagentPoolProfiles.osSKUagentPoolProfiles.enableFipsagentPoolProfiles.osDiskTypeagentPoolProfiles.spotMaxPriceagentPoolProfiles.scaleDownModeagentPoolProfiles.enableUltraSSDagentPoolProfiles.kubeletDiskTypeagentPoolProfiles.upgradeSettings.maxSurgeagentPoolProfiles.nodeImageVersionagentPoolProfiles.enableEncryptionAtHostagentPoolProfiles.currentOrchestratorVersion
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage SignalR resources in Guardrails.
Added:
hostNamePrefixserverless. connectionTimeoutInSeconds
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Service Bus resources in Guardrails.
Added:
Azure > Service Bus > Namespace
disableLocalAuthstatuszoneRedundant
Azure > Service Bus > Queue
maxMessageSizeInKilobytes
Azure > Service Bus > Topic
maxMessageSizeInKilobytes
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Relay resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Recovery Service resources in Guardrails.
Added: Azure > Recovery Service > Vault
properties.backupStorageVersionproperties.bcdrSecurityLevelproperties.publicNetworkAccessproperties.restoreSettingsproperties.secureScoreproperties.securitySettings
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The
AWS > RoboMaker > Robot Application > CMDB,AWS > RoboMaker > Fleet > CMDBandAWS > RoboMaker > Robot > CMDBpolicies will now be set toSkipby default because the resource types have been deprecated and will be removed in the next major version. Please check end of support for more information.
What's new?
- Track and manage Fargate FIPS Mode for Gov cloud accounts via Guardrails. To get started, set the
AWS > ECS > Account Settings > Fargate FIPS Modepolicy. - The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Resource Types
- AWS > ECS > Account Settings
Control Types
- AWS > ECS > Account Settings > CMDB
- AWS > ECS > Account Settings > Discovery
- AWS > ECS > Account Settings > Fargate FIPS Mode
Policy Types
- AWS > ECS > Account Settings > CMDB
- AWS > ECS > Account Settings > Fargate FIPS Mode
- AWS > ECS > Account Settings > Regions
Action Types
- AWS > ECS > Account Settings > Router
- AWS > ECS > Account Settings > Update Fargate FIPS Mode
What's new?
Server
- Introduced support for multi-architecture images, now compatible with both ARM64 and x86_64.
- Added a default resource query to the context of calculated policies.
- Updated several node packages to newer versions for improved functionality and security.
- Updated Lambda to support recursive loops.
UI
- Now you can use the
+sign to grant permissions in the context of both the identity and resource. - Updated several node packages to newer versions for improved functionality and security.
- Now you can use the
Bug fixes
Server
- Azure Credential Resolver now respects proxy settings, adding full proxy support.
UI
- Updated policy pack Terraform to correctly reference turbot_policy_pack.
- Adjusted the Admin page layout for improved usability.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
The Prisma Cloud plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
Enhancements
- Added an optional param
blocksto thepost_messagepipeline. (#24) (Thanks @johnlayton for the contribution!)
Bug fixes
resource/turbot_policy_pack_attachment:terraform applyfailed to detect existing Policy Pack attachments. (#181)
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Insights resources in Guardrails. This release includes changes in the CMDB data as below.
Added:
flowTyperequestSource
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Gateway resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Resource Types
- AWS > Support
Policy Types
- AWS > Support > API Enabled
- AWS > Support > Enabled
- AWS > Support > Permissions
- AWS > Support > Permissions > Levels
- AWS > Support > Permissions > Levels > Modifiers
- AWS > Support > Permissions > Lockdown
- AWS > Support > Permissions > Lockdown > API Boundary
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-support
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-support
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-support
What's new?
- Users can now manage whether
AWS/Usergrant should includesupport:*permissions. To get started, set theAWS > Account > Permissions > Support Levelpolicy.
Policy Types
- AWS > Account > Permissions > Support Level
Bug fixes
- The
AWS > Turbot > IAMstack control did not correctly evaluate user memberships in custom IAM groups when theAWS > Turbot > Permissions > Custom Group Levels [Account]policy was set, and users were granted permissions for those custom IAM groups. This issue has now been fixed.
Bug fixes
- The
AWS > EC2 > Volume > CMDBcontrol would sometimes run unnecessarily due to a bad internal GraphQL dependency. This is now fixed.
Bug fixes
- A precheck dependency on the
Kubernetes > Cluster > CMDB > Expirationpolicy was inadvertently added to theKubernetes > Cluster > CMDBcontrol. This precheck condition has now been removed.
Resource Types
- GCP > Vertex AI
- GCP > Vertex AI > Endpoint
- GCP > Vertex AI > Notebook Runtime Template
Control Types
- GCP > Vertex AI > API Enabled
- GCP > Vertex AI > CMDB
- GCP > Vertex AI > Discovery
- GCP > Vertex AI > Endpoint > Active
- GCP > Vertex AI > Endpoint > Approved
- GCP > Vertex AI > Endpoint > CMDB
- GCP > Vertex AI > Endpoint > Discovery
- GCP > Vertex AI > Endpoint > Labels
- GCP > Vertex AI > Endpoint > Usage
- GCP > Vertex AI > Notebook Runtime Template > Active
- GCP > Vertex AI > Notebook Runtime Template > Approved
- GCP > Vertex AI > Notebook Runtime Template > CMDB
- GCP > Vertex AI > Notebook Runtime Template > Discovery
- GCP > Vertex AI > Notebook Runtime Template > Router
- GCP > Vertex AI > Notebook Runtime Template > Usage
Policy Types
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-vertexai
- GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-vertexai
- GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-vertexai
- GCP > Vertex AI > API Enabled
- GCP > Vertex AI > Approved Regions [Default]
- GCP > Vertex AI > CMDB
- GCP > Vertex AI > Enabled
- GCP > Vertex AI > Endpoint > Active
- GCP > Vertex AI > Endpoint > Active > Age
- GCP > Vertex AI > Endpoint > Active > Last Modified
- GCP > Vertex AI > Endpoint > Approved
- GCP > Vertex AI > Endpoint > Approved > Custom
- GCP > Vertex AI > Endpoint > Approved > Regions
- GCP > Vertex AI > Endpoint > Approved > Usage
- GCP > Vertex AI > Endpoint > CMDB
- GCP > Vertex AI > Endpoint > Labels
- GCP > Vertex AI > Endpoint > Labels > Template
- GCP > Vertex AI > Endpoint > Regions
- GCP > Vertex AI > Endpoint > Usage
- GCP > Vertex AI > Endpoint > Usage > Limit
- GCP > Vertex AI > Labels Template [Default]
- GCP > Vertex AI > Notebook Runtime Template > Active
- GCP > Vertex AI > Notebook Runtime Template > Active > Age
- GCP > Vertex AI > Notebook Runtime Template > Active > Last Modified
- GCP > Vertex AI > Notebook Runtime Template > Approved
- GCP > Vertex AI > Notebook Runtime Template > Approved > Custom
- GCP > Vertex AI > Notebook Runtime Template > Approved > Regions
- GCP > Vertex AI > Notebook Runtime Template > Approved > Usage
- GCP > Vertex AI > Notebook Runtime Template > CMDB
- GCP > Vertex AI > Notebook Runtime Template > Regions
- GCP > Vertex AI > Notebook Runtime Template > Usage
- GCP > Vertex AI > Notebook Runtime Template > Usage > Limit
- GCP > Vertex AI > Permissions
- GCP > Vertex AI > Permissions > Levels
- GCP > Vertex AI > Permissions > Levels > Modifiers
- GCP > Vertex AI > Regions
Action Types
- GCP > Vertex AI > Endpoint > Delete
- GCP > Vertex AI > Endpoint > Router
- GCP > Vertex AI > Endpoint > Set Labels
- GCP > Vertex AI > Notebook Runtime Template > Delete
- GCP > Vertex AI > Set API Enabled
What's new?
- Added support to process real-time enable and disable events for Vertex AI API via Service Usage APIs.
What's new?
- New tables added
Bug fixes
- Fixed the
rulescolumn inokta_signon_policy,okta_password_policy,okta_idp_discovery_policyandokta_authentication_policytables to correctly return data instead ofnull. (#145)
Dependencies
- Recompiled plugin with Go version
1.22. (#146) - Recompiled plugin with steampipe-plugin-sdk v5.10.4 that fixes logging in the plugin export tool. (#146)
All Pipes workspaces are now running Steampipe v0.24.0.
For more information on this Steampipe release, see the release notes.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Search Management resources in Guardrails.
Added:
authOptionsdisableLocalAuthencryptionWithCmknetworkRuleSetprivateEndpointConnectionspublicNetworkAccesssemanticSearchsharedPrivateLinkResources
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Enhancements
- The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. - Added the
versionflag to the plugin's Export tool. (#65)
Bug fixes
- Fixed pagination across all the tables. (#34)
Dependencies
- Recompiled plugin with Go version
1.22. (#43) - Recompiled plugin with steampipe-plugin-sdk v5.10.4 that fixes logging in the plugin export tool. (#43)
What's new?
- Initial release with support for installing Powerpipe and adding it to $PATH.
What's new?
- Initial release with support for running Powerpipe benchmarks and controls, creating annotations for Infrastructure as Code (IaC) checks, and uploading snapshots to Turbot Pipes.
What's new?
Action Types
- GCP > Storage > Bucket > Set Fine-grained Access Control
- GCP > Storage > Bucket > Set Uniform Access Control
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Synapse Analytics resources in Guardrails.
Added: Azure > Synapse Analytics > Workspace
azureADOnlyAuthenticationcreateManagedPrivateEndpointencryptionextraPropertiespublicNetworkAccesssettingstrustedServiceBypassEnabledworkspaceUID
Azure > Synapse Analytics > SQL Pool
storageAccountType
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
Action Types
- Azure > Storage > Storage Account > Set Minimum TLS Version
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage PostgreSQL resources in Guardrails. This release includes breaking changes in the CMDB data for server and flexible server. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below
Added:
authConfigdataEncryptionstandbyAvailabilityZonenetwork. delegatedSubnetResourceIdnetwork. privateDnsZoneArmResourceIdreplicaCapacityreplicationRolesystemDataconfigurations.documentationLinkconfigurations.isConfigPendingRestartconfigurations.isDynamicConfigconfigurations.isReadOnlyconfigurations.unit
Modified:
- The data type of the attribute
firewallRuleshas been changed from array ([]) to object ({}).
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Network Watcher resources in Guardrails.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- Fixed an issue where credentials from the imported foreign schema were lost after restarting the session in the Postgres FDW extension of the plugin. (#2275)
Dependencies
- Recompiled plugin with Go version
1.22. (#450) - Recompiled plugin with steampipe-plugin-sdk v5.10.4 that fixes logging in the plugin export tool. (#450)
What's new?
- New tables added
Enhancements
- Added
connection_infocolumn to thegcp_alloydb_instancetable. (#651)
Bug fixes
- Removed the
namecolumn from thegcp_bigquery_tabletable since the API response did not include this field. (#648)
Dependencies
- Recompiled plugin with Go version
1.22. (#635) - Recompiled plugin with steampipe-plugin-sdk v5.10.4 that fixes logging in the plugin export tool. (#635)
Bug fixes
- Fixed the CLI to correctly display the latest released version when using the
steampipe -vcommand. (#4388)
Bug fixes
- Fixed an issue where Steampipe failed to download the embedded PostgreSQL database and FDW during installation. (#4382)
Deprecations
- This GitHub Action is deprecated and will no longer be maintained. Please use Powerpipe Action Check instead.
Bug fixes
- Fixed secret references for AWS creds in README.
Dependencies
- Bumped @actions/core from v0.10.0 to v0.10.1.
- Bumped @vercel/ncc from v0.38.0 to v0.38.1.
- Bumped actions/setup-node from 3 to 4. (#95)
- Bumped actions/upload-artifact from 3 to 4. (#100)
- Bumped braces from 3.0.2 to 3.0.3. (#109)
- Bumped eslint from 8.52.0 to 8.56.0. (#101)
- Bumped eslint from 8.56.0 to 9.2.0. (#108)
- Bumped github/codeql-action from 2 to 3. (#99)
- Bumped semver from v7.5.4 to v7.6.3.
- Update to node v20 in action and check-dist workflow (#104) (Thanks @francois2metz for the contribution!)
Bug fixes
triggerintrospection output correctly showsparamattribute. (#900)
Bug fixes
- The
serviceProperties.table.clientRequestIdandserviceProperties.table.requestIdproperties for storage accounts have now been madedynamicto avoid unnecessary notifications in the activity tab.
Bug fixes
- Fixed incorrect references to various Quick Actions.
Whats new
- Added the ability to configure plugin startup timeout. (#4320)
- Installed FDW and embedded Postgres database from GHCR instead of GCP. (#4344)
- Updated query JSON output format to add a
columnsproperty containing the column information. This allows us to handle duplicate column names by appending a unique suffix to duplicate column name (#4317)
Existing query JSON format:
$ steampipe query "select account_id, arn from aws_account" --output json{ "rows": [ { "account_id": "123456789012", "arn": "arn:aws:::123456789012" } ]}New query JSON format(with new columns property):
$ steampipe query "select account_id, arn from aws_account" --output json{ "columns": [ { "name": "account_id", "data_type": "text" }, { "name": "arn", "data_type": "text" } ], "rows": [ { "account_id": "123456789012", "arn": "arn:aws:::123456789012" } ]}Bug fixes
- Fixed the issue where the plugin manager was incorrectly reporting a shutdown. (#4365)
What's new?
tagsargument inpipeline paramandmod variableresources. (#898).- Updated
Dockerdependency to v27.1.2.
What's new?
Policy Types
- Kubernetes > Cluster > ServiceNow > Import Set > Insert Mode
- Kubernetes > ConfigMap > ServiceNow > Import Set > Insert Mode
- Kubernetes > Deployment > ServiceNow > Import Set > Insert Mode
- Kubernetes > Namespace > ServiceNow > Import Set > Insert Mode
- Kubernetes > Node > ServiceNow > Import Set > Insert Mode
- Kubernetes > Pod > ServiceNow > Import Set > Insert Mode
- Kubernetes > ReplicaSet > ServiceNow > Import Set > Insert Mode
- Kubernetes > Service > ServiceNow > Import Set > Insert Mode
Bug fixes
- Improved error handling for
osqueryerror events.
Bug fixes
- Query controls for various resource types will now go into an invalid state if we receive an error from the
osqueryagent.
What's new?
- New tables added
Enhancements
- Added
time_createdcolumn to theazure_compute_virtual_machinetable. (#831) - Added
ip_configuration,linked_public_ip_address,nat_gatewayandservice_public_ip_addresscolumns to theazure_public_iptable. (#836) - Added 20 new columns to the
azure_postgresql_flexible_servertable. (#824)
Bug fixes
- Fixed the
ip_configurationscolumn of theazure_subnettable to correctly return data instead ofnull. (#822) - Fixed the
web_application_firewall_configurationcolumn ofazure_application_gatewaytable to correctly return data instead ofnull. (#835)
Dependencies
- Recompiled plugin with Go version
1.22. (#832) - Recompiled plugin with steampipe-plugin-sdk v5.10.4 that fixes logging in the plugin export tool.
- Updated the
azure_mysql_flexible_serverandazure_postgresql_flexible_servertables to use the new Azure ARM Go package. (#820)
What's new?
- New tables added
Enhancements
- Updated the
aws_ec2_amitable to correctly return disabled AMIs on passing thedisabledvalue to thestateoptional qual (where state = 'disabled'). (#2277) - Added 100+ new columns across all tables per
AWS Go SDK v2 1.27.0. (#2139)
Dependencies
- Recompiled plugin with Go version
1.22. (#2283) - Recompiled plugin with steampipe-plugin-sdk v5.10.4 that fixes logging in the plugin export tool. (#2286)
Bug fixes
sourceattribute in function step is now evaluated relative to the its mod directory rather than the root mod directory. (#895).
What's new?
- Added Australian Cyber Security Center (ACSC) Essential Eight benchmark (
powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight). (#823)
What's new?
Policy Types
- GCP > Storage > Bucket > ServiceNow > Import Set > Insert Mode
- GCP > Storage > Object > ServiceNow > Import Set > Insert Mode
Control Types
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set
Policy Types
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Archive Columns
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Insert Mode
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Record
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Table Name
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Archive Columns
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Insert Mode
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Record
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Table Name
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Archive Columns
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Insert Mode
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Record
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Table Name
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Archive Columns
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Insert Mode
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Record
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Table Name
What's new?
Policy Types
- GCP > Global Region > ServiceNow > Import Set > Insert Mode
- GCP > Multi-Region > ServiceNow > Import Set > Insert Mode
- GCP > Project > ServiceNow > Import Set > Insert Mode
- GCP > Region > ServiceNow > Import Set > Insert Mode
- GCP > Zone > ServiceNow > Import Set > Insert Mode
Control Types
- Azure > AKS > Managed Cluster > ServiceNow > Import Set
Policy Types
- Azure > AKS > Managed Cluster > ServiceNow > Import Set
- Azure > AKS > Managed Cluster > ServiceNow > Import Set > Archive Columns
- Azure > AKS > Managed Cluster > ServiceNow > Import Set > Insert Mode
- Azure > AKS > Managed Cluster > ServiceNow > Import Set > Record
- Azure > AKS > Managed Cluster > ServiceNow > Import Set > Table Name
What's new?
Policy Types
- Azure > Subscription > ServiceNow > Import Set > Insert Mode
What's new?
Policy Types
- ServiceNow > Import Set > Insert Mode [Default]
Bug fixes
- Guardrails did not correctly raise the real-time
modifyVolumeevent for EBS Volume Notifications. This issue is now fixed.
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed incorrect references to various Quick Actions.
Action Types
- AWS > SWF > Domain > Delete from AWS
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed incorrect references to various Quick Actions.
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed incorrect references to various Quick Actions.
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed incorrect references to various Quick Actions.
Bug fixes
- Fixed incorrect references to various Quick Actions.
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed incorrect references to various Quick Actions.
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed incorrect references to various Quick Actions.
What's new?
- Volume's metadata will now also include
createdBydetails in Guardrails CMDB. - The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- The
AWS > EC2 > Volume > Performance Configurationcontrol would sometimes fail to set the expected configuration perAWS > EC2 > Volume > Performance Configuration > *policies and move to an Invalid state if the required data was not available for new volumes in the CMDB. The control will now move to TBD instead and retry after 5 minutes to fetch the required data correctly and set the performance configuration as expected.
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed incorrect references to various Quick Actions.
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed incorrect references to various Quick Actions.
What's new?
- Support for Node.js 20 in the Lambda runtime.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Enhancements
- The
VPC Security Groupdetail page now includes information on the following associated services: (#352) (Thanks @maxcorbin for the contribution!)Amazon MQ brokerECS serviceECS task
GCP integrations now make use of temporary credentials via service account impersonation using the Service Account Token Creator role.
For more information, check out the docs.
What's new?
- The
Azure > Storage> Storage Account > CMDBcontrol will now also fetch diagnostic settings details and store them in CMDB. - Track and manage storage account access keys in Guardrails CMDB.
Resource Types
- Azure > Storage > Access Key
Control Types
- Azure > Storage > Access Key > CMDB
- Azure > Storage > Access Key > Discovery
Policy Types
- Azure > Storage > Access Key > CMDB
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
- Fixed the AKA format for rule group v2 global and regional resource types.
What's new?
- Added SOC2 2017 benchmark (
powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017). (#181)
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
Control Types
- GCP > Global Region > ServiceNow
- GCP > Global Region > ServiceNow > Configuration Item
- GCP > Global Region > ServiceNow > Import Set
- GCP > Global Region > ServiceNow > Table
- GCP > Multi-Region > ServiceNow
- GCP > Multi-Region > ServiceNow > Configuration Item
- GCP > Multi-Region > ServiceNow > Import Set
- GCP > Multi-Region > ServiceNow > Table
- GCP > Region > ServiceNow
- GCP > Region > ServiceNow > Configuration Item
- GCP > Region > ServiceNow > Import Set
- GCP > Region > ServiceNow > Table
- GCP > Zone > ServiceNow
- GCP > Zone > ServiceNow > Configuration Item
- GCP > Zone > ServiceNow > Import Set
- GCP > Zone > ServiceNow > Table
Policy Types
- GCP > Global Region > ServiceNow
- GCP > Global Region > ServiceNow > Configuration Item
- GCP > Global Region > ServiceNow > Configuration Item > Record
- GCP > Global Region > ServiceNow > Configuration Item > Table Definition
- GCP > Global Region > ServiceNow > Import Set
- GCP > Global Region > ServiceNow > Import Set > Archive Columns
- GCP > Global Region > ServiceNow > Import Set > Record
- GCP > Global Region > ServiceNow > Import Set > Table Name
- GCP > Global Region > ServiceNow > Table
- GCP > Global Region > ServiceNow > Table > Definition
- GCP > Multi-Region > ServiceNow
- GCP > Multi-Region > ServiceNow > Configuration Item
- GCP > Multi-Region > ServiceNow > Configuration Item > Record
- GCP > Multi-Region > ServiceNow > Configuration Item > Table Definition
- GCP > Multi-Region > ServiceNow > Import Set
- GCP > Multi-Region > ServiceNow > Import Set > Archive Columns
- GCP > Multi-Region > ServiceNow > Import Set > Record
- GCP > Multi-Region > ServiceNow > Import Set > Table Name
- GCP > Multi-Region > ServiceNow > Table
- GCP > Multi-Region > ServiceNow > Table > Definition
- GCP > Region > ServiceNow
- GCP > Region > ServiceNow > Configuration Item
- GCP > Region > ServiceNow > Configuration Item > Record
- GCP > Region > ServiceNow > Configuration Item > Table Definition
- GCP > Region > ServiceNow > Import Set
- GCP > Region > ServiceNow > Import Set > Archive Columns
- GCP > Region > ServiceNow > Import Set > Record
- GCP > Region > ServiceNow > Import Set > Table Name
- GCP > Region > ServiceNow > Table
- GCP > Region > ServiceNow > Table > Definition
- GCP > Zone > ServiceNow
- GCP > Zone > ServiceNow > Configuration Item
- GCP > Zone > ServiceNow > Configuration Item > Record
- GCP > Zone > ServiceNow > Configuration Item > Table Definition
- GCP > Zone > ServiceNow > Import Set
- GCP > Zone > ServiceNow > Import Set > Archive Columns
- GCP > Zone > ServiceNow > Import Set > Record
- GCP > Zone > ServiceNow > Import Set > Table Name
- GCP > Zone > ServiceNow > Table
- GCP > Zone > ServiceNow > Table > Definition
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
Bug fixes
- The
Import Setcontrols will not require permissions to read thesys_db_object&sys_dictionarytables in ServiceNow.
What's new?
- You can now configure parameter groups for DB clusters. To get started, set the
AWS > RDS > DB Cluster > Parameter Group > *policies.
Control Types
- AWS > RDS > DB Cluster > Parameter Group
Policy Types
- AWS > RDS > DB Cluster > Parameter Group
- AWS > RDS > DB Cluster > Parameter Group > Name
Action Types
- AWS > RDS > DB Cluster > Update Parameter Group
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Enhancements
- Added a default value for the
base_tag_rulesvariable. (#18)
Enhancements
- Added a default value for the
base_tag_rulesvariable. (#28)
Bug fixes
- Fixed an issue where Steampipe failed to create a new connection if it was outside the defined search path. (#4353)
Bug fixes
Server
- Resolved an issue where policy values were not being terminated due to a race condition.
- The ServiceNow credentials resolver will now display a clear message when the instance is hibernate or unavailable state.
UI
- Fixed an issue where filters on the Resource Explorer page were not functioning correctly.
- The
Importbutton on the Connect page has been updated toConnect.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We have updated various policies set during project imports to allow for a smoother import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
You can now configure Master Authorized Networks for region and zone clusters via Guardrails. To get started, set the
GCP > Kubernetes Engine > Region Cluster > Master Authorized Networks ConfigandGCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Configpolicies respectively.Improved descriptions for various resource types to ensure they are clearer and more helpful.
Control Types
- GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config
Policy Types
- GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config
Action Types
- GCP > Kubernetes Engine > Region Cluster > Set Desired Master Authorized Network Config
- GCP > Kubernetes Engine > Zone Cluster > Set Desired Master Authorized Network Config
What's new?
- We have updated various policies set during subscription imports to allow for a smoother import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Resource Types
- Azure > Network > Private Link Service
Control Types
- Azure > Network > Private Link Service > Active
- Azure > Network > Private Link Service > Approved
- Azure > Network > Private Link Service > CMDB
- Azure > Network > Private Link Service > Discovery
- Azure > Network > Private Link Service > Tags
Policy Types
- Azure > Network > Private Link Service > Active
- Azure > Network > Private Link Service > Active > Age
- Azure > Network > Private Link Service > Active > Last Modified
- Azure > Network > Private Link Service > Approved
- Azure > Network > Private Link Service > Approved > Custom
- Azure > Network > Private Link Service > Approved > Regions
- Azure > Network > Private Link Service > Approved > Usage
- Azure > Network > Private Link Service > CMDB
- Azure > Network > Private Link Service > Regions
- Azure > Network > Private Link Service > Tags
- Azure > Network > Private Link Service > Tags > Template
Action Types
- Azure > Network > Private Link Service > Delete
- Azure > Network > Private Link Service > Router
- Azure > Network > Private Link Service > Set Tags
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled.
Bug fixes
- In version 5.25.0, we added support to ignore permission errors on a bucket via the CMDB policy
Enforce: Enabled but ignore permission errors. However, the CMDB control previously ignored permission errors only on theHeadBucketoperation and still entered an error state for permission errors on sub-API calls. The CMDB control will now ignore all sub-API calls if theHeadBucketoperation is denied access. If the HeadBucket operation is successful, the control will attempt to make all sub-API calls and ignore access denied errors if encountered.
Bug fixes
- Complex nested map data type in
pipeline paramno longer fails with amismatched typeserror. (#879).
What's new?
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Resource Types
- Azure > Provider > Container Registry
Control Types
- Azure > Provider > Container Registry > CMDB
- Azure > Provider > Container Registry > Discovery
- Azure > Provider > Container Registry > Registered
Policy Types
- Azure > Provider > Container Registry > CMDB
- Azure > Provider > Container Registry > Registered
Action Types
- Azure > Provider > Container Registry > Set Registered
Resource Types
- Azure > Container Registry
- Azure > Container Registry > Registry
Control Types
- Azure > Container Registry > Registry > Active
- Azure > Container Registry > Registry > Approved
- Azure > Container Registry > Registry > CMDB
- Azure > Container Registry > Registry > Discovery
- Azure > Container Registry > Registry > Tags
Policy Types
- Azure > Container Registry > Approved Regions [Default]
- Azure > Container Registry > Enabled
- Azure > Container Registry > Permissions
- Azure > Container Registry > Permissions > Levels
- Azure > Container Registry > Permissions > Levels > Modifiers
- Azure > Container Registry > Regions
- Azure > Container Registry > Registry > Active
- Azure > Container Registry > Registry > Active > Age
- Azure > Container Registry > Registry > Active > Last Modified
- Azure > Container Registry > Registry > Approved
- Azure > Container Registry > Registry > Approved > Custom
- Azure > Container Registry > Registry > Approved > Regions
- Azure > Container Registry > Registry > Approved > Usage
- Azure > Container Registry > Registry > CMDB
- Azure > Container Registry > Registry > Regions
- Azure > Container Registry > Registry > Tags
- Azure > Container Registry > Registry > Tags > Template
- Azure > Container Registry > Tags Template [Default]
- Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-containerregistry
- Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-containerregistry
Action Types
- Azure > Container Registry > Registry > Delete
- Azure > Container Registry > Registry > Router
- Azure > Container Registry > Registry > Set Tags
What's new?
- The
Approved > Usagepolicy for resource types will now default toApprovedinstead ofApproved if AWS > {service} > Enabled. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- The
AWS > VPC > VPC > Stackcontrol would sometimes go into an error state while upserting newly created flow logs in Guardrails due to incorrect mapping of its parent resource. This issue has now been fixed, and the control will upsert flow logs more consistently and reliably than before.
Bug fixes
- The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to
Enforce: Enabledfor the service.
What's new?
- Added support for Postgres versions 13.14, 13.15, 13.16, 14.11, 14.12, 14.13 and 15.8.
- Updated Default value for the RDS certificate to
rds-ca-rsa4096-g1.
5.0.0 (2024-08-13)
Resource Types
- Azure > Managed Identity
- Azure > Managed Identity > User Assigned Identity
Control Types
- Azure > Managed Identity > User Assigned Identity > Active
- Azure > Managed Identity > User Assigned Identity > Approved
- Azure > Managed Identity > User Assigned Identity > CMDB
- Azure > Managed Identity > User Assigned Identity > Discovery
- Azure > Managed Identity > User Assigned Identity > Tags
Policy Types
- Azure > Managed Identity > Approved Regions [Default]
- Azure > Managed Identity > Enabled
- Azure > Managed Identity > Permissions
- Azure > Managed Identity > Permissions > Levels
- Azure > Managed Identity > Permissions > Levels > Modifiers
- Azure > Managed Identity > Regions
- Azure > Managed Identity > Tags Template [Default]
- Azure > Managed Identity > User Assigned Identity > Active
- Azure > Managed Identity > User Assigned Identity > Active > Age
- Azure > Managed Identity > User Assigned Identity > Active > Last Modified
- Azure > Managed Identity > User Assigned Identity > Approved
- Azure > Managed Identity > User Assigned Identity > Approved > Custom
- Azure > Managed Identity > User Assigned Identity > Approved > Regions
- Azure > Managed Identity > User Assigned Identity > Approved > Usage
- Azure > Managed Identity > User Assigned Identity > CMDB
- Azure > Managed Identity > User Assigned Identity > Regions
- Azure > Managed Identity > User Assigned Identity > Tags
- Azure > Managed Identity > User Assigned Identity > Tags > Template
- Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-managedidentity
- Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-managedidentity
Action Types
- Azure > Managed Identity > User Assigned Identity > Delete
- Azure > Managed Identity > User Assigned Identity > Router
- Azure > Managed Identity > User Assigned Identity > Set Tags
What's new?
- The
AWS > Turbot > Logging > Bucket > Default Encryptionpolicy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via theAWS > Turbot > Logging > Bucketstack control will now be encrypted byAWS SSEby default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the@turbot/aws-s3mod to v5.26.0 for the stack control to work reliably as before. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
Policy Types
Renamed
- AWS > Turbot > Logging > Bucket > Default Encryption to AWS > Turbot > Logging > Bucket > Default Encryption [Deprecated]
What's new?
- Added support for
aws_s3_bucket_ownership_controlsTerraform resource for buckets. - Improved descriptions for various resource types to ensure they are clearer and more helpful.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- Users can now configure the Terraform version for the
AWS > Config > Configuration Recordingstack control. To get started, set theAWS > Config > Configuration Recording > Terraform Versionpolicy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably.
Policy Types
- AWS > Config > Configuration Recording > Terraform Version
What's new?
- New tables added
- prismacloud_account
- prismacloud_alert
- prismacloud_alert_rule
- prismacloud_compliance_breakdown_requirement_summary
- prismacloud_compliance_breakdown_statistic
- prismacloud_compliance_breakdown_summary
- prismacloud_compliance_requirement
- prismacloud_compliance_standard
- prismacloud_iam_permission
- prismacloud_iam_role
- prismacloud_iam_user
- prismacloud_inventory_api_endpoint
- prismacloud_inventory_asset_explorer
- prismacloud_inventory_asset_view
- prismacloud_inventory_workload
- prismacloud_inventory_workload_container_image
- prismacloud_inventory_workload_host
- prismacloud_permission_group
- prismacloud_policy
- prismacloud_prioritized_vulnerabilitiy
- prismacloud_report
- prismacloud_resource
- prismacloud_trusted_alert_ip
- prismacloud_vulnerabilitiy_asset
- prismacloud_vulnerabilitiy_burndown
- prismacloud_vulnerabilitiy_overview
What's new?
- New tables added
Enhancements
- The
euuidcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linode accounts. (#56) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#60) - Added the
versionflag to the plugin's Export tool. (#65)
Dependencies
- Recompiled plugin with linode-sdk-for-go v1.37.0. (#56)
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that
QueryDatapassed toConnectionKeyColumnsvalue callback is populated withConnectionManager. (#55)
What's new?
- Users can now create and manage labels on Pub/Sub topics created via the
GCP > Turbot > Event Handlers > Pub/Subcontrol. To get started, set theGCP > Turbot > Event Handlers > Pub/Sub > Topic > Labelspolicy.
Policy Types
- GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Labels > Ignore Changes
- GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels
- GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels > Ignore Changes
Bug fixes
- Guardrails failed to cleanup deleted security group rules via the real-time
ec2:RevokeSecurityGroupEgressandec2:RevokeSecurityGroupIngressevents. This issue is now fixed.
Bug fixes
- The
AWS > Turbot > Event Handlerscontrol did not correctly raise the real-timeCreateTagsandDeleteTagsevents for VPC security group rules. This issue is now fixed.
Enhancements
- Added
ReaderandData Accessrole assignment information to thedocs/index.mdfile. (#811)
Bug fixes
- Fixed the
azure_compute_virtual_machinetable to correctly populate theguest_configuration_assignmentscolumn across allAzureenvironments. (#816) - Fixed the
azure_role_assignmenttable to correctly return the result while using any mode of plugin authentication. (#809) - Fixed the paging issue in the
azure_monitor_activity_log_eventtable. (#810) - Fixed the caching issue in the standalone plugin FDW extensions. (#480)
Enhancements
- Added
location_typecolumn as an optional qual to theaws_ec2_instance_availabilitytable and 6 new columns to theaws_ec2_instance_typetable. (#2078) - Updated docs for
aws_appautoscaling_policyandaws_appautoscaling_targettables to add information on required quals. (#2247) - Added the
typecolumn as an optional qual to theaws_auditmanager_controltable. (#2254)
Bug fixes
- Fixed the
GetConfigdefinition of theaws_auditmanager_controltable to correctly return data instead of an error. (#2254) - Fixed the
aws_kms_key_rotationtable to correctly returnnilwhenever anAccessDeniedExceptionerror is returned by the API. (#2253) - Fixed the caching issue in the standalone plugin FDW extensions. (#480)
What's new?
- Users can now configure flow logging for subnetworks. To get started, set the
GCP > Network > Subnetwork > Flow Logpolicy.
Control Types
- GCP > Network > Subnetwork > Flow Log
Policy Types
- GCP > Network > Subnetwork > Flow Log
Action Types
- GCP > Network > Subnetwork > Set Flow Log
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.
Resource Types
- Azure > Provider > Elastic
- Azure > Provider > Managed Identity
Control Types
- Azure > Provider > Elastic > CMDB
- Azure > Provider > Elastic > Discovery
- Azure > Provider > Elastic > Registered
- Azure > Provider > Managed Identity > CMDB
- Azure > Provider > Managed Identity > Discovery
- Azure > Provider > Managed Identity > Registered
Policy Types
- Azure > Provider > Elastic > CMDB
- Azure > Provider > Elastic > Registered
- Azure > Provider > Managed Identity > CMDB
- Azure > Provider > Managed Identity > Registered
Action Types
- Azure > Provider > Elastic > Set Registered
- Azure > Provider > Managed Identity > Set Registered
Bug fixes
- The
variablecommand no longer fails if the.flowpipedirectory in the user's home directory is not created yet. (#872).
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- You can now disable inactive or unapproved service accounts via Guardrails. To get started, set the
GCP > IAM > Service Account > ActiveorGCP > IAM > Service Account > Approvedpolicy toEnforce: Disable inactive with <x> days warningorEnforce: Disable unapprovedrespectively.
Action Types
- GCP > IAM > Service Account > Disable
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.
Bug fixes
- The
AWS > ECR > Repository > CMDBcontrol went into an error state for shared repositories upserted incorrectly in Guardrails CMDB. Shared repositories will now not be upserted under shared accounts or regions, but will only be upserted under their owner accounts and regions.
Bug fixes
- Guardrails failed to process the real-time event
ec2:CreateReplaceRootVolumeTaskfor instances. This is now fixed.
Enhancements
- Added the following controls to the
All Controlsbenchmark: (#176)alloydb_instance_log_error_verbosity_database_flag_default_or_stricteralloydb_instance_log_min_error_statement_database_flag_configuredalloydb_instance_log_min_messages_database_flag_error
Enhancements
- Added the following controls to the
All Controlsbenchmark: (#274)application_gateway_waf_uses_specified_modeapplication_insights_block_log_ingestion_and_querying_from_publiclog_analytics_workspace_block_log_ingestion_and_querying_from_publiclog_analytics_workspace_block_non_azure_ingestion
Bug fixes
- Fixed the
storage_account_block_public_accessquery to correctly check if thepublic_network_accesscolumn of theazure_storage_accounttable is correctly set todisabledor not as per the CIS documentation. (#277)
v0.14.0 of the Terraform Provider for Pipes is now available.
Breaking Changes
- Functionality for resource
resources/pipes_workspace_connectionmoved to manage connections at the workspace level. Previously, the resource used to manageattachmentof connections to the workspace defined at the respective identity level. Please follow the migration guide for migrating your existing configuration into the new model. - Resource
resources/pipes_connectiondoes not support management of user level connections in line with changes in Pipes.
What's new?
- Resource
pipes_organization_connection - Resource
pipes_organization_connection_folder - Resource
pipes_organization_connection_folder_permission - Resource
pipes_organization_connection_permission - Resource
pipes_organization_integration - Resource
pipes_tenant_connection - Resource
pipes_tenant_connection_folder - Resource
pipes_tenant_connection_folder_permission - Resource
pipes_tenant_connection_permission - Resource
pipes_tenant_integration - Resource
pipes_user_integration - Resource
pipes_workspace_connection_folder - Resource
pipes_workspace_schema
Enhancements
- Resource
resources/pipes_workspace_modadd support for storing attributestate_reason
v0.10.0 of the Pipes SDK Go is now available.
What's new?
- Intregation Management APIs for
Tenants,Users,Organizations,UserWorkspacesandOrgWorkspaces. - Tenant Connection Management APIs.
- Tenant Connection Folder Management APIs.
- User Connection Folder Management APIs.
- Organization Connection Management APIs.
- Organization Connection Folder Management APIs.
- Workspace Connection Management APIs.
- Workspace Connection Folder Management APIs.
- Permission Management APIs for
ConnectionsandConnectionFolders.
Enhancements
- Add support for installing mods that are associated to integrations.
- Add support for setting search path prefix for a workspace.
What's new?
Server
- Made notifications faster by improving the query, which enhances the performance of the resource activity tab.
UI
- Fixed a bug where policy pack creation would fail if the AKA was not provided from the user interface.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
Azure > Resource Group > ServiceNow > Configuration Itemcontrol would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.
Bug fixes
- The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
Bug fixes
- The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
Bug fixes
- The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
Control Types
- GCP > Project > ServiceNow > Import Set
Policy Types
- GCP > Project > ServiceNow > Import Set
- GCP > Project > ServiceNow > Import Set > Archive Columns
- GCP > Project > ServiceNow > Import Set > Record
- GCP > Project > ServiceNow > Import Set > Table Name
Bug fixes
- The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
Bug fixes
- The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
Bug fixes
- The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
Bug fixes
- The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
Bug fixes
- The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
What's new?
- Added support for Postgres versions 15.6 and 15.7.
What's new?
- We've updated internal dependencies and now use the latest Azure SDK versions to poll events from Azure Monitor and process them in Guardrails. You won't notice any difference, and things will continue to work smoothly as before.
What's new?
AWS/DynamoDB/Admin,AWS/DynamoDB/MetadataandAWS/DynamoDB/Operatornow include permissions for Resource Policy, Imports, Time to Live and Global Table Version.
Breaking changes
- Removed the following columns in
gcp_cloudfunctions_functiontable to align with the new API response structure: (#612)environment_variablessource_upload_urlversion_id
What's new?
- Added the
impersonate_access_tokenconfig argument to support plugin authentication by using a pre-generated temporary access token. (#621)
Enhancements
- Added 17 new columns to the
gcp_cloudfunctions_functiontable. (#612)
Bug fixes
- Fixed the cache key issue in the
SecretManagerservice client creation. (#624)
What's new?
Control Types
- Azure > Network > Network Security Group > ServiceNow > Import Set
Policy Types
- Azure > Network > Network Security Group > ServiceNow > Import Set
- Azure > Network > Network Security Group > ServiceNow > Import Set > Archive Columns
- Azure > Network > Network Security Group > ServiceNow > Import Set > Record
- Azure > Network > Network Security Group > ServiceNow > Import Set > Table Name
What's new?
Control Types
- Azure > Subscription > ServiceNow > Import Set
Policy Types
- Azure > Subscription > ServiceNow > Import Set
- Azure > Subscription > ServiceNow > Import Set > Archive Columns
- Azure > Subscription > ServiceNow > Import Set > Record
- Azure > Subscription > ServiceNow > Import Set > Table Name
What's new?
- Users can now enable/disable
Table loggingforStorage AccountsviaAzure > Storage > Storage Account > Table > Loggingcontrol. To get started, set theAzure > Storage > Storage Account > Table > Loggingpolicy.
Control Types
- Azure > Storage > Storage Account > Encryption at Rest
- Azure > Storage > Storage Account > Table
- Azure > Storage > Storage Account > Table > Logging
Policy Types
- Azure > Storage > Storage Account > Encryption at Rest
- Azure > Storage > Storage Account > Encryption at Rest > Customer Managed Key
- Azure > Storage > Storage Account > Table
- Azure > Storage > Storage Account > Table > Logging
- Azure > Storage > Storage Account > Table > Logging > Properties
- Azure > Storage > Storage Account > Table > Logging > Retention Days
Action Types
Azure > Storage > Storage Account > Update Encryption at Rest
Azure > Storage > Storage Account > Update Storage Account Table Logging
The Storage Account CMDB data will now also include information about the account's table service properties.
We've removed the dependency on
listKeyspermission forAzure > Storage Account > Container > Discoveryto run its course to completion. This release includes breaking changes in the CMDB data for containers. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
isImmutableStorageWithVersioningEnabled to isImmutableStorageWithVersioning.enabled
Removed:
preventEncryptionScopeOverride
Bug fixes
- The
Azure > Storage > Storage Account > CMDBcontrol would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access forlistKeys, and will run its course to completion without going into an error state.
Bug fixes
- Improved error message for the
AWS > S3 > Bucket > CMDBcontrol if it would go into an error state due to insufficient permissions for theheadBucketoperation.
What's new?
- Server
- Migrated from Node.js 18 to Node.js 20 for improved performance and security.
- Updated the Mod Lambda architecture to ARM64 for better efficiency.
- Added support for Node.js 20 in the Lambda runtime.
Bug fixes
- Server
- Resolved an issue where the next tick timestamp was not being set for large commands
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- UI
- Resolved deletion issue from UI for Policy Packs with latest Turbot Mod(5.45.0) and TE 5.45.0.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Import a tree of folders and projects as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
You can now create connections at the custom tenant, organization or workspace level in Pipes, along with grouping of these within folders to allow easier sharing of related connections.
This is coupled with a fine-grained permissions model, allowing you to share connections & folders broadly across a custom tenant, or restrict access to specific organizations and/or their workspaces.
For more information, check out the docs:
Import a tree of management groups and subscriptions as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
Import a tree of OUs and accounts as Pipes connections, control permissions for workspaces, and auto-create aggregators.
For more information, see the launch post or check out the docs.
What's new?
Control Types
- Kubernetes > CronJob > ServiceNow
- Kubernetes > CronJob > ServiceNow > Configuration Item
- Kubernetes > CronJob > ServiceNow > Table
- Kubernetes > DaemonSet > ServiceNow
- Kubernetes > DaemonSet > ServiceNow > Configuration Item
- Kubernetes > DaemonSet > ServiceNow > Table
- Kubernetes > Ingress > ServiceNow
- Kubernetes > Ingress > ServiceNow > Configuration Item
- Kubernetes > Ingress > ServiceNow > Table
- Kubernetes > Job > ServiceNow
- Kubernetes > Job > ServiceNow > Configuration Item
- Kubernetes > Job > ServiceNow > Table
- Kubernetes > Persistent Volume > ServiceNow
- Kubernetes > Persistent Volume > ServiceNow > Configuration Item
- Kubernetes > Persistent Volume > ServiceNow > Table
- Kubernetes > ReplicationController > ServiceNow
- Kubernetes > ReplicationController > ServiceNow > Configuration Item
- Kubernetes > ReplicationController > ServiceNow > Table
- Kubernetes > StatefulSet > ServiceNow
- Kubernetes > StatefulSet > ServiceNow > Configuration Item
- Kubernetes > StatefulSet > ServiceNow > Table
Policy Types
- Kubernetes > CronJob > ServiceNow
- Kubernetes > CronJob > ServiceNow > Configuration Item
- Kubernetes > CronJob > ServiceNow > Configuration Item > Record
- Kubernetes > CronJob > ServiceNow > Configuration Item > Table Definition
- Kubernetes > CronJob > ServiceNow > Table
- Kubernetes > CronJob > ServiceNow > Table > Definition
- Kubernetes > DaemonSet > ServiceNow
- Kubernetes > DaemonSet > ServiceNow > Configuration Item
- Kubernetes > DaemonSet > ServiceNow > Configuration Item > Record
- Kubernetes > DaemonSet > ServiceNow > Configuration Item > Table Definition
- Kubernetes > DaemonSet > ServiceNow > Table
- Kubernetes > DaemonSet > ServiceNow > Table > Definition
- Kubernetes > Ingress > ServiceNow
- Kubernetes > Ingress > ServiceNow > Configuration Item
- Kubernetes > Ingress > ServiceNow > Configuration Item > Record
- Kubernetes > Ingress > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Ingress > ServiceNow > Table
- Kubernetes > Ingress > ServiceNow > Table > Definition
- Kubernetes > Job > ServiceNow
- Kubernetes > Job > ServiceNow > Configuration Item
- Kubernetes > Job > ServiceNow > Configuration Item > Record
- Kubernetes > Job > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Job > ServiceNow > Table
- Kubernetes > Job > ServiceNow > Table > Definition
- Kubernetes > Persistent Volume > ServiceNow
- Kubernetes > Persistent Volume > ServiceNow > Configuration Item
- Kubernetes > Persistent Volume > ServiceNow > Configuration Item > Record
- Kubernetes > Persistent Volume > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Persistent Volume > ServiceNow > Table
- Kubernetes > Persistent Volume > ServiceNow > Table > Definition
- Kubernetes > ReplicationController > ServiceNow
- Kubernetes > ReplicationController > ServiceNow > Configuration Item
- Kubernetes > ReplicationController > ServiceNow > Configuration Item > Record
- Kubernetes > ReplicationController > ServiceNow > Configuration Item > Table Definition
- Kubernetes > ReplicationController > ServiceNow > Table
- Kubernetes > ReplicationController > ServiceNow > Table > Definition
- Kubernetes > StatefulSet > ServiceNow
- Kubernetes > StatefulSet > ServiceNow > Configuration Item
- Kubernetes > StatefulSet > ServiceNow > Configuration Item > Record
- Kubernetes > StatefulSet > ServiceNow > Configuration Item > Table Definition
- Kubernetes > StatefulSet > ServiceNow > Table
- Kubernetes > StatefulSet > ServiceNow > Table > Definition
What's new?
Resource Types
- Kubernetes > CronJob
- Kubernetes > DaemonSet
- Kubernetes > Ingress
- Kubernetes > Job
- Kubernetes > Persistent Volume
- Kubernetes > ReplicationController
- Kubernetes > StatefulSet
Control Types
- Kubernetes > ConfigMap > Active
- Kubernetes > CronJob > Active
- Kubernetes > CronJob > Annotations
- Kubernetes > CronJob > Approved
- Kubernetes > CronJob > CMDB
- Kubernetes > CronJob > Labels
- Kubernetes > CronJob > Query
- Kubernetes > DaemonSet > Active
- Kubernetes > DaemonSet > Annotations
- Kubernetes > DaemonSet > Approved
- Kubernetes > DaemonSet > CMDB
- Kubernetes > DaemonSet > Labels
- Kubernetes > DaemonSet > Query
- Kubernetes > Deployment > Active
- Kubernetes > Ingress > Active
- Kubernetes > Ingress > Annotations
- Kubernetes > Ingress > Approved
- Kubernetes > Ingress > CMDB
- Kubernetes > Ingress > Labels
- Kubernetes > Ingress > Query
- Kubernetes > Job > Active
- Kubernetes > Job > Annotations
- Kubernetes > Job > Approved
- Kubernetes > Job > CMDB
- Kubernetes > Job > Labels
- Kubernetes > Job > Query
- Kubernetes > Namespace > Active
- Kubernetes > Node > Active
- Kubernetes > Persistent Volume > Active
- Kubernetes > Persistent Volume > Annotations
- Kubernetes > Persistent Volume > Approved
- Kubernetes > Persistent Volume > CMDB
- Kubernetes > Persistent Volume > Labels
- Kubernetes > Persistent Volume > Query
- Kubernetes > Pod > Active
- Kubernetes > ReplicaSet > Active
- Kubernetes > ReplicationController > Active
- Kubernetes > ReplicationController > Annotations
- Kubernetes > ReplicationController > Approved
- Kubernetes > ReplicationController > CMDB
- Kubernetes > ReplicationController > Labels
- Kubernetes > ReplicationController > Query
- Kubernetes > Service > Active
- Kubernetes > StatefulSet > Active
- Kubernetes > StatefulSet > Annotations
- Kubernetes > StatefulSet > Approved
- Kubernetes > StatefulSet > CMDB
- Kubernetes > StatefulSet > Labels
- Kubernetes > StatefulSet > Query
Policy Types
- Kubernetes > Cluster > CMDB > Expiration
- Kubernetes > Cluster > CMDB > Expiration > Expiration Days
- Kubernetes > Cluster > osquery
- Kubernetes > Cluster > osquery > Configuration
- Kubernetes > ConfigMap > Active
- Kubernetes > ConfigMap > Active > Age
- Kubernetes > ConfigMap > Active > Last Modified
- Kubernetes > CronJob > Active
- Kubernetes > CronJob > Active > Age
- Kubernetes > CronJob > Active > Last Modified
- Kubernetes > CronJob > Annotations
- Kubernetes > CronJob > Annotations > Template
- Kubernetes > CronJob > Approved
- Kubernetes > CronJob > Approved > Custom
- Kubernetes > CronJob > CMDB
- Kubernetes > CronJob > Labels
- Kubernetes > CronJob > Labels > Template
- Kubernetes > CronJob > osquery
- Kubernetes > CronJob > osquery > Configuration
- Kubernetes > CronJob > osquery > Configuration > Columns
- Kubernetes > CronJob > osquery > Configuration > Interval
- Kubernetes > CronJob > osquery > Configuration > Name
- Kubernetes > DaemonSet > Active
- Kubernetes > DaemonSet > Active > Age
- Kubernetes > DaemonSet > Active > Last Modified
- Kubernetes > DaemonSet > Annotations
- Kubernetes > DaemonSet > Annotations > Template
- Kubernetes > DaemonSet > Approved
- Kubernetes > DaemonSet > Approved > Custom
- Kubernetes > DaemonSet > CMDB
- Kubernetes > DaemonSet > Labels
- Kubernetes > DaemonSet > Labels > Template
- Kubernetes > DaemonSet > osquery
- Kubernetes > DaemonSet > osquery > Configuration
- Kubernetes > DaemonSet > osquery > Configuration > Columns
- Kubernetes > DaemonSet > osquery > Configuration > Interval
- Kubernetes > DaemonSet > osquery > Configuration > Name
- Kubernetes > Deployment > Active
- Kubernetes > Deployment > Active > Age
- Kubernetes > Deployment > Active > Last Modified
- Kubernetes > Ingress > Active
- Kubernetes > Ingress > Active > Age
- Kubernetes > Ingress > Active > Last Modified
- Kubernetes > Ingress > Annotations
- Kubernetes > Ingress > Annotations > Template
- Kubernetes > Ingress > Approved
- Kubernetes > Ingress > Approved > Custom
- Kubernetes > Ingress > CMDB
- Kubernetes > Ingress > Labels
- Kubernetes > Ingress > Labels > Template
- Kubernetes > Ingress > osquery
- Kubernetes > Ingress > osquery > Configuration
- Kubernetes > Ingress > osquery > Configuration > Columns
- Kubernetes > Ingress > osquery > Configuration > Interval
- Kubernetes > Ingress > osquery > Configuration > Name
- Kubernetes > Job > Active
- Kubernetes > Job > Active > Age
- Kubernetes > Job > Active > Last Modified
- Kubernetes > Job > Annotations
- Kubernetes > Job > Annotations > Template
- Kubernetes > Job > Approved
- Kubernetes > Job > Approved > Custom
- Kubernetes > Job > CMDB
- Kubernetes > Job > Labels
- Kubernetes > Job > Labels > Template
- Kubernetes > Job > osquery
- Kubernetes > Job > osquery > Configuration
- Kubernetes > Job > osquery > Configuration > Columns
- Kubernetes > Job > osquery > Configuration > Interval
- Kubernetes > Job > osquery > Configuration > Name
- Kubernetes > Namespace > Active
- Kubernetes > Namespace > Active > Age
- Kubernetes > Namespace > Active > Last Modified
- Kubernetes > Node > Active
- Kubernetes > Node > Active > Age
- Kubernetes > Node > Active > Last Modified
- Kubernetes > Persistent Volume > Active
- Kubernetes > Persistent Volume > Active > Age
- Kubernetes > Persistent Volume > Active > Last Modified
- Kubernetes > Persistent Volume > Annotations
- Kubernetes > Persistent Volume > Annotations > Template
- Kubernetes > Persistent Volume > Approved
- Kubernetes > Persistent Volume > Approved > Custom
- Kubernetes > Persistent Volume > CMDB
- Kubernetes > Persistent Volume > Labels
- Kubernetes > Persistent Volume > Labels > Template
- Kubernetes > Persistent Volume > osquery
- Kubernetes > Persistent Volume > osquery > Configuration
- Kubernetes > Persistent Volume > osquery > Configuration > Columns
- Kubernetes > Persistent Volume > osquery > Configuration > Interval
- Kubernetes > Persistent Volume > osquery > Configuration > Name
- Kubernetes > Pod > Active
- Kubernetes > Pod > Active > Age
- Kubernetes > Pod > Active > Last Modified
- Kubernetes > ReplicaSet > Active
- Kubernetes > ReplicaSet > Active > Age
- Kubernetes > ReplicaSet > Active > Last Modified
- Kubernetes > ReplicationController > Active
- Kubernetes > ReplicationController > Active > Age
- Kubernetes > ReplicationController > Active > Last Modified
- Kubernetes > ReplicationController > Annotations
- Kubernetes > ReplicationController > Annotations > Template
- Kubernetes > ReplicationController > Approved
- Kubernetes > ReplicationController > Approved > Custom
- Kubernetes > ReplicationController > CMDB
- Kubernetes > ReplicationController > Labels
- Kubernetes > ReplicationController > Labels > Template
- Kubernetes > ReplicationController > osquery
- Kubernetes > ReplicationController > osquery > Configuration
- Kubernetes > ReplicationController > osquery > Configuration > Columns
- Kubernetes > ReplicationController > osquery > Configuration > Interval
- Kubernetes > ReplicationController > osquery > Configuration > Name
- Kubernetes > Service > Active
- Kubernetes > Service > Active > Age
- Kubernetes > Service > Active > Last Modified
- Kubernetes > StatefulSet > Active
- Kubernetes > StatefulSet > Active > Age
- Kubernetes > StatefulSet > Active > Last Modified
- Kubernetes > StatefulSet > Annotations
- Kubernetes > StatefulSet > Annotations > Template
- Kubernetes > StatefulSet > Approved
- Kubernetes > StatefulSet > Approved > Custom
- Kubernetes > StatefulSet > CMDB
- Kubernetes > StatefulSet > Labels
- Kubernetes > StatefulSet > Labels > Template
- Kubernetes > StatefulSet > osquery
- Kubernetes > StatefulSet > osquery > Configuration
- Kubernetes > StatefulSet > osquery > Configuration > Columns
- Kubernetes > StatefulSet > osquery > Configuration > Interval
- Kubernetes > StatefulSet > osquery > Configuration > Name
Action Types
- Kubernetes > Cluster > Router
- Kubernetes > CronJob > Router
- Kubernetes > DaemonSet > Router
- Kubernetes > Ingress > Router
- Kubernetes > Job > Router
- Kubernetes > Persistent Volume > Router
- Kubernetes > ReplicationController > Router
- Kubernetes > StatefulSet > Router
Bug fixes
- CMDB controls for various resources sometimes failed to process a large number of updates that occurred in quick succession via Cluster events. We’ve improved our GraphQL queries to handle such a load, and the controls will now be able to process such events more smoothly and reliably than before.
What's new?
- The
AWS > S3 > Bucket > CMDBcontrol would go into an error state if Guardrails did not have permissions to call theheadBucketoperation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set theAWS > S3 > Bucket > CMDBpolicy toEnforce: Enabled but ignore permission errors.
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- In the previous version, we fixed an issue with the
Azure > App Service > Web App > Client Certificate Modecontrol, ensuring that the Client Certificate Mode is set toRequirecorrectly. However, we missed an edge case where the control wouldn’t enforce any mode other than the default setting ofIgnore. We have now addressed all cases, and the control will work more reliably and consistently than before.
What's new?
- Interactive workflows in the terminal via console integration. Blog.
- Simplified progress output for
flowpipe pipeline runcommand when running in Client mode and not using the--verbosearg. --data-dirparameter to specify the location of the event store database. (#852).--execution-idparameter to specify custom execution id for pipeline run. (#856).- Update
Goversion to v1.22.4.
Bug fixes
What's new?
- Added 22
detect and correctpipelines to identify unused and underutilized GCP resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see GCP Thrifty Mod.
What's new?
- Detect and correct misconfigured labels across 8 GCP resource types.
- Automatically add mandatory labels (e.g.
env,owner). - Clean up prohibited labels (e.g.
secret,key). - Reconcile shorthand or misspelled label keys to standardized keys (e.g.
cctocost_center). - Update label values to conform to expected standards, ensuring consistency (e.g.
Prodtoprod).
For detailed usage information and a full list of pipelines, please see GCP Labels Mod.
What's new?
- Added 24
detect and correctpipelines to identify unused and underutilized Azure resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see Azure Thrifty Mod.
What's new?
- Detect and correct misconfigured tags across 55+ Azure resource types.
- Automatically add mandatory tags (e.g.
env,owner). - Clean up prohibited tags (e.g.
secret,key). - Reconcile shorthand or misspelled tag keys to standardized keys (e.g.
cctocost_center). - Update tag values to conform to expected standards, ensuring consistency (e.g.
Prodtoprod).
For detailed usage information and a full list of pipelines, please see Azure Tags Mod.
What's new?
- The mod has been updated to run in the Wizard mode by default.
What's new?
- Detect and correct misconfigured tags across 65+ AWS resource types.
- Automatically add mandatory tags (e.g.
env,owner). - Clean up prohibited tags (e.g.
secret,key). - Reconcile shorthand or misspelled tag keys to standardized keys (e.g.
cctocost_center). - Update tag values to conform to expected standards, ensuring consistency (e.g.
Prodtoprod).
For detailed usage information and a full list of pipelines, please see AWS Tags Mod.
What's new?
- Updated AWS Lambda function architecture to ARM64 for improved performance and cost efficiency.
What's new?
Server
- Improved memory optimization for Redis.
- Updated all AWS Lambda functions in the TE environment to use ARM64 architecture for improved performance and cost efficiency.
- Allow notifications rules to accept nunjucks for Email address.
- Updated several node packages to newer versions for improved functionality and security.
UI
Smart Foldersare now calledPolicy Packs.- Now you can add AKA while creating
Policy Packsfrom UI.
Bug fixes
Server
- Fixed an issue where controls remained in TBD state for accounts imported without an External ID.
UI
- Removed the unsupported feature for rearranging
Policy Packsfrom the UI.
- Removed the unsupported feature for rearranging
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The Import Set policies for various Kubernetes resources will no longer include the
Enforce: Syncpolicy value for integrating Import Sets in ServiceNow.
Control Types
- GCP > Storage > Object > ServiceNow > Import Set
Policy Types
- GCP > Storage > Object > ServiceNow > Import Set
- GCP > Storage > Object > ServiceNow > Import Set > Archive Columns
- GCP > Storage > Object > ServiceNow > Import Set > Record
- GCP > Storage > Object > ServiceNow > Import Set > Table Name
Control Types
- GCP > Compute Engine > Disk > ServiceNow > Import Set
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set
- GCP > Compute Engine > Health Check > ServiceNow > Import Set
- GCP > Compute Engine > Image > ServiceNow > Import Set
- GCP > Compute Engine > Instance > ServiceNow > Import Set
- GCP > Compute Engine > Instance Template > ServiceNow > Import Set
- GCP > Compute Engine > Node Group > ServiceNow > Import Set
- GCP > Compute Engine > Node template > ServiceNow > Import Set
- GCP > Compute Engine > Project > ServiceNow > Import Set
- GCP > Compute Engine > Region Disk > ServiceNow > Import Set
- GCP > Compute Engine > Region Health Check > ServiceNow > Import Set
- GCP > Compute Engine > Snapshot > ServiceNow > Import Set
Policy Types
- GCP > Compute Engine > Disk > ServiceNow > Import Set
- GCP > Compute Engine > Disk > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Disk > ServiceNow > Import Set > Record
- GCP > Compute Engine > Disk > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Record
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Record
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Health Check > ServiceNow > Import Set
- GCP > Compute Engine > Health Check > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Health Check > ServiceNow > Import Set > Record
- GCP > Compute Engine > Health Check > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Image > ServiceNow > Import Set
- GCP > Compute Engine > Image > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Image > ServiceNow > Import Set > Record
- GCP > Compute Engine > Image > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Instance > ServiceNow > Import Set
- GCP > Compute Engine > Instance > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Instance > ServiceNow > Import Set > Record
- GCP > Compute Engine > Instance > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Instance Template > ServiceNow > Import Set
- GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Record
- GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Node Group > ServiceNow > Import Set
- GCP > Compute Engine > Node Group > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Node Group > ServiceNow > Import Set > Record
- GCP > Compute Engine > Node Group > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Node template > ServiceNow > Import Set
- GCP > Compute Engine > Node template > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Node template > ServiceNow > Import Set > Record
- GCP > Compute Engine > Node template > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Project > ServiceNow > Import Set
- GCP > Compute Engine > Project > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Project > ServiceNow > Import Set > Record
- GCP > Compute Engine > Project > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Region Disk > ServiceNow > Import Set
- GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Record
- GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Region Health Check > ServiceNow > Import Set
- GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Record
- GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Table Name
- GCP > Compute Engine > Snapshot > ServiceNow > Import Set
- GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Archive Columns
- GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Record
- GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Table Name
Control Types
- Azure > Storage > Container > ServiceNow > Import Set
- Azure > Storage > FileShare > ServiceNow > Import Set
- Azure > Storage > Queue > ServiceNow > Import Set
Policy Types
- Azure > Storage > Container > ServiceNow > Import Set
- Azure > Storage > Container > ServiceNow > Import Set > Archive Columns
- Azure > Storage > Container > ServiceNow > Import Set > Record
- Azure > Storage > Container > ServiceNow > Import Set > Table Name
- Azure > Storage > FileShare > ServiceNow > Import Set
- Azure > Storage > FileShare > ServiceNow > Import Set > Archive Columns
- Azure > Storage > FileShare > ServiceNow > Import Set > Record
- Azure > Storage > FileShare > ServiceNow > Import Set > Table Name
- Azure > Storage > Queue > ServiceNow > Import Set
- Azure > Storage > Queue > ServiceNow > Import Set > Archive Columns
- Azure > Storage > Queue > ServiceNow > Import Set > Record
- Azure > Storage > Queue > ServiceNow > Import Set > Table Name
Control Types
- Azure > Compute > Availability Set > ServiceNow > Import Set
- Azure > Compute > Disk > ServiceNow > Import Set
- Azure > Compute > Disk Encryption Set > ServiceNow > Import Set
- Azure > Compute > Image > ServiceNow > Import Set
- Azure > Compute > Snapshot > ServiceNow > Import Set
- Azure > Compute > Ssh Public Key > ServiceNow > Import Set
- Azure > Compute > Virtual Machine > ServiceNow > Import Set
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set
Policy Types
- Azure > Compute > Availability Set > ServiceNow > Import Set
- Azure > Compute > Availability Set > ServiceNow > Import Set > Archive Columns
- Azure > Compute > Availability Set > ServiceNow > Import Set > Record
- Azure > Compute > Availability Set > ServiceNow > Import Set > Table Name
- Azure > Compute > Disk > ServiceNow > Import Set
- Azure > Compute > Disk > ServiceNow > Import Set > Archive Columns
- Azure > Compute > Disk > ServiceNow > Import Set > Record
- Azure > Compute > Disk > ServiceNow > Import Set > Table Name
- Azure > Compute > Disk Encryption Set > ServiceNow > Import Set
- Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Archive Columns
- Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Record
- Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Table Name
- Azure > Compute > Image > ServiceNow > Import Set
- Azure > Compute > Image > ServiceNow > Import Set > Archive Columns
- Azure > Compute > Image > ServiceNow > Import Set > Record
- Azure > Compute > Image > ServiceNow > Import Set > Table Name
- Azure > Compute > Snapshot > ServiceNow > Import Set
- Azure > Compute > Snapshot > ServiceNow > Import Set > Archive Columns
- Azure > Compute > Snapshot > ServiceNow > Import Set > Record
- Azure > Compute > Snapshot > ServiceNow > Import Set > Table Name
- Azure > Compute > Ssh Public Key > ServiceNow > Import Set
- Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Archive Columns
- Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Record
- Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Table Name
- Azure > Compute > Virtual Machine > ServiceNow > Import Set
- Azure > Compute > Virtual Machine > ServiceNow > Import Set > Archive Columns
- Azure > Compute > Virtual Machine > ServiceNow > Import Set > Record
- Azure > Compute > Virtual Machine > ServiceNow > Import Set > Table Name
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Archive Columns
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Record
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Table Name
Control Types
- AWS > S3 > Bucket > ServiceNow > Import Set
Policy Types
- AWS > S3 > Bucket > ServiceNow > Import Set
- AWS > S3 > Bucket > ServiceNow > Import Set > Archive Columns
- AWS > S3 > Bucket > ServiceNow > Import Set > Record
- AWS > S3 > Bucket > ServiceNow > Import Set > Table Name
What's new?
- Added support to archive Import Sets in ServiceNow.
What's new?
- New tables added
Bug fixes
- Fixed the
power_statecolumn of theazure_compute_virtual_machinetable to correctly return data instead of anil pointer dereferenceerror. (#804)
Bug fixes
- The
Azure > App Service > Web App > Client Certificate Modecontrol did not applyEnforce: Requiresettings correctly. This is now fixed.
What's new?
- Added support for
google_monitoring_alert_policyandgoogle_monitoring_notification_channelTerraform resources.
Control Types
- GCP > Monitoring > Alert Policy > Configured
- GCP > Monitoring > Notification Channel > Configured
Policy Types
- GCP > Monitoring > Alert Policy > Configured
- GCP > Monitoring > Alert Policy > Configured > Claim Precedence
- GCP > Monitoring > Alert Policy > Configured > Source
- GCP > Monitoring > Notification Channel > Configured
- GCP > Monitoring > Notification Channel > Configured > Claim Precedence
- GCP > Monitoring > Notification Channel > Configured > Source
What's new?
- Added support for
google_logging_metricTerraform resource.
Control Types
- GCP > Logging > Metric > Configured
Policy Types
- GCP > Logging > Metric > Configured
- GCP > Logging > Metric > Configured > Claim Precedence
- GCP > Logging > Metric > Configured > Source
Bug fixes
- The
Azure > Storage > Storage Account > Queue > Loggingcontrol failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
- Fixed plugin loading issues by eliminating the need for manual caching, ensuring smoother and more reliable plugin installations. (#50)
What's new?
- Added the
insecure_skip_verifyconnection config argument to support bypassing theSSL/TLScertificate verification while querying the tables. (#48)
Enhancements
- The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage.
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 that adds support for connection key columns. (#49)
Bug fixes
- Fixed issue where local Docker config for the credential store was used when installing plugins from GHCR, enabling installation from GHCR to work even if docker-credential-desktop is not in PATH. (#4323)
- Fixed issue where Steampipe returned a 0 exit code even if it failed to export a snapshot. (#4276)
- Fixed issue where the query command did not support the legacy 'true' and 'false' values for the --timing flag. (#4282)
- Fixed issue where SPS output was not working. (#4297)
- Fixed issue where loading connection plugins did not return successfully created connections if some connections failed due to the configuration not being available. (#474)
- Fixed issue where scan info in query JSON output was shown even when the timing configuration was not set to verbose. (#4292)
What's new?
- Users can now configure Shielded Instance Configuration for instances. To get started, set
GCP > Compute > Instance > Shielded Instance Configuration > *policies.
Control Types
- GCP > Compute Engine > Instance > Shielded Instance Configuration
Policy Types
- GCP > Compute Engine > Instance > Shielded Instance Configuration
- GCP > Compute Engine > Instance > Shielded Instance Configuration > Integrity Monitoring
- GCP > Compute Engine > Instance > Shielded Instance Configuration > Secure Boot
- GCP > Compute Engine > Instance > Shielded Instance Configuration > vTPM
Action Types
- GCP > Compute Engine > Instance > Set Shielded Instance Configuration
What's new?
- The
Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)control will also evaluate SQL databases for SKU Basic/Consumption.
Control Types
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Policy Types
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group flow logs are captured and sent to Log Analytics
Bug fixes
- The
Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed keycontrol did not evaluate the result correctly, as expected. This is now fixed.
The CrowdStrike plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
DOCUMENTATION:
resource/turbot_policy_pack: Added documentation forakasattribute for the resource. (#179)
What's new?
- Users can now configure Encryption In Transit for instances. To get started, set the
GCP > SQL > Instance > Encryption In Transitpolicy.
Control Types
- GCP > SQL > Instance > Encryption In Transit
Policy Types
- GCP > SQL > Instance > Encryption In Transit
Action Types
- GCP > SQL > Instance > Update Encryption in Transit
What's new?
Control Types
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days
Policy Types
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days
What's new?
- Users can now upgrade the SKU from
BasictoStandardfor Public IP Addresss viaAzure > Network > Public IP Address > Standard SKUcontrol. To get started, set theAzure > Network > Public IP Address > Standard SKUpolicy.
Control Types
- Azure > Network > Public IP Address > Standard SKU
Policy Types
- Azure > Network > Public IP Address > Standard SKU
- Azure > Network > Public IP Address > Standard SKU > SKU Tier
Action Types
- Azure > Network > Public IP Address > Update SKU to Standard
What's new?
- We've added guardrails to help secure access to your database accounts' public endpoints. All database accounts have public endpoints that are accessible through the internet by default. This access can be limited to specific IP ranges, virtual network subnets, and trusted Microsoft services by defining firewall and virtual network rules.
To get started configuring these rules through Guardrails, the following policies should set according to your desired firewall rules configuration:
Azure > Cosmos DB > Database Account > Firewall - Configure default access rules for the public endpoint
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved - Remove unapproved IP ranges
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required - Grant access to specific IP ranges
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved - Remove unapproved virtual network subnets
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required - Grant access to specific virtual network subnets
Please note that if the Azure > Cosmos DB > Database Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the database accounts.
Control Types
- Azure > Cosmos DB > Database Account > Firewall
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
Policy Types
- Azure > Cosmos DB > Database Account > Firewall
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > CIDR Ranges
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Rules
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Compiled Items
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Exceptions
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Items
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Compiled Rules
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Rules
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Subnets
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required > Items
Action Types
- Azure > Cosmos DB > Database Account > Update Firewall Default Access Rule
- Azure > Cosmos DB > Database Account > Update Firewall IP Ranges
- Azure > Cosmos DB > Database Account > Update Firewall Virtual Networks
Bug fixes
- Various Discovery and CMDB controls entered an error state because they used outdated APIs that no longer functioned as expected. We have updated internal package dependencies, and those controls now operate smoothly as intended.
Bug fixes
- Resolved an issue where an empty outbound_cidr_ranges SSM parameter caused a validation error. Now, if the outbound_cidr_ranges parameter is empty, it will be set to None.
What's new?
- Added M7i and M7i-flex instance type.
- Updated the HealthCheckProxy lambda function to use python 3.10.
Bug fixes
- The
GCP > Project > CMDBcontrol went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.
What's new?
- Users can now configure authorized networks for instances in Guardrails. To get started, set the
GCP > SQL > Instance > Authorized Network > *policies. - Users can now configure Database Flags for instances in Guardrails. To get started, set the
GCP > SQL > Instance > Database Flagspolicy. - Users can now clean up and stop tracking SQL resources in Guardrails. To get started, set the
GCP > SQL > CMDBpolicy toEnforce: Disabled.
Control Types
- GCP > SQL > Instance > Authorized Network
- GCP > SQL > Instance > Authorized Network > Approved
- GCP > SQL > Instance > Database Flags
Policy Types
- GCP > SQL > Instance > Authorized Network
- GCP > SQL > Instance > Authorized Network > Approved
- GCP > SQL > Instance > Authorized Network > Approved > CIDR Ranges
- GCP > SQL > Instance > Database Flags
- GCP > SQL > Instance > Database Flags > MySQL
- GCP > SQL > Instance > Database Flags > MySQL > Template
- GCP > SQL > Instance > Database Flags > PostgreSQL
- GCP > SQL > Instance > Database Flags > PostgreSQL > Template
- GCP > SQL > Instance > Database Flags > SQL Server
- GCP > SQL > Instance > Database Flags > SQL Server > Template
Action Types
- GCP > SQL > Instance > Update Authorized Network
- GCP > SQL > Instance > Update Database Flags
What's new?
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes breaking changes in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
serviceProperties.blob.DeleteRetentionPolicytoserviceProperties.blob.deleteRetentionPolicyserviceProperties.blob.DeleteRetentionPolicy.DaystoserviceProperties.blob.deleteRetentionPolicy.daysserviceProperties.blob.DeleteRetentionPolicy.EnabledtoserviceProperties.blob.deleteRetentionPolicy.enabledserviceProperties.blob.StaticWebsitetoserviceProperties.blob.staticWebsiteserviceProperties.blob.StaticWebsite.EnabledtoserviceProperties.blob.staticWebsite.enabledserviceProperties.blob.loggingtoserviceProperties.blob.blobAnalyticsLoggingserviceProperties.queue.loggingtoserviceProperties.queue.queueAnalyticsLogging
Added:
serviceProperties.blob.deleteRetentionPolicy.AllowPermanentDelete
Modified:
- The data type of the attribute
serviceProperties.blob.corshas been changed from string ("") to array ([]). - The data type of the attribute
serviceProperties.queue.corshas been changed from string ("") to array ([]).
Users can now enable/disable
Blob loggingfor storage accounts. To get started, set theAzure > Storage > Storage Account > Blob > Logging > *policies.Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the
Azure > Storage > Storage Account > Approved > Infrastructure Encryptionpolicy.
Control Types
- Azure > Storage > Storage Account > Blob
- Azure > Storage > Storage Account > Blob > Logging
Renamed
- Azure > Storage > Storage Account > Public Access to Azure > Storage > Storage Account > Blob Public Access
Policy Types
- Azure > Storage > Storage Account > Approved > Infrastructure Encryption
- Azure > Storage > Storage Account > Blob
- Azure > Storage > Storage Account > Blob > Logging
- Azure > Storage > Storage Account > Blob > Logging > Properties
- Azure > Storage > Storage Account > Blob > Logging > Retention Days
Renamed
- Azure > Storage > Storage Account > Public Access to Azure > Storage > Storage Account > Blob Public Access
Action Types
- Azure > Storage > Storage Account > Update Storage Account Blob Logging
Renamed
- Azure > Storage > Storage Account > Set Public Access to Azure > Storage > Storage Account > Set Blob Public Access
What's new?
- Users can now configure Client Certificate Mode for web apps. To get started, set the
Azure > App Service > Web App > Client Certificate Modepolicy.
Control Types
- Azure > App Service > Web App > Client Certificate Mode
Policy Types
- Azure > App Service > Web App > Client Certificate Mode
Action Types
- Azure > App Service > Web App > Set Client Certificate Mode
What's new?
- New tables added
Enhancements
- The
domaincolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Okta organizations. (#120) - Added support to specify the time period in
.spcfile formax retries,request timeout, andmax backoff timeas required. (#112) - Added
profilecolumn to theokta_factortable. (#130)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that
QueryDatapassed toConnectionKeyColumnsvalue callback is populated withConnectionManager. (#120)
Enhancements
- The
organization_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linear accounts. (#34)
Bug fixes
- Fixed the plugin to correctly check for a valid Personal Access token. (#33)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that
QueryDatapassed toConnectionKeyColumnsvalue callback is populated withConnectionManager. (#34)
Enhancements
- Added column
power_stateto theazure_compute_virtual_machine_scale_set_vmtable. (#800) (Thanks @pdepdecatcat for the contribution!)
Bug fixes
- Fixed the
azure_log_alerttable to correctly return values foractions,condition,description,enabled, andscopescolumns instead ofnull. (#796)
What's new?
Resource Types
- GCP > IAM > API Key
Control Types
- GCP > IAM > API Key > Active
- GCP > IAM > API Key > Approved
- GCP > IAM > API Key > CMDB
- GCP > IAM > API Key > Discovery
- GCP > IAM > API Key > Usage
Policy Types
- GCP > IAM > API Key > Active
- GCP > IAM > API Key > Active > Age
- GCP > IAM > API Key > Active > Last Modified
- GCP > IAM > API Key > Approved
- GCP > IAM > API Key > Approved > Custom
- GCP > IAM > API Key > Approved > Usage
- GCP > IAM > API Key > CMDB
- GCP > IAM > API Key > Usage
- GCP > IAM > API Key > Usage > Limit
Action Types
- GCP > IAM > API Key > Delete
- GCP > IAM > API Key > Router
What's new?
- You can now configure Encryption at Rest for datasets. To get started, set the
GCP > BigQuery > Dataset > Encryption at Rest > *policies.
Control Types
- GCP > BigQuery > Dataset > Encryption at Rest
Policy Types
- GCP > BigQuery > Dataset > Encryption at Rest
- GCP > BigQuery > Dataset > Encryption at Rest > Customer Managed Key
Action Types
- GCP > BigQuery > Dataset > Update Encryption At Rest
What's new?
Control Types
- Kubernetes > Cluster > ServiceNow > Import Set
- Kubernetes > ConfigMap > ServiceNow > Import Set
- Kubernetes > Deployment > ServiceNow > Import Set
- Kubernetes > Namespace > ServiceNow > Import Set
- Kubernetes > Node > ServiceNow > Import Set
- Kubernetes > Pod > ServiceNow > Import Set
- Kubernetes > ReplicaSet > ServiceNow > Import Set
- Kubernetes > Service > ServiceNow > Import Set
Policy Types
- Kubernetes > Cluster > ServiceNow > Import Set
- Kubernetes > Cluster > ServiceNow > Import Set > Archive Columns
- Kubernetes > Cluster > ServiceNow > Import Set > Record
- Kubernetes > Cluster > ServiceNow > Import Set > Table Name
- Kubernetes > ConfigMap > ServiceNow > Import Set
- Kubernetes > ConfigMap > ServiceNow > Import Set > Archive Columns
- Kubernetes > ConfigMap > ServiceNow > Import Set > Record
- Kubernetes > ConfigMap > ServiceNow > Import Set > Table Name
- Kubernetes > Deployment > ServiceNow > Import Set
- Kubernetes > Deployment > ServiceNow > Import Set > Archive Columns
- Kubernetes > Deployment > ServiceNow > Import Set > Record
- Kubernetes > Deployment > ServiceNow > Import Set > Table Name
- Kubernetes > Namespace > ServiceNow > Import Set
- Kubernetes > Namespace > ServiceNow > Import Set > Archive Columns
- Kubernetes > Namespace > ServiceNow > Import Set > Record
- Kubernetes > Namespace > ServiceNow > Import Set > Table Name
- Kubernetes > Node > ServiceNow > Import Set
- Kubernetes > Node > ServiceNow > Import Set > Archive Columns
- Kubernetes > Node > ServiceNow > Import Set > Record
- Kubernetes > Node > ServiceNow > Import Set > Table Name
- Kubernetes > Pod > ServiceNow > Import Set
- Kubernetes > Pod > ServiceNow > Import Set > Archive Columns
- Kubernetes > Pod > ServiceNow > Import Set > Record
- Kubernetes > Pod > ServiceNow > Import Set > Table Name
- Kubernetes > ReplicaSet > ServiceNow > Import Set
- Kubernetes > ReplicaSet > ServiceNow > Import Set > Archive Columns
- Kubernetes > ReplicaSet > ServiceNow > Import Set > Record
- Kubernetes > ReplicaSet > ServiceNow > Import Set > Table Name
- Kubernetes > Service > ServiceNow > Import Set
- Kubernetes > Service > ServiceNow > Import Set > Archive Columns
- Kubernetes > Service > ServiceNow > Import Set > Record
- Kubernetes > Service > ServiceNow > Import Set > Table Name
Bug fixes
- Guardrails failed to process real-time snapshot events if the
AWS > EC2 > Snapshot > CMDBpolicy was set toEnforce: Enabled for Snapshots not created with AWS Backup. This issue has now been fixed.
What's new?
- Users can now configure DNSSEC for managed zones via Guardrails. To get started, set the
GCP > DNS > Managed Zone > DNSSEC Configurationpolicy. - Users can now configure logging for DNS policies. To get started, set the
GCP > DNS > Policy > Loggingpolicy.
Control Types
- GCP > DNS > Managed Zone > DNSSEC Configuration
- GCP > DNS > Policy > Logging
Policy Types
- GCP > DNS > Managed Zone > DNSSEC Configuration
- GCP > DNS > Policy > Logging
Action Types
- GCP > DNS > Managed Zone > Update DNSSEC Configuration
- GCP > DNS > Policy > Update Logging
Bug fixes
- Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.
What's new?
- Users can now enable/disable Trusted Launch for all second generation virtual machines. To get started, set the
Azure > Compute > Virtual Machine > Trusted launchpolicy. - You can now configure Encryption at Rest for Disks. To get started, set the
Azure > Compute > Disk > Encryption at Rest > *policies.
Control Types
- Azure > Compute > Disk > Encryption at Rest
- Azure > Compute > Virtual Machine > Trusted Launch
Policy Types
- Azure > Compute > Disk > Encryption at Rest
- Azure > Compute > Disk > Encryption at Rest > Disk Encryption Set
- Azure > Compute > Virtual Machine > Trusted launch
Action Types
- Azure > Compute > Disk > Update Encryption at Rest
- Azure > Compute > Virtual Machine > Update Trusted Luanch
What's new?
- User can now register web apps with Entra ID to connect to other Azure services securely without the need for usernames and passwords. To get started, set the
Azure > App Service > Web App > System Assigned Identitypolicy. - Diagnostic Settings details will now also be available for Web Apps in Guardrails CMDB.
Control Types
- Azure > App Service > Web App > System Assigned Identity
Policy Types
- Azure > App Service > Web App > System Assigned Identity
Action Types
- Azure > App Service > Web App > Set System Assigned Identity
Bug fixes
- The
Azure > App Service > Web App > FTPS Statecontrol failed to set the FTPS State correctly for web apps. This issue is now fixed.
What's new?
Policy Types
- GCP > BigQuery > Dataset > Approved > Custom
What's new?
- Users can now configure retention policy for flow logs. To get started, set the
Azure > Network Watcher > Flow Log > Retention Policy > *policies.
Control Types
- Azure > Network Watcher > Flow Log > Retention Policy
Policy Types
- Azure > Network Watcher > Flow Log > Retention Policy
- Azure > Network Watcher > Flow Log > Retention Policy > Days
Action Types
- Azure > Network Watcher > Flow Log > Update Retention Policy
What's new?
- The
Azure > Active Directory > Directory > CMDBcontrol will now also fetch named locations and authorization policy details and store them in CMDB.
Bug fixes
- Account Password Policy details did not refresh correctly in Guardrails CMDB if those settings were reset to defaults in AWS. This resulted in the
AWS > IAM > Account Password Policy > Settingscontrol not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.
What's new?
- New tables added
Bug fixes
What's new?
- The
Azure > Security Center > Security Center > CMDBcontrol will now also fetch security settings details and store them in CMDB.
Bug fixes
- Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.
Bug fixes
- Fixed the export tool of the plugin to return a non-zero error code instead of 0 whenever an error occurred. (#79)
Bug fixes
- Server
- Resolved an issue that caused control targeting to accounts fail when AWS Gov accounts were imported in commercial environment.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
The default value for GCP > Storage > Bucket > ServiceNow > Import Set now shows the resource_type_uri correctly.
Control Types
Added
- GCP > Storage > Bucket > ServiceNow > Import Set
Policy Types
Added
- GCP > Storage > Bucket > ServiceNow > Import Set
- GCP > Storage > Bucket > ServiceNow > Import Set > Archive Columns
- GCP > Storage > Bucket > ServiceNow > Import Set > Record
- GCP > Storage > Bucket > ServiceNow > Import Set > Table Name
What's new?
ServiceNow > Turbot > Watches > GCP Archive and Delete Recordaction now supports archivingImport Setrecords.
Control Types
Added
- Azure > Storage > Storage Account > ServiceNow > Import Set
Policy Types
Added
- Azure > Storage > Storage Account > ServiceNow > Import Set
- Azure > Storage > Storage Account > ServiceNow > Import Set > Archive Columns
- Azure > Storage > Storage Account > ServiceNow > Import Set > Record
- Azure > Storage > Storage Account > ServiceNow > Import Set > Table Name
What's new?
ServiceNow > Turbot > Watches > Azure Archive and Delete Recordaction now supports archivingImport Setrecords.
Bug fixes
- Default policy values for
ServiceNow > Application > CMDB,ServiceNow > Cost Center > CMDB&ServiceNow > User > CMDBhave been updated fromEnforce: EnabledtoSkip.
Policy Types
Added
- ServiceNow > Import Set
- ServiceNow > Import Set > Table Name [Default]
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Server
- The
OUTBOUND_SECURITY_GROUP_IDenvironment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.
- The
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
Azure > Network > Network Security Group > Ingress Rules > ApprovedandAzure > Network > Network Security Group > Egress Rules > Approvedcontrols previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.
Bug fixes
- Reverted the export CLI behavior to return
<nil>fornullvalues instead of"". (#77)
Bug fixes
- Reverted the export CLI behavior to return
<nil>fornullvalues instead of"". (#77)
Bug fixes
- Reverted the export CLI behavior to return
<nil>fornullvalues instead of"". (#77)
Bug fixes
- The
AWS > RDS > DB Instance > Approvedcontrol will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set theAWS > RDS > DB Cluster > Approved > *policies. - The
AWS > RDS > DB Instance > Approvedcontrol did not stop an unapproved instance if the corresponding policy was set toEnforce: Stop unapprovedorEnforce: Stop unapproved if new, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.
What's new
- New tables added
Enhancements
- Added 9 new columns to the
aws_elasticache_clustertable. (#2224)
Bug fixes
What's new?
- Server
- The creation of the
EncryptionInTransitTopicPolicy has shifted from a custom resource to AWS CloudFormation’sAWS::SNS::TopicPolicy.
- The creation of the
Bug fixes
- Server
- Changes to notifications introduced in version 5.44.2 have been rolled back due to issues with specific queries. This action restores previous functionality and ensures stability across the platform.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
- Optimized
log_group_metric_*queries to minimize API usage, achieving faster performance. (#802)
What's new?
Server
- Made notifications faster by improving the query, which enhances the performance of the activity tab.
UI
- The
Depends-ontab on the controls page has been renamed toRelated. It now includes the information from the Depends-on tab along with additional related controls information.
- The
Bug fixes
- Server
- Fixed an issue where sometimes an older mod version was used instead of the latest one after a mod upgrade. Now, the cache is properly updated to always use the latest version.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
Azure > Network > Network Security Group > Ingress Rules > Approvedcontrol would sometimes fail to revoke rejected rules when the corresponding policy was set toEnforce: Delete unapproved. This has been fixed, and the control will now work more reliably and consistently than before.
What's new?
- New tables added
Enhancements
- The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#101) - Added the
versionflag to the plugin's Export tool. (#65)
Bug fixes
- Fixed the
argumentscolumn ofterraform_resourcetable to correctly return thetypefield. (#99) (#92)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 that adds support for connection key columns. (#92)
What's new?
- New tables added
Enhancements
Bug fixes
Turbot > osquery > Event Handleraction was not able to handle events for large payloads. This issue is now fixed.
Bug fixes
- The
GCP > Project > CMDBcontrol would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.
All Pipes workspaces are now running Steampipe v0.23.2.
For more information on this Steampipe release, see the release notes.
All Pipes workspaces are now running Powerpipe v0.4.0.
For more information on this Powerpipe release, see the release notes.
Bug fixes
- Users can now configure Auto Provisioning for Azure Security Center in Guardrails. To get started, set the
Azure > Security Center > Security Center > Auto Provisioningpolicy.
Control Types
- Azure > Security Center > Security Center > Auto Provisioning
Policy Types
- Azure > Security Center > Security Center > Auto Provisioning
Action Types
- Azure > Security Center > Security Center > Update Auto Provisioning
Bug fixes
- Fixed the issue of missing and inconsistent columns in Kubernetes CRD tables. (#229) (Thanks @dongho-jung for the contribution!!)
What's new?
- New tables added
- aws_route53_vpc_association_authorization (#2199) (Thanks @jramosf for the contribution!)
Enhancements
- Updated
aws_s3_bucket,aws_s3_bucket_intelligent_tiering_configuration,aws_s3_objectandaws_s3_object_versiontables to useHeadBucketAPI instead ofGetBucketLocationto fetch the region that the bucket resides in. (#2082) (Thanks @pdecat for the contribution!) - Added column
create_timetoaws_ec2_key_pairtable. (#2196) (Thanks @kasadaamos for the contribution!) - Added
instance_typecolumn as an optional qual to theaws_ec2_instance_typetable. (#2200)
Bug fixes
- Fixed the
akascolumn inaws_health_affected_entitytable to correctly return data instead of an error by handling events that do not have anyARN. (#2189) - Fixed
cnameandendpoint_urlcolumns ofaws_elastic_beanstalk_environmenttable to correctly return data instead ofnull. (#2201) - Fixed the
aws_api_gatewayv2_*tables to correctly return data instead of an error by excluding support for the new unsupportedil-central-1region. (#2190)
What's new?
- New tables added
Enhancements
- The
login_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Jira connections. (#119) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#128) - Added the
versionflag to the plugin's Export tool. (#65)
Bug fixes
- Fixed pagination in the
jira_boardtable to correctly return all the data instead of partial results. (#127)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 that adds support for connection key columns. (#119)
What's new?
- New tables added
Bug fixes
- Fixed the
public_network_access_for_ingestionand thepublic_network_access_for_querycolumns of theazure_application_insighttable to be ofStringdata type instead ofJSON. (#769) - Fixed the
azure_role_assignmenttable to correctly return values forprincipal_idandprincipal_typecolumns instead ofnull. (#763) - Fixed the
web_application_firewall_configurationcolumn of theazure_application_gatewaytable to correctly return data instead ofnull. (#770)
What's new?
- Added FedRAMP High benchmark (
powerpipe benchmark run azure_compliance.benchmark.fedramp_high). (#270)
What's new?
- Subscription CMDB data will now also include tagging details for the subscription.
What's new?
- The
Azure > Security Center > Security Center > Defender Plancontrol now also supports services like Cloud Posture, Containers and Cosmos DB.
What's new?
- New tables added
Bug fixes
What's new?
Server
- Added support for newer auth mechanism to fetch temporary Azure credentials via the
@azure/msal-nodepackage.
- Added support for newer auth mechanism to fetch temporary Azure credentials via the
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Users can now skip upserting snapshots in Guardrails CMDB if they are created via the AWS Backup service. To get started, set the
AWS > EC2 > Snapshot > CMDBpolicy toEnforce: Enabled for Snapshots not created with AWS Backup.
Bug fixes
- The
AWS > Turbot > Service Roles > Sourcepolicy went to an invalid state if all but theAWS > Turbot > Service Roles > Event Handlers [Global]policy was enabled. This issue impacted theAWS > Turbot > Service Rolesstack control, preventing the role from being created correctly. This has been fixed, and theAWS > Turbot > Service Roles > Sourcepolicy will now work as expected.
Bug fixes
- The
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registeredcontrol did not evaluate the result correctly, as expected. This is now fixed.
Whats new
- Updated JSON and snapshot output to handle duplicate column names - append a unique suffix to duplicate column names. (#375)
Bug fixes
- Fixed bug when generating a snapshot from a benchmark run, the row data is empty if any of the rows are in error. (#366)
- Updated mod install to only install or update mods which are command targets (and their dependencies). Set default pull mode for install is latest if there is a target, and minimal if no target is given. (#381)
- Fixed incorrect help message for output in powerpipe benchmark/control run. (#367)
- Fixed issue where
POWERPIPE_PORTenv var was not being honoured. (#362) - Updated timing metadata output to rename
durationfield toduration_msfor consistency with steampipe. (#368) - Dashboard graph should not crash if an invalid edge category color is provided. (#364)
- Dashboard flow/hierarchy components should show panel controls. (#363)
Updated output formats
The rows property in the JSON and snapshot output will now have unique column names for duplicate column names.
The columns property will have the original column name as original_name.
For example, for the query:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output pps
Here is the updated JSON output:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output json{ "columns": [ { "name": "title", "data_type": "text" }, { "name": "title_t5zj1", "data_type": "text", "original_name": "title" }, { "name": "title_t5zj2", "data_type": "text", "original_name": "title" } ], "rows": [ { "title": "arn:aws:::882789663776", "title_t5zj1": "882789663776", "title_t5zj2": "882789663776" }, ], "metadata": { "rows_returned": 3, "duration_ms": "202ms" }}Here is the updated snapshot output:
{ "schema_version": "20240130", "panels": { "custom.dashboard.sql_e5br7b82": { "dashboard": "custom.dashboard.sql_e5br7b82", "name": "custom.dashboard.sql_e5br7b82", "panel_type": "dashboard", "source_definition": "", "status": "complete", "title": "Custom query [e5br7b82]" }, "custom.table.results": { "dashboard": "custom.dashboard.sql_e5br7b82", "name": "custom.table.results", "panel_type": "table", "source_definition": "", "status": "complete", "sql": " select arn as title, account_id as title, title as title from aws_account", "properties": { "name": "results" }, "data": { "columns": [ { "name": "title", "data_type": "TEXT" }, { "name": "title_t5zj1", "data_type": "TEXT", "original_name": "title" }, { "name": "title_t5zj2", "data_type": "TEXT", "original_name": "title" } ], "rows": [ { "title": "arn:aws:::876515858155", "title_t5zj1": "876515858155", "title_t5zj2": "morales-aaa" }, { "title": "arn:aws:::882789663776", "title_t5zj1": "882789663776", "title_t5zj2": "882789663776" }, { "title": "arn:aws:::097350876455", "title_t5zj1": "097350876455", "title_t5zj2": "turbot-silverwater" } ] } } }, "inputs": {}, "variables": {}, "search_path": null, "start_time": "2024-06-06T14:50:16.906739+01:00", "end_time": "2024-06-06T14:50:16.991955+01:00", "layout": { "name": "custom.dashboard.sql_e5br7b82", "children": [ { "name": "custom.table.results", "panel_type": "table" } ], "panel_type": "dashboard" }}What's new?
Updated the existing Flags attribute to include new specific flags that control the operation of Mod Lambda functions within a Virtual Private Cloud (VPC). This update allows Lambdas to use static IP addresses, improving network stability and predictability across different cloud environments. New flags Added to Flags Attribute:
- LAMBDA_IN_VPC_AWS
- LAMBDA_IN_VPC_AZURE
- LAMBDA_IN_VPC_GCP
- LAMBDA_IN_VPC_SERVICENOW
Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.
What's new?
Server
- You can now configure Mod Lambda functions to run within a VPC across various providers including AWS, Azure, ServiceNow, and GCP. This update ensures Lambdas operate with static CIDR ranges.
- Enhanced
osquery/loggerAPI to support payloads up to 10MB.
Requirements
- TEF: 1.59.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Minor fixes and improvements.
Bug fixes
- The
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registeredcontrol did not evaluate the result correctly, as expected. This is now fixed.
What's new?
- Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run aws_compliance.benchmark.rbi_itf_nbfc). (#798)
Bug fixes
- The
Azure > Network > Network Security Group > Ingress Rules > ApprovedandAzure > Network > Network Security Group > Egress Rules > Approvedcontrols previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.
What's new?
Add support for installing mods from a branch or from the local file system. (#849).
To install from a branch:
flowpipe mod install github.com/turbot/flowpipe-mod-aws-thrifty#mainTo reference a mod in the local file system:
flowpipe mod install ../mods/local_mod_folder
Add
--pullflag tomodcommand to control the mod update strategy. (#849). Possible update strategies are:full- check branch and tags for both latest and accuracylatest- update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)development- update branches and broken constraints to latest, leave satisfied constraints unchangedminimal- only update broken constraints, do not check branches for new commits
- Variable list and show commands. (#373)
Bug fixes
- Pipeline references declared in subsequent files are correctly identified and processed.
- Preserves pipeline params ordering as specified in the pipeline definition. (#408)
What's new?
- Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
benchmark (
powerpipe benchmark run azure_compliance.benchmark.rbi_itf_nbfc_v2017). (#267)
Bug fixes
- The
GCP > Turbot > Event Handlers > Loggingwould go into an Invalid state because of incorrect filter patterns defined in theGCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransferpolicy. This is fixed and the control will now work as expected.
Bug fixes
- Guardrails would sometimes process the real-time event
compute.networks.deletefor default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.
What's new?
Resource Types
- AWS > AppFabric
Policy Types
- AWS > AppFabric > API Enabled
- AWS > AppFabric > Approved Regions [Default]
- AWS > AppFabric > Enabled
- AWS > AppFabric > Permissions
- AWS > AppFabric > Permissions > Levels
- AWS > AppFabric > Permissions > Levels > Modifiers
- AWS > AppFabric > Permissions > Lockdown
- AWS > AppFabric > Permissions > Lockdown > API Boundary
- AWS > AppFabric > Regions
- AWS > AppFabric > Tags Template [Default]
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-appfabric
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-appfabric
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-appfabric
What's new?
Control Types
- GCP > IAM > Project User > Approved
Policy Types
- GCP > IAM > Project User > Approved
- GCP > IAM > Project User > Approved > Custom
- GCP > IAM > Project User > Approved > Usage
Bug fixes
- Guardrails failed to process the real-time event
s3:PutBucketReplicationfor buckets. This is now fixed. - The
AWS > S3 > Bucket > Access Loggingcontrol would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.
Enhancements
- The
user_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Pipes connections. (#27) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#32) - Added the
versionflag to the plugin's Export tool. (#65)
Bug fixes
- Fixed the plugin to correctly authenticate against a custom tenant in
Pipesinstead of returning a401error. (#30)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 that adds support for connection key columns. (#27)
The Semgrep plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
- Added
Detect and Correctpipeline for DynamoDB tables with stale data. (#34)
What's new?
- Added the following new pipeline:
delete_dynamodb_table
What's new?
- New tables added
- github_blob (#430) (Thanks @rmhartog for the contribution!)
- github_repository_content (#317)
Enhancements
- The
login_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Github connections. (#422) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#219) - Added the
versionflag to the plugin's Export tool. (#65)
Bug fixes
- Fixed the plugin support for Github OAuth Access token to work correctly. (#432)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 that adds support for connection key columns. (#422)
Bug fixes
- Updated Postgres FDW to
v1.11.2to remove unnecessaryNOTICElevel log messages. (#469)
What's new?
- Added NIST SP 800-171 Revision 2 benchmark (
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2). (#264)
Integrate your developer account, team or custom tenant with GitHub, enabling you to install custom Powerpipe mods from public or private repositories. Push changes for instant deploys and live updates.
For more information, see the launch post or check out the docs.
Bug fixes
- Guardrails failed to discover system storage containers (e.g.
$logs) for storage accounts. This is now fixed.
Bug fixes
- Added support to process enable and disable real-time events for BigQuery Data Transfer API via Service Usage APIs.
5.0.0 (2024-05-15)
What's new?
Resource Types
- GCP > BigQuery Data Transfer
- GCP > BigQuery Data Transfer > Transfer Config
Control Types
- GCP > BigQuery Data Transfer > API Enabled
- GCP > BigQuery Data Transfer > CMDB
- GCP > BigQuery Data Transfer > Discovery
- GCP > BigQuery Data Transfer > Transfer Config > Active
- GCP > BigQuery Data Transfer > Transfer Config > Approved
- GCP > BigQuery Data Transfer > Transfer Config > CMDB
- GCP > BigQuery Data Transfer > Transfer Config > Discovery
- GCP > BigQuery Data Transfer > Transfer Config > Usage
Policy Types
- GCP > BigQuery Data Transfer > API Enabled
- GCP > BigQuery Data Transfer > Approved Regions [Default]
- GCP > BigQuery Data Transfer > CMDB
- GCP > BigQuery Data Transfer > Enabled
- GCP > BigQuery Data Transfer > Permissions
- GCP > BigQuery Data Transfer > Permissions > Levels
- GCP > BigQuery Data Transfer > Permissions > Levels > Modifiers
- GCP > BigQuery Data Transfer > Regions
- GCP > BigQuery Data Transfer > Transfer Config > Active
- GCP > BigQuery Data Transfer > Transfer Config > Active > Age
- GCP > BigQuery Data Transfer > Transfer Config > Active > Last Modified
- GCP > BigQuery Data Transfer > Transfer Config > Approved
- GCP > BigQuery Data Transfer > Transfer Config > Approved > Custom
- GCP > BigQuery Data Transfer > Transfer Config > Approved > Usage
- GCP > BigQuery Data Transfer > Transfer Config > CMDB
- GCP > BigQuery Data Transfer > Transfer Config > Regions
- GCP > BigQuery Data Transfer > Transfer Config > Usage
- GCP > BigQuery Data Transfer > Transfer Config > Usage > Limit
- GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer
- GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-bigquerydatatransfer
- GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-bigquerydatatransfer
Action Types
- GCP > BigQuery Data Transfer > Set API Enabled
- GCP > BigQuery Data Transfer > Transfer Config > Delete
- GCP > BigQuery Data Transfer > Transfer Config > Router
Bug fixes
- Load
localsin order of dependency. (#399).
What's new?
- New dashboards added:
- New benchmark added:
Enhancements
- Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to AliCloud v0.22.0 or higher. (#95)
Whats new
Added support for installing mods from a branch or from the local file system. (#285)
To install from a branch:
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected#mainTo reference a mod in the local file system:
powerpipe mod install ../mods/local_mod_folderAdded
--pullflag tomod,dashboardandbenchmarkcommands to control the mod update strategy. (#352). Possible update strategies are:full- check branch and tags for both latest and accuracylatest- update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)development- update branches and broken constraints to latest, leave satisfied constraints unchangedminimal- only update broken constraints, do not check branches for new commits
Bug fixes
- Fixed control category titles to use
osqueryinstead ofOsquery.
Bug fixes
Kubernetes > Noderesources will no longer include theconditions.lastHeartbeatTimeorresource_versionproperties to avoid unnecessary notifications in the activity tab.
What's new?
Resource Types
- AWS > EventBridge Scheduler
Policy Types
- AWS > EventBridge Scheduler > API Enabled
- AWS > EventBridge Scheduler > Approved Regions [Default]
- AWS > EventBridge Scheduler > Enabled
- AWS > EventBridge Scheduler > Permissions
- AWS > EventBridge Scheduler > Permissions > Levels
- AWS > EventBridge Scheduler > Permissions > Levels > Modifiers
- AWS > EventBridge Scheduler > Permissions > Lockdown
- AWS > EventBridge Scheduler > Permissions > Lockdown > API Boundary
- AWS > EventBridge Scheduler > Regions
- AWS > EventBridge Scheduler > Tags Template [Default]
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgescheduler
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgescheduler
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgescheduler
What's new?
Resource Types
- AWS > EventBridge Pipes
Policy Types
- AWS > EventBridge Pipes > API Enabled
- AWS > EventBridge Pipes > Approved Regions [Default]
- AWS > EventBridge Pipes > Enabled
- AWS > EventBridge Pipes > Permissions
- AWS > EventBridge Pipes > Permissions > Levels
- AWS > EventBridge Pipes > Permissions > Levels > Modifiers
- AWS > EventBridge Pipes > Permissions > Lockdown
- AWS > EventBridge Pipes > Permissions > Lockdown > API Boundary
- AWS > EventBridge Pipes > Regions
- AWS > EventBridge Pipes > Tags Template [Default]
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgepipes
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgepipes
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgepipes
Enhancements
- The
tenant_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Microsoft 365 subscriptions. (#50) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#55) - Added the
versionflag to the plugin's Export tool. (#65)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that
QueryDatapassed toConnectionKeyColumnsvalue callback is populated withConnectionManager. (#50)
Enhancements
- The
tenant_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#175) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#180) - Added support for
China cloudendpoint and scope based on the environment. (#174) - Added the
versionflag to the plugin's Export tool. (#65)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that
QueryDatapassed toConnectionKeyColumnsvalue callback is populated withConnectionManager. (#175)
What's new?
- Added 30 new 'detect and correct' pipelines to identify unused and underutilized AWS resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see AWS Thrifty Mod.
Enhancements
- Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to GCP v0.52.0 or higher. (#78)
Enhancements
- Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to Azure v0.56.0 or higher. (#124)
Enhancements
- Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to AWS v0.136.0 or higher. (#347)
What's new?
Server
- Added a new GraphQL resolver for osquery to generate an enrollSecret.
- Added new REST APIs for osquery management, which includes:
api/latest/osquery/enrollapi/latest/osquery/configapi/latest/osquery/logger
- Introduced a dedicated worker, along with SQS FIFO queue and SNS topic FIFO, to run osquery operations.
- Implemented a new
serviceNowCredentialresolver specifically for Kubernetes clusters. - Upgraded our SDK (
@turbot/sdk) to version 5.15.0 and our fn toolkit (@turbot/fn) to version 5.22.0, to support FIFO queues.
UI
- Added support for connecting to Kubernetes, facilitating easier integration and management.
- Added report for AWS CIS v2.0.
- Added report for AWS CIS v3.0.
- Added report for Azure CIS v2.0.
- Added report for GCP CIS v2.0.
Requirements
- TEF: 1.58.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types
- Kubernetes > Cluster > ServiceNow
- Kubernetes > Cluster > ServiceNow > Configuration Item
- Kubernetes > Cluster > ServiceNow > Table
- Kubernetes > ConfigMap > ServiceNow
- Kubernetes > ConfigMap > ServiceNow > Configuration Item
- Kubernetes > ConfigMap > ServiceNow > Table
- Kubernetes > Deployment > ServiceNow
- Kubernetes > Deployment > ServiceNow > Configuration Item
- Kubernetes > Deployment > ServiceNow > Table
- Kubernetes > Namespace > ServiceNow
- Kubernetes > Namespace > ServiceNow > Configuration Item
- Kubernetes > Namespace > ServiceNow > Table
- Kubernetes > Node > ServiceNow
- Kubernetes > Node > ServiceNow > Configuration Item
- Kubernetes > Node > ServiceNow > Table
- Kubernetes > Pod > ServiceNow
- Kubernetes > Pod > ServiceNow > Configuration Item
- Kubernetes > Pod > ServiceNow > Table
- Kubernetes > ReplicaSet > ServiceNow
- Kubernetes > ReplicaSet > ServiceNow > Configuration Item
- Kubernetes > ReplicaSet > ServiceNow > Table
- Kubernetes > Service > ServiceNow
- Kubernetes > Service > ServiceNow > Configuration Item
- Kubernetes > Service > ServiceNow > Table
- ServiceNow > Turbot > Watches > Kubernetes
Policy Types
- Kubernetes > Cluster > ServiceNow
- Kubernetes > Cluster > ServiceNow > Configuration Item
- Kubernetes > Cluster > ServiceNow > Configuration Item > Record
- Kubernetes > Cluster > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Cluster > ServiceNow > Table
- Kubernetes > Cluster > ServiceNow > Table > Definition
- Kubernetes > ConfigMap > ServiceNow
- Kubernetes > ConfigMap > ServiceNow > Configuration Item
- Kubernetes > ConfigMap > ServiceNow > Configuration Item > Record
- Kubernetes > ConfigMap > ServiceNow > Configuration Item > Table Definition
- Kubernetes > ConfigMap > ServiceNow > Table
- Kubernetes > ConfigMap > ServiceNow > Table > Definition
- Kubernetes > Deployment > ServiceNow
- Kubernetes > Deployment > ServiceNow > Configuration Item
- Kubernetes > Deployment > ServiceNow > Configuration Item > Record
- Kubernetes > Deployment > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Deployment > ServiceNow > Table
- Kubernetes > Deployment > ServiceNow > Table > Definition
- Kubernetes > Namespace > ServiceNow
- Kubernetes > Namespace > ServiceNow > Configuration Item
- Kubernetes > Namespace > ServiceNow > Configuration Item > Record
- Kubernetes > Namespace > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Namespace > ServiceNow > Table
- Kubernetes > Namespace > ServiceNow > Table > Definition
- Kubernetes > Node > ServiceNow
- Kubernetes > Node > ServiceNow > Configuration Item
- Kubernetes > Node > ServiceNow > Configuration Item > Record
- Kubernetes > Node > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Node > ServiceNow > Table
- Kubernetes > Node > ServiceNow > Table > Definition
- Kubernetes > Pod > ServiceNow
- Kubernetes > Pod > ServiceNow > Configuration Item
- Kubernetes > Pod > ServiceNow > Configuration Item > Record
- Kubernetes > Pod > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Pod > ServiceNow > Table
- Kubernetes > Pod > ServiceNow > Table > Definition
- Kubernetes > ReplicaSet > ServiceNow
- Kubernetes > ReplicaSet > ServiceNow > Configuration Item
- Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Record
- Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Table Definition
- Kubernetes > ReplicaSet > ServiceNow > Table
- Kubernetes > ReplicaSet > ServiceNow > Table > Definition
- Kubernetes > Service > ServiceNow
- Kubernetes > Service > ServiceNow > Configuration Item
- Kubernetes > Service > ServiceNow > Configuration Item > Record
- Kubernetes > Service > ServiceNow > Configuration Item > Table Definition
- Kubernetes > Service > ServiceNow > Table
- Kubernetes > Service > ServiceNow > Table > Definition
- ServiceNow > Turbot > Watches > Kubernetes
Action Types
- ServiceNow > Turbot > Watches > Kubernetes Archive And Delete Record
What's new?
Resource Types
- osquery
Control Types
- Turbot > Workspace > osquery
- Turbot > Workspace > osquery > Secret Rotation
Policy Types
- Turbot > Workspace > osquery
- Turbot > Workspace > osquery > Enroll Secret Expiration
- Turbot > Workspace > osquery > Secrets
- Turbot > Workspace > osquery > Secrets > Expiration Period
- Turbot > Workspace > osquery > Secrets > Rotation
- osquery > Configuration
Action Types
- Turbot > Rotate osquery Secret
- osquery > Event Handler
What's new?
Resource Types
- Kubernetes
- Kubernetes > Cluster
- Kubernetes > ConfigMap
- Kubernetes > Deployment
- Kubernetes > Namespace
- Kubernetes > Node
- Kubernetes > Pod
- Kubernetes > ReplicaSet
- Kubernetes > Service
Control Types
- Kubernetes > Cluster > CMDB
- Kubernetes > ConfigMap > Annotations
- Kubernetes > ConfigMap > Approved
- Kubernetes > ConfigMap > CMDB
- Kubernetes > ConfigMap > Labels
- Kubernetes > ConfigMap > Query
- Kubernetes > Deployment > Annotations
- Kubernetes > Deployment > Approved
- Kubernetes > Deployment > CMDB
- Kubernetes > Deployment > Labels
- Kubernetes > Deployment > Query
- Kubernetes > Namespace > Annotations
- Kubernetes > Namespace > Approved
- Kubernetes > Namespace > CMDB
- Kubernetes > Namespace > Labels
- Kubernetes > Namespace > Query
- Kubernetes > Node > Annotations
- Kubernetes > Node > Approved
- Kubernetes > Node > CMDB
- Kubernetes > Node > Labels
- Kubernetes > Node > Query
- Kubernetes > Pod > Annotations
- Kubernetes > Pod > Approved
- Kubernetes > Pod > CMDB
- Kubernetes > Pod > Labels
- Kubernetes > Pod > Query
- Kubernetes > ReplicaSet > Annotations
- Kubernetes > ReplicaSet > Approved
- Kubernetes > ReplicaSet > CMDB
- Kubernetes > ReplicaSet > Labels
- Kubernetes > ReplicaSet > Query
- Kubernetes > Service > Annotations
- Kubernetes > Service > Approved
- Kubernetes > Service > CMDB
- Kubernetes > Service > Labels
- Kubernetes > Service > Query
Policy Types
- Kubernetes > Cluster > CMDB
- Kubernetes > ConfigMap > Annotations
- Kubernetes > ConfigMap > Annotations > Template
- Kubernetes > ConfigMap > Approved
- Kubernetes > ConfigMap > Approved > Custom
- Kubernetes > ConfigMap > CMDB
- Kubernetes > ConfigMap > Labels
- Kubernetes > ConfigMap > Labels > Template
- Kubernetes > ConfigMap > osquery
- Kubernetes > ConfigMap > osquery > Configuration
- Kubernetes > ConfigMap > osquery > Configuration > Columns
- Kubernetes > ConfigMap > osquery > Configuration > Interval
- Kubernetes > ConfigMap > osquery > Configuration > Name
- Kubernetes > Deployment > Annotations
- Kubernetes > Deployment > Annotations > Template
- Kubernetes > Deployment > Approved
- Kubernetes > Deployment > Approved > Custom
- Kubernetes > Deployment > CMDB
- Kubernetes > Deployment > Labels
- Kubernetes > Deployment > Labels > Template
- Kubernetes > Deployment > osquery
- Kubernetes > Deployment > osquery > Configuration
- Kubernetes > Deployment > osquery > Configuration > Columns
- Kubernetes > Deployment > osquery > Configuration > Interval
- Kubernetes > Deployment > osquery > Configuration > Name
- Kubernetes > Namespace > Annotations
- Kubernetes > Namespace > Annotations > Template
- Kubernetes > Namespace > Approved
- Kubernetes > Namespace > Approved > Custom
- Kubernetes > Namespace > CMDB
- Kubernetes > Namespace > Labels
- Kubernetes > Namespace > Labels > Template
- Kubernetes > Namespace > osquery
- Kubernetes > Namespace > osquery > Configuration
- Kubernetes > Namespace > osquery > Configuration > Columns
- Kubernetes > Namespace > osquery > Configuration > Interval
- Kubernetes > Namespace > osquery > Configuration > Name
- Kubernetes > Node > Annotations
- Kubernetes > Node > Annotations > Template
- Kubernetes > Node > Approved
- Kubernetes > Node > Approved > Custom
- Kubernetes > Node > CMDB
- Kubernetes > Node > Labels
- Kubernetes > Node > Labels > Template
- Kubernetes > Node > osquery
- Kubernetes > Node > osquery > Configuration
- Kubernetes > Node > osquery > Configuration > Columns
- Kubernetes > Node > osquery > Configuration > Interval
- Kubernetes > Node > osquery > Configuration > Name
- Kubernetes > Pod > Annotations
- Kubernetes > Pod > Annotations > Template
- Kubernetes > Pod > Approved
- Kubernetes > Pod > Approved > Custom
- Kubernetes > Pod > CMDB
- Kubernetes > Pod > Labels
- Kubernetes > Pod > Labels > Template
- Kubernetes > Pod > osquery
- Kubernetes > Pod > osquery > Configuration
- Kubernetes > Pod > osquery > Configuration > Columns
- Kubernetes > Pod > osquery > Configuration > Interval
- Kubernetes > Pod > osquery > Configuration > Name
- Kubernetes > ReplicaSet > Annotations
- Kubernetes > ReplicaSet > Annotations > Template
- Kubernetes > ReplicaSet > Approved
- Kubernetes > ReplicaSet > Approved > Custom
- Kubernetes > ReplicaSet > CMDB
- Kubernetes > ReplicaSet > Labels
- Kubernetes > ReplicaSet > Labels > Template
- Kubernetes > ReplicaSet > osquery
- Kubernetes > ReplicaSet > osquery > Configuration
- Kubernetes > ReplicaSet > osquery > Configuration > Columns
- Kubernetes > ReplicaSet > osquery > Configuration > Interval
- Kubernetes > ReplicaSet > osquery > Configuration > Name
- Kubernetes > Service > Annotations
- Kubernetes > Service > Annotations > Template
- Kubernetes > Service > Approved
- Kubernetes > Service > Approved > Custom
- Kubernetes > Service > CMDB
- Kubernetes > Service > Labels
- Kubernetes > Service > Labels > Template
- Kubernetes > Service > osquery
- Kubernetes > Service > osquery > Configuration
- Kubernetes > Service > osquery > Configuration > Columns
- Kubernetes > Service > osquery > Configuration > Interval
- Kubernetes > Service > osquery > Configuration > Name
- Kubernetes > osquery
- Kubernetes > osquery > Decorators
Action Types
- Kubernetes > ConfigMap > Router
- Kubernetes > Deployment > Router
- Kubernetes > Namespace > Router
- Kubernetes > Node > Router
- Kubernetes > Pod > Router
- Kubernetes > ReplicaSet > Router
- Kubernetes > Service > Router
Bug fixes
- The
GCP > IAM > Service Account Key > Activecontrol will no longer attempt to delete a system-managed service account key deemed inactive by the control.
What's new?
- You can now determine if an IAM access key for a user is latest and deactivate or delete any keys that are not, using Guardrails. To get started, set the
AWS > IAM > Access Key > Active > Latestpolicy. - You can now determine if an IAM server certificate is active based on its expiration. To get started, set the
AWS > IAM > Server Certificate > Active > Expiredpolicy.
Policy Types
- AWS > IAM > Access Key > Active > Latest
- AWS > IAM > Server Certificate > Active > Expired
- New tables added
Enhancements
- The
tenant_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple OCI tenants. (#606) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#614) - Added the
versionflag to the plugin's Export tool. (#65)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.0 that adds support for connection key columns. (#606)
- Recompiled plugin with github.com/hashicorp/go-getter v1.7.4. (#611)
Enhancements
- The
projectcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple GCP projects. (#564) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#580) - Added the
versionflag to the plugin's Export tool. (#65)****
Bug fixes
- Fixed the table
gcp_cloudfunctions_functionto listgen2cloud functions. (#568) (Thanks @ashutoshmore658 for the contribution!)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.0 that adds support for connection key columns. (#564)
- Recompiled plugin with github.com/hashicorp/go-getter v1.7.4. (#570)
Enhancements
- The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#756)
Bug fixes
- Fixed the
server_propertiescolumn in theazure_postgresql_flexible_servertable to correctly return data instead ofnil. (#754)
Dependencies
- Recompiled plugin with azure-sdk-for-go v68.0.0+incompatible. (#747)
- Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that
QueryDatapassed toConnectionKeyColumnsvalue callback is populated withConnectionManager. (#755)
Enhancements
- The
account_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Alibaba Cloud accounts. (#406) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#419) - Added the
versionflag to the plugin's Export tool. (#65)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.0 that adds support for connection key columns. (#406)
- Recompiled plugin with github.com/hashicorp/go-getter v1.7.4. (#412)
Bug fixes
- The
GCP > Project > CMDBcontrol would go into an error state if Access Approval API was disabled in GCP. This is now fixed.
Enhancements
- The
context_namecolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Kubernetes connections. (#217) - The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage. (#219) - Added the
versionflag to the plugin's Export tool. (#65)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.0 that adds support for connection key columns. (#217)
- Recompiled plugin with github.com/hashicorp/go-getter v1.7.4. (#218)
v0.138.0 [2024-05-09]
Enhancements
- The Plugin and the Steampipe Anywhere binaries are now built with the
netgopackage for both the Linux and Darwin systems. (#219) (#2180)
Bug fixes
- Fixed the
aws_ebs_snapshottable to correctly return data instead of an empty row. (#2185)
Dependencies
- Recompiled plugin with github.com/hashicorp/go-getter v1.7.4. (#2178)
Whats new
Added support for connection key columns: (#768)
A
connection key columndefines a column whose value maps 1-1 to a Steampipe connection and so can be used to filter connections when executing an aggregator query. These columns are treated as (optional) KeyColumns. This means they are taken into account in the query planning.Added support for verbose timing information. (#4244)
Added support for pushing down sort order. (#447)
Updated limit pushdown logic to push down the limit if all sort clauses are pushed down. (#458)
Added support for
WHERE column=val1 OR column=val2 OR column=val3...Migrated from plugin registry from GCP to GHCR. (#4232)
Bug fixes
Bug fixes
- Ensured
QueryDatapassed to connection key column value callback is populated withConnectionManager. (#797)
What's new?
- Implemented SNS topic to handle critical alarms notifications.
- Added Product, Vendor Tags to the IAM Role resources created by the TEF stack.
- Introduced a new SSM parameter to manage the reserved concurrency settings for the osquery worker lambda function.
- Updated Log Bucket Lifecycle Policies:
- Increased Retention Period: Extended the retention period of the lifecycle policy for logs in the log bucket with the
/processesprefix from 1 day to 2 days. - New Policy Addition: Implemented a new lifecycle policy for managing log retention in the log bucket for logs with the
/osqueryprefix.
- Increased Retention Period: Extended the retention period of the lifecycle policy for logs in the log bucket with the
What's new?
- Implemented critical alarms for RDS DB CPU utilization, DB Max Connections and Redis ElastiCache Memory utilization.
- Added Product, Vendor Tags to the IAM Role resources created by the TED stack.
Bug fixes
- The
Azure > Compute > Virtual Machine Scale Set > Tagscontrol would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.
What's new?
- Revoke ingress rules that are unapproved for use in Network ACLs. To get started, set the
AWS > VPC > Network ACL > Ingress Rules > Approved > *policies.
Bug fixes
- Minor fixes and improvements.
What's new?
- You can now delete existing Mount Targets which are unapproved for use in the account. To get started, set the
AWS > EFS > Mount Target > Approvedpolicy toEnforce: Delete unapproved.
What's new?
- Create and manage
aws_cloudwatch_metric_alarmresources via Guardrails stacks.
Control Types
- AWS > CloudWatch > Alarm > Configured
Policy Types
- AWS > CloudWatch > Alarm > Configured
- AWS > CloudWatch > Alarm > Configured > Claim Precedence
- AWS > CloudWatch > Alarm > Configured > Source
Bug fixes
- Added support for
aws_securityhub_accountTerraform resource.
What's new?
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
Control Types
- AWS > CIS v3.0
- AWS > CIS v3.0 > 1 - Identity and Access Management
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
- AWS > CIS v3.0 > 2 - Storage
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
- AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
- AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
- AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
- AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
- AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
- AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
- AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
- AWS > CIS v3.0 > 3 - Logging
- AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
- AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
- AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions
- AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled
- AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs
- AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
- AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
- AWS > CIS v3.0 > 4 - Monitoring
- AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
- AWS > CIS v3.0 > 5 - Networking
- AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
- AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
- AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
- AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
Policy Types
- AWS > CIS v3.0
- AWS > CIS v3.0 > 1 - Identity and Access Management
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
- AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
- AWS > CIS v3.0 > 1 - Identity and Access Management > Maximum Attestation Duration
- AWS > CIS v3.0 > 2 - Storage
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
- AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
- AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
- AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
- AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
- AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
- AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
- AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
- AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
- AWS > CIS v3.0 > 2 - Storage > Maximum Attestation Duration
- AWS > CIS v3.0 > 3 - Logging
- AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
- AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
- AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions
- AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled
- AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs
- AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
- AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
- AWS > CIS v3.0 > 3 - Logging > Maximum Attestation Duration
- AWS > CIS v3.0 > 4 - Monitoring
- AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
- AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
- AWS > CIS v3.0 > 4 - Monitoring > Maximum Attestation Duration
- AWS > CIS v3.0 > 5 - Networking
- AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
- AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
- AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
- AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation
- AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
- AWS > CIS v3.0 > 5 - Networking > Maximum Attestation Duration
- AWS > CIS v3.0 > Maximum Attestation Duration
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Resource Types:
- GCP > DNS > Policy
Control Types:
- GCP > DNS > Policy > Active
- GCP > DNS > Policy > Approved
- GCP > DNS > Policy > CMDB
- GCP > DNS > Policy > Discovery
- GCP > DNS > Policy > Usage
Policy Types:
- GCP > DNS > Policy > Active
- GCP > DNS > Policy > Active > Age
- GCP > DNS > Policy > Active > Last Modified
- GCP > DNS > Policy > Approved
- GCP > DNS > Policy > Approved > Custom
- GCP > DNS > Policy > Approved > Usage
- GCP > DNS > Policy > CMDB
- GCP > DNS > Policy > Usage
- GCP > DNS > Policy > Usage > Limit
Action Types:
- GCP > DNS > Policy > Delete
- GCP > DNS > Policy > Router
What's new?
Control Types
- GCP > CIS v2.0
- GCP > CIS v2.0 > 1 - Identity and Access Management
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
- GCP > CIS v2.0 > 2 - Logging and Monitoring
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
- GCP > CIS v2.0 > 3 - Networking
- GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
- GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
- GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
- GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
- GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
- GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
- GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
- GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
- GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
- GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
- GCP > CIS v2.0 > 4 - Virtual Machines
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
- GCP > CIS v2.0 > 5 - Storage
- GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
- GCP > CIS v2.0 > 7 - BigQuery
- GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
- GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
Policy Types
- GCP > CIS v2.0
- GCP > CIS v2.0 > 1 - Identity and Access Management
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
- GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation
- GCP > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
- GCP > CIS v2.0 > 2 - Logging and Monitoring
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
- GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
- GCP > CIS v2.0 > 2 - Logging and Monitoring > Maximum Attestation Duration
- GCP > CIS v2.0 > 3 - Networking
- GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
- GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
- GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
- GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
- GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
- GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
- GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
- GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
- GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
- GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
- GCP > CIS v2.0 > 4 - Virtual Machines
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections > Attestation
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
- GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation
- GCP > CIS v2.0 > 4 - Virtual Machines > Maximum Attestation Duration
- GCP > CIS v2.0 > 5 - Storage
- GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
- GCP > CIS v2.0 > 6 - Cloud SQL Database Services > Maximum Attestation Duration
- GCP > CIS v2.0 > 7 - BigQuery
- GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
- GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
- GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
- GCP > CIS v2.0 > Maximum Attestation Duration
Bug fixes
- Minor fixes and improvements.
What's new?
- Access approval setting details for projects is now be available in Project CMDB.
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- New tables added
Enhancements
- The
subscription_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#740) - Added the
versionflag to the plugin's Export tool. (#65)
Bug fixes
- Fixed the plugin's Postgres FDW Extension crash issue.
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.10.0 that adds support for connection key columns. (#745)
Bug fixes
- Action Type for
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approvedcontrol did not render correctly on mod inspect. This is now fixed.
What's new?
- New tables added
Enhancements
- Added the
versionflag to the plugin's Export tool. (#65)
Bug fixes
- Fixed intermittent FDW crashes when certain postgres errors resulted in a signal 16 being raised. (#455)
- Fixed the broken Postgres 14, Postgres 15 and SQLite x86_64 binaries for Darwin operating systems.
Whats new
- It is now possible to set a timeout for benchmark and dashboard execution. These can be set:
- In the workspace using properties:
dashboard_timeoutandbenchmark_timeout - Using the
--dashboard-timeoutflag for thedashboard runandservercommands - Using the
--benchmark-timeoutflag for thebenchmark runcommands. - Using the environment variables
POWERPIPE_DASHBOARD_TIMEOUTandPOWERPIPE_BENCHMARK_TIMEOUTrespectively. (#336)
- In the workspace using properties:
- Support installing private mods using a GitHub app token. (#381).
- Improve the layout of filter and grouping components for control tags and dimensions. (#263)
- Remove the
dashboard input listanddashboard input showcommands. - Add thousands separator to numeric values in dashboard tables. (#315)
- Only show benchmark cards for statuses that are contained in the current filter and add status to filter on card click. (#322)
Bug fixes
All new Pipes workspaces will be running Powerpipe v0.2.0 and existing workspaces will be upgraded by Monday 29th April 2024.
For more information on this Powerpipe release, see the release notes.
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The
Azure > Storage > Storage Account > Data Protectioncontrol would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.
What's new?
- You can now removed unapproved Firewall IP Ranges on PostgreSQL servers and flexi servers. To get started, set the
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > *andAzure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > *policies respectively. - You can now stop unapproved flexi servers. To get started, set the
Azure > PostgreSQL > Flexible Server > Approvedpolicy toEnforce: Stop unapprovedorEnforce: Stop unapproved if new.
Control Types
- Azure > PostgreSQL > Flexible Server > Firewall
- Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
- Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
- Azure > PostgreSQL > Server > Firewall
- Azure > PostgreSQL > Server > Firewall > IP Ranges
- Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved
Policy Types
- Azure > PostgreSQL > Flexible Server > Firewall
- Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
- Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
- Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > IP Addresses
- Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Rules
- Azure > PostgreSQL > Server > Firewall
- Azure > PostgreSQL > Server > Firewall > IP Ranges
- Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved
- Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > IP Addresses
- Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Rules
Action Types
- Azure > PostgreSQL > Flexible Server > Stop
- Azure > PostgreSQL > Server > Update Firewall IP Ranges
Bug fixes
- Fixed control category names for v7.2.10, v7.7.10 and v7.14.1.
What's new?
Control Types
- Azure > CIS v2.0
- Azure > CIS v2.0 > 01 - Identity and Access Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure
User consent for applicationsis set toDo not allow user consent - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
- Azure > CIS v2.0 > 02 - Microsoft Defender
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
- Azure > CIS v2.0 > 03 - Storage Accounts
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that
Enable Infrastructure Encryptionfor Each Storage Account in Azure Storage is Set toenabled - Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
- Azure > CIS v2.0 > 04 - Database Services
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
- Azure > CIS v2.0 > 05 - Logging and Monitoring
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- Azure > CIS v2.0 > 06 - Networking
- Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
- Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
- Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
- Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
- Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
- Azure > CIS v2.0 > 07 - Virtual Machines
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted
- Azure > CIS v2.0 > 08 - Key Vault
- Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
- Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
- Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
- Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- Azure > CIS v2.0 > 09 - Application Services
- Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
- Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
- Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
- Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
- Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
- Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
- Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled
- Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
- Azure > CIS v2.0 > 10 - Miscellaneous
- Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
Policy Types
- Azure > CIS v2.0
- Azure > CIS v2.0 > 01 - Identity and Access Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure
User consent for applicationsis set toDo not allow user consent - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure
User consent for applicationsis set toDo not allow user consent> Attestation - Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' > Attestation
- Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration
- Azure > CIS v2.0 > 02 - Microsoft Defender
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' > Attestation
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' > Attestation
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation
- Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
- Azure > CIS v2.0 > 02 - Microsoft Defender > Maximum Attestation Duration
- Azure > CIS v2.0 > 03 - Storage Accounts
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that
Enable Infrastructure Encryptionfor Each Storage Account in Azure Storage is Set toenabled - Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
- Azure > CIS v2.0 > 03 - Storage Accounts > Maximum Attestation Duration
- Azure > CIS v2.0 > 04 - Database Services
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
- Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
- Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible > Attestation
- Azure > CIS v2.0 > 04 - Database Services > Maximum Attestation Duration
- Azure > CIS v2.0 > 05 - Logging and Monitoring
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
- Azure > CIS v2.0 > 05 - Logging and Monitoring > Maximum Attestation Duration
- Azure > CIS v2.0 > 06 - Networking
- Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
- Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
- Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
- Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
- Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
- Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation
- Azure > CIS v2.0 > 06 - Networking > Maximum Attestation Duration
- Azure > CIS v2.0 > 07 - Virtual Machines
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed > Attestation
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted > Attestation
- Azure > CIS v2.0 > 07 - Virtual Machines > Maximum Attestation Duration
- Azure > CIS v2.0 > 08 - Key Vault
- Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
- Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
- Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
- Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation
- Azure > CIS v2.0 > 08 - Key Vault > Maximum Attestation Duration
- Azure > CIS v2.0 > 09 - Application Services
- Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
- Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
- Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
- Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
- Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App > Attestation
- Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App > Attestation
- Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
- Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App > Attestation
- Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
- Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled
- Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
- Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation
- Azure > CIS v2.0 > 09 - Application Services > Maximum Attestation Duration
- Azure > CIS v2.0 > 10 - Miscellaneous
- Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
- Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
- Azure > CIS v2.0 > 10 - Miscellaneous > Maximum Attestation Duration
- Azure > CIS v2.0 > Maximum Attestation Duration
What's new?
- Server
- Implemented monitoring for
worker_factoryin the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog". - Established a CloudWatch Alarm for the
_worker_factoryqueue. - Product, Vendor Tags to the IAM Role resources created by the TE stack.
- Adjusted the threshold for the CloudWatch Alarm monitoring the
_workerqueue.
- Implemented monitoring for
Bug fixes
Server
- Now, users with only Turbot/User access will no longer see grants or active grants belonging to other users. This ensures that you only view grants that are relevant to your permissions.
- Control will move to error if it fails to determine the state at precheck.
- System resilience has been enhanced through extended TTL settings and refined management of suspended processes, aiming to improve stability and reduce backlog issues.
- Refined management of various processes to improve stability and reduce backlog issues.
UI
- Converted the
template_inputproperty of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.
- Converted the
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Moved the
Turbot > Process Monitorcontrol to operate within the priority queue, ensuring more timely and efficient processing of critical tasks. - Updated the
Turbot > Workspace > Background Taskscontrol to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.
Bug fixes
- Minor fixes and improvements.
What's new?
- You can now configure rotation reminders for access keys and soft delete for blobs and containers in storage accounts. To get started, set the
Azure > Storage > Storage Account > Access Keys > Rotation Reminder > *andAzure > Storage > Storage Account > Data Protection > Soft Delete > *policies respectively.
Control Types
- Azure > Storage > Storage Account > Access Keys
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder
- Azure > Storage > Storage Account > Data Protection
- Azure > Storage > Storage Account > Data Protection > Soft Delete
Policy Types
- Azure > Storage > Storage Account > Access Keys
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
- Azure > Storage > Storage Account > Data Protection
- Azure > Storage > Storage Account > Data Protection > Soft Delete
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days
Action Types
- Azure > Storage > Storage Account > Set Data Protection Soft Delete
- Azure > Storage > Storage Account > Update Rotation Reminder
What's new?
- You can now removed unapproved Firewall IP Ranges on SQL servers. To get started, set the
Azure > SQL > Server > Firewall > IP Ranges > Approved > *policies.
Control Types
- Azure > SQL > Server > Firewall
- Azure > SQL > Server > Firewall > IP Ranges
- Azure > SQL > Server > Firewall > IP Ranges > Approved
Policy Types
- Azure > SQL > Server > Firewall
- Azure > SQL > Server > Firewall > IP Ranges
- Azure > SQL > Server > Firewall > IP Ranges > Approved
- Azure > SQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > SQL > Server > Firewall > IP Ranges > Approved > IP Addresses
- Azure > SQL > Server > Firewall > IP Ranges > Approved > Rules
Action Types
- Azure > SQL > Server > Update Firewall IP Ranges
Enhancements
- Updated the
workspace_dashboarddashboard to include information on the accounts, resources, and active controls across different workspaces. (#31) - Updated the
workspace_account_reportdashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)
Enhancements
- Optimized several queries to minimize API usage, achieving faster performance. (#786)
Bug fixes
- The
rotationPeriodandnextRotationTimeattributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.
What's new?
- You can now configure Encryption in Transit for Flexi Servers. To get started, set the
Azure > MySQL > Flexible Server > Encryption in Transit > *policies. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
Control Types
- Azure > MySQL > Flexible Server > Encryption in Transit
Policy Types
- Azure > MySQL > Flexible Server > Encryption in Transit
Action Types
- Azure > MySQL > Flexible Server > Update Encryption in Transit
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
Policy Types
- Azure > App Service > App Service Plan > Approved > Custom
- Azure > App Service > Function App > Approved > Custom
- Azure > App Service > Web App > Approved > Custom
Bug fixes
- The
AWS > VPC > Flow Log > Configuredcontrol would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.
What's new?
- New tables added
Enhancements
- The
account_idcolumn has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple AWS accounts. (#2133)
Bug fixes
- Fixed the
getDirectoryServiceSnapshotLimitandgetDirectoryServiceEventTopicshydrate calls in theaws_directory_service_directorytable to correctly returnnilfor the unsupportedADConnectorservices instead of an error. (#2170)
What's new?
- New tables added: (Thanks @jplanckeel for the new plugin!)
What's new?
- You can now configure log checkpoints for Flexi Servers. To get started, set the
Azure > PostgreSQL > Flexible Server > Audit Logging > *policies. - We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types
- Azure > PostgreSQL > Flexible Server > Audit Logging
Policy Types
- Azure > PostgreSQL > Flexible Server > Audit Logging
- Azure > PostgreSQL > Flexible Server > Audit Logging > Log Checkpoints
Action Types
- Azure > PostgreSQL > Flexible Server > Update Audit Logging
What's new?
- You can now configure expiration for Key Vault Keys and Secrets. To get started, set the
Azure > Key Vault > Key > Expiration > *andAzure > Key Vault > Secret > Expiration > *policies respectively.
Control Types
- Azure > Key Vault > Key > Expiration
- Azure > Key Vault > Secret > Expiration
Policy Types
- Azure > Key Vault > Key > Expiration
- Azure > Key Vault > Key > Expiration > Days [Default]
- Azure > Key Vault > Secret > Expiration
- Azure > Key Vault > Secret > Expiration > Days [Default]
Action Types
- Azure > Key Vault > Key > Set Expiration
- Azure > Key Vault > Secret > Set Expiration
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- Added CIS v3.0.0 benchmark (
powerpipe benchmark run gcp_compliance.benchmark.cis_v300). (#158)
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
- The
Azure > Storage > Storage Account > Queue > Loggingcontrol would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.
v0.40.0 [2024-04-12]
What's new?
- New tables added
- Added support for plugin authentication using
Github App. Please refer Github plugin configuration for more information. (#414)
Bug fixes
What's new?
- New tables added
Enhancements
- Added
snapshot_block_public_access_statecolumn toaws_ec2_regional_settingstable. (#2077)
Bug fixes
- Fixed the
getDirectoryServiceSnapshotLimitandgetDirectoryServiceEventTopicshydrate calls in theaws_directory_service_directorytable to correctly returnnilfor unsupportedSharedMicrosoftADservices instead of an error. (#2156)
What's new?
- New tables added: (Thanks @ramirezj for the new plugin!)
What's new?
- You can now delete existing Public IP Addresses which are unapproved for use in the Subscription. To get started, set the
Azure > Network > Public IP Address > Approvedpolicy toEnforce: Delete unapproved.
Bug fixes
- The
Turbot > IAM > Permissions > Compiled > Levels > Accountpolicy now correctly checks the workspace version if it's installed on a workspace version < 5.50.0.
What's new?
- You can now configure Encryption in Transit for Flexi Servers. To get started, set the
Azure > PostgresSql > Flexible Server > Encryption in Transit > *policies.
Control Types
- Azure > PostgreSQL > Flexible Server > Encryption in Transit
Policy Types
- Azure > PostgreSQL > Flexible Server > Encryption in Transit
Action Types
- Azure > PostgreSQL > Flexible Server > Update Encryption in Transit
Bug fixes
- Updated the
foundational_security_lambda_2control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!) - Fixed the title of
secretsmanager_secret_unused_90_daycontrol. (#783)
What's new?
- You can now delete existing Entra ID users which are unapproved to be used in the Tenant. To get started, set the
Azure > Active Directory > User > Approvedpolicy toEnforce: Delete unapproved.
Policy Types
- Azure > Active Directory > User > Approved > Custom
What's new?
- You can now configure TLS version for Flexi Servers. To get started, set the
Azure > MySQL > Flexible Server > Minimum TLS Version > *policies.
Enhancements
- Added the following controls to the
All Controlsbenchmark: (#253)cosmosdb_account_uses_aad_and_rbaciam_user_not_allowed_to_create_tenantssecuritycenter_image_scan_enabled
Bug fixes
- Updated the
postgres_db_server_allow_access_to_azure_services_disabledquery to check if theendIpAddresscolumn is set to0.0.0.0instead of255.255.255.255as per the CIS documentation. (#253)
Bug fixes
- Removed
Account/UserandAccount/Metadatalevels from the default Account > Permission policy
What's new?
- Added: Support for Postgres versions 11.21 and 11.22.
What's new?
- Account CMDB data will now also include alternate security contact details.
What's new?
Control Types
- AWS > CIS v2.0
- AWS > CIS v2.0 > 1 - Identity and Access Management
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
- AWS > CIS v2.0 > 2 - Storage
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
- AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
- AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
- AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
- AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
- AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
- AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
- AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
- AWS > CIS v2.0 > 3 - Logging
- AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
- AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
- AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs
- AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions
- AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled
- AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs
- AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
- AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
- AWS > CIS v2.0 > 4 - Monitoring
- AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
- AWS > CIS v2.0 > 5 - Networking
- AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
- AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
- AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
- AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
Policy Types
- AWS > CIS v2.0
- AWS > CIS v2.0 > 1 - Identity and Access Management
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
- AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
- AWS > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
- AWS > CIS v2.0 > 2 - Storage
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
- AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
- AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
- AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
- AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
- AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
- AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
- AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
- AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
- AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
- AWS > CIS v2.0 > 2 - Storage > Maximum Attestation Duration
- AWS > CIS v2.0 > 3 - Logging
- AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
- AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
- AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs
- AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions
- AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled
- AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs
- AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
- AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
- AWS > CIS v2.0 > 3 - Logging > Maximum Attestation Duration
- AWS > CIS v2.0 > 4 - Monitoring
- AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
- AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
- AWS > CIS v2.0 > 4 - Monitoring > Maximum Attestation Duration
- AWS > CIS v2.0 > 5 - Networking
- AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
- AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
- AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
- AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation
- AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
- AWS > CIS v2.0 > 5 - Networking > Maximum Attestation Duration
- AWS > CIS v2.0 > Maximum Attestation Duration
What's new?
- New tables added
Enhancements
- Added support for nested dashboards. (#4208)
Bug fixes
- Fixed the issue where local plugins were not being loaded. (#4196)
- Re-added support for 'implicit' local plugins (i.e. the plugin binary exists but there is no entry in the
versions.json). (#4223) - Fixed the issue where the daily update check message showed a
<nil>when there was no message to show. (#4206)
Bug fixes
- SQL Instances were sometimes not updated/cleaned up correctly via real-time events in Guardrails. This is now fixed.
What's new?
- You can now manage IMDS defaults for EC2 per region. To get started, set the
AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > *policies.
Bug fixes
- The
AWS > EC2 > Instance > Approvedcontrol would sometimes fail to stop instances that were discovered in Guardrails via real-time events if theAWS > EC2 > Instance > Approvedpolicy was set toEnforce: Stop unapproved if new. This is now fixed.
What's new?
- Storage Account CMDB data will now also include details about the account's blob service properties.
What's new?
- You can now configure
connection_throttlingparameter for PostgreSQL servers. To get started, set theAzure > PostgreSQL > Server > Audit Logging > Connection Throttlingpolicy.
What's new?
- TLS version and audit log details will now be available in CMDB for Flexi Servers.
What's new?
- Users can now disable unapproved Keys in AWS. To get started, set the
AWS > KMS > Key > Approvedpolicy toEnforce: Disable unapproved.
What's new?
- New tables added
Enhancements
- Added support for
quota_projectconfig arg to provide users the ability to set theProject IDused for billing and quota. (#556)
Bug fixes
- Fixed the
retry_policy_maximum_backoffandretry_policy_minimum_backoffcolumns ofgcp_pubsub_subscriptiontable to correctly return data. (#552) (Thanks to @mvanholsteijn for the contribution!)
What's new?
- New tables added
- aws_backup_job (#2145) (Thanks @rogerioacp for the contribution!)
- aws_elastic_beanstalk_application_version (#2150)
- aws_rds_db_engine_version (#2098)
- aws_s3_object_version (#2070)
- aws_servicequotas_service (#2070)
Bug fixes
- Fixed the
aws_vpc_eiptable to return anAccess Deniederror instead of anInvalid Memory Address or Nil Pointer Dereferenceerror when aService Control Policyis applied to an account for a specific region. (#2136) - Fixed the
aws_s3_bucketterraform script to prevent theAccessControlListNotSupported: The bucket does not allow ACLserror during thePutBucketAclterraform call. (#2080) (Thanks @pdecat for the contribution!) - Fixed an issue where querying regional tables while using AWS profiles with
cross-accountrole credentials results in the correct error being reported instead of zero rows. (#2137) - Fixed pagination in the
aws_ebs_snapshottable to make fewer API calls when thelimitparameter is passed to the query. (#2088)
What's new?
- New control added:
rds_mysql_postresql_db_no_unsupported_version(#174)
Bug fixes
- In v5.15.1, we introduced the policy value
Enforce: Enabled but ignore permission errorsfor theAWS > SNS > Subscription > CMDBpolicy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy toEnforce: Enabled but ignore permission errorsinadvertently introduced a bug, resulting in the removal of real-time events for Subscription from the SNS EventBridge rule created by the Event Handlers. This issue has now been fixed.
Bug fixes
- In v5.13.0, we introduced the policy value
Enforce: Enabled but ignore permission errorsfor theAWS > KMS > Key > CMDBpolicy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy toEnforce: Enabled but ignore permission errorsinadvertently introduced a bug, resulting in the removal of the EventBridge Rule for KMS by the Event Handlers. This issue has now been fixed.
Bug fixes
loopblock now works incontainer,function,messageandinputsteps.- Use HCL expressions in
max_concurrencystep argument. (#800). throw,retryanderrorblock now works forinputstep.
Breaking changes
- The
Foundational Security Best Practices v1.0.0benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)- The
foundational_security_elbv2sub-benchmark have been removed. - The following controls are no longer included in the benchmarks:
foundational_security_cloudfront_2foundational_security_ec2_22foundational_security_s3_4
- The
Enhancements
- The
Foundational Security Best Practices v1.0.0benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)- The following sub-benchmarks have been added to the
foundational_securitybenchmark:foundational_security_appsyncfoundational_security_backupfoundational_security_eventbridgefoundational_security_fsxfoundational_security_mskfoundational_security_pcafoundational_security_route53foundational_security_sfn
- The following controls have been added to the benchmarks:
foundational_security_acm_2foundational_security_appsync_2foundational_security_backup_1foundational_security_cloudfront_13foundational_security_dms_6foundational_security_dms_7foundational_security_dms_8foundational_security_dms_9foundational_security_docdb_3foundational_security_docdb_4foundational_security_docdb_5foundational_security_dms_9foundational_security_dynamodb_6foundational_security_ec2_51foundational_security_ecs_9foundational_security_eks_8foundational_security_elasticbeanstalk_3foundational_security_emr_2foundational_security_eventbridge_3foundational_security_fsx_1foundational_security_msk_1foundational_security_networkfirewall_2foundational_security_networkfirewall_9foundational_security_opensearch_10foundational_security_pca_1foundational_security_rds_34foundational_security_rds_35foundational_security_route53_2foundational_security_s3_19foundational_security_sfn_1foundational_security_waf_12
- The following sub-benchmarks have been added to the
What's new?
- New tables added
Enhancements
v0.13.2 of the Terraform Provider for Pipes is now available.
Bug fixes
pipes_workspace_datatank_table: SetPartPersetting for datatank table to benilif nothing is passed in configuration while updating a datatank table. (#23)
Enhancements:
resources/pipes_workspace: Add support for passingdesired_state,db_volume_size_bytesattribute when creating or updating a workspace. Add missing attributestate_reason.resources/pipes_workspace_pipeline: Add support for passingdesired_stateattribute when creating or updating a pipeline. Add attributesstateandstate_reason.resources/pipes_workspace_datatank: Add support for passingdesired_stateattribute when creating a datatank.resources/pipes_workspace_datatank_table: Add support for passingdesired_stateattribute when creating a datatank_table.
Bug fixes
- Fixed the
project_license_table,project_other_license_countandproject_weak_copyleft_license_countqueries to use the latest version of EUP (European Union Public License 1.2). (#13)
Bug fixes
- Fixed the
repository_license_table,repository_other_license_countandrepository_weak_copyleft_license_countqueries to use the latest version of EUP (European Union Public License 1.2). (#25)
Bug fixes
- Fixed the CIS controls from
cis_v200_2_4tocis_v200_2_11to correctly evaluate results when using the aggregator connection of the GCP plugin. (#154)
Bug fixes
- Input step respects the
max_concurrencyargument. (#798). - Erroneous error message detecting a missing credential where there isn't one.
- HCL
try()function should be evaluated at runtime rather than parse time. - Integration and input step URLs should use the provided custom host & port. (#792).
- Shows filename and line number for invalid step references.
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
- AWS > ECR > Repository > Policy
- AWS > ECR > Repository > Policy > Required
Policy Types:
- AWS > ECR > Repository > Policy
- AWS > ECR > Repository > Policy > Required
- AWS > ECR > Repository > Policy > Required > Items
Action Types:
- AWS > ECR > Repository > Update Repository policy
Bug fixes
- When exporting or displaying a
benchmark runresult as a snapshot, ensure the top level panel has a valid summary. (#274) - Update
mod listoutput to includeresource_nameandmodfields.
Bug fixes
- Server
- Account import will be smoother and more consistent than before.
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account.
- Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to
Enforce: Disabled. This is now fixed.
What's new?
- Added CIS v2.1.0 benchmark (
powerpipe benchmark run azure_compliance.benchmark.cis_v210). (#250)
Whats new
- Optimize workspace load time for large workspaces with multiple dependent mods. (#365)
All new Pipes workspaces will be running Powerpipe v0.4.1 and existing workspaces will be upgraded by Monday 29th July 2024.
For more information on this Powerpipe release, see the release notes.
All new Pipes workspaces will be running Steampipe v0.22.1 and existing workspaces will be upgraded by Monday 18th March 2024.
For more information on this Steampipe release, see the release notes.
All new Pipes workspaces will be running Powerpipe v0.1.2 and existing workspaces will be upgraded by Monday 18th March 2024.
For more information on this Powerpipe release, see the release notes.
Bug fixes
- The
AWS > VPC > VPC > Stackcontrol failed to claim security group rules correctly if theprotocolfor such rules was set toAllorTCPin the stack's source policy. This issue has been fixed, and the control will now claim such rules correctly.
Bug fixes
- We have updated various policy definitions set during account imports to allow for a smoother account import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
What's new?
- New tables added
- aws_acmpca_certificate_authority (#2125)
- aws_dms_endpoint (#1992)
- aws_dms_replication_task (#2110)
- aws_docdb_cluster_snapshot (#2123)
- aws_transfer_user (#2089) (Thanks @jramosf for the contribution!)
Enhancements
- Added
auto_minor_version_upgradecolumn toaws_rds_db_clustertable. (#2109) - Added
open_zfs_configurationcolumn toaws_fsx_file_systemtable. (#2113) - Added
logging_configurationcolumn toaws_networkfirewall_firewalltable. (#2115) - Added
lf_tagscolumn toaws_glue_catalog_tabletable. (#2128)
Bug fixes
- Fixed the query in the
aws_s3_buckettable doc to correctly filter out buckets without theapplicationtag. (#2093) - Fixed the
aws_cloudtrail_lookup_eventinput param to pass correctlyend_timeas an optional qual. (#2102) - Fixed the
arncolumn of theaws_elastic_beanstalk_environmenttable to correctly return data instead ofnull. (#2105) - Fixed the
template_body_jsoncolumn of theaws_cloudformation_stacktable to correctly return data by adding a new transform functionformatJsonBody, replacing theUnmarshalYAMLtransform function. (#1959) - Fixed the
next_execution_timecolumn ofaws_ssm_maintenance_windowtable to be ofStringdatatype instead ofTIMESTAMP. (#2116) - Renamed the
client_log_optionscolumn toconnection_log_optionsinaws_ec2_client_vpn_endpointtable to correctly return data instead ofnull. (#2122)
Whats new
- Improved startup performance with high plugin count - parallelize plugin startup. (#4183)
- Added database SSL password support for encrypted private key in order to handle your own certificates. (#4149)
Bug fixes
- Fixed issue where plugin list cannot re-create top-level versions.json file if the file has been corrupted or empty. (#4191)
Notice
- Scripts must use the permanent installation script at https://steampipe.io/install/steampipe.sh.
- The script above is automatically updated when the script moves location.
install.shhas been moved from the top level folder to thescriptsfolder.- Scripts directly referencing the raw GitHub location must be updated.
Notice
Steampipe will no longer officially publish or support a Dockerfile or container images.
Steampipe can be run in a containerized setup. We run it ourselves that way as part of Turbot Pipes. But, we've decided to cease publishing an supporting a container definition because:
- The CLI is optimized for developer use on the command line.
- Everyone has specific goals and requirements for their containers.
- Container setup requires various mounts and access to configuration files.
- It's hard to support containers across many different environments.
We welcome users to create and share your own open-source container definitions for Steampipe!
Bug fixes
- UI
- Fixed the AWS login dropdown button to accurately display both existing and new grants.
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- Unsupported US Gov cloud regions were inadvertently included in the
AWS > SageMaker > Code Repository > Regionspolicy, which led to theAWS > SageMaker > Code Repository > Discoverycontrol being in an error state for those regions. We've now removed the unsupported US Gov cloud regions from the Regions policy.
What's new?
- Policy Types:
- AWS > SageMaker > Notebook Instance > Approved > Custom
Bug fixes
- Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to
Enforce: Disabled. This is now fixed.
Bug fixes
- Multiselect Inputs with preselected Options now correctly pre-populate in Slack.
- Change detection in
throwandoutputblock in pipeline steps works correctly with ternary operators and will not trigger mod reload for white space changes.
Bug fixes
- Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to
Enforce: Disabled. This is now fixed. - In the previous version, we fixed an issue with the
AWS > VPC > VPC > Stackcontrol that prevented it from recognizing security group rules with the port range set to 0 correctly. However, the control still failed to claim existing security group rules available in Guardrails CMDB, due to an inadvertent bug introduced in v5.9.2. This issue has now been fixed, and the control will correctly claim existing security group rules.
Bug fixes
- Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to
Enforce: Disabled. This is now fixed.
Bug fixes
- Previously, Guardrails unnecessarily listened to and processed real-time
listsevents for various storage resources. We've now improved our events filter to ignore theselistsevents, thereby reducing unnecessary processing.
Bug fixes
- Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to
Enforce: Disabled. This is now fixed.
Bug fixes
- Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to
Enforce: Disabled. This is now fixed.
Bug fixes
- Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to
Enforce: Disabled. This is now fixed. - The
AWS > EC2 > Snapshot > ActiveandAWS > EC2 > Snapshot > Approvedcontrols will now not attempt to delete a snapshot if it has one or more AMIs attached to it. - In the previous version, although we fixed a bug to prevent upserting volumes and snapshots with incorrect AKAs, there was still a provision for instances to be upserted with incorrect AKAs. We have now addressed this issue as well, ensuring instances are upserted more correctly and consistently than before.
- The deprecated
ec2-reports:*permissions are now removed from the mod.
v0.13.1 of the Terraform Provider for Pipes is now available.
Bug fixes
- Ensure tags are passed during creation of resource
pipes_workspace_pipelineand are only updated when a valid value is present in the Terraform configuration.
All new Pipes workspaces will be running Steampipe v0.22.0 and existing workspaces will be upgraded by Monday 11th March 2024.
For more information on this Steampipe release, see the release post or release notes.
Dashboards in Turbot Pipes are now powered by Powerpipe, allowing you to filter, group and share custom views of your cloud benchmarks.
All new Pipes workspaces will be running Powerpipe v0.1.0 and existing workspaces will be upgraded by Monday 11th March 2024.
For more information on the launch of Powerpipe, see the launch post or release notes.
Bug fixes
- Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account.
- In the previous version, we believed we had resolved an issue with Internet Gateways not being upserted into the CMDB while processing real-time
CreateDefaultVpcevents. However, we overlooked an edge case in the fix. We have now addressed this issue, ensuring that Internet Gateways will be reliably discovered and upserted into the Guardrails CMDB. We recommend updating theaws-vpc-coremod to version 5.17.1 or higher to enable Guardrails to correctly process real-time CreateDefaultVpc events for Internet Gateways. - Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to
Enforce: Disabled. This is now fixed.
We're thrilled to announce the release of 52 new Powerpipe mods, featuring pre-built dashboards and benchmarks for cloud inventory & insights, security & compliance, cost management and shift-left scanning. These include the 43 Steampipe mods to visualize AWS, Azure, GCP, GitHub, Terraform and more using Steampipe as the database. And 9 new, ready-to-use Powerpipe mods providing easy to learn examples to visualize data in Postgres, SQLite, DuckDB, and MySQL!
A full list of mods can be found in the Powerpipe Hub.
For more information on how you can get started incorporating these mods into your own custom dashboards and benchmarks, please see Introducing Powerpipe - Composable Mods.
Introducing Powerpipe - Dashboards for DevOps.
Benchmarks - 5,000+ open-source controls from CIS, NIST, PCI, HIPAA, FedRamp and more. Run instantly on your machine or as part of your deployment pipeline.
Relationship Diagrams - The only dashboarding tool designed from the ground up to visualize DevOps data. Explore your cloud,understand relationships and drill down to the details.
Dashboards & Reports - High level dashboards provide a quick management view. Reports highlight misconfigurations and attention areas. Filter, pivot and snapshot results.
Code, not clicks - Our dashboards are code. Version controlled, composable, shareable, easy to edit - designed for the way you work. Join our open-source community!
Learn more at:
- Website - https://powerpipe.io
- Docs - https://powerpipe.io/docs
- Hub - https://hub.powerpipe.io
- Introduction - https://powerpipe.io/blog/introducing-powerpipe
Bug fixes
- The
AWS > VPC > VPC > Stackcontrol would sometimes go into an error state after creating security group rules with port range set to 0. This occurred because the control failed to recognize the existing rule in Guardrails CMDB and attempted to create a new rule instead. This issue has been fixed, and the stack control will now work correctly as expected. - The
AWS > VPC > Security Group > CMDBcontrol would sometimes go into an error state for security groups shared from other AWS accounts. We will now exclude shared security groups and only upsert security groups that belong to the owner account.
What's new?
You can now also manage the IAM Permissions model for Guardrails Users via the
AWS > Turbot > IAM > Managedcontrol. TheAWS > Turbot > IAM > Managedcontrol is faster and more efficient than the existingAWS > Turbot > IAMcontrol because it utilizes Native AWS APIs rather than Terraform to manage IAM resources. Please note that this feature will work as intended only on TE v5.42.19 or higher andturbot-iammod v5.11.0 or higher.Control Types
- AWS > Turbot > IAM > Group
- AWS > Turbot > IAM > Group > Managed
- AWS > Turbot > IAM > Managed
- AWS > Turbot > IAM > Policy
- AWS > Turbot > IAM > Policy > Managed
- AWS > Turbot > IAM > Role
- AWS > Turbot > IAM > Role > Managed
- AWS > Turbot > IAM > User
- AWS > Turbot > IAM > User > Managed
Policy Types
- AWS > Turbot > IAM > Managed
Policy Types Renamed
- AWS > IAM > Turbot to AWS > Turbot > IAM
Action Types
- AWS > Account > Provision Managed Resources
- AWS > IAM > Group > Detach and delete
- AWS > IAM > Group > IAM Group Managed
- AWS > IAM > Policy > Detach and delete
- AWS > IAM > Role > IAM Role Managed
- AWS > IAM > User > IAM User Managed
Bug fixes
The AWS > IAM > Group > CMDB, AWS > IAM > Role > CMDB, and AWS > IAM > User > CMDB controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.
Steampipe unbundled, introducing Powerpipe
Powerpipe is now the recommended way to run dashboards and benchmarks!
Mods still work as normal in Steampipe for now, but they are deprecated and will be removed in a future release:
Whats new
- Added
versioncolumn tosteampipe_plugintable. (#4141) - Direct all errors and warnings to standard error (stderr). (4162)
Bug fixes
- Fixed the issue where
search_path_prefixset indatabase optionsdoes not alter the search path. (#4160) - Fix issue where
asffoutput was always missing the first row. (#4157)
Deprecations and migrations
- Steampipe mods and dashboards are now separately available in Powerpipe, a new open-source project. The steampipe mod, check and dashboard commands have been deprecated and will be removed in a future version. Migration guide.
- Deprecated
cloud-hostandcloud-tokenCLI args, and replaced them withpipes-hostandpipes-tokenrespectively. (#4137) - Deprecated
STEAMPIPE_CLOUD_HOSTandSTEAMPIPE_CLOUD_TOKENenv vars, replaced withPIPES_HOSTandPIPES_TOKENrespectively. (#4137) - Deprecated
cloud_hostandcloud_tokenworkspace args, replaced withpipes_hostandpipes_tokenrespectively. (#4137) - Removed support for deprecated
terminal options. (#3751) - Removed support for deprecated
max_parallelproperty ingeneral options. (#4132) - Removed support for deprecated
connection options. (#4131) - Removed deprecated
versionproperty from the modrequireblock. (#3750)
What's new?
- Workflow - message step for easy notifications. Documentation.
- Workflow - input step for buttons, text and other data. Documentation.
- Workflow - simple, reusable integration and notifier configuration for HTTP, Slack and Email. Documentation
- Import Steampipe connections as Flowpipe credentials. Documentation.
- Manage concurrency of pipelines and steps.
- New credential types:
alicloudandmastodon. - Shorter hash for HTTP triggers for simpler URLs.
- DuckDB support in query step & trigger.
- Step metadata, like
started_atandfinished_atadded under aflowpipeattribute. - Moved
flowpipe.dbinto the mod-level.flowpipedirectory. connection_stringin query step and trigger renamed todatabase.
Deprecation
- Email step. Please use the message step instead.
Bug fixes
log_levelworkspace setting is now respected (#618).- Default
listenflag should be network, not localhost (#694) - Trigger attributes are now validated (#225).
- Pipeline output attributes are now validated (#239).
- Pipeline param default value data type is now validated against the specified type (#262).
- Removed titles when merging multiple error messages (#263).
- Runtime resolution of pipeline reference and credentials are now working correctly. (#732).
- Scheduled triggers are now re-scheduled when mod files have changed.
- File watcher reliability improvements.
Bug fixes
- Updated
metadataparam type increate_ticketpipeline to be consistent with similar param types.
Bug fixes
- Fixed
secretparam type increate_secretpipeline.
Bug fixes
- Fixed broken links to credential import docs in various sample READMEs.
What's new?
- Added the following new sample mods: (#108)
add_s3_bucket_cost_center_tagsaws_iam_access_key_events_notifier_with_multiple_pipelinesaws_iam_access_key_events_notifier_with_single_pipelinedeactivate_expired_aws_iam_access_keys_using_queriesdeactivate_expired_aws_iam_access_keys_with_approvalnotify_new_aws_iam_access_keys
Enhancements
- Updated all AWS, Azure, PagerDuty, Slack, Zendesk library mod dependency versions in several sample mods. (#108)
Bug fixes
Server
- Updated the tier for the SSM parameter
/tenant/${workspaceFullId}toAdvanced. - Delete operations for resources is now faster and more efficient than before.
- Auto mod update control for mods will now look only for recommended versions instead of available and recommended.
- Fixed policy value resolution to default to the value of
resolvedSchemaif not available in the schema.
- Updated the tier for the SSM parameter
UI
- Fixed a table typo in the Steampipe query used in the resources developer tab.
- Display the AWS login button when setting permissions via the
AWS > Turbot > IAM > Managedcontrol.
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The default value for
Turbot > IAM > Permissions > Compiled > Levels > Turbotpolicy will now be evaluated correctly and consistently.
Bug fixes
- SSM Parameters with incorrect names would sometimes be inadvertently upserted in Guardrails CMDB. This issue has now been fixed.
What's new?
The
AWS > S3 > BucketCMDB data will now also include information about Bucket Intelligent Tiering Configuration.A few policy values in the
AWS > S3 > Bucket > Encyprion at Restpolicy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS.| Deprecated Values
|- | Check: None
| Check: None or higher
| Enforce: None
| Enforce: None or higher
Bug fixes
- Removed duplicate
ticket_idparam fromupdate_ticket_commentpipeline.
Bug fixes
- Fixed invalid type for
licenseparam increate_userpipeline. (#6)
Bug fixes
- Fixed mismatched types for
generate_ssh_keysparam in various Compute VM test pipelines.
Bug fixes
- Previously, Guardrails did not upsert Internet Gateways into the CMDB while processing real-time
CreateDefaultVpcevents. This issue has been fixed, and Internet Gateways will now be more reliably upserted into the Guardrails CMDB. We recommend updating theaws-vpc-coremod to v5.17.1 or higher to allow Guardrails to process theCreateDefaultVpcevent for Internet Gateways correctly.
Bug fixes
- Previously, Guardrails did not upsert DHCP Options into the CMDB while processing real-time
CreateDefaultVpcevents. This issue has been fixed, and DHCP Options will now be more reliably upserted into the Guardrails CMDB.
Bug fixes
- Previously, Guardrails unnecessarily listened to and processed real-time
listsevents for various Dataproc resources. We've now improved our events filter to ignore theselistsevents, thereby reducing unnecessary processing.
Bug fixes
- The
GCP > Turbot > Event Handlers > Pub/Substack control previously attempted to create a topic and its IAM member incorrectly when theGCP > Turbot > Event Handlers > Logging > Unique Writer Identitypolicy was set toEnforce: Unique Identity, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.
Bug fixes
- Fixed the type mismatch of the input parameter in the
get_channel_historypipeline. (#20)
What's new?
Control Types:
- GCP > Pub/Sub > Topic > Labels
Policy Types:
- GCP > Pub/Sub > Topic > Labels
- GCP > Pub/Sub > Topic > Labels > Template
Action Types
- GCP > Pub/Sub > Topic > Set Labels
Bug fixes
- In a previous version (v5.6.2), we introduced a change in the
AWS > S3 > Bucket > Encryption in TransitandAWS > S3 > Bucket > Encryption at Restcontrol to wait for a few minutes before applying the respective policies to new buckets created via Cloudformation Stacks. We've now extended this feature to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcements.
What's new?
- New dashboards added:
- OpenSearch Domain Detail (#75) (Thanks @Errahulaws for the contribution!)
What's new?
- Added support for Advanced Tier for SSM Parameters.
- Increased the visibility timeout from 60 seconds to 7200 seconds and decreased the message retention period to 7 days for runnable DLQ.
What's new?
- Added: Support for Postgres versions 14.9, 14.10, 15.4 and 15.5.
- Added: Support for Redis 7.1.
- Added: m6gd.medium to instance type parameter for RDS.
- Added: Support for Advanced Tier for SSM Parameters.
- Removed: t4.micro and t4.small from instance type parameter for RDS.
Note
To use the latest RDS certificate in commercial cloud, please upgrade TE to 5.42.3 or higher and update the RDS CA Certificate for Commercial Cloud parameter.
Bug fixes
Server
- Added: Support for AWS Custom Group Levels.
- Updated: The DLQ lambda timeout has been updated to 2 minutes instead of 1 minute.
- Updated: The Events DLQ visibility timeout has been increased from 15 minutes to 4 hours.
- Updated: The Events DLQ MessageRetentionPeriod has been decreased from 14 days to 7 days.
UI
- Added: Action button to run immediate policy value.
Requirements
- TEF: 1.57.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- Added support for group permission levels.
What's new?
Control Types:
- GCP > Firebase > Android App > ServiceNow
- GCP > Firebase > Android App > ServiceNow > Configuration Item
- GCP > Firebase > Android App > ServiceNow > Table
- GCP > Firebase > Firebase Project > ServiceNow
- GCP > Firebase > Firebase Project > ServiceNow > Configuration Item
- GCP > Firebase > Firebase Project > ServiceNow > Table
- GCP > Firebase > Web App > ServiceNow
- GCP > Firebase > Web App > ServiceNow > Configuration Item
- GCP > Firebase > Web App > ServiceNow > Table
- GCP > Firebase > iOS App > ServiceNow
- GCP > Firebase > iOS App > ServiceNow > Configuration Item
- GCP > Firebase > iOS App > ServiceNow > Table
Policy Types:
- GCP > Firebase > Android App > ServiceNow
- GCP > Firebase > Android App > ServiceNow > Configuration Item
- GCP > Firebase > Android App > ServiceNow > Configuration Item > Record
- GCP > Firebase > Android App > ServiceNow > Configuration Item > Table Definition
- GCP > Firebase > Android App > ServiceNow > Table
- GCP > Firebase > Android App > ServiceNow > Table > Definition
- GCP > Firebase > Firebase Project > ServiceNow
- GCP > Firebase > Firebase Project > ServiceNow > Configuration Item
- GCP > Firebase > Firebase Project > ServiceNow > Configuration Item > Record
- GCP > Firebase > Firebase Project > ServiceNow > Configuration Item > Table Definition
- GCP > Firebase > Firebase Project > ServiceNow > Table
- GCP > Firebase > Firebase Project > ServiceNow > Table > Definition
- GCP > Firebase > Web App > ServiceNow
- GCP > Firebase > Web App > ServiceNow > Configuration Item
- GCP > Firebase > Web App > ServiceNow > Configuration Item > Record
- GCP > Firebase > Web App > ServiceNow > Configuration Item > Table Definition
- GCP > Firebase > Web App > ServiceNow > Table
- GCP > Firebase > Web App > ServiceNow > Table > Definition
- GCP > Firebase > iOS App > ServiceNow
- GCP > Firebase > iOS App > ServiceNow > Configuration Item
- GCP > Firebase > iOS App > ServiceNow > Configuration Item > Record
- GCP > Firebase > iOS App > ServiceNow > Configuration Item > Table Definition
- GCP > Firebase > iOS App > ServiceNow > Table
- GCP > Firebase > iOS App > ServiceNow > Table > Definition
What's new?
- The
AWS > Secrets Manager > Secret > CMDBcontrol would go into an error state if Guardrails did not have permissions to describe a secret. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set theAWS > Secrets Manager > Secret > CMDBpolicy toEnforce: Enabled but ignore permission errors.
What's new?
You can now attach custom IAM Groups to Guardrails users if the
AWS > Turbot > Permissionspolicy is set toEnforce: User Mode. To get started, set theAWS > Turbot > Permissions > Custom Group Levels [Account]policy and then attach the custom group to a user via the Grant Permission button on the Permissions page. Please note that this feature will work as intended only on TE v5.42.18 or higher andturbot-iammod v5.11.0 or higher.Policy Types:
- AWS > Turbot > Permissions > Custom Group Levels [Account]
Policy Types renamed:
- AWS > Turbot > Permissions > Custom Levels [Account] to AWS > Turbot > Permissions > Custom Role Levels [Account]
- AWS > Turbot > Permissions > Custom Levels [Folder] to AWS > Turbot > Permissions > Custom Role Levels [Folder]
What's new?
- New tables added
Bug fixes
- Fixed the
InvalidParameterCombinationerror when querying theaws_rds_db_instancetable. (#2085) - Fixed
aws_rds_db_instance_metric_write_iops_dailytable to correctly displayWriteIOPSinstead ofReadIOPS. (#2079)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.9.0 that fixes critical caching issues. (#2067)
Bug fixes
- Fixed the hierarchy in the benchmark list by properly integrating
Cloud Functionsbenchmark intoall_controlsbenchmark. (#146)
What's new?
- Removed support for Memoized functions to be directly assigned as column hydrate functions. Instead, require a wrapper hydrate function. (#756) (#738)
Bug fixes
- If cache is disabled for the server, but enabled for the client, the query execution code tries to stream to the cache even though there is no active set operation. (#740)
What's new?
Control Types:
- GCP > Network > Address > ServiceNow
- GCP > Network > Address > ServiceNow > Configuration Item
- GCP > Network > Address > ServiceNow > Table
- GCP > Network > Backend Bucket > ServiceNow
- GCP > Network > Backend Bucket > ServiceNow > Configuration Item
- GCP > Network > Backend Bucket > ServiceNow > Table
- GCP > Network > Backend Service > ServiceNow
- GCP > Network > Backend Service > ServiceNow > Configuration Item
- GCP > Network > Backend Service > ServiceNow > Table
- GCP > Network > Firewall > ServiceNow
- GCP > Network > Firewall > ServiceNow > Configuration Item
- GCP > Network > Firewall > ServiceNow > Table
- GCP > Network > Forwarding Rule > ServiceNow
- GCP > Network > Forwarding Rule > ServiceNow > Configuration Item
- GCP > Network > Forwarding Rule > ServiceNow > Table
- GCP > Network > Global Address > ServiceNow
- GCP > Network > Global Address > ServiceNow > Configuration Item
- GCP > Network > Global Address > ServiceNow > Table
- GCP > Network > Global Forwarding Rule > ServiceNow
- GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item
- GCP > Network > Global Forwarding Rule > ServiceNow > Table
- GCP > Network > Interconnect > ServiceNow
- GCP > Network > Interconnect > ServiceNow > Configuration Item
- GCP > Network > Interconnect > ServiceNow > Table
- GCP > Network > Packet Mirroring > ServiceNow
- GCP > Network > Packet Mirroring > ServiceNow > Configuration Item
- GCP > Network > Packet Mirroring > ServiceNow > Table
- GCP > Network > Region Backend Service > ServiceNow
- GCP > Network > Region Backend Service > ServiceNow > Configuration Item
- GCP > Network > Region Backend Service > ServiceNow > Table
- GCP > Network > Region SSL Certificate > ServiceNow
- GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item
- GCP > Network > Region SSL Certificate > ServiceNow > Table
- GCP > Network > Region Target HTTPS Proxy > ServiceNow
- GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item
- GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table
- GCP > Network > Region URL Map > ServiceNow
- GCP > Network > Region URL Map > ServiceNow > Configuration Item
- GCP > Network > Region URL Map > ServiceNow > Table
- GCP > Network > Route > ServiceNow
- GCP > Network > Route > ServiceNow > Configuration Item
- GCP > Network > Route > ServiceNow > Table
- GCP > Network > Router > ServiceNow
- GCP > Network > Router > ServiceNow > Configuration Item
- GCP > Network > Router > ServiceNow > Table
- GCP > Network > SSL Certificate > ServiceNow
- GCP > Network > SSL Certificate > ServiceNow > Configuration Item
- GCP > Network > SSL Certificate > ServiceNow > Table
- GCP > Network > SSL Policy > ServiceNow
- GCP > Network > SSL Policy > ServiceNow > Configuration Item
- GCP > Network > SSL Policy > ServiceNow > Table
- GCP > Network > Target HTTPS Proxy > ServiceNow
- GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item
- GCP > Network > Target HTTPS Proxy > ServiceNow > Table
- GCP > Network > Target Pool > ServiceNow
- GCP > Network > Target Pool > ServiceNow > Configuration Item
- GCP > Network > Target Pool > ServiceNow > Table
- GCP > Network > Target SSL Proxy > ServiceNow
- GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item
- GCP > Network > Target SSL Proxy > ServiceNow > Table
- GCP > Network > Target TCP Proxy > ServiceNow
- GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item
- GCP > Network > Target TCP Proxy > ServiceNow > Table
- GCP > Network > Target VPN Gateway > ServiceNow
- GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item
- GCP > Network > Target VPN Gateway > ServiceNow > Table
- GCP > Network > URL Map > ServiceNow
- GCP > Network > URL Map > ServiceNow > Configuration Item
- GCP > Network > URL Map > ServiceNow > Table
- GCP > Network > VPN Tunnel > ServiceNow
- GCP > Network > VPN Tunnel > ServiceNow > Configuration Item
- GCP > Network > VPN Tunnel > ServiceNow > Table
Policy Types:
- GCP > Network > Address > ServiceNow
- GCP > Network > Address > ServiceNow > Configuration Item
- GCP > Network > Address > ServiceNow > Configuration Item > Record
- GCP > Network > Address > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Address > ServiceNow > Table
- GCP > Network > Address > ServiceNow > Table > Definition
- GCP > Network > Backend Bucket > ServiceNow
- GCP > Network > Backend Bucket > ServiceNow > Configuration Item
- GCP > Network > Backend Bucket > ServiceNow > Configuration Item > Record
- GCP > Network > Backend Bucket > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Backend Bucket > ServiceNow > Table
- GCP > Network > Backend Bucket > ServiceNow > Table > Definition
- GCP > Network > Backend Service > ServiceNow
- GCP > Network > Backend Service > ServiceNow > Configuration Item
- GCP > Network > Backend Service > ServiceNow > Configuration Item > Record
- GCP > Network > Backend Service > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Backend Service > ServiceNow > Table
- GCP > Network > Backend Service > ServiceNow > Table > Definition
- GCP > Network > Firewall > ServiceNow
- GCP > Network > Firewall > ServiceNow > Configuration Item
- GCP > Network > Firewall > ServiceNow > Configuration Item > Record
- GCP > Network > Firewall > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Firewall > ServiceNow > Table
- GCP > Network > Firewall > ServiceNow > Table > Definition
- GCP > Network > Forwarding Rule > ServiceNow
- GCP > Network > Forwarding Rule > ServiceNow > Configuration Item
- GCP > Network > Forwarding Rule > ServiceNow > Configuration Item > Record
- GCP > Network > Forwarding Rule > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Forwarding Rule > ServiceNow > Table
- GCP > Network > Forwarding Rule > ServiceNow > Table > Definition
- GCP > Network > Global Address > ServiceNow
- GCP > Network > Global Address > ServiceNow > Configuration Item
- GCP > Network > Global Address > ServiceNow > Configuration Item > Record
- GCP > Network > Global Address > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Global Address > ServiceNow > Table
- GCP > Network > Global Address > ServiceNow > Table > Definition
- GCP > Network > Global Forwarding Rule > ServiceNow
- GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item
- GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item > Record
- GCP > Network > Global Forwarding Rule > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Global Forwarding Rule > ServiceNow > Table
- GCP > Network > Global Forwarding Rule > ServiceNow > Table > Definition
- GCP > Network > Interconnect > ServiceNow
- GCP > Network > Interconnect > ServiceNow > Configuration Item
- GCP > Network > Interconnect > ServiceNow > Configuration Item > Record
- GCP > Network > Interconnect > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Interconnect > ServiceNow > Table
- GCP > Network > Interconnect > ServiceNow > Table > Definition
- GCP > Network > Packet Mirroring > ServiceNow
- GCP > Network > Packet Mirroring > ServiceNow > Configuration Item
- GCP > Network > Packet Mirroring > ServiceNow > Configuration Item > Record
- GCP > Network > Packet Mirroring > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Packet Mirroring > ServiceNow > Table
- GCP > Network > Packet Mirroring > ServiceNow > Table > Definition
- GCP > Network > Region Backend Service > ServiceNow
- GCP > Network > Region Backend Service > ServiceNow > Configuration Item
- GCP > Network > Region Backend Service > ServiceNow > Configuration Item > Record
- GCP > Network > Region Backend Service > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Region Backend Service > ServiceNow > Table
- GCP > Network > Region Backend Service > ServiceNow > Table > Definition
- GCP > Network > Region SSL Certificate > ServiceNow
- GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item
- GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item > Record
- GCP > Network > Region SSL Certificate > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Region SSL Certificate > ServiceNow > Table
- GCP > Network > Region SSL Certificate > ServiceNow > Table > Definition
- GCP > Network > Region Target HTTPS Proxy > ServiceNow
- GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item
- GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item > Record
- GCP > Network > Region Target HTTPS Proxy > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table
- GCP > Network > Region Target HTTPS Proxy > ServiceNow > Table > Definition
- GCP > Network > Region URL Map > ServiceNow
- GCP > Network > Region URL Map > ServiceNow > Configuration Item
- GCP > Network > Region URL Map > ServiceNow > Configuration Item > Record
- GCP > Network > Region URL Map > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Region URL Map > ServiceNow > Table
- GCP > Network > Region URL Map > ServiceNow > Table > Definition
- GCP > Network > Route > ServiceNow
- GCP > Network > Route > ServiceNow > Configuration Item
- GCP > Network > Route > ServiceNow > Configuration Item > Record
- GCP > Network > Route > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Route > ServiceNow > Table
- GCP > Network > Route > ServiceNow > Table > Definition
- GCP > Network > Router > ServiceNow
- GCP > Network > Router > ServiceNow > Configuration Item
- GCP > Network > Router > ServiceNow > Configuration Item > Record
- GCP > Network > Router > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Router > ServiceNow > Table
- GCP > Network > Router > ServiceNow > Table > Definition
- GCP > Network > SSL Certificate > ServiceNow
- GCP > Network > SSL Certificate > ServiceNow > Configuration Item
- GCP > Network > SSL Certificate > ServiceNow > Configuration Item > Record
- GCP > Network > SSL Certificate > ServiceNow > Configuration Item > Table Definition
- GCP > Network > SSL Certificate > ServiceNow > Table
- GCP > Network > SSL Certificate > ServiceNow > Table > Definition
- GCP > Network > SSL Policy > ServiceNow
- GCP > Network > SSL Policy > ServiceNow > Configuration Item
- GCP > Network > SSL Policy > ServiceNow > Configuration Item > Record
- GCP > Network > SSL Policy > ServiceNow > Configuration Item > Table Definition
- GCP > Network > SSL Policy > ServiceNow > Table
- GCP > Network > SSL Policy > ServiceNow > Table > Definition
- GCP > Network > Target HTTPS Proxy > ServiceNow
- GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item
- GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item > Record
- GCP > Network > Target HTTPS Proxy > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Target HTTPS Proxy > ServiceNow > Table
- GCP > Network > Target HTTPS Proxy > ServiceNow > Table > Definition
- GCP > Network > Target Pool > ServiceNow
- GCP > Network > Target Pool > ServiceNow > Configuration Item
- GCP > Network > Target Pool > ServiceNow > Configuration Item > Record
- GCP > Network > Target Pool > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Target Pool > ServiceNow > Table
- GCP > Network > Target Pool > ServiceNow > Table > Definition
- GCP > Network > Target SSL Proxy > ServiceNow
- GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item
- GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item > Record
- GCP > Network > Target SSL Proxy > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Target SSL Proxy > ServiceNow > Table
- GCP > Network > Target SSL Proxy > ServiceNow > Table > Definition
- GCP > Network > Target TCP Proxy > ServiceNow
- GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item
- GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item > Record
- GCP > Network > Target TCP Proxy > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Target TCP Proxy > ServiceNow > Table
- GCP > Network > Target TCP Proxy > ServiceNow > Table > Definition
- GCP > Network > Target VPN Gateway > ServiceNow
- GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item
- GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item > Record
- GCP > Network > Target VPN Gateway > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Target VPN Gateway > ServiceNow > Table
- GCP > Network > Target VPN Gateway > ServiceNow > Table > Definition
- GCP > Network > URL Map > ServiceNow
- GCP > Network > URL Map > ServiceNow > Configuration Item
- GCP > Network > URL Map > ServiceNow > Configuration Item > Record
- GCP > Network > URL Map > ServiceNow > Configuration Item > Table Definition
- GCP > Network > URL Map > ServiceNow > Table
- GCP > Network > URL Map > ServiceNow > Table > Definition
- GCP > Network > VPN Tunnel > ServiceNow
- GCP > Network > VPN Tunnel > ServiceNow > Configuration Item
- GCP > Network > VPN Tunnel > ServiceNow > Configuration Item > Record
- GCP > Network > VPN Tunnel > ServiceNow > Configuration Item > Table Definition
- GCP > Network > VPN Tunnel > ServiceNow > Table
- GCP > Network > VPN Tunnel > ServiceNow > Table > Definition
Bug fixes
- Fixed growing memory usage following file watching events when running dashboard server. (#4150)
Bug fixes
- The
AWS > VPC > VPC > Stackcontrol would sometimes fail to claim existing Flow Logs in Guardrails CMDB. This is now fixed.
What's new?
Control Types:
- GCP > IAM > Project Role > ServiceNow
- GCP > IAM > Project Role > ServiceNow > Configuration Item
- GCP > IAM > Project Role > ServiceNow > Table
- GCP > IAM > Project User > ServiceNow
- GCP > IAM > Project User > ServiceNow > Configuration Item
- GCP > IAM > Project User > ServiceNow > Table
- GCP > IAM > Service Account > ServiceNow
- GCP > IAM > Service Account > ServiceNow > Configuration Item
- GCP > IAM > Service Account > ServiceNow > Table
- GCP > IAM > Service Account Key > ServiceNow
- GCP > IAM > Service Account Key > ServiceNow > Configuration Item
- GCP > IAM > Service Account Key > ServiceNow > Table
- GCP > Project > Policy > ServiceNow
- GCP > Project > Policy > ServiceNow > Configuration Item
- GCP > Project > Policy > ServiceNow > Table
Policy Types:
- GCP > IAM > Project Role > ServiceNow
- GCP > IAM > Project Role > ServiceNow > Configuration Item
- GCP > IAM > Project Role > ServiceNow > Configuration Item > Record
- GCP > IAM > Project Role > ServiceNow > Configuration Item > Table Definition
- GCP > IAM > Project Role > ServiceNow > Table
- GCP > IAM > Project Role > ServiceNow > Table > Definition
- GCP > IAM > Project User > ServiceNow
- GCP > IAM > Project User > ServiceNow > Configuration Item
- GCP > IAM > Project User > ServiceNow > Configuration Item > Record
- GCP > IAM > Project User > ServiceNow > Configuration Item > Table Definition
- GCP > IAM > Project User > ServiceNow > Table
- GCP > IAM > Project User > ServiceNow > Table > Definition
- GCP > IAM > Service Account > ServiceNow
- GCP > IAM > Service Account > ServiceNow > Configuration Item
- GCP > IAM > Service Account > ServiceNow > Configuration Item > Record
- GCP > IAM > Service Account > ServiceNow > Configuration Item > Table Definition
- GCP > IAM > Service Account > ServiceNow > Table
- GCP > IAM > Service Account > ServiceNow > Table > Definition
- GCP > IAM > Service Account Key > ServiceNow
- GCP > IAM > Service Account Key > ServiceNow > Configuration Item
- GCP > IAM > Service Account Key > ServiceNow > Configuration Item > Record
- GCP > IAM > Service Account Key > ServiceNow > Configuration Item > Table Definition
- GCP > IAM > Service Account Key > ServiceNow > Table
- GCP > IAM > Service Account Key > ServiceNow > Table > Definition
- GCP > Project > Policy > ServiceNow
- GCP > Project > Policy > ServiceNow > Configuration Item
- GCP > Project > Policy > ServiceNow > Configuration Item > Record
- GCP > Project > Policy > ServiceNow > Configuration Item > Table Definition
- GCP > Project > Policy > ServiceNow > Table
- GCP > Project > Policy > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Functions > Function > ServiceNow
- GCP > Functions > Function > ServiceNow > Configuration Item
- GCP > Functions > Function > ServiceNow > Table
Policy Types:
- GCP > Functions > Function > ServiceNow
- GCP > Functions > Function > ServiceNow > Configuration Item
- GCP > Functions > Function > ServiceNow > Configuration Item > Record
- GCP > Functions > Function > ServiceNow > Configuration Item > Table Definition
- GCP > Functions > Function > ServiceNow > Table
- GCP > Functions > Function > ServiceNow > Table > Definition
Bug fixes
- The
AWS > SNS > Subscription > CMDBcontrol would go into an error state if Guardrails did not have permissions to describe a subscription. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set theAWS > SNS > Subscription > CMDBpolicy toEnforce: Enabled but ignore permission errors.
Dependencies
- AWS plugin
v0.131.0or higher is now required. (#747)
Enhancements
- Added 11 new controls to the
All Controlsbenchmark across the following services: (#747)API GatewayDMSEMRMQVPC
Bug fixes
- Fixed the
foundational_security_ssm_2control to correctly evaluate results when patches are not applicable for SSM managed EC2 instances. (#761)
What's new?
Control Types:
- GCP > Project > ServiceNow
- GCP > Project > ServiceNow > Configuration Item
- GCP > Project > ServiceNow > Table
Policy Types:
- GCP > Project > ServiceNow
- GCP > Project > ServiceNow > Configuration Item
- GCP > Project > ServiceNow > Configuration Item > Record
- GCP > Project > ServiceNow > Configuration Item > Table Definition
- GCP > Project > ServiceNow > Table
- GCP > Project > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Memorystore > Instance > ServiceNow
- GCP > Memorystore > Instance > ServiceNow > Configuration Item
- GCP > Memorystore > Instance > ServiceNow > Table
Policy Types:
- GCP > Memorystore > Instance > ServiceNow
- GCP > Memorystore > Instance > ServiceNow > Configuration Item
- GCP > Memorystore > Instance > ServiceNow > Configuration Item > Record
- GCP > Memorystore > Instance > ServiceNow > Configuration Item > Table Definition
- GCP > Memorystore > Instance > ServiceNow > Table
- GCP > Memorystore > Instance > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Storage > Object > ServiceNow
- GCP > Storage > Object > ServiceNow > Configuration Item
- GCP > Storage > Object > ServiceNow > Table
Policy Types:
- GCP > Storage > Object > ServiceNow
- GCP > Storage > Object > ServiceNow > Configuration Item
- GCP > Storage > Object > ServiceNow > Configuration Item > Record
- GCP > Storage > Object > ServiceNow > Configuration Item > Table Definition
- GCP > Storage > Object > ServiceNow > Table
- GCP > Storage > Object > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Secret Manager > Secret > ServiceNow
- GCP > Secret Manager > Secret > ServiceNow > Configuration Item
- GCP > Secret Manager > Secret > ServiceNow > Table
Policy Types:
- GCP > Secret Manager > Secret > ServiceNow
- GCP > Secret Manager > Secret > ServiceNow > Configuration Item
- GCP > Secret Manager > Secret > ServiceNow > Configuration Item > Record
- GCP > Secret Manager > Secret > ServiceNow > Configuration Item > Table Definition
- GCP > Secret Manager > Secret > ServiceNow > Table
- GCP > Secret Manager > Secret > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Scheduler > Job > ServiceNow
- GCP > Scheduler > Job > ServiceNow > Configuration Item
- GCP > Scheduler > Job > ServiceNow > Table
Policy Types:
- GCP > Scheduler > Job > ServiceNow
- GCP > Scheduler > Job > ServiceNow > Configuration Item
- GCP > Scheduler > Job > ServiceNow > Configuration Item > Record
- GCP > Scheduler > Job > ServiceNow > Configuration Item > Table Definition
- GCP > Scheduler > Job > ServiceNow > Table
- GCP > Scheduler > Job > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Dataproc > Cluster > ServiceNow
- GCP > Dataproc > Cluster > ServiceNow > Configuration Item
- GCP > Dataproc > Cluster > ServiceNow > Table
- GCP > Dataproc > Job > ServiceNow
- GCP > Dataproc > Job > ServiceNow > Configuration Item
- GCP > Dataproc > Job > ServiceNow > Table
- GCP > Dataproc > Workflow Template > ServiceNow
- GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item
- GCP > Dataproc > Workflow Template > ServiceNow > Table
Policy Types:
- GCP > Dataproc > Cluster > ServiceNow
- GCP > Dataproc > Cluster > ServiceNow > Configuration Item
- GCP > Dataproc > Cluster > ServiceNow > Configuration Item > Record
- GCP > Dataproc > Cluster > ServiceNow > Configuration Item > Table Definition
- GCP > Dataproc > Cluster > ServiceNow > Table
- GCP > Dataproc > Cluster > ServiceNow > Table > Definition
- GCP > Dataproc > Job > ServiceNow
- GCP > Dataproc > Job > ServiceNow > Configuration Item
- GCP > Dataproc > Job > ServiceNow > Configuration Item > Record
- GCP > Dataproc > Job > ServiceNow > Configuration Item > Table Definition
- GCP > Dataproc > Job > ServiceNow > Table
- GCP > Dataproc > Job > ServiceNow > Table > Definition
- GCP > Dataproc > Workflow Template > ServiceNow
- GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item
- GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item > Record
- GCP > Dataproc > Workflow Template > ServiceNow > Configuration Item > Table Definition
- GCP > Dataproc > Workflow Template > ServiceNow > Table
- GCP > Dataproc > Workflow Template > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Composer > Environment > ServiceNow
- GCP > Composer > Environment > ServiceNow > Configuration Item
- GCP > Composer > Environment > ServiceNow > Table
Policy Types:
- GCP > Composer > Environment > ServiceNow
- GCP > Composer > Environment > ServiceNow > Configuration Item
- GCP > Composer > Environment > ServiceNow > Configuration Item > Record
- GCP > Composer > Environment > ServiceNow > Configuration Item > Table Definition
- GCP > Composer > Environment > ServiceNow > Table
- GCP > Composer > Environment > ServiceNow > Table > Definition
The timeout for scheduled snapshot pipelines has been extended from 10 minutes to 1 hour, giving complex benchmarks and dashboards longer to successfully complete.
What's new?
Control Types:
- GCP > Monitoring > Alert Policy > ServiceNow
- GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item
- GCP > Monitoring > Alert Policy > ServiceNow > Table
- GCP > Monitoring > Group > ServiceNow
- GCP > Monitoring > Group > ServiceNow > Configuration Item
- GCP > Monitoring > Group > ServiceNow > Table
- GCP > Monitoring > Notification Channel > ServiceNow
- GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item
- GCP > Monitoring > Notification Channel > ServiceNow > Table
Policy Types:
- GCP > Monitoring > Alert Policy > ServiceNow
- GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item
- GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item > Record
- GCP > Monitoring > Alert Policy > ServiceNow > Configuration Item > Table Definition
- GCP > Monitoring > Alert Policy > ServiceNow > Table
- GCP > Monitoring > Alert Policy > ServiceNow > Table > Definition
- GCP > Monitoring > Group > ServiceNow
- GCP > Monitoring > Group > ServiceNow > Configuration Item
- GCP > Monitoring > Group > ServiceNow > Configuration Item > Record
- GCP > Monitoring > Group > ServiceNow > Configuration Item > Table Definition
- GCP > Monitoring > Group > ServiceNow > Table
- GCP > Monitoring > Group > ServiceNow > Table > Definition
- GCP > Monitoring > Notification Channel > ServiceNow
- GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item
- GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item > Record
- GCP > Monitoring > Notification Channel > ServiceNow > Configuration Item > Table Definition
- GCP > Monitoring > Notification Channel > ServiceNow > Table
- GCP > Monitoring > Notification Channel > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > DNS > Managed Zone > ServiceNow
- GCP > DNS > Managed Zone > ServiceNow > Configuration Item
- GCP > DNS > Managed Zone > ServiceNow > Table
Policy Types:
- GCP > DNS > Managed Zone > ServiceNow
- GCP > DNS > Managed Zone > ServiceNow > Configuration Item
- GCP > DNS > Managed Zone > ServiceNow > Configuration Item > Record
- GCP > DNS > Managed Zone > ServiceNow > Configuration Item > Table Definition
- GCP > DNS > Managed Zone > ServiceNow > Table
- GCP > DNS > Managed Zone > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Datapipeline > Pipeline > ServiceNow
- GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item
- GCP > Datapipeline > Pipeline > ServiceNow > Table
Policy Types:
- GCP > Datapipeline > Pipeline > ServiceNow
- GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item
- GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item > Record
- GCP > Datapipeline > Pipeline > ServiceNow > Configuration Item > Table Definition
- GCP > Datapipeline > Pipeline > ServiceNow > Table
- GCP > Datapipeline > Pipeline > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Dataflow > Job > ServiceNow
- GCP > Dataflow > Job > ServiceNow > Configuration Item
- GCP > Dataflow > Job > ServiceNow > Table
Policy Types:
- GCP > Dataflow > Job > ServiceNow
- GCP > Dataflow > Job > ServiceNow > Configuration Item
- GCP > Dataflow > Job > ServiceNow > Configuration Item > Record
- GCP > Dataflow > Job > ServiceNow > Configuration Item > Table Definition
- GCP > Dataflow > Job > ServiceNow > Table
- GCP > Dataflow > Job > ServiceNow > Table > Definition
Bug fixes
- The
GCP > Compute Engine > Instance Template > CMDBcontrol would sometimes go into an error state due to a bad internal build. This is fixed and the control will now work as expected.
Bug fixes
- Due to an inadvertently introduced issue with an internal build for
Azure > Subscription, importing subscriptions encountered schema validation problems. This issue has been resolved, and you can now successfully import subscriptions as before.
Bug fixes
- In the previous version, while we improved on the way we discovered missing Snapshots and Volumes while processing their update events, we inadvertently introduced a bug where some resources were upserted with incorrect AKAs. Such resources with malformed AKAs should now be cleaned up automatically from the environment, and Guardrails will now discover resources more correctly and consistently than before.
- In a previous version (v5.31.4), we implemented a feature to Discover Instances while processing their update events respectively, if those resources were missing from Guardrails CMDB. In busy environments, this would sometimes cause unnecessary Lambda executions. We've now improved this behavior to upsert the missing resources in a lighter and faster way.
Bug fixes
- Fixed the typo in the
scaleway_billing_consumptiontable docs to useconsumptioninstead ofconsumtion. (#80)
What's new?
- New tables added
- scaleway_account_project (#53) (Thanks @jplanckeel for the contribution!)
- scaleway_billing_consumption (#70) (Thanks @jplanckeel for the contribution!)
Enhancements
- Improved the plugin error message when invalid credentials are set in the
wiz.spcfile. (#23)
Bug fixes
- Fixed the
service_ticketscolumn inwiz_issuetable by removing theactionsubfield from theServiceTicketsfield in the GraphQL response since it was no longer available. (#24 #25) (Thanks @sycophantic for the contribution!)
Bug fixes
- Removed duplicate control
rds_db_cluster_encrypted_with_kms_cmk. (#105)
Bug fixes
- Removed duplicate node
service_account. (#56)
What's new?
- New tables added
Bug fixes
What's new?
- Added support for
ap-northeast-3in theAWS > Account > Regionspolicy.
What's new?
- Added support for
af-south-1,ap-northeast-3,ap-south-2,ap-southeast-3,ap-southeast-4,ca-west-1,eu-central-2,eu-south-1,eu-south-2,il-central-1andme-central-1regions in theAWS > Logs > Regionspolicy.
What's new?
You can now configure Block Public Access for Snapshots. To get started, set the
AWS > EC2 > Account Attributes > Block Public Access for Snapshotspolicy.You can now also disable Block Public Access for AMIs. To get started, set the
AWS > EC2 > Account Attributes > Block Public Access for AMIspolicy.AWS/EC2/Admin,AWS/EC2/MetadataandAWS/EC2/Operatornow includes permissions for Verified Access Endpoints, Verified Access Groups and Verified Access Trust Providers.Control Types:
- AWS > EC2 > Account Attributes > Block Public Access for Snapshots
Policy Types:
- AWS > EC2 > Account Attributes > Block Public Access for Snapshots
Action Types:
- AWS > EC2 > Account Attributes > Update Block Public Access for Snapshots
Bug fixes
- In a previous version (v5.31.4), we implemented a feature to Discover Snapshots and Volumes while processing their update events respectively, if those resources were missing from Guardrails CMDB. In busy environments, this would sometimes cause unnecessary Lambda executions. We've now improved this behavior to upsert the missing resources in a lighter and faster way.
What's new?
- New table added
- tfe_project (#42) (Thanks @edebrye for the contribution!)
Bug fixes
- Fixed the plugin initialization error by returning only the static tables when invalid config parameters were set for dynamic tables. #39
What's new?
- Added
create_branch,delete_branchandget_branchpipelines. (#10)
v0.86 [2024-02-08]
What's new?
- Added CIS v3.0.0 benchmark (
steampipe check benchmark.cis_v300). (#755)
What's new?
- Updated: MaxPalyloadSize parameter description.
- Updated: Turbot Policy Parameter to add back
Deny: *for HTTP in SNS Policy.
What's new?
- Added: Postgres versions 13.12 and 13.13.
- Updated: CloudWatch Alarms will now use TEF SNS topic.
Bug fixes
- Server
- Added the
Deny:*policy for HTTP traffic back to the turbot-policy-parameter custom lambda code. - Event DLQ should not set the control or policy value to error if there has been a new process started for the control or policy value.
- Run next should drop the events in case of recursive loop.
- Add additional retryable throttling codes for actions.
- Added the
Requirements
- TEF: 1.55.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
Bug fixes
- Fixed
HomeDirectoryModfileCheckreturning false positive, causing errors when executing steampipe out of the home directory. (#4118)
v1.10.1 of the Terraform Provider for Guardrails is now available.
Bug fixes
resource/turbot_file: terraform apply failed to updatecontentof an existing File in Guardrails. This is now fixed.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- GCP > Logging > Exclusion > Approved > Custom
- GCP > Logging > Metric > Approved > Custom
- GCP > Logging > Sink > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
- GCP > Kubernetes Engine > Region Cluster > Approved > Custom
- GCP > Kubernetes Engine > Region Node Pool > Approved > Custom
- GCP > Kubernetes Engine > Zone Cluster > Approved > Custom
- GCP > Kubernetes Engine > Zone Node Pool > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- GCP > Dataflow > Job > Approved > Custom
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
Bug fixes
The
AWS > EC2 > Key Pair > Discoverycontrol would sometimes go into an error state if a Key Pair alias included escape characters. This is now fixed.Control Types renamed:
AWS > EC2 > Volume > ConfigurationtoAWS > EC2 > Volume > Performance Configuration
Policy Types renamed:
AWS > EC2 > Volume > ConfigurationtoAWS > EC2 > Volume > Performance ConfigurationAWS > EC2 > Volume > Configuration > IOPS CapacitytoAWS > EC2 > Volume > Performance Configuration > IOPS CapacityAWS > EC2 > Volume > Configuration > ThroughputtoAWS > EC2 > Volume > Performance Configuration > ThroughputAWS > EC2 > Volume > Configuration > TypetoAWS > EC2 > Volume > Performance Configuration > Type
Action Types renamed:
AWS > EC2 > Volume > Update ConfigurationtoAWS > EC2 > Volume > Update Performance Configuration
Enhancements
- Updated all the tables to fetch the column data using hydrate functions to optimize the API calls and increase query speed when querying specific columns. (#30)
Bug fixes
- The
Turbot > Policy Setting Expirationcontrol will now run every 12 hours to manage policy setting expirations more consistently than before.
Bug fixes
- Fix the commands in
add_labels_to_compute_diskandadd_labels_to_compute_instancepipelines. (#7)
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- New tables added
What's new?
- Added
OAuthconfig support to provide users the ability to setOAuth secret client IDandOAuth secret valueof a service principal. For more information, please see Databricks plugin configuration. (#6) (Thanks @rinzool for the contribution!) - Added
Configobject to directly pass credentials to the client. (#10)
What's new?
- New tables added
Enhancements
- Added the
authorization_rulescolumn toazure_servicebus_namespacetable. (#719)
Enhancements
- Optimized
aws_cloudwatch_log_streamtable's query performance by addingdescending,log_group_name,log_stream_name_prefixandorder_bynew optional key qual columns. (#1951) - Optimized
aws_ssm_inventorytable's query performance by adding new optional key qual columns such asfilter_key,filter_value,network_attribute_key,network_attribute_value, etc. (#1980)
Bug fixes
- Fixed
aws_cloudwatch_log_grouptable key column to be globally unique by filtering the results by region. (#1976) - Removed duplicate memoizing of getCommonColumns function from
aws_s3_multi_region_access_pointandaws_ec2_launch_templatetables.(#2065) - Fixed error for column
type_namein tableaws_ssm_inventory_entry. (#1980) - Added the missing rate-limiter tags for
aws_s3_buckettable'sGetBucketLocationhydrate function to optimize query performance. (#2066)
Bug fixes
- The Org policy details in the Project CMDB data will now be properly and consistently sorted.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
- GCP > Scheduler > Job > Approved > Custom
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- New tables added
Dependencies
- Azure plugin
v0.53.0or higher is now required. (#242)
Enhancements
- Added 41 new controls to the
All Controlsbenchmark across the following services: (#234 #233)Active DirectoryApp ServiceBatchComputeContainer InstanceKey VaultKubernetes ServiceNetworkRecovery ServiceService BusStorage
Bug fixes
- Fixed the description of
CIS_v150_2_1_9control. (#238) (Thanks @sfunkernw for the contribution!)
v0.13.0 of the Terraform Provider for Pipes is now available.
What's new?
- Data Source
pipes_tenant. - Resource
pipes_tenant_member.
Enhancements
- Resource
pipes_organization_membernow supports adding users directly to an organization in a custom tenant, rather than by invitation.
What's new?
Control Types:
- GCP > Cloud Run > Service > ServiceNow
- GCP > Cloud Run > Service > ServiceNow > Configuration Item
- GCP > Cloud Run > Service > ServiceNow > Table
Policy Types:
- GCP > Cloud Run > Service > ServiceNow
- GCP > Cloud Run > Service > ServiceNow > Configuration Item
- GCP > Cloud Run > Service > ServiceNow > Configuration Item > Record
- GCP > Cloud Run > Service > ServiceNow > Configuration Item > Table Definition
- GCP > Cloud Run > Service > ServiceNow > Table
- GCP > Cloud Run > Service > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Spanner > Database > ServiceNow
- GCP > Spanner > Database > ServiceNow > Configuration Item
- GCP > Spanner > Database > ServiceNow > Table
- GCP > Spanner > Instance > ServiceNow
- GCP > Spanner > Instance > ServiceNow > Configuration Item
- GCP > Spanner > Instance > ServiceNow > Table
Policy Types:
- GCP > Spanner > Database > ServiceNow
- GCP > Spanner > Database > ServiceNow > Configuration Item
- GCP > Spanner > Database > ServiceNow > Configuration Item > Record
- GCP > Spanner > Database > ServiceNow > Configuration Item > Table Definition
- GCP > Spanner > Database > ServiceNow > Table
- GCP > Spanner > Database > ServiceNow > Table > Definition
- GCP > Spanner > Instance > ServiceNow
- GCP > Spanner > Instance > ServiceNow > Configuration Item
- GCP > Spanner > Instance > ServiceNow > Configuration Item > Record
- GCP > Spanner > Instance > ServiceNow > Configuration Item > Table Definition
- GCP > Spanner > Instance > ServiceNow > Table
- GCP > Spanner > Instance > ServiceNow > Table > Definition
What's new?
Control Types:
- AWS > EC2 > Volume > Configuration
Policy Types:
- AWS > EC2 > Volume > Configuration
- AWS > EC2 > Volume > Configuration > IOPS Capacity
- AWS > EC2 > Volume > Configuration > Throughput
- AWS > EC2 > Volume > Configuration > Type
Action Types:
- AWS > EC2 > Volume > Update Configuration
Breaking changes
- Removed the
iam_root_user_virtual_mfacontrol since it is not recommended as good practice. (#743) - Replaced
iam_account_password_policy_strongwithiam_account_password_policy_strong_min_reuse_24in theGDPR,FFIECandCISA Cyber Essentialsbenchmarks to align more accurately with the requirements specified in the AWS Config rules. (#739)
Bug fixes
- Updated the dashboard image to correctly list all the 25 benchmarks. (#748)
What's new?
- New tables added
What's new?
- Query trigger type to watch & event on database changes. Documentation.
- HTTP trigger can now handle both GET and POST methods. Documentation.
- Query steps & triggers now support Postgres, MySQL, SQLite, and Postgres.
- Define container step using a
sourceargument for inline image definitions. - Add a
timeoutto pipeline steps. - Enable or disable triggers using the
enabledattribute. - Improved and expanded output for
flowpipe server. - Improved and standardized output for CLI
listandshowcommands. - Expanded intervals available in schedule and query triggers (e.g.
5m,10m, etc). - New credential types: BitBucket, Datadog, Freshdesk, JumpCloud, ServiceNow, Turbot Guardrails.
- Automatic check & notify for new CLI versions.
Bug fixes
- Implemented a more descriptive error message for server startup failures.
- Fixed Step Arguments unable to be referenced in the Pipeline definition.
- Added missing
execution_modeargument to HTTP Trigger (#533). - Fixed
argsarguments unable to be updated in the Pipeline Step loop block (#559). - Fixed an issue in the bootstrap process for identifying the config path.
Bug fixes
- Fixed schema clone function failing if table has an LTREE column. (#4079)
- Maintained the order of execution when running multiple queries in batch mode. (#3728)
- Fixed issue where using any meta-command would load connection state even if not required. (#3614)
- Fixed issue where plugin version file back-filling would write
versions.jsonto the CWD if the plugin folder is not found. (#4073) - Simplified and fixed available port check. (#4030)
What's new?
- New tables added
What's new?
- Added the
kubernetes_cluster_no_cluster_level_node_poolcontrol to theKubernetesbenchmark. (#53)
What's new?
- New tables added
Enhancements
What's new?
- New tables added
Enhancements
- Added column
iam_policytogcp_cloud_run_servicetable. (#531) - Optimized the
gcp_logging_log_entrytable result or result timing by applying a timestamp filter. (#508) - Added the
json_payload,proto_payload,metadata,resource,operation, andtagscolumns togcp_logging_log_entrytable. (#508)
Bug fixes
- Fixed the
addons_config,network_configandnetwork_policycolumn ofgcp_kubernetes_clustertable to correctly return data instead of null. (#530) - Fixed the
end_timecolumn of thegcp_sql_backuptable to returnnullinstead of an error when end time is unavailable for a SQL backup. (#534) - Fixed the
enqueued_time,start_timeandwindow_start_timecolumns of thegcp_sql_backuptable to returnnullinstead of an error when timestamp is unavailable for a SQL backup. (#536)
Enhancements
- Added the
audit_policycolumn toazure_sql_databaseandazure_sql_servertables. (#711) - Added the
webhookscolumn toazure_container_registrytable. (#710) - Added the
disable_local_authandstatuscolumns toazure_servicebus_namespacetable. (#715)
Bug fixes
- Fixed the
azure_key_vault_secrettable to correctly return data when keyvault name is in camel-case. (#638)
Bug fixes
- Fixed the
low_iops_ebs_volumescontrol to now suggest convertingio1andio2volumes toGP3volumes, when the baseIOPSis less than16000instead of3000. (#167)
What's new?
- Server
- You can now update API size limit via the MAX_PAYLOAD_SIZE parameter.
Requirements
- TEF: 1.55.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
What's new?
Resource Types:
- AWS > Kinesis > Kinesis Video Stream
Control Types:
- AWS > Kinesis > Kinesis Video Stream > Active
- AWS > Kinesis > Kinesis Video Stream > Approved
- AWS > Kinesis > Kinesis Video Stream > CMDB
- AWS > Kinesis > Kinesis Video Stream > Discovery
- AWS > Kinesis > Kinesis Video Stream > Tags
Policy Types:
- AWS > Kinesis > Kinesis Video Stream > Active
- AWS > Kinesis > Kinesis Video Stream > Active > Age
- AWS > Kinesis > Kinesis Video Stream > Active > Budget
- AWS > Kinesis > Kinesis Video Stream > Active > Last Modified
- AWS > Kinesis > Kinesis Video Stream > Approved
- AWS > Kinesis > Kinesis Video Stream > Approved > Budget
- AWS > Kinesis > Kinesis Video Stream > Approved > Custom
- AWS > Kinesis > Kinesis Video Stream > Approved > Regions
- AWS > Kinesis > Kinesis Video Stream > Approved > Usage
- AWS > Kinesis > Kinesis Video Stream > CMDB
- AWS > Kinesis > Kinesis Video Stream > Regions
- AWS > Kinesis > Kinesis Video Stream > Tags
- AWS > Kinesis > Kinesis Video Stream > Tags > Template
Action Types:
- AWS > Kinesis > Kinesis Video Stream > Delete
- AWS > Kinesis > Kinesis Video Stream > Delete from AWS
- AWS > Kinesis > Kinesis Video Stream > Router
- AWS > Kinesis > Kinesis Video Stream > Set Tags
- AWS > Kinesis > Kinesis Video Stream > Skip alarm for Active control
- AWS > Kinesis > Kinesis Video Stream > Skip alarm for Active control [90 days]
- AWS > Kinesis > Kinesis Video Stream > Skip alarm for Approved control
- AWS > Kinesis > Kinesis Video Stream > Skip alarm for Approved control [90 days]
- AWS > Kinesis > Kinesis Video Stream > Skip alarm for Tags control
- AWS > Kinesis > Kinesis Video Stream > Skip alarm for Tags control [90 days]
- AWS > Kinesis > Kinesis Video Stream > Update Tags
What's new?
- New tables added
Enhancements
- Added
deletion_protection_enabledcolumn toaws_dynamodb_tabletable. (#2049)
Bug fixes
What's new?
Control Types:
- GCP > Logging > Exclusion > ServiceNow
- GCP > Logging > Exclusion > ServiceNow > Configuration Item
- GCP > Logging > Exclusion > ServiceNow > Table
- GCP > Logging > Metric > ServiceNow
- GCP > Logging > Metric > ServiceNow > Configuration Item
- GCP > Logging > Metric > ServiceNow > Table
- GCP > Logging > Sink > ServiceNow
- GCP > Logging > Sink > ServiceNow > Configuration Item
- GCP > Logging > Sink > ServiceNow > Table
Policy Types:
- GCP > Logging > Exclusion > ServiceNow
- GCP > Logging > Exclusion > ServiceNow > Configuration Item
- GCP > Logging > Exclusion > ServiceNow > Configuration Item > Record
- GCP > Logging > Exclusion > ServiceNow > Configuration Item > Table Definition
- GCP > Logging > Exclusion > ServiceNow > Table
- GCP > Logging > Exclusion > ServiceNow > Table > Definition
- GCP > Logging > Metric > ServiceNow
- GCP > Logging > Metric > ServiceNow > Configuration Item
- GCP > Logging > Metric > ServiceNow > Configuration Item > Record
- GCP > Logging > Metric > ServiceNow > Configuration Item > Table Definition
- GCP > Logging > Metric > ServiceNow > Table
- GCP > Logging > Metric > ServiceNow > Table > Definition
- GCP > Logging > Sink > ServiceNow
- GCP > Logging > Sink > ServiceNow > Configuration Item
- GCP > Logging > Sink > ServiceNow > Configuration Item > Record
- GCP > Logging > Sink > ServiceNow > Configuration Item > Table Definition
- GCP > Logging > Sink > ServiceNow > Table
- GCP > Logging > Sink > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > Compute Engine > HTTP Health Check > ServiceNow
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Table
- GCP > Compute Engine > HTTPS Health Check > ServiceNow
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table
- GCP > Compute Engine > Health Check > ServiceNow
- GCP > Compute Engine > Health Check > ServiceNow > Configuration Item
- GCP > Compute Engine > Health Check > ServiceNow > Table
- GCP > Compute Engine > Instance Template > ServiceNow
- GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item
- GCP > Compute Engine > Instance Template > ServiceNow > Table
- GCP > Compute Engine > Node Group > ServiceNow
- GCP > Compute Engine > Node Group > ServiceNow > Configuration Item
- GCP > Compute Engine > Node Group > ServiceNow > Table
- GCP > Compute Engine > Node Template > ServiceNow
- GCP > Compute Engine > Node Template > ServiceNow > Configuration Item
- GCP > Compute Engine > Node Template > ServiceNow > Table
- GCP > Compute Engine > Project > ServiceNow
- GCP > Compute Engine > Project > ServiceNow > Configuration Item
- GCP > Compute Engine > Project > ServiceNow > Table
- GCP > Compute Engine > Region Disk > ServiceNow
- GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item
- GCP > Compute Engine > Region Disk > ServiceNow > Table
- GCP > Compute Engine > Region Health Check > ServiceNow
- GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item
- GCP > Compute Engine > Region Health Check > ServiceNow > Table
Policy Types:
- GCP > Compute Engine > HTTP Health Check > ServiceNow
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Table
- GCP > Compute Engine > HTTP Health Check > ServiceNow > Table > Definition
- GCP > Compute Engine > HTTPS Health Check > ServiceNow
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table
- GCP > Compute Engine > HTTPS Health Check > ServiceNow > Table > Definition
- GCP > Compute Engine > Health Check > ServiceNow
- GCP > Compute Engine > Health Check > ServiceNow > Configuration Item
- GCP > Compute Engine > Health Check > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Health Check > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Health Check > ServiceNow > Table
- GCP > Compute Engine > Health Check > ServiceNow > Table > Definition
- GCP > Compute Engine > Instance Template > ServiceNow
- GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item
- GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Instance Template > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Instance Template > ServiceNow > Table
- GCP > Compute Engine > Instance Template > ServiceNow > Table > Definition
- GCP > Compute Engine > Node Group > ServiceNow
- GCP > Compute Engine > Node Group > ServiceNow > Configuration Item
- GCP > Compute Engine > Node Group > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Node Group > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Node Group > ServiceNow > Table
- GCP > Compute Engine > Node Group > ServiceNow > Table > Definition
- GCP > Compute Engine > Node Template > ServiceNow
- GCP > Compute Engine > Node Template > ServiceNow > Configuration Item
- GCP > Compute Engine > Node Template > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Node Template > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Node Template > ServiceNow > Table
- GCP > Compute Engine > Node Template > ServiceNow > Table > Definition
- GCP > Compute Engine > Project > ServiceNow
- GCP > Compute Engine > Project > ServiceNow > Configuration Item
- GCP > Compute Engine > Project > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Project > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Project > ServiceNow > Table
- GCP > Compute Engine > Project > ServiceNow > Table > Definition
- GCP > Compute Engine > Region Disk > ServiceNow
- GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item
- GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Region Disk > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Region Disk > ServiceNow > Table
- GCP > Compute Engine > Region Disk > ServiceNow > Table > Definition
- GCP > Compute Engine > Region Health Check > ServiceNow
- GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item
- GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Region Health Check > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Region Health Check > ServiceNow > Table
- GCP > Compute Engine > Region Health Check > ServiceNow > Table > Definition
What's new?
- Policy Types:
- Turbot > Stack > Native Stack Version [Default]
Requirements
- TE: 5.35.4
What's new?
Control Types:
- GCP > SQL > Backup > ServiceNow
- GCP > SQL > Backup > ServiceNow > Configuration Item
- GCP > SQL > Backup > ServiceNow > Table
- GCP > SQL > Database > ServiceNow
- GCP > SQL > Database > ServiceNow > Configuration Item
- GCP > SQL > Database > ServiceNow > Table
Policy Types:
- GCP > SQL > Backup > ServiceNow
- GCP > SQL > Backup > ServiceNow > Configuration Item
- GCP > SQL > Backup > ServiceNow > Configuration Item > Record
- GCP > SQL > Backup > ServiceNow > Configuration Item > Table Definition
- GCP > SQL > Backup > ServiceNow > Table
- GCP > SQL > Backup > ServiceNow > Table > Definition
- GCP > SQL > Database > ServiceNow
- GCP > SQL > Database > ServiceNow > Configuration Item
- GCP > SQL > Database > ServiceNow > Configuration Item > Record
- GCP > SQL > Database > ServiceNow > Configuration Item > Table Definition
- GCP > SQL > Database > ServiceNow > Table
- GCP > SQL > Database > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > KMS > Crypto Key > ServiceNow
- GCP > KMS > Crypto Key > ServiceNow > Configuration Item
- GCP > KMS > Crypto Key > ServiceNow > Table
- GCP > KMS > Key Ring > ServiceNow
- GCP > KMS > Key Ring > ServiceNow > Configuration Item
- GCP > KMS > Key Ring > ServiceNow > Table
Policy Types:
- GCP > KMS > Crypto Key > ServiceNow
- GCP > KMS > Crypto Key > ServiceNow > Configuration Item
- GCP > KMS > Crypto Key > ServiceNow > Configuration Item > Record
- GCP > KMS > Crypto Key > ServiceNow > Configuration Item > Table Definition
- GCP > KMS > Crypto Key > ServiceNow > Table
- GCP > KMS > Crypto Key > ServiceNow > Table > Definition
- GCP > KMS > Key Ring > ServiceNow
- GCP > KMS > Key Ring > ServiceNow > Configuration Item
- GCP > KMS > Key Ring > ServiceNow > Configuration Item > Record
- GCP > KMS > Key Ring > ServiceNow > Configuration Item > Table Definition
- GCP > KMS > Key Ring > ServiceNow > Table
- GCP > KMS > Key Ring > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > BigQuery > Dataset > ServiceNow
- GCP > BigQuery > Dataset > ServiceNow > Configuration Item
- GCP > BigQuery > Dataset > ServiceNow > Table
- GCP > BigQuery > Table > ServiceNow
- GCP > BigQuery > Table > ServiceNow > Configuration Item
- GCP > BigQuery > Table > ServiceNow > Table
Policy Types:
- GCP > BigQuery > Dataset > ServiceNow
- GCP > BigQuery > Dataset > ServiceNow > Configuration Item
- GCP > BigQuery > Dataset > ServiceNow > Configuration Item > Record
- GCP > BigQuery > Dataset > ServiceNow > Configuration Item > Table Definition
- GCP > BigQuery > Dataset > ServiceNow > Table
- GCP > BigQuery > Dataset > ServiceNow > Table > Definition
- GCP > BigQuery > Table > ServiceNow
- GCP > BigQuery > Table > ServiceNow > Configuration Item
- GCP > BigQuery > Table > ServiceNow > Configuration Item > Record
- GCP > BigQuery > Table > ServiceNow > Configuration Item > Table Definition
- GCP > BigQuery > Table > ServiceNow > Table
- GCP > BigQuery > Table > ServiceNow > Table > Definition
Bug fixes
- Server
- Updated: Enhanced IAM policy for tighter access around custom Lambda.
- Fixed: Turbot > Workspace > Health Control should not break if there is no input.
Requirements
- TEF: 1.55.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
- GCP > Bigtable > Cluster > ServiceNow
- GCP > Bigtable > Cluster > ServiceNow > Configuration Item
- GCP > Bigtable > Cluster > ServiceNow > Table
- GCP > Bigtable > Instance > ServiceNow
- GCP > Bigtable > Instance > ServiceNow > Configuration Item
- GCP > Bigtable > Instance > ServiceNow > Table
- GCP > Bigtable > Table > ServiceNow
- GCP > Bigtable > Table > ServiceNow > Configuration Item
- GCP > Bigtable > Table > ServiceNow > Table
Policy Types:
- GCP > Bigtable > Cluster > ServiceNow
- GCP > Bigtable > Cluster > ServiceNow > Configuration Item
- GCP > Bigtable > Cluster > ServiceNow > Configuration Item > Record
- GCP > Bigtable > Cluster > ServiceNow > Configuration Item > Table Definition
- GCP > Bigtable > Cluster > ServiceNow > Table
- GCP > Bigtable > Cluster > ServiceNow > Table > Definition
- GCP > Bigtable > Instance > ServiceNow
- GCP > Bigtable > Instance > ServiceNow > Configuration Item
- GCP > Bigtable > Instance > ServiceNow > Configuration Item > Record
- GCP > Bigtable > Instance > ServiceNow > Configuration Item > Table Definition
- GCP > Bigtable > Instance > ServiceNow > Table
- GCP > Bigtable > Instance > ServiceNow > Table > Definition
- GCP > Bigtable > Table > ServiceNow
- GCP > Bigtable > Table > ServiceNow > Configuration Item
- GCP > Bigtable > Table > ServiceNow > Configuration Item > Record
- GCP > Bigtable > Table > ServiceNow > Configuration Item > Table Definition
- GCP > Bigtable > Table > ServiceNow > Table
- GCP > Bigtable > Table > ServiceNow > Table > Definition
What's new?
Control Types:
- GCP > App Engine > Application > ServiceNow
- GCP > App Engine > Application > ServiceNow > Configuration Item
- GCP > App Engine > Application > ServiceNow > Table
- GCP > App Engine > Firewall Rule > ServiceNow
- GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item
- GCP > App Engine > Firewall Rule > ServiceNow > Table
- GCP > App Engine > Instance > ServiceNow
- GCP > App Engine > Instance > ServiceNow > Configuration Item
- GCP > App Engine > Instance > ServiceNow > Table
- GCP > App Engine > Service > ServiceNow
- GCP > App Engine > Service > ServiceNow > Configuration Item
- GCP > App Engine > Service > ServiceNow > Table
- GCP > App Engine > Version > ServiceNow
- GCP > App Engine > Version > ServiceNow > Configuration Item
- GCP > App Engine > Version > ServiceNow > Table
Policy Types:
- GCP > App Engine > Application > ServiceNow
- GCP > App Engine > Application > ServiceNow > Configuration Item
- GCP > App Engine > Application > ServiceNow > Configuration Item > Record
- GCP > App Engine > Application > ServiceNow > Configuration Item > Table Definition
- GCP > App Engine > Application > ServiceNow > Table
- GCP > App Engine > Application > ServiceNow > Table > Definition
- GCP > App Engine > Firewall Rule > ServiceNow
- GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item
- GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item > Record
- GCP > App Engine > Firewall Rule > ServiceNow > Configuration Item > Table Definition
- GCP > App Engine > Firewall Rule > ServiceNow > Table
- GCP > App Engine > Firewall Rule > ServiceNow > Table > Definition
- GCP > App Engine > Instance > ServiceNow
- GCP > App Engine > Instance > ServiceNow > Configuration Item
- GCP > App Engine > Instance > ServiceNow > Configuration Item > Record
- GCP > App Engine > Instance > ServiceNow > Configuration Item > Table Definition
- GCP > App Engine > Instance > ServiceNow > Table
- GCP > App Engine > Instance > ServiceNow > Table > Definition
- GCP > App Engine > Service > ServiceNow
- GCP > App Engine > Service > ServiceNow > Configuration Item
- GCP > App Engine > Service > ServiceNow > Configuration Item > Record
- GCP > App Engine > Service > ServiceNow > Configuration Item > Table Definition
- GCP > App Engine > Service > ServiceNow > Table
- GCP > App Engine > Service > ServiceNow > Table > Definition
- GCP > App Engine > Version > ServiceNow
- GCP > App Engine > Version > ServiceNow > Configuration Item
- GCP > App Engine > Version > ServiceNow > Configuration Item > Record
- GCP > App Engine > Version > ServiceNow > Configuration Item > Table Definition
- GCP > App Engine > Version > ServiceNow > Table
- GCP > App Engine > Version > ServiceNow > Table > Definition
Bug fixes
- The
GCP > Turbot > Event Pollercontrol now includes a precheck condition to avoid running GraphQL input queries when theGCP > Turbot > Event Pollerpolicy is set toDisabled. You won’t notice any difference and the control should run lighter and quicker than before.
Bug fixes
- The
Azure > Turbot > Event PollerandAzure > Turbot > Management Group Event Pollercontrols now include a precheck condition to avoid running GraphQL input queries when theAzure > Turbot > Event PollerandAzure > Turbot > Management Group Event Pollerpolicies are set toDisabledrespectively. You won’t notice any difference and the controls should run lighter and quicker than before.
Bug fixes
- The
Azure > Turbot > Directory Event Pollercontrol now includes a precheck condition to avoid running GraphQL input queries when theAzure > Turbot > Directory Event Pollerpolicy is set toDisabled. You won’t notice any difference and the control should run lighter and quicker than before.
Bug fixes
- The
AWS > Turbot > Event Pollercontrol now includes a precheck condition to avoid running GraphQL input queries when theAWS > Turbot > Event Pollerpolicy is set toDisabled. You won’t notice any difference and the control should run lighter and quicker than before.
What's new?
Resource Types:
- AWS > OpenSearch
Policy Types:
- AWS > OpenSearch > API Enabled
- AWS > OpenSearch > Approved Regions [Default]
- AWS > OpenSearch > Enabled
- AWS > OpenSearch > Permissions
- AWS > OpenSearch > Permissions > Levels
- AWS > OpenSearch > Permissions > Levels > Modifiers
- AWS > OpenSearch > Permissions > Lockdown
- AWS > OpenSearch > Permissions > Lockdown > API Boundary
- AWS > OpenSearch > Regions
- AWS > OpenSearch > Tags Template [Default]
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-opensearch
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-opensearch
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-opensearch
What's new?
- Added the input variables to the following services to allow different thresholds to be passed in:
DropletDatabaseBlock StorageKubernetes
To get started, please see [Digitalocean Thrifty Configuration] (https://hub.steampipe.io/mods/turbot/digitalocean_thrifty#configuration). For a list of variables and their default values, please see steampipe.spvars. (#36)
What's new?
- New tables added
Note : Table aws_sns_topic_subscription will be changing behaviours in a future release to return results from ListSubscriptionsByTopic instead of ListSubscriptions.
What's new?
Control Types:
- Azure > Resource Group > ServiceNow
- Azure > Resource Group > ServiceNow > Configuration Item
- Azure > Resource Group > ServiceNow > Table
- Azure > Subscription > ServiceNow
- Azure > Subscription > ServiceNow > Configuration Item
- Azure > Subscription > ServiceNow > Table
- Azure > Tenant > ServiceNow
- Azure > Tenant > ServiceNow > Configuration Item
- Azure > Tenant > ServiceNow > Table
Policy Types:
- Azure > Resource Group > ServiceNow
- Azure > Resource Group > ServiceNow > Configuration Item
- Azure > Resource Group > ServiceNow > Configuration Item > Record
- Azure > Resource Group > ServiceNow > Configuration Item > Table Definition
- Azure > Resource Group > ServiceNow > Table
- Azure > Resource Group > ServiceNow > Table > Definition
- Azure > Subscription > ServiceNow
- Azure > Subscription > ServiceNow > Configuration Item
- Azure > Subscription > ServiceNow > Configuration Item > Record
- Azure > Subscription > ServiceNow > Configuration Item > Table Definition
- Azure > Subscription > ServiceNow > Table
- Azure > Subscription > ServiceNow > Table > Definition
- Azure > Tenant > ServiceNow
- Azure > Tenant > ServiceNow > Configuration Item
- Azure > Tenant > ServiceNow > Configuration Item > Record
- Azure > Tenant > ServiceNow > Configuration Item > Table Definition
- Azure > Tenant > ServiceNow > Table
- Azure > Tenant > ServiceNow > Table > Definition
Bug fixes
- Updated the tags to use
riskinstead ofseverityto eliminate duplicate column names in output files. (#41)
What's new?
Control Types:
- Azure > Network > Private Endpoints > ServiceNow
- Azure > Network > Private Endpoints > ServiceNow > Configuration Item
- Azure > Network > Private Endpoints > ServiceNow > Table
Policy Types:
- Azure > Network > Private Endpoints > ServiceNow
- Azure > Network > Private Endpoints > ServiceNow > Configuration Item
- Azure > Network > Private Endpoints > ServiceNow > Configuration Item > Record
- Azure > Network > Private Endpoints > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Private Endpoints > ServiceNow > Table
- Azure > Network > Private Endpoints > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Automation > Automation Account > ServiceNow
- Azure > Automation > Automation Account > ServiceNow > Configuration Item
- Azure > Automation > Automation Account > ServiceNow > Table
- Azure > Automation > Runbook > ServiceNow
- Azure > Automation > Runbook > ServiceNow > Configuration Item
- Azure > Automation > Runbook > ServiceNow > Table
Policy Types:
- Azure > Automation > Automation Account > ServiceNow
- Azure > Automation > Automation Account > ServiceNow > Configuration Item
- Azure > Automation > Automation Account > ServiceNow > Configuration Item > Record
- Azure > Automation > Automation Account > ServiceNow > Configuration Item > Table Definition
- Azure > Automation > Automation Account > ServiceNow > Table
- Azure > Automation > Automation Account > ServiceNow > Table > Definition
- Azure > Automation > Runbook > ServiceNow
- Azure > Automation > Runbook > ServiceNow > Configuration Item
- Azure > Automation > Runbook > ServiceNow > Configuration Item > Record
- Azure > Automation > Runbook > ServiceNow > Configuration Item > Table Definition
- Azure > Automation > Runbook > ServiceNow > Table
- Azure > Automation > Runbook > ServiceNow > Table > Definition
What's new?
- Added support for
aws_network_interface_sg_attachmentTerraform resource forAWS > EC2 > Network Interface.
Bug fixes
- The
AWS > EC2 > Instance > CMDBcontrol would sometimes trigger multiple times ifEnclaveOptionswas not set as part of theAWS > EC2 > Instance > CMDB > Attributespolicy. This would result in unnecessary Lambda runs for the control. TheEnclaveOptionsattribute is now available in the CMDB data by default and theEnclaveOptionspolicy value inAWS > EC2 > Instance > CMDB > Attributespolicy has now been deprecated, and will be removed in the next major version.
Bug fixes
- Updated the credential section of README to use
api_keyinstead oftoken. (#7)
What's new?
- Updated: Launch Template to prevent association of Network Interface with public IPs.
What's new?
Control Types:
- Azure > Storage > Container > ServiceNow
- Azure > Storage > Container > ServiceNow > Configuration Item
- Azure > Storage > Container > ServiceNow > Table
- Azure > Storage > FileShare > ServiceNow
- Azure > Storage > FileShare > ServiceNow > Configuration Item
- Azure > Storage > FileShare > ServiceNow > Table
- Azure > Storage > Queue > ServiceNow
- Azure > Storage > Queue > ServiceNow > Configuration Item
- Azure > Storage > Queue > ServiceNow > Table
Policy Types:
- Azure > Storage > Container > ServiceNow
- Azure > Storage > Container > ServiceNow > Configuration Item
- Azure > Storage > Container > ServiceNow > Configuration Item > Record
- Azure > Storage > Container > ServiceNow > Configuration Item > Table Definition
- Azure > Storage > Container > ServiceNow > Table
- Azure > Storage > Container > ServiceNow > Table > Definition
- Azure > Storage > FileShare > ServiceNow
- Azure > Storage > FileShare > ServiceNow > Configuration Item
- Azure > Storage > FileShare > ServiceNow > Configuration Item > Record
- Azure > Storage > FileShare > ServiceNow > Configuration Item > Table Definition
- Azure > Storage > FileShare > ServiceNow > Table
- Azure > Storage > FileShare > ServiceNow > Table > Definition
- Azure > Storage > Queue > ServiceNow
- Azure > Storage > Queue > ServiceNow > Configuration Item
- Azure > Storage > Queue > ServiceNow > Configuration Item > Record
- Azure > Storage > Queue > ServiceNow > Configuration Item > Table Definition
- Azure > Storage > Queue > ServiceNow > Table
- Azure > Storage > Queue > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Recovery Service > Backup > ServiceNow
- Azure > Recovery Service > Backup > ServiceNow > Configuration Item
- Azure > Recovery Service > Backup > ServiceNow > Table
- Azure > Recovery Service > Vault > ServiceNow
- Azure > Recovery Service > Vault > ServiceNow > Configuration Item
- Azure > Recovery Service > Vault > ServiceNow > Table
Policy Types:
- Azure > Recovery Service > Backup > ServiceNow
- Azure > Recovery Service > Backup > ServiceNow > Configuration Item
- Azure > Recovery Service > Backup > ServiceNow > Configuration Item > Record
- Azure > Recovery Service > Backup > ServiceNow > Configuration Item > Table Definition
- Azure > Recovery Service > Backup > ServiceNow > Table
- Azure > Recovery Service > Backup > ServiceNow > Table > Definition
- Azure > Recovery Service > Vault > ServiceNow
- Azure > Recovery Service > Vault > ServiceNow > Configuration Item
- Azure > Recovery Service > Vault > ServiceNow > Configuration Item > Record
- Azure > Recovery Service > Vault > ServiceNow > Configuration Item > Table Definition
- Azure > Recovery Service > Vault > ServiceNow > Table
- Azure > Recovery Service > Vault > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Monitor > Action Group > ServiceNow
- Azure > Monitor > Action Group > ServiceNow > Configuration Item
- Azure > Monitor > Action Group > ServiceNow > Table
- Azure > Monitor > Alerts > ServiceNow
- Azure > Monitor > Alerts > ServiceNow > Configuration Item
- Azure > Monitor > Alerts > ServiceNow > Table
- Azure > Monitor > Log Profile > ServiceNow
- Azure > Monitor > Log Profile > ServiceNow > Configuration Item
- Azure > Monitor > Log Profile > ServiceNow > Table
Policy Types:
- Azure > Monitor > Action Group > ServiceNow
- Azure > Monitor > Action Group > ServiceNow > Configuration Item
- Azure > Monitor > Action Group > ServiceNow > Configuration Item > Record
- Azure > Monitor > Action Group > ServiceNow > Configuration Item > Table Definition
- Azure > Monitor > Action Group > ServiceNow > Table
- Azure > Monitor > Action Group > ServiceNow > Table > Definition
- Azure > Monitor > Alerts > ServiceNow
- Azure > Monitor > Alerts > ServiceNow > Configuration Item
- Azure > Monitor > Alerts > ServiceNow > Configuration Item > Record
- Azure > Monitor > Alerts > ServiceNow > Configuration Item > Table Definition
- Azure > Monitor > Alerts > ServiceNow > Table
- Azure > Monitor > Alerts > ServiceNow > Table > Definition
- Azure > Monitor > Log Profile > ServiceNow
- Azure > Monitor > Log Profile > ServiceNow > Configuration Item
- Azure > Monitor > Log Profile > ServiceNow > Configuration Item > Record
- Azure > Monitor > Log Profile > ServiceNow > Configuration Item > Table Definition
- Azure > Monitor > Log Profile > ServiceNow > Table
- Azure > Monitor > Log Profile > ServiceNow > Table > Definition
What's new?
- Added the following controls across the benchmarks: (#51)
container_instance_container_group_secure_environment_variablecontainer_registry_zone_redundant_enabled
What's new?
- New tables added
Enhancements
- Added
storage_throughputcolumn toaws_rds_db_instancetable. (#2010) (Thanks @toddwh50 for the contribution!) - Added
layerscolumn toaws_lambda_functiontable. (#2008) (Thanks @icaliskanoglu for the contribution!) - Added
tagscolumn toaws_backup_recovery_pointandaws_backup_vaulttables. (#2033)
Bug fixes
Bug fixes
- Removed inaccurate SQL Query string validation to check for arguments. (#516)
What's new?
Control Types:
- GCP > Kubernetes Engine > Region Cluster > ServiceNow
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table
Policy Types:
- GCP > Kubernetes Engine > Region Cluster > ServiceNow
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item > Record
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Configuration Item > Table Definition
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table
- GCP > Kubernetes Engine > Region Cluster > ServiceNow > Table > Definition
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item > Record
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Configuration Item > Table Definition
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table
- GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Table > Definition
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item > Record
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Configuration Item > Table Definition
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table
- GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Table > Definition
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item > Record
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Configuration Item > Table Definition
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table
- GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > IAM > Role Assignment > ServiceNow
- Azure > IAM > Role Assignment > ServiceNow > Configuration Item
- Azure > IAM > Role Assignment > ServiceNow > Table
- Azure > IAM > Role Definition > ServiceNow
- Azure > IAM > Role Definition > ServiceNow > Configuration Item
- Azure > IAM > Role Definition > ServiceNow > Table
Policy Types:
- Azure > IAM > Role Assignment > ServiceNow
- Azure > IAM > Role Assignment > ServiceNow > Configuration Item
- Azure > IAM > Role Assignment > ServiceNow > Configuration Item > Record
- Azure > IAM > Role Assignment > ServiceNow > Configuration Item > Table Definition
- Azure > IAM > Role Assignment > ServiceNow > Table
- Azure > IAM > Role Assignment > ServiceNow > Table > Definition
- Azure > IAM > Role Definition > ServiceNow
- Azure > IAM > Role Definition > ServiceNow > Configuration Item
- Azure > IAM > Role Definition > ServiceNow > Configuration Item > Record
- Azure > IAM > Role Definition > ServiceNow > Configuration Item > Table Definition
- Azure > IAM > Role Definition > ServiceNow > Table
- Azure > IAM > Role Definition > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Data Factory > Dataset > ServiceNow
- Azure > Data Factory > Dataset > ServiceNow > Configuration Item
- Azure > Data Factory > Dataset > ServiceNow > Table
- Azure > Data Factory > Factory > ServiceNow
- Azure > Data Factory > Factory > ServiceNow > Configuration Item
- Azure > Data Factory > Factory > ServiceNow > Table
- Azure > Data Factory > Pipeline > ServiceNow
- Azure > Data Factory > Pipeline > ServiceNow > Configuration Item
- Azure > Data Factory > Pipeline > ServiceNow > Table
Policy Types:
- Azure > Data Factory > Dataset > ServiceNow
- Azure > Data Factory > Dataset > ServiceNow > Configuration Item
- Azure > Data Factory > Dataset > ServiceNow > Configuration Item > Record
- Azure > Data Factory > Dataset > ServiceNow > Configuration Item > Table Definition
- Azure > Data Factory > Dataset > ServiceNow > Table
- Azure > Data Factory > Dataset > ServiceNow > Table > Definition
- Azure > Data Factory > Factory > ServiceNow
- Azure > Data Factory > Factory > ServiceNow > Configuration Item
- Azure > Data Factory > Factory > ServiceNow > Configuration Item > Record
- Azure > Data Factory > Factory > ServiceNow > Configuration Item > Table Definition
- Azure > Data Factory > Factory > ServiceNow > Table
- Azure > Data Factory > Factory > ServiceNow > Table > Definition
- Azure > Data Factory > Pipeline > ServiceNow
- Azure > Data Factory > Pipeline > ServiceNow > Configuration Item
- Azure > Data Factory > Pipeline > ServiceNow > Configuration Item > Record
- Azure > Data Factory > Pipeline > ServiceNow > Configuration Item > Table Definition
- Azure > Data Factory > Pipeline > ServiceNow > Table
- Azure > Data Factory > Pipeline > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Databricks > Workspace > ServiceNow
- Azure > Databricks > Workspace > ServiceNow > Configuration Item
- Azure > Databricks > Workspace > ServiceNow > Table
Policy Types:
- Azure > Databricks > Workspace > ServiceNow
- Azure > Databricks > Workspace > ServiceNow > Configuration Item
- Azure > Databricks > Workspace > ServiceNow > Configuration Item > Record
- Azure > Databricks > Workspace > ServiceNow > Configuration Item > Table Definition
- Azure > Databricks > Workspace > ServiceNow > Table
- Azure > Databricks > Workspace > ServiceNow > Table > Definition
Bug fixes
- Server
- Minor internal improvements.
Requirements
- TEF: 1.51.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhancements
- Updated the controls to reference their query using
query =rather thansql =. (#25)
Bug fixes
- Fixed the broken
network_subnet_to_network_virtual_networkedge of the relationship graph in thesql_server_detaildashboard page to correctly reference thenetwork_subnets_for_sql_serverquery. (#118)
Bug fixes
- Fixed the
kubernetes_cluster_upgraded_with_non_vulnerable_versionquery to correctly check if a Kubernetes cluster is using an outdated software version. (#235)
Bug fixes
- Server
- The scheduled actions would sometimes fail to work for the firehose-aws-sns mod due an inadvertent bug introduced in TE v5.42.10. This is now fixed.
Requirements
- TEF: 1.51.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
- Azure > Active Directory > Application > ServiceNow
- Azure > Active Directory > Application > ServiceNow > Configuration Item
- Azure > Active Directory > Application > ServiceNow > Table
- Azure > Active Directory > Client Secret > ServiceNow
- Azure > Active Directory > Client Secret > ServiceNow > Configuration Item
- Azure > Active Directory > Client Secret > ServiceNow > Table
- Azure > Active Directory > Custom Domain > ServiceNow
- Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item
- Azure > Active Directory > Custom Domain > ServiceNow > Table
- Azure > Active Directory > Directory > ServiceNow
- Azure > Active Directory > Directory > ServiceNow > Configuration Item
- Azure > Active Directory > Directory > ServiceNow > Table
- Azure > Active Directory > Group > ServiceNow
- Azure > Active Directory > Group > ServiceNow > Configuration Item
- Azure > Active Directory > Group > ServiceNow > Table
- Azure > Active Directory > Service Principal > ServiceNow
- Azure > Active Directory > Service Principal > ServiceNow > Configuration Item
- Azure > Active Directory > Service Principal > ServiceNow > Table
- Azure > Active Directory > User > ServiceNow
- Azure > Active Directory > User > ServiceNow > Configuration Item
- Azure > Active Directory > User > ServiceNow > Table
Policy Types:
- Azure > Active Directory > Application > ServiceNow
- Azure > Active Directory > Application > ServiceNow > Configuration Item
- Azure > Active Directory > Application > ServiceNow > Configuration Item > Record
- Azure > Active Directory > Application > ServiceNow > Configuration Item > Table Definition
- Azure > Active Directory > Application > ServiceNow > Table
- Azure > Active Directory > Application > ServiceNow > Table > Definition
- Azure > Active Directory > Client Secret > ServiceNow
- Azure > Active Directory > Client Secret > ServiceNow > Configuration Item
- Azure > Active Directory > Client Secret > ServiceNow > Configuration Item > Record
- Azure > Active Directory > Client Secret > ServiceNow > Configuration Item > Table Definition
- Azure > Active Directory > Client Secret > ServiceNow > Table
- Azure > Active Directory > Client Secret > ServiceNow > Table > Definition
- Azure > Active Directory > Custom Domain > ServiceNow
- Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item
- Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item > Record
- Azure > Active Directory > Custom Domain > ServiceNow > Configuration Item > Table Definition
- Azure > Active Directory > Custom Domain > ServiceNow > Table
- Azure > Active Directory > Custom Domain > ServiceNow > Table > Definition
- Azure > Active Directory > Directory > ServiceNow
- Azure > Active Directory > Directory > ServiceNow > Configuration Item
- Azure > Active Directory > Directory > ServiceNow > Configuration Item > Record
- Azure > Active Directory > Directory > ServiceNow > Configuration Item > Table Definition
- Azure > Active Directory > Directory > ServiceNow > Table
- Azure > Active Directory > Directory > ServiceNow > Table > Definition
- Azure > Active Directory > Group > ServiceNow
- Azure > Active Directory > Group > ServiceNow > Configuration Item
- Azure > Active Directory > Group > ServiceNow > Configuration Item > Record
- Azure > Active Directory > Group > ServiceNow > Configuration Item > Table Definition
- Azure > Active Directory > Group > ServiceNow > Table
- Azure > Active Directory > Group > ServiceNow > Table > Definition
- Azure > Active Directory > Service Principal > ServiceNow
- Azure > Active Directory > Service Principal > ServiceNow > Configuration Item
- Azure > Active Directory > Service Principal > ServiceNow > Configuration Item > Record
- Azure > Active Directory > Service Principal > ServiceNow > Configuration Item > Table Definition
- Azure > Active Directory > Service Principal > ServiceNow > Table
- Azure > Active Directory > Service Principal > ServiceNow > Table > Definition
- Azure > Active Directory > User > ServiceNow
- Azure > Active Directory > User > ServiceNow > Configuration Item
- Azure > Active Directory > User > ServiceNow > Configuration Item > Record
- Azure > Active Directory > User > ServiceNow > Configuration Item > Table Definition
- Azure > Active Directory > User > ServiceNow > Table
- Azure > Active Directory > User > ServiceNow > Table > Definition
Bug fixes
- Fixed the plugin to return only static tables instead of an error when the
objectsconfig argument is not set or the plugin credentials are not set correctly. (#26)
What's new?
- New tables added
- reddit_my_saved_post (Thanks @mkell43 for the contribution!)
- reddit_my_saved_comment (Thanks @mkell43 for the contribution!)
What's new?
Control Types:
- GCP > Pub/Sub > Snapshot > ServiceNow
- GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item
- GCP > Pub/Sub > Snapshot > ServiceNow > Table
- GCP > Pub/Sub > Subscription > ServiceNow
- GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item
- GCP > Pub/Sub > Subscription > ServiceNow > Table
- GCP > Pub/Sub > Topic > ServiceNow
- GCP > Pub/Sub > Topic > ServiceNow > Configuration Item
- GCP > Pub/Sub > Topic > ServiceNow > Table
Policy Types:
- GCP > Pub/Sub > Snapshot > ServiceNow
- GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item
- GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item > Record
- GCP > Pub/Sub > Snapshot > ServiceNow > Configuration Item > Table Definition
- GCP > Pub/Sub > Snapshot > ServiceNow > Table
- GCP > Pub/Sub > Snapshot > ServiceNow > Table > Definition
- GCP > Pub/Sub > Subscription > ServiceNow
- GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item
- GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item > Record
- GCP > Pub/Sub > Subscription > ServiceNow > Configuration Item > Table Definition
- GCP > Pub/Sub > Subscription > ServiceNow > Table
- GCP > Pub/Sub > Subscription > ServiceNow > Table > Definition
- GCP > Pub/Sub > Topic > ServiceNow
- GCP > Pub/Sub > Topic > ServiceNow > Configuration Item
- GCP > Pub/Sub > Topic > ServiceNow > Configuration Item > Record
- GCP > Pub/Sub > Topic > ServiceNow > Configuration Item > Table Definition
- GCP > Pub/Sub > Topic > ServiceNow > Table
- GCP > Pub/Sub > Topic > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Synapse Analytics > SQL Pool > ServiceNow
- Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item
- Azure > Synapse Analytics > SQL Pool > ServiceNow > Table
- Azure > Synapse Analytics > Workspace > ServiceNow
- Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item
- Azure > Synapse Analytics > Workspace > ServiceNow > Table
Policy Types:
- Azure > Synapse Analytics > SQL Pool > ServiceNow
- Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item
- Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item > Record
- Azure > Synapse Analytics > SQL Pool > ServiceNow > Configuration Item > Table Definition
- Azure > Synapse Analytics > SQL Pool > ServiceNow > Table
- Azure > Synapse Analytics > SQL Pool > ServiceNow > Table > Definition
- Azure > Synapse Analytics > Workspace > ServiceNow
- Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item
- Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item > Record
- Azure > Synapse Analytics > Workspace > ServiceNow > Configuration Item > Table Definition
- Azure > Synapse Analytics > Workspace > ServiceNow > Table
- Azure > Synapse Analytics > Workspace > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Search Management > Search Service > ServiceNow
- Azure > Search Management > Search Service > ServiceNow > Configuration Item
- Azure > Search Management > Search Service > ServiceNow > Table
Policy Types:
- Azure > Search Management > Search Service > ServiceNow
- Azure > Search Management > Search Service > ServiceNow > Configuration Item
- Azure > Search Management > Search Service > ServiceNow > Configuration Item > Record
- Azure > Search Management > Search Service > ServiceNow > Configuration Item > Table Definition
- Azure > Search Management > Search Service > ServiceNow > Table
- Azure > Search Management > Search Service > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Service Bus > Namespace > ServiceNow
- Azure > Service Bus > Namespace > ServiceNow > Configuration Item
- Azure > Service Bus > Namespace > ServiceNow > Table
- Azure > Service Bus > Queue > ServiceNow
- Azure > Service Bus > Queue > ServiceNow > Configuration Item
- Azure > Service Bus > Queue > ServiceNow > Table
- Azure > Service Bus > Topic > ServiceNow
- Azure > Service Bus > Topic > ServiceNow > Configuration Item
- Azure > Service Bus > Topic > ServiceNow > Table
Policy Types:
- Azure > Service Bus > Namespace > ServiceNow
- Azure > Service Bus > Namespace > ServiceNow > Configuration Item
- Azure > Service Bus > Namespace > ServiceNow > Configuration Item > Record
- Azure > Service Bus > Namespace > ServiceNow > Configuration Item > Table Definition
- Azure > Service Bus > Namespace > ServiceNow > Table
- Azure > Service Bus > Namespace > ServiceNow > Table > Definition
- Azure > Service Bus > Queue > ServiceNow
- Azure > Service Bus > Queue > ServiceNow > Configuration Item
- Azure > Service Bus > Queue > ServiceNow > Configuration Item > Record
- Azure > Service Bus > Queue > ServiceNow > Configuration Item > Table Definition
- Azure > Service Bus > Queue > ServiceNow > Table
- Azure > Service Bus > Queue > ServiceNow > Table > Definition
- Azure > Service Bus > Topic > ServiceNow
- Azure > Service Bus > Topic > ServiceNow > Configuration Item
- Azure > Service Bus > Topic > ServiceNow > Configuration Item > Record
- Azure > Service Bus > Topic > ServiceNow > Configuration Item > Table Definition
- Azure > Service Bus > Topic > ServiceNow > Table
- Azure > Service Bus > Topic > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Load Balancer > Load Balance > ServiceNow
- Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item
- Azure > Load Balancer > Load Balance > ServiceNow > Table
Policy Types:
- Azure > Load Balancer > Load Balance > ServiceNow
- Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item
- Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item > Record
- Azure > Load Balancer > Load Balance > ServiceNow > Configuration Item > Table Definition
- Azure > Load Balancer > Load Balance > ServiceNow > Table
- Azure > Load Balancer > Load Balance > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > DNS > Record Set > ServiceNow
- Azure > DNS > Record Set > ServiceNow > Configuration Item
- Azure > DNS > Record Set > ServiceNow > Table
- Azure > DNS > Zone > ServiceNow
- Azure > DNS > Zone > ServiceNow > Configuration Item
- Azure > DNS > Zone > ServiceNow > Table
Policy Types:
- Azure > DNS > Record Set > ServiceNow
- Azure > DNS > Record Set > ServiceNow > Configuration Item
- Azure > DNS > Record Set > ServiceNow > Configuration Item > Record
- Azure > DNS > Record Set > ServiceNow > Configuration Item > Table Definition
- Azure > DNS > Record Set > ServiceNow > Table
- Azure > DNS > Record Set > ServiceNow > Table > Definition
- Azure > DNS > Zone > ServiceNow
- Azure > DNS > Zone > ServiceNow > Configuration Item
- Azure > DNS > Zone > ServiceNow > Configuration Item > Record
- Azure > DNS > Zone > ServiceNow > Configuration Item > Table Definition
- Azure > DNS > Zone > ServiceNow > Table
- Azure > DNS > Zone > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Cosmos DB > Database Account > ServiceNow
- Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item
- Azure > Cosmos DB > Database Account > ServiceNow > Table
- Azure > Cosmos DB > MongoDB Collection > ServiceNow
- Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item
- Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table
- Azure > Cosmos DB > MongoDB Database > ServiceNow
- Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item
- Azure > Cosmos DB > MongoDB Database > ServiceNow > Table
- Azure > Cosmos DB > SQL Container > ServiceNow
- Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item
- Azure > Cosmos DB > SQL Container > ServiceNow > Table
- Azure > Cosmos DB > SQL Database > ServiceNow
- Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item
- Azure > Cosmos DB > SQL Database > ServiceNow > Table
Policy Types:
- Azure > Cosmos DB > Database Account > ServiceNow
- Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item
- Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item > Record
- Azure > Cosmos DB > Database Account > ServiceNow > Configuration Item > Table Definition
- Azure > Cosmos DB > Database Account > ServiceNow > Table
- Azure > Cosmos DB > Database Account > ServiceNow > Table > Definition
- Azure > Cosmos DB > MongoDB Collection > ServiceNow
- Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item
- Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item > Record
- Azure > Cosmos DB > MongoDB Collection > ServiceNow > Configuration Item > Table Definition
- Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table
- Azure > Cosmos DB > MongoDB Collection > ServiceNow > Table > Definition
- Azure > Cosmos DB > MongoDB Database > ServiceNow
- Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item
- Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item > Record
- Azure > Cosmos DB > MongoDB Database > ServiceNow > Configuration Item > Table Definition
- Azure > Cosmos DB > MongoDB Database > ServiceNow > Table
- Azure > Cosmos DB > MongoDB Database > ServiceNow > Table > Definition
- Azure > Cosmos DB > SQL Container > ServiceNow
- Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item
- Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item > Record
- Azure > Cosmos DB > SQL Container > ServiceNow > Configuration Item > Table Definition
- Azure > Cosmos DB > SQL Container > ServiceNow > Table
- Azure > Cosmos DB > SQL Container > ServiceNow > Table > Definition
- Azure > Cosmos DB > SQL Database > ServiceNow
- Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item
- Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item > Record
- Azure > Cosmos DB > SQL Database > ServiceNow > Configuration Item > Table Definition
- Azure > Cosmos DB > SQL Database > ServiceNow > Table
- Azure > Cosmos DB > SQL Database > ServiceNow > Table > Definition
Whats new
- Allow using pprof on FDW when STEAMPIPE_FDW_PPROF environment variable is set. (#368)
Bug fixes
v0.12.1 of the Terraform Provider for Pipes is now available.
Bug fixes
- Omitting the
PartPersetting for apipes_workspace_datatank_tableresource would have previously resulted in an error, meaning you had to passconnectionas the value. This field is now optional, allowing single part tables to be defined.
What's new?
- Server
- Updated: Enhanced IAM policy for tighter access around Mod Lambda SNS topic.
Requirements
- TEF: 1.51.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
- Azure > Search Management > Search Service > ServiceNow
- Azure > Search Management > Search Service > ServiceNow > Configuration Item
- Azure > Search Management > Search Service > ServiceNow > Table
Policy Types:
- Azure > Search Management > Search Service > ServiceNow
- Azure > Search Management > Search Service > ServiceNow > Configuration Item
- Azure > Search Management > Search Service > ServiceNow > Configuration Item > Record
- Azure > Search Management > Search Service > ServiceNow > Configuration Item > Table Definition
- Azure > Search Management > Search Service > ServiceNow > Table
- Azure > Search Management > Search Service > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Network Watcher > Flow Log > ServiceNow
- Azure > Network Watcher > Flow Log > ServiceNow > Configuration Item
- Azure > Network Watcher > Flow Log > ServiceNow > Table
- Azure > Network Watcher > Network Watcher > ServiceNow
- Azure > Network Watcher > Network Watcher > ServiceNow > Configuration Item
- Azure > Network Watcher > Network Watcher > ServiceNow > Table
Policy Types:
- Azure > Network Watcher > Flow Log > ServiceNow
- Azure > Network Watcher > Flow Log > ServiceNow > Configuration Item
- Azure > Network Watcher > Flow Log > ServiceNow > Configuration Item > Record
- Azure > Network Watcher > Flow Log > ServiceNow > Configuration Item > Table Definition
- Azure > Network Watcher > Flow Log > ServiceNow > Table
- Azure > Network Watcher > Flow Log > ServiceNow > Table > Definition
- Azure > Network Watcher > Network Watcher > ServiceNow
- Azure > Network Watcher > Network Watcher > ServiceNow > Configuration Item
- Azure > Network Watcher > Network Watcher > ServiceNow > Configuration Item > Record
- Azure > Network Watcher > Network Watcher > ServiceNow > Configuration Item > Table Definition
- Azure > Network Watcher > Network Watcher > ServiceNow > Table
- Azure > Network Watcher > Network Watcher > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Front Door > Front Door > ServiceNow
- Azure > Front Door > Front Door > ServiceNow > Configuration Item
- Azure > Front Door > Front Door > ServiceNow > Table
Policy Types:
- Azure > Front Door > Front Door > ServiceNow
- Azure > Front Door > Front Door > ServiceNow > Configuration Item
- Azure > Front Door > Front Door > ServiceNow > Configuration Item > Record
- Azure > Front Door > Front Door > ServiceNow > Configuration Item > Table Definition
- Azure > Front Door > Front Door > ServiceNow > Table
- Azure > Front Door > Front Door > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Application Insights > Application Insight > ServiceNow
- Azure > Application Insights > Application Insight > ServiceNow > Configuration Item
- Azure > Application Insights > Application Insight > ServiceNow > Table
Policy Types:
- Azure > Application Insights > Application Insight > ServiceNow
- Azure > Application Insights > Application Insight > ServiceNow > Configuration Item
- Azure > Application Insights > Application Insight > ServiceNow > Configuration Item > Record
- Azure > Application Insights > Application Insight > ServiceNow > Configuration Item > Table Definition
- Azure > Application Insights > Application Insight > ServiceNow > Table
- Azure > Application Insights > Application Insight > ServiceNow > Table > Definition
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Enhancements
- Added 61 new controls to the
All Controlsbenchmark across the following services: (#140)- CloudFunctions
- Compute
- KMS
- Kubernetes
- Project
- SQL
- Storage
Enhancements
- Added 50 new controls to the
All Controlsbenchmark across the following services: (#736)- ACM
- CloudFront
- CloudTrail
- Config
- DocumentDB
- EC2
- ECS
- EKS
- ElastiCache
- ELB
- EMR
- Kinesis
- RDS
- Redshift
- S3
- SNS
- SQS
- SSM
- VPC
What's new?
Control Types:
- Azure > Security Center > Security Center > ServiceNow
- Azure > Security Center > Security Center > ServiceNow > Configuration Item
- Azure > Security Center > Security Center > ServiceNow > Table
Policy Types:
- Azure > Security Center > Security Center > ServiceNow
- Azure > Security Center > Security Center > ServiceNow > Configuration Item
- Azure > Security Center > Security Center > ServiceNow > Configuration Item > Record
- Azure > Security Center > Security Center > ServiceNow > Configuration Item > Table Definition
- Azure > Security Center > Security Center > ServiceNow > Table
- Azure > Security Center > Security Center > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Firewall > Firewall > ServiceNow
- Azure > Firewall > Firewall > ServiceNow > Configuration Item
- Azure > Firewall > Firewall > ServiceNow > Table
Policy Types:
- Azure > Firewall > Firewall > ServiceNow
- Azure > Firewall > Firewall > ServiceNow > Configuration Item
- Azure > Firewall > Firewall > ServiceNow > Configuration Item > Record
- Azure > Firewall > Firewall > ServiceNow > Configuration Item > Table Definition
- Azure > Firewall > Firewall > ServiceNow > Table
- Azure > Firewall > Firewall > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Application Gateway Service > Application Gateway > ServiceNow
- Azure > Application Gateway Service > Application Gateway > ServiceNow > Configuration Item
- Azure > Application Gateway Service > Application Gateway > ServiceNow > Table
Policy Types:
- Azure > Application Gateway Service > Application Gateway > ServiceNow
- Azure > Application Gateway Service > Application Gateway > ServiceNow > Configuration Item
- Azure > Application Gateway Service > Application Gateway > ServiceNow > Configuration Item > Record
- Azure > Application Gateway Service > Application Gateway > ServiceNow > Configuration Item > Table Definition
- Azure > Application Gateway Service > Application Gateway > ServiceNow > Table
- Azure > Application Gateway Service > Application Gateway > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > API Management > API Management Service > ServiceNow
- Azure > API Management > API Management Service > ServiceNow > Configuration Item
- Azure > API Management > API Management Service > ServiceNow > Table
Policy Types:
- Azure > API Management > API Management Service > ServiceNow
- Azure > API Management > API Management Service > ServiceNow > Configuration Item
- Azure > API Management > API Management Service > ServiceNow > Configuration Item > Record
- Azure > API Management > API Management Service > ServiceNow > Configuration Item > Table Definition
- Azure > API Management > API Management Service > ServiceNow > Table
- Azure > API Management > API Management Service > ServiceNow > Table > Definition
What's new?
- New tables added: (Thanks @ajmaradiaga for the new plugin!)
What's new?
Server
- Updated: The directory API to support
Require Signed Assertion Response.
- Updated: The directory API to support
UI:
- Added: Introduced UI options for
Require Signed Assertion Responsefor enhanced security in SAML authentication.
- Added: Introduced UI options for
Requirements
- TEF: 1.51.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhanced Security and Compatibility Guide for SAML Authentication
Description:
The recent update to @node-saml/passport-saml mandates the signing of the assertion response. To ensure backward compatibility, we have introduced a new configuration option in the UI:
- Require Signed Assertion Response
By default, this option is set to Disabled to maintain compatibility with existing setups.
Recommendations: We recommend enabling this option as it adds an additional layer of security. However, please be aware that enabling this setting might impact the SAML login functionality.
What's new?
Control Types:
- Azure > Relay > Namespace > ServiceNow
- Azure > Relay > Namespace > ServiceNow > Configuration Item
- Azure > Relay > Namespace > ServiceNow > Table
Policy Types:
- Azure > Relay > Namespace > ServiceNow
- Azure > Relay > Namespace > ServiceNow > Configuration Item
- Azure > Relay > Namespace > ServiceNow > Configuration Item > Record
- Azure > Relay > Namespace > ServiceNow > Configuration Item > Table Definition
- Azure > Relay > Namespace > ServiceNow > Table
- Azure > Relay > Namespace > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Configuration Item
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Table
Policy Types:
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Configuration Item
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Configuration Item > Record
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Configuration Item > Table Definition
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Table
- Azure > Log Analytics > Log Analytics Workspace > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > App Service > App Service Plan > ServiceNow
- Azure > App Service > App Service Plan > ServiceNow > Configuration Item
- Azure > App Service > App Service Plan > ServiceNow > Table
- Azure > App Service > Function App > ServiceNow
- Azure > App Service > Function App > ServiceNow > Configuration Item
- Azure > App Service > Function App > ServiceNow > Table
- Azure > App Service > Web App > ServiceNow
- Azure > App Service > Web App > ServiceNow > Configuration Item
- Azure > App Service > Web App > ServiceNow > Table
Policy Types:
- Azure > App Service > App Service Plan > ServiceNow
- Azure > App Service > App Service Plan > ServiceNow > Configuration Item
- Azure > App Service > App Service Plan > ServiceNow > Configuration Item > Record
- Azure > App Service > App Service Plan > ServiceNow > Configuration Item > Table Definition
- Azure > App Service > App Service Plan > ServiceNow > Table
- Azure > App Service > App Service Plan > ServiceNow > Table > Definition
- Azure > App Service > Function App > ServiceNow
- Azure > App Service > Function App > ServiceNow > Configuration Item
- Azure > App Service > Function App > ServiceNow > Configuration Item > Record
- Azure > App Service > Function App > ServiceNow > Configuration Item > Table Definition
- Azure > App Service > Function App > ServiceNow > Table
- Azure > App Service > Function App > ServiceNow > Table > Definition
- Azure > App Service > Web App > ServiceNow
- Azure > App Service > Web App > ServiceNow > Configuration Item
- Azure > App Service > Web App > ServiceNow > Configuration Item > Record
- Azure > App Service > Web App > ServiceNow > Configuration Item > Table Definition
- Azure > App Service > Web App > ServiceNow > Table
- Azure > App Service > Web App > ServiceNow > Table > Definition
Enhancements
- Updated the plugin to use a shared, optimized HTTP client that enhances DNS management and reduces connection floods for more stable and efficient queries. (#2036)
What's new?
Control Types:
- Azure > SignalR Service > SignalR > ServiceNow
- Azure > SignalR Service > SignalR > ServiceNow > Configuration Item
- Azure > SignalR Service > SignalR > ServiceNow > Table
Policy Types:
- Azure > SignalR Service > SignalR > ServiceNow
- Azure > SignalR Service > SignalR > ServiceNow > Configuration Item
- Azure > SignalR Service > SignalR > ServiceNow > Configuration Item > Record
- Azure > SignalR Service > SignalR > ServiceNow > Configuration Item > Table Definition
- Azure > SignalR Service > SignalR > ServiceNow > Table
- Azure > SignalR Service > SignalR > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > AKS > Managed Cluster > ServiceNow
- Azure > AKS > Managed Cluster > ServiceNow > Configuration Item
- Azure > AKS > Managed Cluster > ServiceNow > Table
Policy Types:
- Azure > AKS > Managed Cluster > ServiceNow
- Azure > AKS > Managed Cluster > ServiceNow > Configuration Item
- Azure > AKS > Managed Cluster > ServiceNow > Configuration Item > Record
- Azure > AKS > Managed Cluster > ServiceNow > Configuration Item > Table Definition
- Azure > AKS > Managed Cluster > ServiceNow > Table
- Azure > AKS > Managed Cluster > ServiceNow > Table > Definition
Enhancements
- Updated the plugin's
.goreleaserfile to build the netgo package only for Darwin systems. (#2029)
What's new?
Control Types:
- Azure > SQL > Database > ServiceNow
- Azure > SQL > Database > ServiceNow > Configuration Item
- Azure > SQL > Database > ServiceNow > Table
- Azure > SQL > Elastic Pool > ServiceNow
- Azure > SQL > Elastic Pool > ServiceNow > Configuration Item
- Azure > SQL > Elastic Pool > ServiceNow > Table
Policy Types:
- Azure > SQL > Database > ServiceNow
- Azure > SQL > Database > ServiceNow > Configuration Item
- Azure > SQL > Database > ServiceNow > Configuration Item > Record
- Azure > SQL > Database > ServiceNow > Configuration Item > Table Definition
- Azure > SQL > Database > ServiceNow > Table
- Azure > SQL > Database > ServiceNow > Table > Definition
- Azure > SQL > Elastic Pool > ServiceNow
- Azure > SQL > Elastic Pool > ServiceNow > Configuration Item
- Azure > SQL > Elastic Pool > ServiceNow > Configuration Item > Record
- Azure > SQL > Elastic Pool > ServiceNow > Configuration Item > Table Definition
- Azure > SQL > Elastic Pool > ServiceNow > Table
- Azure > SQL > Elastic Pool > ServiceNow > Table > Definition
What's new?
- Control Types:
- Azure > Network > Application Security Group > ServiceNow
- Azure > Network > Application Security Group > ServiceNow > Configuration Item
- Azure > Network > Application Security Group > ServiceNow > Table
- Azure > Network > Express Route Circuits > ServiceNow
- Azure > Network > Express Route Circuits > ServiceNow > Configuration Item
- Azure > Network > Express Route Circuits > ServiceNow > Table
- Azure > Network > Network Interface > ServiceNow
- Azure > Network > Network Interface > ServiceNow > Configuration Item
- Azure > Network > Network Interface > ServiceNow > Table
- Azure > Network > Private DNS Zones > ServiceNow
- Azure > Network > Private DNS Zones > ServiceNow > Configuration Item
- Azure > Network > Private DNS Zones > ServiceNow > Table
- Azure > Network > Public IP Address > ServiceNow
- Azure > Network > Public IP Address > ServiceNow > Configuration Item
- Azure > Network > Public IP Address > ServiceNow > Table
- Azure > Network > Route Table > ServiceNow
- Azure > Network > Route Table > ServiceNow > Configuration Item
- Azure > Network > Route Table > ServiceNow > Table
- Azure > Network > Virtual Network Gateway > ServiceNow
- Azure > Network > Virtual Network Gateway > ServiceNow > Configuration Item
- Azure > Network > Virtual Network Gateway > ServiceNow > Table
- Policy Types:
- Azure > Network > Application Security Group > ServiceNow
- Azure > Network > Application Security Group > ServiceNow > Configuration Item
- Azure > Network > Application Security Group > ServiceNow > Configuration Item > Record
- Azure > Network > Application Security Group > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Application Security Group > ServiceNow > Table
- Azure > Network > Application Security Group > ServiceNow > Table > Definition
- Azure > Network > Express Route Circuits > ServiceNow
- Azure > Network > Express Route Circuits > ServiceNow > Configuration Item
- Azure > Network > Express Route Circuits > ServiceNow > Configuration Item > Record
- Azure > Network > Express Route Circuits > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Express Route Circuits > ServiceNow > Table
- Azure > Network > Express Route Circuits > ServiceNow > Table > Definition
- Azure > Network > Network Interface > ServiceNow
- Azure > Network > Network Interface > ServiceNow > Configuration Item
- Azure > Network > Network Interface > ServiceNow > Configuration Item > Record
- Azure > Network > Network Interface > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Network Interface > ServiceNow > Table
- Azure > Network > Network Interface > ServiceNow > Table > Definition
- Azure > Network > Private DNS Zones > ServiceNow
- Azure > Network > Private DNS Zones > ServiceNow > Configuration Item
- Azure > Network > Private DNS Zones > ServiceNow > Configuration Item > Record
- Azure > Network > Private DNS Zones > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Private DNS Zones > ServiceNow > Table
- Azure > Network > Private DNS Zones > ServiceNow > Table > Definition
- Azure > Network > Public IP Address > ServiceNow
- Azure > Network > Public IP Address > ServiceNow > Configuration Item
- Azure > Network > Public IP Address > ServiceNow > Configuration Item > Record
- Azure > Network > Public IP Address > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Public IP Address > ServiceNow > Table
- Azure > Network > Public IP Address > ServiceNow > Table > Definition
- Azure > Network > Route Table > ServiceNow
- Azure > Network > Route Table > ServiceNow > Configuration Item
- Azure > Network > Route Table > ServiceNow > Configuration Item > Record
- Azure > Network > Route Table > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Route Table > ServiceNow > Table
- Azure > Network > Route Table > ServiceNow > Table > Definition
- Azure > Network > Virtual Network Gateway > ServiceNow
- Azure > Network > Virtual Network Gateway > ServiceNow > Configuration Item
- Azure > Network > Virtual Network Gateway > ServiceNow > Configuration Item > Record
- Azure > Network > Virtual Network Gateway > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Virtual Network Gateway > ServiceNow > Table
- Azure > Network > Virtual Network Gateway > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > Key Vault > Key > ServiceNow
- Azure > Key Vault > Key > ServiceNow > Configuration Item
- Azure > Key Vault > Key > ServiceNow > Table
- Azure > Key Vault > Secret > ServiceNow
- Azure > Key Vault > Secret > ServiceNow > Configuration Item
- Azure > Key Vault > Secret > ServiceNow > Table
- Azure > Key Vault > Vault > ServiceNow
- Azure > Key Vault > Vault > ServiceNow > Configuration Item
- Azure > Key Vault > Vault > ServiceNow > Table
Policy Types:
- Azure > Key Vault > Key > ServiceNow
- Azure > Key Vault > Key > ServiceNow > Configuration Item
- Azure > Key Vault > Key > ServiceNow > Configuration Item > Record
- Azure > Key Vault > Key > ServiceNow > Configuration Item > Table Definition
- Azure > Key Vault > Key > ServiceNow > Table
- Azure > Key Vault > Key > ServiceNow > Table > Definition
- Azure > Key Vault > Secret > ServiceNow
- Azure > Key Vault > Secret > ServiceNow > Configuration Item
- Azure > Key Vault > Secret > ServiceNow > Configuration Item > Record
- Azure > Key Vault > Secret > ServiceNow > Configuration Item > Table Definition
- Azure > Key Vault > Secret > ServiceNow > Table
- Azure > Key Vault > Secret > ServiceNow > Table > Definition
- Azure > Key Vault > Vault > ServiceNow
- Azure > Key Vault > Vault > ServiceNow > Configuration Item
- Azure > Key Vault > Vault > ServiceNow > Configuration Item > Record
- Azure > Key Vault > Vault > ServiceNow > Configuration Item > Table Definition
- Azure > Key Vault > Vault > ServiceNow > Table
- Azure > Key Vault > Vault > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > PostgreSQL > Flexible Server > ServiceNow
- Azure > PostgreSQL > Flexible Server > ServiceNow > Configuration Item
- Azure > PostgreSQL > Flexible Server > ServiceNow > Table
Policy Types:
- Azure > PostgreSQL > Flexible Server > ServiceNow
- Azure > PostgreSQL > Flexible Server > ServiceNow > Configuration Item
- Azure > PostgreSQL > Flexible Server > ServiceNow > Configuration Item > Record
- Azure > PostgreSQL > Flexible Server > ServiceNow > Configuration Item > Table Definition
- Azure > PostgreSQL > Flexible Server > ServiceNow > Table
- Azure > PostgreSQL > Flexible Server > ServiceNow > Table > Definition
What's new?
Control Types:
- Azure > MySQL > Flexible Server > ServiceNow
- Azure > MySQL > Flexible Server > ServiceNow > Configuration Item
- Azure > MySQL > Flexible Server > ServiceNow > Table
Policy Types:
- Azure > MySQL > Flexible Server > ServiceNow
- Azure > MySQL > Flexible Server > ServiceNow > Configuration Item
- Azure > MySQL > Flexible Server > ServiceNow > Configuration Item > Record
- Azure > MySQL > Flexible Server > ServiceNow > Configuration Item > Table Definition
- Azure > MySQL > Flexible Server > ServiceNow > Table
- Azure > MySQL > Flexible Server > ServiceNow > Table > Definition
What's new?
Control Types:
- AWS > KMS > Key > ServiceNow
- AWS > KMS > Key > ServiceNow > Configuration Item
- AWS > KMS > Key > ServiceNow > Table
Policy Types:
- AWS > KMS > Key > ServiceNow
- AWS > KMS > Key > ServiceNow > Configuration Item
- AWS > KMS > Key > ServiceNow > Configuration Item > Record
- AWS > KMS > Key > ServiceNow > Configuration Item > Table Definition
- AWS > KMS > Key > ServiceNow > Table
- AWS > KMS > Key > ServiceNow > Table > Definition
What's new?
Control Types:
- AWS > CloudWatch > Alarm > ServiceNow
- AWS > CloudWatch > Alarm > ServiceNow > Configuration Item
- AWS > CloudWatch > Alarm > ServiceNow > Table
Policy Types:
- AWS > CloudWatch > Alarm > ServiceNow
- AWS > CloudWatch > Alarm > ServiceNow > Configuration Item
- AWS > CloudWatch > Alarm > ServiceNow > Configuration Item > Record
- AWS > CloudWatch > Alarm > ServiceNow > Configuration Item > Table Definition
- AWS > CloudWatch > Alarm > ServiceNow > Table
- AWS > CloudWatch > Alarm > ServiceNow > Table > Definition
What's new?
Control Types:
- AWS > CloudTrail > Trail > ServiceNow
- AWS > CloudTrail > Trail > ServiceNow > Configuration Item
- AWS > CloudTrail > Trail > ServiceNow > Table
Policy Types:
- AWS > CloudTrail > Trail > ServiceNow
- AWS > CloudTrail > Trail > ServiceNow > Configuration Item
- AWS > CloudTrail > Trail > ServiceNow > Configuration Item > Record
- AWS > CloudTrail > Trail > ServiceNow > Configuration Item > Table Definition
- AWS > CloudTrail > Trail > ServiceNow > Table
- AWS > CloudTrail > Trail > ServiceNow > Table > Definition
Bug fixes
- The
AWS > RDS > DB Instance > Discoverycontrol would sometimes upsert DocumentDB Instances as RDS Instances in Guardrails CMDB. This is fixed and the control will now filter out DocumentDB Instances while upserting resources in CMDB.
Turbot Pipes Enterprise plan is now available.
The Enterprise tier expands on the Team tier’s features with enhanced collaboration, enterprise-grade security, and improved scalability, making it ideal for larger organizations:
- Organization-wide cloud intelligence & security: Enables tailored data management across business units and teams for sharing insights.
- SAML Authentication: Provides secure and seamless SSO user experience using your identity provider.
- Multi-Organization RBAC: Allows granular access permissions across organizations and workspaces to protect sensitive data.
- Trusted Login Domains: Significantly reduces unauthorized access by restricting logins to trusted domains.
- Consolidated Usage and Billing: Simplifies resource and financial tracking with tenant-level visibility plus per organization/workspace details.
Get started in a 14-day free trial then switch to flexible, usage based pricing.
For more information, see the launch post.
Turbot Pipes now officially supports billing for your organization Enterprise plan via the AWS Marketplace.
For more information, see the Pipes billing docs.
Our trademark policy & terms now clarify that while others are allowed to make their own distribution of Turbot open-source software, they cannot use any of the Turbot trademarks, cloud services, etc.
We now require a signed Contributor License Agreement for all contributions to our AGPL 3.0 and CC BY-NC-ND licensed repositories.
Learn more in our open source FAQ.
114 plugins have been updated to include the following changes:
What's new?
- Query tables directly in Postgres as a native Foreign Data Wrapper.
- Query tables directly in SQLite as a SQLite extension.
- Run as an Export CLI to extract data to files.
- SQLite examples added to table documentation.
- Expanded table documentation, especially to describe example queries.
- Docs license updated to match Steampipe CC BY-NC-ND license.
Dependencies
- Recompiled with steampipe-plugin-sdk v5.8.0 that includes plugin server encapsulation for in-process and GRPC usage, adding Steampipe Plugin SDK version to
_ctxcolumn, and fixing connection and potential divide-by-zero bugs.
35 new, ready-to-use Flowpipe sample mods are now available! These mods serve as practical examples, showcasing the patterns and applications of various library mods. Every mod comes with specific instructions for installation and use, enabling fast and easy setup.
A full list of sample mods can be found in the Flowpipe Hub and the source code is available at turbot/flowpipe-samples.
Introducing Flowpipe, a cloud scripting engine. Automation and workflow to connect your clouds to the people, systems and data that matter. Pipelines for DevOps written in HCL.
Initial support for:
- Pipeline execution
- Steps: container, email, function, http, pipeline, query, sleep, transform
- Triggers: schedule, http
- Credential management
- Mod composition
Learn more at:
- Website - https://flowpipe.io
- Docs - https://flowpipe.io/docs
- Hub - https://hub.flowpipe.io
- Introduction - https://flowpipe.io/blog/introducing-flowpipe
We're thrilled to announce the release of 28 new Flowpipe library mods, featuring versatile pipelines for common tasks. These include starting AWS EC2 instances, creating GitHub issues, sending Slack messages, generating Zendesk tickets, and much more!
A full list of library mods can be found in the Flowpipe Hub.
For more information on how you can get started incorporating these library mods into your own mods and pipelines, please see Introducing Flowpipe - Composable Mods.
What's new?
- Added support for latest lambda runtimes in the AWS > Lambda > Function > Allowed Runtime > Values policy.
What's new?
Control Types:
- AWS > IAM > Root > Approved
Policy Types:
- AWS > IAM > Root > Approved
- AWS > IAM > Root > Approved > Custom
- AWS > IAM > Root > Approved > Usage
Action Types:
- AWS > IAM > Root > Skip alarm for Approved control
- AWS > IAM > Root > Skip alarm for Approved control [90 days]
Bug fixes
- The
AWS > IAM > Account Password Policy > CMDBcontrol would incorrectly go into an Alarm state when Guardrails was denied access to fetch the Account Password Policy data. This is fixed and the control will now move to an Error state instead for such cases. - Guardrails stack controls would sometimes fail to update IAM resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
Bug fixes
- README.md file is now available for users to check details about resource types that the mod covers.
What's new?
AWS/CloudFront/AdminandAWS/CloudFront/Metadatawill now also include permissions for CloudFront KeyValueStore.
Bug fixes
- Server
- Guardrails will now process notifications correctly for a matching watch created via @turbot/sdk.
Requirements
- TEF: 1.51.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Policy Types:
- ServiceNow > Turbot > Watches > GCP
Control Types:
- ServiceNow > Turbot > Watches > GCP
Action Types:
- ServiceNow > Turbot > Watches > GCP Archive And Delete Record
What's new?
Policy Types:
- GCP > Storage > Bucket > ServiceNow
- GCP > Storage > Bucket > ServiceNow > Configuration Item
- GCP > Storage > Bucket > ServiceNow > Configuration Item > Record
- GCP > Storage > Bucket > ServiceNow > Configuration Item > Table Definition
- GCP > Storage > Bucket > ServiceNow > Table
- GCP > Storage > Bucket > ServiceNow > Table > Definition
Control Types:
- GCP > Storage > Bucket > ServiceNow
- GCP > Storage > Bucket > ServiceNow > Configuration Item
- GCP > Storage > Bucket > ServiceNow > Table
What's new?
Policy Types:
- GCP > SQL > Instance > ServiceNow
- GCP > SQL > Instance > ServiceNow > Configuration Item
- GCP > SQL > Instance > ServiceNow > Configuration Item > Record
- GCP > SQL > Instance > ServiceNow > Configuration Item > Table Definition
- GCP > SQL > Instance > ServiceNow > Table
- GCP > SQL > Instance > ServiceNow > Table > Definition
Control Types:
- GCP > SQL > Instance > ServiceNow
- GCP > SQL > Instance > ServiceNow > Configuration Item
- GCP > SQL > Instance > ServiceNow > Table
What's new?
Policy Types:
- GCP > Network > Network > ServiceNow
- GCP > Network > Network > ServiceNow > Configuration Item
- GCP > Network > Network > ServiceNow > Configuration Item > Record
- GCP > Network > Network > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Network > ServiceNow > Table
- GCP > Network > Network > ServiceNow > Table > Definition
- GCP > Network > Subnetwork > ServiceNow
- GCP > Network > Subnetwork > ServiceNow > Configuration Item
- GCP > Network > Subnetwork > ServiceNow > Configuration Item > Record
- GCP > Network > Subnetwork > ServiceNow > Configuration Item > Table Definition
- GCP > Network > Subnetwork > ServiceNow > Table
- GCP > Network > Subnetwork > ServiceNow > Table > Definition
Control Types:
- GCP > Network > Network > ServiceNow
- GCP > Network > Network > ServiceNow > Configuration Item
- GCP > Network > Network > ServiceNow > Table
- GCP > Network > Subnetwork > ServiceNow
- GCP > Network > Subnetwork > ServiceNow > Configuration Item
- GCP > Network > Subnetwork > ServiceNow > Table
What's new?
Policy Types:
- GCP > Compute Engine > Disk > ServiceNow
- GCP > Compute Engine > Disk > ServiceNow > Configuration Item
- GCP > Compute Engine > Disk > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Disk > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Disk > ServiceNow > Table
- GCP > Compute Engine > Disk > ServiceNow > Table > Definition
- GCP > Compute Engine > Image > ServiceNow
- GCP > Compute Engine > Image > ServiceNow > Configuration Item
- GCP > Compute Engine > Image > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Image > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Image > ServiceNow > Table
- GCP > Compute Engine > Image > ServiceNow > Table > Definition
- GCP > Compute Engine > Instance > ServiceNow
- GCP > Compute Engine > Instance > ServiceNow > Configuration Item
- GCP > Compute Engine > Instance > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Instance > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Instance > ServiceNow > Table
- GCP > Compute Engine > Instance > ServiceNow > Table > Definition
- GCP > Compute Engine > Snapshot > ServiceNow
- GCP > Compute Engine > Snapshot > ServiceNow > Configuration Item
- GCP > Compute Engine > Snapshot > ServiceNow > Configuration Item > Record
- GCP > Compute Engine > Snapshot > ServiceNow > Configuration Item > Table Definition
- GCP > Compute Engine > Snapshot > ServiceNow > Table
- GCP > Compute Engine > Snapshot > ServiceNow > Table > Definition
Control Types:
- GCP > Compute Engine > Disk > ServiceNow
- GCP > Compute Engine > Disk > ServiceNow > Configuration Item
- GCP > Compute Engine > Disk > ServiceNow > Table
- GCP > Compute Engine > Image > ServiceNow
- GCP > Compute Engine > Image > ServiceNow > Configuration Item
- GCP > Compute Engine > Image > ServiceNow > Table
- GCP > Compute Engine > Instance > ServiceNow
- GCP > Compute Engine > Instance > ServiceNow > Configuration Item
- GCP > Compute Engine > Instance > ServiceNow > Table
- GCP > Compute Engine > Snapshot > ServiceNow
- GCP > Compute Engine > Snapshot > ServiceNow > Configuration Item
- GCP > Compute Engine > Snapshot > ServiceNow > Table
What's new?
Policy Types:
- ServiceNow > Turbot > Watches > Azure
Control Types:
- ServiceNow > Turbot > Watches > Azure
Action Types:
- ServiceNow > Turbot > Watches > Azure Archive And Delete Record
What's new?
Policy Types:
- Azure > Storage > Storage Account > ServiceNow
- Azure > Storage > Storage Account > ServiceNow > Configuration Item
- Azure > Storage > Storage Account > ServiceNow > Configuration Item > Record
- Azure > Storage > Storage Account > ServiceNow > Configuration Item > Table Definition
- Azure > Storage > Storage Account > ServiceNow > Table
- Azure > Storage > Storage Account > ServiceNow > Table > Definition
Control Types:
- Azure > Storage > Storage Account > ServiceNow
- Azure > Storage > Storage Account > ServiceNow > Configuration Item
- Azure > Storage > Storage Account > ServiceNow > Table
What's new?
Policy Types:
- Azure > SQL > Server > ServiceNow
- Azure > SQL > Server > ServiceNow > Configuration Item
- Azure > SQL > Server > ServiceNow > Configuration Item > Record
- Azure > SQL > Server > ServiceNow > Configuration Item > Table Definition
- Azure > SQL > Server > ServiceNow > Table
- Azure > SQL > Server > ServiceNow > Table > Definition
Control Types:
- Azure > SQL > Server > ServiceNow
- Azure > SQL > Server > ServiceNow > Configuration Item
- Azure > SQL > Server > ServiceNow > Table
What's new?
Policy Types:
- Azure > PostgreSQL > Server > ServiceNow
- Azure > PostgreSQL > Server > ServiceNow > Configuration Item
- Azure > PostgreSQL > Server > ServiceNow > Configuration Item > Record
- Azure > PostgreSQL > Server > ServiceNow > Configuration Item > Table Definition
- Azure > PostgreSQL > Server > ServiceNow > Table
- Azure > PostgreSQL > Server > ServiceNow > Table > Definition
Control Types:
- Azure > PostgreSQL > Server > ServiceNow
- Azure > PostgreSQL > Server > ServiceNow > Configuration Item
- Azure > PostgreSQL > Server > ServiceNow > Table
What's new?
Policy Types:
- Azure > Network > Network Security Group > ServiceNow
- Azure > Network > Network Security Group > ServiceNow > Configuration Item
- Azure > Network > Network Security Group > ServiceNow > Configuration Item > Record
- Azure > Network > Network Security Group > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Network Security Group > ServiceNow > Table
- Azure > Network > Network Security Group > ServiceNow > Table > Definition
- Azure > Network > Subnet > ServiceNow
- Azure > Network > Subnet > ServiceNow > Configuration Item
- Azure > Network > Subnet > ServiceNow > Configuration Item > Record
- Azure > Network > Subnet > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Subnet > ServiceNow > Table
- Azure > Network > Subnet > ServiceNow > Table > Definition
- Azure > Network > Virtual Network > ServiceNow
- Azure > Network > Virtual Network > ServiceNow > Configuration Item
- Azure > Network > Virtual Network > ServiceNow > Configuration Item > Record
- Azure > Network > Virtual Network > ServiceNow > Configuration Item > Table Definition
- Azure > Network > Virtual Network > ServiceNow > Table
- Azure > Network > Virtual Network > ServiceNow > Table > Definition
Control Types:
- Azure > Network > Network Security Group > ServiceNow
- Azure > Network > Network Security Group > ServiceNow > Configuration Item
- Azure > Network > Network Security Group > ServiceNow > Table
- Azure > Network > Subnet > ServiceNow
- Azure > Network > Subnet > ServiceNow > Configuration Item
- Azure > Network > Subnet > ServiceNow > Table
- Azure > Network > Virtual Network > ServiceNow
- Azure > Network > Virtual Network > ServiceNow > Configuration Item
- Azure > Network > Virtual Network > ServiceNow > Table
What's new?
Policy Types:
- Azure > MySQL > Server > ServiceNow
- Azure > MySQL > Server > ServiceNow > Configuration Item
- Azure > MySQL > Server > ServiceNow > Configuration Item > Record
- Azure > MySQL > Server > ServiceNow > Configuration Item > Table Definition
- Azure > MySQL > Server > ServiceNow > Table
- Azure > MySQL > Server > ServiceNow > Table > Definition
Control Types:
- Azure > MySQL > Server > ServiceNow
- Azure > MySQL > Server > ServiceNow > Configuration Item
- Azure > MySQL > Server > ServiceNow > Table
What's new?
Policy Types:
- Azure > Compute > Availability Set > ServiceNow
- Azure > Compute > Availability Set > ServiceNow > Configuration Item
- Azure > Compute > Availability Set > ServiceNow > Configuration Item > Record
- Azure > Compute > Availability Set > ServiceNow > Configuration Item > Table Definition
- Azure > Compute > Availability Set > ServiceNow > Table
- Azure > Compute > Availability Set > ServiceNow > Table > Definition
- Azure > Compute > Disk > ServiceNow
- Azure > Compute > Disk > ServiceNow > Configuration Item
- Azure > Compute > Disk > ServiceNow > Configuration Item > Record
- Azure > Compute > Disk > ServiceNow > Configuration Item > Table Definition
- Azure > Compute > Disk > ServiceNow > Table
- Azure > Compute > Disk > ServiceNow > Table > Definition
- Azure > Compute > Disk Encryption Set > ServiceNow
- Azure > Compute > Disk Encryption Set > ServiceNow > Configuration Item
- Azure > Compute > Disk Encryption Set > ServiceNow > Configuration Item > Record
- Azure > Compute > Disk Encryption Set > ServiceNow > Configuration Item > Table Definition
- Azure > Compute > Disk Encryption Set > ServiceNow > Table
- Azure > Compute > Disk Encryption Set > ServiceNow > Table > Definition
- Azure > Compute > Image > ServiceNow
- Azure > Compute > Image > ServiceNow > Configuration Item
- Azure > Compute > Image > ServiceNow > Configuration Item > Record
- Azure > Compute > Image > ServiceNow > Configuration Item > Table Definition
- Azure > Compute > Image > ServiceNow > Table
- Azure > Compute > Image > ServiceNow > Table > Definition
- Azure > Compute > Snapshot > ServiceNow
- Azure > Compute > Snapshot > ServiceNow > Configuration Item
- Azure > Compute > Snapshot > ServiceNow > Configuration Item > Record
- Azure > Compute > Snapshot > ServiceNow > Configuration Item > Table Definition
- Azure > Compute > Snapshot > ServiceNow > Table
- Azure > Compute > Snapshot > ServiceNow > Table > Definition
- Azure > Compute > Ssh Public Key > ServiceNow
- Azure > Compute > Ssh Public Key > ServiceNow > Configuration Item
- Azure > Compute > Ssh Public Key > ServiceNow > Configuration Item > Record
- Azure > Compute > Ssh Public Key > ServiceNow > Configuration Item > Table Definition
- Azure > Compute > Ssh Public Key > ServiceNow > Table
- Azure > Compute > Ssh Public Key > ServiceNow > Table > Definition
- Azure > Compute > Virtual Machine > ServiceNow
- Azure > Compute > Virtual Machine > ServiceNow > Configuration Item
- Azure > Compute > Virtual Machine > ServiceNow > Configuration Item > Record
- Azure > Compute > Virtual Machine > ServiceNow > Configuration Item > Table Definition
- Azure > Compute > Virtual Machine > ServiceNow > Table
- Azure > Compute > Virtual Machine > ServiceNow > Table > Definition
- Azure > Compute > Virtual Machine Scale Set > ServiceNow
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Configuration Item
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Configuration Item > Record
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Configuration Item > Table Definition
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Table
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Table > Definition
Control Types:
- Azure > Compute > Availability Set > ServiceNow
- Azure > Compute > Availability Set > ServiceNow > Configuration Item
- Azure > Compute > Availability Set > ServiceNow > Table
- Azure > Compute > Disk > ServiceNow
- Azure > Compute > Disk > ServiceNow > Configuration Item
- Azure > Compute > Disk > ServiceNow > Table
- Azure > Compute > Disk Encryption Set > ServiceNow
- Azure > Compute > Disk Encryption Set > ServiceNow > Configuration Item
- Azure > Compute > Disk Encryption Set > ServiceNow > Table
- Azure > Compute > Image > ServiceNow
- Azure > Compute > Image > ServiceNow > Configuration Item
- Azure > Compute > Image > ServiceNow > Table
- Azure > Compute > Snapshot > ServiceNow
- Azure > Compute > Snapshot > ServiceNow > Configuration Item
- Azure > Compute > Snapshot > ServiceNow > Table
- Azure > Compute > Ssh Public Key > ServiceNow
- Azure > Compute > Ssh Public Key > ServiceNow > Configuration Item
- Azure > Compute > Ssh Public Key > ServiceNow > Table
- Azure > Compute > Virtual Machine > ServiceNow
- Azure > Compute > Virtual Machine > ServiceNow > Configuration Item
- Azure > Compute > Virtual Machine > ServiceNow > Table
- Azure > Compute > Virtual Machine Scale Set > ServiceNow
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Configuration Item
- Azure > Compute > Virtual Machine Scale Set > ServiceNow > Table
Bug fixes
- The
ServiceNow > Turbot > Watches > AWScontrol would fail to delete/archive records in ServiceNow. This is now fixed.
Bug fixes
- Server
- Updated TE stack to enable propagation of custom tags to ECS tasks.
- Updated @turbot/aws-sdk to 5.13.0, @turbot/fn to 5.21.0 and aws-sdk to 2.922.
Requirements
- TEF: 1.51.0
- TED: 1.9.1
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
- The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the
cmdb_ci*Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow. - The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
- The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
Bug fixes
- The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the
cmdb_ci*Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow. - The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
- The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
Bug fixes
- The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the
cmdb_ci*Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow. - The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
- The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
Bug fixes
- The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the
cmdb_ci*Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow. - The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
- The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
Bug fixes
- The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the
cmdb_ci*Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow. - The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
- The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
Bug fixes
- The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the
cmdb_ci*Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow. - The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
- The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
Bug fixes
- The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the
cmdb_ci*Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow. - The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
- The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
Bug fixes
- Fixed the plugin to correctly return results when environment variables are only used for authentication. (#21)
Bug fixes
- Fixed the invalid Go module path of the plugin. (#15)
Bug fixes
- The Discovery controls for Application, Cost Center and User would sometimes upsert resources with incorrect AKAs for a freshly imported ServiceNow Instance in Guardrails CMDB. This is fixed and the controls will now work as expected.
Bug fixes
- The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.
Bug fixes
- The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.
Bug fixes
- The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.
Bug fixes
- The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.
Bug fixes
- The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.
Bug fixes
- The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.
Bug fixes
- The ServiceNow Table control would sometimes fail to create tables correctly in ServiceNow. This is now fixed.
Bug fixes
- The
AWS > Turbot > Event Pollerpolicy will now be automatically set toDisabledif any of theAWS > Turbot > Event HandlersorAWS > Turbot > Event Handlers [Global]policies is set toEnforce: Configured.
Bug fixes
- Fixed the invalid Go module path of the plugin. (#20)
Bug fixes
- Fixed the invalid Go module path of the plugin. (#13)
Bug fixes
- Fixed the invalid Go module path of the plugin. (#43)
Bug fixes
- Fixed the invalid Go module path of the plugin. (#36)
Bug fixes
- Fixed the invalid Go module path of the plugin. (#20)
Bug fixes
- Fixed the invalid Go module path of the plugin. (#26)
What's new?
- New tables added
- github_repository_sbom (#353) (Thanks @lwakefield for the contribution!)
Enhancements
- Updated the following tables to include support for dynamic GraphQL queries:
github_my_star(#369)github_stargazer(#370)github_tag(#371)github_rate_limit(#368)github_community_profile(#367)github_license(#366)github_organization_member(#364)github_team_member(#364)github_user(#364)github_my_team(#363)github_team(#363)github_commit(#362)github_my_organization(#361)github_organization(#361)github_organization_external_identity(#361)github_branch(#360)github_branch_protection(#360)github_repository_collaborator(#365)github_repository_deployment(#365)github_repository_environment(#365)github_repository_vulnerability_alert(#365)github_issue(#359)github_issue_comment(#359)github_pull_request(#359)github_pull_request_comment(#359)github_pull_request_review(#359)
Bug fixes
- Fixed the invalid Go module path of the plugin. (#27)
Bug fixes
- Server
- ServiceNow Instance Client Secret and Password were processed incorrectly while fetching credentials for the Instance.
Bug fixes
- Server
- Create mutation for ServiceNow instance failed if no instances were available in a Guardrails workspace.
What's new?
Resource Types:
- ServiceNow
- ServiceNow > Application
- ServiceNow > Cost Center
- ServiceNow > Instance
- ServiceNow > User
Policy Types:
- ServiceNow > Application > Business Rule
- ServiceNow > Application > Business Rule > Name
- ServiceNow > Application > CMDB
- ServiceNow > Config
- ServiceNow > Config > Application Scope
- ServiceNow > Config > Client ID
- ServiceNow > Config > Client Secret
- ServiceNow > Config > Instance URL
- ServiceNow > Config > Password
- ServiceNow > Config > System Properties
- ServiceNow > Config > System Properties > Template
- ServiceNow > Config > Username
- ServiceNow > Cost Center > Business Rule
- ServiceNow > Cost Center > Business Rule > Name
- ServiceNow > Cost Center > CMDB
- ServiceNow > Instance > CMDB
- ServiceNow > Login Names
- ServiceNow > Turbot
- ServiceNow > Turbot > Watches
- ServiceNow > User > Business Rule
- ServiceNow > User > Business Rule > Name
- ServiceNow > User > CMDB
Control Types:
- ServiceNow > Application > Business Rule
- ServiceNow > Application > CMDB
- ServiceNow > Application > Discovery
- ServiceNow > Config
- ServiceNow > Config > System Properties
- ServiceNow > Cost Center > Business Rule
- ServiceNow > Cost Center > CMDB
- ServiceNow > Cost Center > Discovery
- ServiceNow > Instance > CMDB
- ServiceNow > Turbot
- ServiceNow > Turbot > Watches
- ServiceNow > User > Business Rule
- ServiceNow > User > CMDB
- ServiceNow > User > Discovery
Action Types:
- ServiceNow > Instance > Event Handler
- ServiceNow > Turbot
- ServiceNow > Turbot > Watches
What's new?
Policy Types:
- AWS > VPC > Network ACL > ServiceNow
- AWS > VPC > Network ACL > ServiceNow > Configuration Item
- AWS > VPC > Network ACL > ServiceNow > Configuration Item > Record
- AWS > VPC > Network ACL > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Network ACL > ServiceNow > Table
- AWS > VPC > Network ACL > ServiceNow > Table > Definition
- AWS > VPC > Security Group > ServiceNow
- AWS > VPC > Security Group > ServiceNow > Configuration Item
- AWS > VPC > Security Group > ServiceNow > Configuration Item > Record
- AWS > VPC > Security Group > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Security Group > ServiceNow > Table
- AWS > VPC > Security Group > ServiceNow > Table > Definition
Control Types:
- AWS > VPC > Network ACL > ServiceNow
- AWS > VPC > Network ACL > ServiceNow > Configuration Item
- AWS > VPC > Network ACL > ServiceNow > Table
- AWS > VPC > Security Group > ServiceNow
- AWS > VPC > Security Group > ServiceNow > Configuration Item
- AWS > VPC > Security Group > ServiceNow > Table
What's new?
Policy Types:
- AWS > VPC > Elastic IP > ServiceNow
- AWS > VPC > Elastic IP > ServiceNow > Configuration Item
- AWS > VPC > Elastic IP > ServiceNow > Configuration Item > Record
- AWS > VPC > Elastic IP > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Elastic IP > ServiceNow > Table
- AWS > VPC > Elastic IP > ServiceNow > Table > Definition
Control Types:
- AWS > VPC > Elastic IP > ServiceNow
- AWS > VPC > Elastic IP > ServiceNow > Configuration Item
- AWS > VPC > Elastic IP > ServiceNow > Table
What's new?
Policy Types:
- AWS > VPC > Route Table > ServiceNow
- AWS > VPC > Route Table > ServiceNow > Configuration Item
- AWS > VPC > Route Table > ServiceNow > Configuration Item > Record
- AWS > VPC > Route Table > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Route Table > ServiceNow > Table
- AWS > VPC > Route Table > ServiceNow > Table > Definition
- AWS > VPC > Subnet > ServiceNow
- AWS > VPC > Subnet > ServiceNow > Configuration Item
- AWS > VPC > Subnet > ServiceNow > Configuration Item > Record
- AWS > VPC > Subnet > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > Subnet > ServiceNow > Table
- AWS > VPC > Subnet > ServiceNow > Table > Definition
- AWS > VPC > VPC > ServiceNow
- AWS > VPC > VPC > ServiceNow > Configuration Item
- AWS > VPC > VPC > ServiceNow > Configuration Item > Record
- AWS > VPC > VPC > ServiceNow > Configuration Item > Table Definition
- AWS > VPC > VPC > ServiceNow > Table
- AWS > VPC > VPC > ServiceNow > Table > Definition
Control Types:
- AWS > VPC > Route Table > ServiceNow
- AWS > VPC > Route Table > ServiceNow > Configuration Item
- AWS > VPC > Route Table > ServiceNow > Table
- AWS > VPC > Subnet > ServiceNow
- AWS > VPC > Subnet > ServiceNow > Configuration Item
- AWS > VPC > Subnet > ServiceNow > Table
- AWS > VPC > VPC > ServiceNow
- AWS > VPC > VPC > ServiceNow > Configuration Item
- AWS > VPC > VPC > ServiceNow > Table
What's new?
Policy Types:
- ServiceNow > Turbot > Watches > AWS
Control Types:
- ServiceNow > Turbot > Watches > AWS
Action Types:
- ServiceNow > Turbot > Watches > AWS Archive And Delete Record
What's new?
Policy Types:
- AWS > S3 > Bucket > ServiceNow
- AWS > S3 > Bucket > ServiceNow > Configuration Item
- AWS > S3 > Bucket > ServiceNow > Configuration Item > Record
- AWS > S3 > Bucket > ServiceNow > Configuration Item > Table Definition
- AWS > S3 > Bucket > ServiceNow > Table
- AWS > S3 > Bucket > ServiceNow > Table > Definition
Control Types:
- AWS > S3 > Bucket > ServiceNow
- AWS > S3 > Bucket > ServiceNow > Configuration Item
- AWS > S3 > Bucket > ServiceNow > Table
What's new?
Policy Types:
- AWS > IAM > Group > ServiceNow
- AWS > IAM > Group > ServiceNow > Configuration Item
- AWS > IAM > Group > ServiceNow > Configuration Item > Record
- AWS > IAM > Group > ServiceNow > Configuration Item > Table Definition
- AWS > IAM > Group > ServiceNow > Table
- AWS > IAM > Group > ServiceNow > Table > Definition
- AWS > IAM > Role > ServiceNow
- AWS > IAM > Role > ServiceNow > Configuration Item
- AWS > IAM > Role > ServiceNow > Configuration Item > Record
- AWS > IAM > Role > ServiceNow > Configuration Item > Table Definition
- AWS > IAM > Role > ServiceNow > Table
- AWS > IAM > Role > ServiceNow > Table > Definition
- AWS > IAM > User > ServiceNow
- AWS > IAM > User > ServiceNow > Configuration Item
- AWS > IAM > User > ServiceNow > Configuration Item > Record
- AWS > IAM > User > ServiceNow > Configuration Item > Table Definition
- AWS > IAM > User > ServiceNow > Table
- AWS > IAM > User > ServiceNow > Table > Definition
Control Types:
- AWS > IAM > Group > ServiceNow
- AWS > IAM > Group > ServiceNow > Configuration Item
- AWS > IAM > Group > ServiceNow > Table
- AWS > IAM > Role > ServiceNow
- AWS > IAM > Role > ServiceNow > Configuration Item
- AWS > IAM > Role > ServiceNow > Table
- AWS > IAM > User > ServiceNow
- AWS > IAM > User > ServiceNow > Configuration Item
- AWS > IAM > User > ServiceNow > Table
What's new?
Policy Types:
- AWS > EC2 > Instance > ServiceNow
- AWS > EC2 > Instance > ServiceNow > Configuration Item
- AWS > EC2 > Instance > ServiceNow > Configuration Item > Record
- AWS > EC2 > Instance > ServiceNow > Configuration Item > Table Definition
- AWS > EC2 > Instance > ServiceNow > Table
- AWS > EC2 > Instance > ServiceNow > Table > Definition
- AWS > EC2 > Snapshot > ServiceNow
- AWS > EC2 > Snapshot > ServiceNow > Configuration Item
- AWS > EC2 > Snapshot > ServiceNow > Configuration Item > Record
- AWS > EC2 > Snapshot > ServiceNow > Configuration Item > Table Definition
- AWS > EC2 > Snapshot > ServiceNow > Table
- AWS > EC2 > Snapshot > ServiceNow > Table > Definition
- AWS > EC2 > Volume > ServiceNow
- AWS > EC2 > Volume > ServiceNow > Configuration Item
- AWS > EC2 > Volume > ServiceNow > Configuration Item > Record
- AWS > EC2 > Volume > ServiceNow > Configuration Item > Table Definition
- AWS > EC2 > Volume > ServiceNow > Table
- AWS > EC2 > Volume > ServiceNow > Table > Definition
Control Types:
- AWS > EC2 > Instance > ServiceNow
- AWS > EC2 > Instance > ServiceNow > Configuration Item
- AWS > EC2 > Instance > ServiceNow > Table
- AWS > EC2 > Snapshot > ServiceNow
- AWS > EC2 > Snapshot > ServiceNow > Configuration Item
- AWS > EC2 > Snapshot > ServiceNow > Table
- AWS > EC2 > Volume > ServiceNow
- AWS > EC2 > Volume > ServiceNow > Configuration Item
- AWS > EC2 > Volume > ServiceNow > Table
What's new?
- New tables added: (Thanks @gabrielsoltz for the new plugin!)
Turbot Pipes now officially supports billing for your organization team plan via AWS Marketplace.
For more information, see the Pipes billing docs.
What's new?
Server
- Added: Support for creating and deleting watches using @turbot/sdk.
- Updated: @turbot/fn, @turbot/aws-sdk, aws-sdk, @turbot/utils, @turbot/errors, @turbot/log, @turbot/responses packages.
- Added: Support for ServiceNow credentials.
UI:
- Added: Support to import ServiceNow Instance in Guardrails.
What's new?
- Control Category Types:
- CMDB > External
- Cloud > Integration
What's new?
- Added the following controls across the benchmarks: (#49)
bigquery_table_deletion_protection_enabledbigtable_instance_deletion_protection_enabledspanner_database_deletion_protection_enabledspanner_database_drop_protection_enabled
What's new?
- Added the following controls across the benchmarks: (#47)
appservice_environment_zone_redundant_enabledappservice_function_app_public_access_disabledappservice_plan_zone_redundantappservice_web_app_public_access_disabledeventhub_namespace_uses_latest_tls_versioneventhub_namespace_zone_redundantkubernetes_cluster_critical_pods_on_system_nodeskubernetes_cluster_os_disk_ephemeralredis_cache_standard_replication_enabledsql_database_ledger_enabledsql_database_zone_redundant_enabled
What's new?
- Added the following controls across the benchmarks: (#98)
docdb_cluster_backup_retention_period_7lambda_permission_restricted_service_permissionneptune_cluster_backup_retention_period_7neptune_cluster_copy_tags_to_snapshot_enabledneptune_cluster_iam_authentication_enabled
Bug fixes
- Fixed the index doc by removing unsupported images. (#334)
Enhancements
- Added the following controls to the
All Controlsbenchmark: (#733)api_gateway_rest_api_public_endpoint_with_authorizerdlm_ebs_snapshot_lifecycle_policy_enableddocdb_cluster_instance_encryption_at_rest_enabledebs_volume_snapshot_existselasticache_cluster_no_public_subnetiam_role_no_administrator_access_policy_attachediam_user_access_key_unused_45iam_user_console_access_unused_45neptune_db_cluster_no_public_subnet
Bug fixes
- Fixed missing closing tag in index doc. (#331)
What's new?
Resource Types:
- AWS > Kendra
Policy Types:
- AWS > Kendra > API Enabled
- AWS > Kendra > Approved Regions [Default]
- AWS > Kendra > Enabled
- AWS > Kendra > Permissions
- AWS > Kendra > Permissions > Levels
- AWS > Kendra > Permissions > Levels > Modifiers
- AWS > Kendra > Permissions > Lockdown
- AWS > Kendra > Permissions > Lockdown > API Boundary
- AWS > Kendra > Regions
- AWS > Kendra > Tags Template [Default]
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-kendra
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-kendra
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-kendra
Bug fixes
- Fixed
ad_guest_user_reviewed_monthly,iam_deprecated_account_with_owner_roles,iam_external_user_with_read_permission,iam_external_user_with_write_permission,iam_user_not_allowed_to_create_security_groupandiam_user_not_allowed_to_register_applicationqueries to remove duplicate benchmark results. (#228)
What's new?
- Category Types:
- Turbot > Resource > Category > Business Application
- Turbot > Resource > Category > Cloud > Api
- Turbot > Resource > Category > Cloud > Provider
- Turbot > Resource > Category > Cloud > Resource Group
- Turbot > Resource > Category > Container
- Turbot > Resource > Category > Cost Management
- Turbot > Resource > Category > End User Computing
- Turbot > Resource > Category > Migration
- Turbot > Resource > Category > Robotics
What's new?
- Added support to process enable and disable real-time events for Firebase Management APIs.
What's new?
You can now Enable/Disable Firebase Management API via Guardrails. To get started, set the
GCP > Firebase > API Enabledpolicy.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
- GCP > Firebase > API Enabled
Policy Types:
- GCP > Firebase > API Enabled
- GCP > Firebase > Android App > Approved > Custom
- GCP > Firebase > Web App > Approved > Custom
- GCP > Firebase > iOS App > Approved > Custom
Action Types:
- GCP > Firebase > Set API Enabled
What's new?
Added support for newer US, Europe, India and US Government regions in the
Azure > Synapse Analytics > Regionspolicy.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Synapse Analytics > SQL Pool > Approved > Custom
- Azure > Synapse Analytics > SQL Pool > Regions
- Azure > Synapse Analytics > Workspace > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > API Management > API Management Service > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > AKS > Managed Cluster > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Network Watcher > Flow Log > Approved > Custom
- Azure > Network Watcher > Network Watcher > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Data Factory > Dataset > Approved > Custom
- Azure > Data Factory > Factory > Approved > Custom
- Azure > Data Factory > Pipeline > Approved > Custom
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Firewall > Firewall > Approved > Custom
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Front Door > Front Door > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Databricks > Workspace > Approved > Custom
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
- Policy Types:
- GCP > Compute Engine > Image > Policy > Trusted Access > All Authenticated
- GCP > Compute Engine > Image > Policy > Trusted Access > All Users
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > SignalR Service > SignalR > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Relay > Namespace > Approved > Custom
Bug fixes
- Fixed the plugin brand colour.
What's new?
- Policy Types:
- GCP > Functions > Function > Policy > Trusted Access > All Authenticated
- GCP > Functions > Function > Policy > Trusted Access > All Users
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Search Management > Search Service > Approved > Custom
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- Azure > Recovery Service > Vault > Approved > Custom
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > SWF > Domain > Approved > Custom
Action Types:
- AWS > SWF > Domain > Set Tags
- AWS > SWF > Domain > Skip alarm for Active control
- AWS > SWF > Domain > Skip alarm for Active control [90 days]
- AWS > SWF > Domain > Skip alarm for Approved control
- AWS > SWF > Domain > Skip alarm for Approved control [90 days]
- AWS > SWF > Domain > Skip alarm for Tags control
- AWS > SWF > Domain > Skip alarm for Tags control [90 days]
What's new?
- New tables added
Bug fixes
- Fixed the
retention_policycolumn ofgcp_storage_buckettable to correctly return data instead of null. (#502)
What's new?
- New tables added
- aws_lambda_event_source_mapping (#1874) (Thanks @nickman for the contribution!)
Enhancements
What's new?
- New tables added
Enhancements
- Added the
propertiescolumn tojira_projecttable. (#105)
Bug fixes
What's new?
- Added CIS v3.0.0 benchmark (
steampipe check benchmark.cis_v300). (#57)
Breaking Changes
- Removed the following tables using the search API that no longer work due to API limitations. These tables will be added back if functionality can be restored.
linkedin_company_employeelinkedin_company_past_employeelinkedin_connectionlinkedin_search_companylinkedin_search_profile
Bug fixes
- Fixed the
compute_firewall_allow_tcp_connections_proxied_by_iapquery to correctly include all the ports and source IP ranges. (#128) (Thanks @saisirishreddy for the contribution!)
What's new?
- Encapsulate plugin server so it is possible to use it in-process as well as via GRPC. (#719)
- Add
steampipefield to_ctxcolumn, containing sdk version. (#712)
Bug fixes
- Remove
plugin has no connectionserror when deleting and then re-adding a connection. (#725) - Fix potential divide by zero bug when setting cache size
What's new?
- New tables added
- aws_fms_policy (#1851)
- aws_fms_app_list (#1851)
- aws_transfer_server (#1909) (Thanks @jramosf for the contribution!)
Enhancements
- Added the
featurescolumn toaws_guardduty_detectortable. (#1958)
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
- AWS > QLDB > Ledger > Approved > Custom
Action Types:
- AWS > QLDB > Ledger > Delete from AWS
- AWS > QLDB > Ledger > Set Tags
- AWS > QLDB > Ledger > Skip alarm for Active control
- AWS > QLDB > Ledger > Skip alarm for Active control [90 days]
- AWS > QLDB > Ledger > Skip alarm for Approved control
- AWS > QLDB > Ledger > Skip alarm for Approved control [90 days]
- AWS > QLDB > Ledger > Skip alarm for Tags control
- AWS > QLDB > Ledger > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Neptune > DB Cluster > Approved > Custom
- AWS > Neptune > DB Instance > Approved > Custom
Action Types:
- AWS > Neptune > DB Cluster > Delete from AWS
- AWS > Neptune > DB Cluster > Set Tags
- AWS > Neptune > DB Cluster > Skip alarm for Active control
- AWS > Neptune > DB Cluster > Skip alarm for Active control [90 days]
- AWS > Neptune > DB Cluster > Skip alarm for Approved control
- AWS > Neptune > DB Cluster > Skip alarm for Approved control [90 days]
- AWS > Neptune > DB Cluster > Skip alarm for Tags control
- AWS > Neptune > DB Cluster > Skip alarm for Tags control [90 days]
- AWS > Neptune > DB Instance > Delete from AWS
- AWS > Neptune > DB Instance > Set Tags
- AWS > Neptune > DB Instance > Skip alarm for Active control
- AWS > Neptune > DB Instance > Skip alarm for Active control [90 days]
- AWS > Neptune > DB Instance > Skip alarm for Approved control
- AWS > Neptune > DB Instance > Skip alarm for Approved control [90 days]
- AWS > Neptune > DB Instance > Skip alarm for Tags control
- AWS > Neptune > DB Instance > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Inspector > Assessment Target > Approved > Custom
- AWS > Inspector > Assessment Template > Approved > Custom
Action Types:
- AWS > Inspector > Assessment Target > Delete from AWS
- AWS > Inspector > Assessment Target > Skip alarm for Active control
- AWS > Inspector > Assessment Target > Skip alarm for Active control [90 days]
- AWS > Inspector > Assessment Target > Skip alarm for Approved control
- AWS > Inspector > Assessment Target > Skip alarm for Approved control [90 days]
- AWS > Inspector > Assessment Template > Delete from AWS
- AWS > Inspector > Assessment Template > Set Tags
- AWS > Inspector > Assessment Template > Skip alarm for Active control
- AWS > Inspector > Assessment Template > Skip alarm for Active control [90 days]
- AWS > Inspector > Assessment Template > Skip alarm for Approved control
- AWS > Inspector > Assessment Template > Skip alarm for Approved control [90 days]
- AWS > Inspector > Assessment Template > Skip alarm for Tags control
- AWS > Inspector > Assessment Template > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > DAX > Cluster > Approved > Custom
Action Types:
- AWS > DAX > Cluster > Delete from AWS
- AWS > DAX > Cluster > Set Tags
- AWS > DAX > Cluster > Skip alarm for Active control
- AWS > DAX > Cluster > Skip alarm for Active control [90 days]
- AWS > DAX > Cluster > Skip alarm for Approved control
- AWS > DAX > Cluster > Skip alarm for Approved control [90 days]
- AWS > DAX > Cluster > Skip alarm for Tags control
- AWS > DAX > Cluster > Skip alarm for Tags control [90 days]
What's new?_
- Added the new
All Controlsbenchmark (steampipe check benchmark.all_controls). This new benchmark includes 109 service-specific controls. (#127)
What's new?
Server
- Updated: Updated the package
passport-samlto@node-saml/passport-saml: 4.0.4 - Updated: The directory API to support
Require Signed Authentication ResponseandStrict Audience Validation.
- Updated: Updated the package
UI:
- Added: Introduced UI options for
Require Signed Authentication ResponseandStrict Audience Validationfor enhanced security in SAML authentication.
- Added: Introduced UI options for
Enhanced Security and Compatibility Guide for SAML Authentication
Description
The recent package change for @node-saml/passport-saml has made it mandatory to sign the audience response and perform audience validation. To maintain backward compatibility, we have introduced two new options in the UI:
- Require Signed Authentication Response
- Strict Audience Validation
To make it backward compatible, both of these options are initially set to Disabled by default.
Important Note: This change ensures that the audience response is signed and audience validation is enforced. These checks were not available in earlier versions of the package.
Recommendations
We recommend customers enable both of these properties as they add an additional layer of security. However, it's important to be aware that enabling these properties might potentially break SAML login functionality. Therefore, certain steps need to be taken before enabling them.
Here are specific recommendations for popular Identity Providers (IDPs):
Okta
- Strict Audience Validation: If enabled, ensure that the "Issuer ID" matches the "Audience Restriction."
OneLogin
- Require Signed Authentication Response: This feature should be disabled in OneLogin, as OneLogin does not support it.
- Strict Audience Validation: If enabled, ensure that the "Issuer ID" matches the "Audience".
Azure Entra ID (Previously Known as Azure AD)
- Require Signed Authentication Response: If enabled, make sure you choose the
Signing optionto be "SIGN SAML response and assertion". TheSigning optionis available on the Signing Certificate page of Entra ID
Please follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
- AWS > Lightsail > Instance > Approved > Custom
- AWS > Lightsail > Load Balancer > Approved > Custom
- AWS > Lightsail > Relational Database > Approved > Custom
Action Types:
- AWS > Lightsail > Instance > Delete from AWS
- AWS > Lightsail > Instance > Set Tags
- AWS > Lightsail > Instance > Skip alarm for Active control
- AWS > Lightsail > Instance > Skip alarm for Active control [90 days]
- AWS > Lightsail > Instance > Skip alarm for Approved control
- AWS > Lightsail > Instance > Skip alarm for Approved control [90 days]
- AWS > Lightsail > Instance > Skip alarm for Tags control
- AWS > Lightsail > Instance > Skip alarm for Tags control [90 days]
- AWS > Lightsail > Load Balancer > Delete from AWS
- AWS > Lightsail > Load Balancer > Set Tags
- AWS > Lightsail > Load Balancer > Skip alarm for Active control
- AWS > Lightsail > Load Balancer > Skip alarm for Active control [90 days]
- AWS > Lightsail > Load Balancer > Skip alarm for Approved control
- AWS > Lightsail > Load Balancer > Skip alarm for Approved control [90 days]
- AWS > Lightsail > Load Balancer > Skip alarm for Tags control
- AWS > Lightsail > Load Balancer > Skip alarm for Tags control [90 days]
- AWS > Lightsail > Relational Database > Delete from AWS
- AWS > Lightsail > Relational Database > Set Tags
- AWS > Lightsail > Relational Database > Skip alarm for Active control
- AWS > Lightsail > Relational Database > Skip alarm for Active control [90 days]
- AWS > Lightsail > Relational Database > Skip alarm for Approved control
- AWS > Lightsail > Relational Database > Skip alarm for Approved control [90 days]
- AWS > Lightsail > Relational Database > Skip alarm for Tags control
- AWS > Lightsail > Relational Database > Skip alarm for Tags control [90 days]
What's new?
Resource Types:
- AWS > Bedrock
Policy Types:
- AWS > Bedrock > API Enabled
- AWS > Bedrock > Approved Regions [Default]
- AWS > Bedrock > Enabled
- AWS > Bedrock > Permissions
- AWS > Bedrock > Permissions > Levels
- AWS > Bedrock > Permissions > Levels > Modifiers
- AWS > Bedrock > Permissions > Lockdown
- AWS > Bedrock > Permissions > Lockdown > API Boundary
- AWS > Bedrock > Regions
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-bedrock
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-bedrock
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-bedrock
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > App Mesh > Mesh > Approved > Custom
Action Types:
- AWS > App Mesh > Mesh > Delete from AWS
- AWS > App Mesh > Mesh > Set Tags
- AWS > App Mesh > Mesh > Skip alarm for Active control
- AWS > App Mesh > Mesh > Skip alarm for Active control [90 days]
- AWS > App Mesh > Mesh > Skip alarm for Approved control
- AWS > App Mesh > Mesh > Skip alarm for Approved control [90 days]
- AWS > App Mesh > Mesh > Skip alarm for Tags control
- AWS > App Mesh > Mesh > Skip alarm for Tags control [90 days]
- Updated the plugin dependency section of the following mods to use
min_versioninstead ofversion:- Alicloud Insights
- AWS Insights
- AWS Tags
- Azure Insights
- Digitalocean Insights
- Docker Compliance
- GCP Insights
- GCP Labels
- Github Compliance
- Github Insights
- Gitlab Insights
- Hackernews Insights
- IBM Insights
- Kubernetes Insights
- Microsoft 365 Compliance
- OCI Compliance
- OCI Insights
- OCI Thrifty
- Snowflake Compliance
- Tailscale Compliance
- Terraform AWS Compliance
- Terraform Azure Compliance
- Terraform GCP Compliance
- Terraform OCI Compliance
- Turbot Guardrails Insights
Breaking changes
- Updated the plugin dependency section of the mod to use min_version instead of version. (#82)
Bug fixes
- Updated the docs to include the correct links for the nsa_cisa_v1 benchmark. (#80) (Thanks @aniketh-varma for the contribution!)
- Fixed the following queries to cast the data to boolean format. (#79)
- cronjob_container_privilege_disabled
- cronjob_host_network_access_disabled
- cronjob_hostpid_hostipc_sharing_disabled
- cronjob_immutable_container_filesystem
- cronjob_non_root_container
- daemonset_container_privilege_disabled
- daemonset_host_network_access_disabled
- daemonset_hostpid_hostipc_sharing_disabled
- daemonset_immutable_container_filesystem
- daemonset_non_root_container
- deployment_container_privilege_disabled
- deployment_host_network_access_disabled
- deployment_hostpid_hostipc_sharing_disabled
- deployment_immutable_container_filesystem
- deployment_non_root_container
- job_container_privilege_disabled
- job_host_network_access_disabled
- job_hostpid_hostipc_sharing_disabled
- job_immutable_container_filesystem
- job_non_root_container
- pod_container_privilege_disabled
- pod_immutable_container_filesystem
- pod_non_root_container
- pod_service_account_token_enabled
- pod_template_container_privilege_disabled
- pod_template_immutable_container_filesystem
- replicaset_container_privilege_disabled
- replicaset_host_network_access_disabled
- replicaset_hostpid_hostipc_sharing_disabled
- replicaset_immutable_container_filesystem
- replicaset_non_root_container
- replication_controller_container_privilege_disabled
- replication_controller_host_network_access_disabled
- replication_controller_hostpid_hostipc_sharing_disabled
- replication_controller_immutable_container_filesystem
- replication_controller_non_root_container
- statefulset_container_privilege_disabled
- statefulset_host_network_access_disabled
- statefulset_hostpid_hostipc_sharing_disabled
- statefulset_immutable_container_filesystem
- statefulset_non_root_container
Breaking changes
- Updated the plugin dependency section of the mod to use
min_versioninstead ofversion. (#161) - Renamed the control
lambda_function_with_graviton2tolambda_function_with_gravitonin order to maintain consistency. (#158) (Thanks @bluedoors for the contribution!)
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
Bug fixes
- The
AWS > ElastiCache > Snapshot > CMDBcontrol would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > Glue > Crawler > Delete from AWS
- AWS > Glue > Crawler > Set Tags
- AWS > Glue > Crawler > Skip alarm for Active control
- AWS > Glue > Crawler > Skip alarm for Active control [90 days]
- AWS > Glue > Crawler > Skip alarm for Approved control
- AWS > Glue > Crawler > Skip alarm for Approved control [90 days]
- AWS > Glue > Crawler > Skip alarm for Tags control
- AWS > Glue > Crawler > Skip alarm for Tags control [90 days]
- AWS > Glue > Data Catalog > Skip alarm for Encryption at Rest control
- AWS > Glue > Data Catalog > Skip alarm for Encryption at Rest control [90 days]
- AWS > Glue > Database > Delete from AWS
- AWS > Glue > Database > Skip alarm for Active control
- AWS > Glue > Database > Skip alarm for Active control [90 days]
- AWS > Glue > Database > Skip alarm for Approved control
- AWS > Glue > Database > Skip alarm for Approved control [90 days]
- AWS > Glue > Development Endpoint [Deprecated] > Delete from AWS
- AWS > Glue > Development Endpoint [Deprecated] > Set Tags
- AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Active control
- AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Active control [90 days]
- AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Approved control
- AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Approved control [90 days]
- AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Tags control
- AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Tags control [90 days]
- AWS > Glue > Job > Delete from AWS
- AWS > Glue > Job > Set Tags
- AWS > Glue > Job > Skip alarm for Active control
- AWS > Glue > Job > Skip alarm for Active control [90 days]
- AWS > Glue > Job > Skip alarm for Approved control
- AWS > Glue > Job > Skip alarm for Approved control [90 days]
- AWS > Glue > Job > Skip alarm for Tags control
- AWS > Glue > Job > Skip alarm for Tags control [90 days]
- AWS > Glue > ML Transform > Delete from AWS
- AWS > Glue > ML Transform > Set Tags
- AWS > Glue > ML Transform > Skip alarm for Active control
- AWS > Glue > ML Transform > Skip alarm for Active control [90 days]
- AWS > Glue > ML Transform > Skip alarm for Approved control
- AWS > Glue > ML Transform > Skip alarm for Approved control [90 days]
- AWS > Glue > ML Transform > Skip alarm for Tags control
- AWS > Glue > ML Transform > Skip alarm for Tags control [90 days]
- AWS > Glue > Security Configuration > Delete from AWS
- AWS > Glue > Security Configuration > Skip alarm for Active control
- AWS > Glue > Security Configuration > Skip alarm for Active control [90 days]
- AWS > Glue > Security Configuration > Skip alarm for Approved control
- AWS > Glue > Security Configuration > Skip alarm for Approved control [90 days]
- AWS > Glue > Table > Delete from AWS
- AWS > Glue > Table > Skip alarm for Active control
- AWS > Glue > Table > Skip alarm for Active control [90 days]
- AWS > Glue > Table > Skip alarm for Approved control
- AWS > Glue > Table > Skip alarm for Approved control [90 days]
- AWS > Glue > Trigger > Delete from AWS
- AWS > Glue > Trigger > Set Tags
- AWS > Glue > Trigger > Skip alarm for Active control
- AWS > Glue > Trigger > Skip alarm for Active control [90 days]
- AWS > Glue > Trigger > Skip alarm for Approved control
- AWS > Glue > Trigger > Skip alarm for Approved control [90 days]
- AWS > Glue > Trigger > Skip alarm for Tags control
- AWS > Glue > Trigger > Skip alarm for Tags control [90 days]
- AWS > Glue > Workflow > Delete from AWS
- AWS > Glue > Workflow > Set Tags
- AWS > Glue > Workflow > Skip alarm for Active control
- AWS > Glue > Workflow > Skip alarm for Active control [90 days]
- AWS > Glue > Workflow > Skip alarm for Approved control
- AWS > Glue > Workflow > Skip alarm for Approved control [90 days]
- AWS > Glue > Workflow > Skip alarm for Tags control
- AWS > Glue > Workflow > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > CodeCommit > Repository > Approved > Custom
Action Types:
- AWS > CodeCommit > Repository > Delete from AWS
- AWS > CodeCommit > Repository > Set Tags
- AWS > CodeCommit > Repository > Skip alarm for Active control
- AWS > CodeCommit > Repository > Skip alarm for Active control [90 days]
- AWS > CodeCommit > Repository > Skip alarm for Approved control
- AWS > CodeCommit > Repository > Skip alarm for Approved control [90 days]
- AWS > CodeCommit > Repository > Skip alarm for Tags control
- AWS > CodeCommit > Repository > Skip alarm for Tags control [90 days]
Bug fixes
- Fixed the description of the
namecolumn inaws_organizations_accounttable. (#1947) (Thanks @badideasforsale for the contribution!)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.6.3 which addresses the issue of expired credentials being intermittently retained in the connection cache. (#1956)
Bug fixes
- Fixed expired credentials sometimes being left in the connection cache. Update connection cache to use a backing store per connection, rather than a shared backing store. (#699)
v0.12.0 of the Terraform Provider for Pipes is now available.
What's new?
- Resource
pipes_workspace_datatank. - Resource
pipes_workspace_datatank_table.
Enhancements
- Resource
pipes_workspacenow supportsinstance_type.
The Google Workspace plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Google Sheets plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Google Directory plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The crt.sh plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The query API timeout has been increased from 1 minute to 2 minutes, allowing for greater flexibility in how you query your data.
What's new?
- Users can now set a Unique Writer Identity for Logging Sink created via the
GCP > Turbot > Event Handlersstack. To get started, set theGCP > Turbot > Event Handlers > Logging > Unique Writer Identitypolicy.
Bug fixes
- Guardrails stack controls would sometimes fail to update Pub/Sub Topic resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
Bug fixes
- Guardrails stack controls would sometimes fail to update Logging Sink resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Well-Architected Tool > Workload > Approved > Custom
Action Types:
- AWS > Well-Architected Tool > Workload > Delete from AWS
- AWS > Well-Architected Tool > Workload > Set Tags
- AWS > Well-Architected Tool > Workload > Skip alarm for Active control
- AWS > Well-Architected Tool > Workload > Skip alarm for Active control [90 days]
- AWS > Well-Architected Tool > Workload > Skip alarm for Approved control
- AWS > Well-Architected Tool > Workload > Skip alarm for Approved control [90 days]
- AWS > Well-Architected Tool > Workload > Skip alarm for Tags control
- AWS > Well-Architected Tool > Workload > Skip alarm for Tags control [90 days]
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Secrets Manager > Secret > Approved > Custom
Action Types:
- AWS > Secrets Manager > Secret > Delete from AWS
- AWS > Secrets Manager > Secret > Set Tags
- AWS > Secrets Manager > Secret > Skip alarm for Active control
- AWS > Secrets Manager > Secret > Skip alarm for Active control [90 days]
- AWS > Secrets Manager > Secret > Skip alarm for Approved control
- AWS > Secrets Manager > Secret > Skip alarm for Approved control [90 days]
- AWS > Secrets Manager > Secret > Skip alarm for Encryption at Rest control
- AWS > Secrets Manager > Secret > Skip alarm for Encryption at Rest control [90 days]
- AWS > Secrets Manager > Secret > Skip alarm for Tags control
- AWS > Secrets Manager > Secret > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Glacier > Vault > Approved > Custom
Action Types:
- AWS > Glacier > Vault > Delete from AWS
- AWS > Glacier > Vault > Set Tags
- AWS > Glacier > Vault > Skip alarm for Active control
- AWS > Glacier > Vault > Skip alarm for Active control [90 days]
- AWS > Glacier > Vault > Skip alarm for Approved control
- AWS > Glacier > Vault > Skip alarm for Approved control [90 days]
- AWS > Glacier > Vault > Skip alarm for Tags control
- AWS > Glacier > Vault > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Elastic Beanstalk > Application > Approved > Custom
Action Types:
- AWS > Elastic Beanstalk > Application > Delete from AWS
- AWS > Elastic Beanstalk > Application > Set Tags
- AWS > Elastic Beanstalk > Application > Skip alarm for Active control
- AWS > Elastic Beanstalk > Application > Skip alarm for Active control [90 days]
- AWS > Elastic Beanstalk > Application > Skip alarm for Approved control
- AWS > Elastic Beanstalk > Application > Skip alarm for Approved control [90 days]
- AWS > Elastic Beanstalk > Application > Skip alarm for Tags control
- AWS > Elastic Beanstalk > Application > Skip alarm for Tags control [90 days]
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include
createdBydetails in Turbot CMDB.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > WAF Regional > Rule > Approved > Custom
Action Types:
- AWS > WAF Regional > Rule > Delete from AWS
- AWS > WAF Regional > Rule > Skip alarm for Active control
- AWS > WAF Regional > Rule > Skip alarm for Active control [90 days]
- AWS > WAF Regional > Rule > Skip alarm for Approved control
- AWS > WAF Regional > Rule > Skip alarm for Approved control [90 days]
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
- AWS > VPC > Egress Only Internet Gateway > Delete from AWS
- AWS > VPC > Egress Only Internet Gateway > Set Tags
- AWS > VPC > Egress Only Internet Gateway > Skip alarm for Active control
- AWS > VPC > Egress Only Internet Gateway > Skip alarm for Active control [90 days]
- AWS > VPC > Egress Only Internet Gateway > Skip alarm for Approved control
- AWS > VPC > Egress Only Internet Gateway > Skip alarm for Approved control [90 days]
- AWS > VPC > Egress Only Internet Gateway > Skip alarm for Tags control
- AWS > VPC > Egress Only Internet Gateway > Skip alarm for Tags control [90 days]
- AWS > VPC > Elastic IP > Delete from AWS
- AWS > VPC > Elastic IP > Set Tags
- AWS > VPC > Elastic IP > Skip alarm for Active control
- AWS > VPC > Elastic IP > Skip alarm for Active control [90 days]
- AWS > VPC > Elastic IP > Skip alarm for Approved control
- AWS > VPC > Elastic IP > Skip alarm for Approved control [90 days]
- AWS > VPC > Elastic IP > Skip alarm for Tags control
- AWS > VPC > Elastic IP > Skip alarm for Tags control [90 days]
- AWS > VPC > Endpoint > Delete from AWS
- AWS > VPC > Endpoint > Set Tags
- AWS > VPC > Endpoint > Skip alarm for Active control
- AWS > VPC > Endpoint > Skip alarm for Active control [90 days]
- AWS > VPC > Endpoint > Skip alarm for Approved control
- AWS > VPC > Endpoint > Skip alarm for Approved control [90 days]
- AWS > VPC > Endpoint > Skip alarm for Tags control
- AWS > VPC > Endpoint > Skip alarm for Tags control [90 days]
- AWS > VPC > Endpoint Service > Delete from AWS
- AWS > VPC > Endpoint Service > Set Tags
- AWS > VPC > Endpoint Service > Skip alarm for Active control
- AWS > VPC > Endpoint Service > Skip alarm for Active control [90 days]
- AWS > VPC > Endpoint Service > Skip alarm for Approved control
- AWS > VPC > Endpoint Service > Skip alarm for Approved control [90 days]
- AWS > VPC > Endpoint Service > Skip alarm for Tags control
- AWS > VPC > Endpoint Service > Skip alarm for Tags control [90 days]
- AWS > VPC > Internet Gateway > Delete from AWS
- AWS > VPC > Internet Gateway > Set Tags
- AWS > VPC > Internet Gateway > Skip alarm for Active control
- AWS > VPC > Internet Gateway > Skip alarm for Active control [90 days]
- AWS > VPC > Internet Gateway > Skip alarm for Approved control
- AWS > VPC > Internet Gateway > Skip alarm for Approved control [90 days]
- AWS > VPC > Internet Gateway > Skip alarm for Tags control
- AWS > VPC > Internet Gateway > Skip alarm for Tags control [90 days]
- AWS > VPC > NAT Gateway > Delete from AWS
- AWS > VPC > NAT Gateway > Set Tags
- AWS > VPC > NAT Gateway > Skip alarm for Active control
- AWS > VPC > NAT Gateway > Skip alarm for Active control [90 days]
- AWS > VPC > NAT Gateway > Skip alarm for Approved control
- AWS > VPC > NAT Gateway > Skip alarm for Approved control [90 days]
- AWS > VPC > NAT Gateway > Skip alarm for Tags control
- AWS > VPC > NAT Gateway > Skip alarm for Tags control [90 days]
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
- AWS > VPC > DHCP Options > Delete from AWS
- AWS > VPC > DHCP Options > Set Tags
- AWS > VPC > DHCP Options > Skip alarm for Active control
- AWS > VPC > DHCP Options > Skip alarm for Active control [90 days]
- AWS > VPC > DHCP Options > Skip alarm for Tags control
- AWS > VPC > DHCP Options > Skip alarm for Tags control [90 days]
- AWS > VPC > Route Table > Delete from AWS
- AWS > VPC > Route Table > Set Tags
- AWS > VPC > Route Table > Skip alarm for Active control
- AWS > VPC > Route Table > Skip alarm for Active control [90 days]
- AWS > VPC > Route Table > Skip alarm for Tags control
- AWS > VPC > Route Table > Skip alarm for Tags control [90 days]
- AWS > VPC > Subnet > Delete from AWS
- AWS > VPC > Subnet > Set Tags
- AWS > VPC > Subnet > Skip alarm for Active control
- AWS > VPC > Subnet > Skip alarm for Active control [90 days]
- AWS > VPC > Subnet > Skip alarm for Tags control
- AWS > VPC > Subnet > Skip alarm for Tags control [90 days]
- AWS > VPC > VPC > Delete from AWS
- AWS > VPC > VPC > Set Tags
- AWS > VPC > VPC > Skip alarm for Active control
- AWS > VPC > VPC > Skip alarm for Active control [90 days]
- AWS > VPC > VPC > Skip alarm for Tags control
- AWS > VPC > VPC > Skip alarm for Tags control [90 days]
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Elasticsearch > Domain > Approved > Custom
Action Types:
- AWS > Elasticsearch > Domain > Delete from AWS
- AWS > Elasticsearch > Domain > Set Tags
- AWS > Elasticsearch > Domain > Skip alarm for Active control
- AWS > Elasticsearch > Domain > Skip alarm for Active control [90 days]
- AWS > Elasticsearch > Domain > Skip alarm for Approved control
- AWS > Elasticsearch > Domain > Skip alarm for Approved control [90 days]
- AWS > Elasticsearch > Domain > Skip alarm for Tags control
- AWS > Elasticsearch > Domain > Skip alarm for Tags control [90 days]
Bug fixes
- The
AWS > EC2 > Account Attributes > CMDBcontrol would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.
What's new?
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > ElastiCache > Cache Cluster > Delete from AWS
- AWS > ElastiCache > Cache Cluster > Set Tags
- AWS > ElastiCache > Cache Cluster > Skip alarm for Active control
- AWS > ElastiCache > Cache Cluster > Skip alarm for Active control [90 days]
- AWS > ElastiCache > Cache Cluster > Skip alarm for Tags control
- AWS > ElastiCache > Cache Cluster > Skip alarm for Tags control [90 days]
- AWS > ElastiCache > Cache Parameter Group > Delete from AWS
- AWS > ElastiCache > Cache Parameter Group > Skip alarm for Active control
- AWS > ElastiCache > Cache Parameter Group > Skip alarm for Active control [90 days]
- AWS > ElastiCache > Replication Group > Delete from AWS
- AWS > ElastiCache > Replication Group > Skip alarm for Active control
- AWS > ElastiCache > Replication Group > Skip alarm for Active control [90 days]
- AWS > ElastiCache > Snapshot > Delete from AWS
- AWS > ElastiCache > Snapshot > Set Tags
- AWS > ElastiCache > Snapshot > Skip alarm for Active control
- AWS > ElastiCache > Snapshot > Skip alarm for Active control [90 days]
- AWS > ElastiCache > Snapshot > Skip alarm for Tags control
- AWS > ElastiCache > Snapshot > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Data Pipeline > Pipeline > Approved > Custom
Action Types:
- AWS > Data Pipeline > Pipeline > Delete from AWS
- AWS > Data Pipeline > Pipeline > Set Tags
- AWS > Data Pipeline > Pipeline > Skip alarm for Active control
- AWS > Data Pipeline > Pipeline > Skip alarm for Active control [90 days]
- AWS > Data Pipeline > Pipeline > Skip alarm for Approved control
- AWS > Data Pipeline > Pipeline > Skip alarm for Approved control [90 days]
- AWS > Data Pipeline > Pipeline > Skip alarm for Tags control
- AWS > Data Pipeline > Pipeline > Skip alarm for Tags control [90 days]
Bug fixes
- Recovery Points deleted in AWS were not cleaned up automatically via real-time events in Guardrails. This is now fixed.
Enhancements
- Added the
contact_infocolumn tolinkedin_profiletable. (#5)
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Added support for
ap-northeast-3andus-gov-east-1regions in theAWS > SageMaker > Regionspolicy.Policy Types:
- AWS > SageMaker > Code Repository > Approved > Custom
- AWS > SageMaker > Endpoint > Approved > Custom
- AWS > SageMaker > Endpoint Configuration > Approved > Custom
- AWS > SageMaker > Lifecycle Configuration > Approved > Custom
- AWS > SageMaker > Model > Approved > Custom
- AWS > SageMaker > Training Job > Approved > Custom
Action Types:
- AWS > SageMaker > Code Repository > Delete from AWS
- AWS > SageMaker > Code Repository > Skip alarm for Active control
- AWS > SageMaker > Code Repository > Skip alarm for Active control [90 days]
- AWS > SageMaker > Code Repository > Skip alarm for Approved control
- AWS > SageMaker > Code Repository > Skip alarm for Approved control [90 days]
- AWS > SageMaker > Domain > Delete from AWS
- AWS > SageMaker > Endpoint > Delete from AWS
- AWS > SageMaker > Endpoint > Set Tags
- AWS > SageMaker > Endpoint > Skip alarm for Active control
- AWS > SageMaker > Endpoint > Skip alarm for Active control [90 days]
- AWS > SageMaker > Endpoint > Skip alarm for Approved control
- AWS > SageMaker > Endpoint > Skip alarm for Approved control [90 days]
- AWS > SageMaker > Endpoint > Skip alarm for Tags control
- AWS > SageMaker > Endpoint > Skip alarm for Tags control [90 days]
- AWS > SageMaker > Endpoint Configuration > Delete from AWS
- AWS > SageMaker > Endpoint Configuration > Set Tags
- AWS > SageMaker > Endpoint Configuration > Skip alarm for Active control
- AWS > SageMaker > Endpoint Configuration > Skip alarm for Active control [90 days]
- AWS > SageMaker > Endpoint Configuration > Skip alarm for Approved control
- AWS > SageMaker > Endpoint Configuration > Skip alarm for Approved control [90 days]
- AWS > SageMaker > Endpoint Configuration > Skip alarm for Tags control
- AWS > SageMaker > Endpoint Configuration > Skip alarm for Tags control [90 days]
- AWS > SageMaker > Lifecycle Configuration > Delete from AWS
- AWS > SageMaker > Lifecycle Configuration > Skip alarm for Active control
- AWS > SageMaker > Lifecycle Configuration > Skip alarm for Active control [90 days]
- AWS > SageMaker > Lifecycle Configuration > Skip alarm for Approved control
- AWS > SageMaker > Lifecycle Configuration > Skip alarm for Approved control [90 days]
- AWS > SageMaker > Model > Delete from AWS
- AWS > SageMaker > Model > Set Tags
- AWS > SageMaker > Model > Skip alarm for Active control
- AWS > SageMaker > Model > Skip alarm for Active control [90 days]
- AWS > SageMaker > Model > Skip alarm for Approved control
- AWS > SageMaker > Model > Skip alarm for Approved control [90 days]
- AWS > SageMaker > Model > Skip alarm for Tags control
- AWS > SageMaker > Model > Skip alarm for Tags control [90 days]
- AWS > SageMaker > Notebook Instance > Delete from AWS
- AWS > SageMaker > Notebook Instance > Set Tags
- AWS > SageMaker > Notebook Instance > Skip alarm for Active control
- AWS > SageMaker > Notebook Instance > Skip alarm for Active control [90 days]
- AWS > SageMaker > Notebook Instance > Skip alarm for Approved control
- AWS > SageMaker > Notebook Instance > Skip alarm for Approved control [90 days]
- AWS > SageMaker > Notebook Instance > Skip alarm for Tags control
- AWS > SageMaker > Notebook Instance > Skip alarm for Tags control [90 days]
- AWS > SageMaker > Training Job > Set Tags
- AWS > SageMaker > Training Job > Skip alarm for Active control
- AWS > SageMaker > Training Job > Skip alarm for Active control [90 days]
- AWS > SageMaker > Training Job > Skip alarm for Approved control
- AWS > SageMaker > Training Job > Skip alarm for Approved control [90 days]
- AWS > SageMaker > Training Job > Skip alarm for Tags control
- AWS > SageMaker > Training Job > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Route 53 Resolver > Resolver Endpoint > Approved > Custom
- AWS > Route 53 Resolver > Resolver Rule > Approved > Custom
Action Types:
- AWS > Route 53 Resolver > Resolver Endpoint > Delete from AWS
- AWS > Route 53 Resolver > Resolver Endpoint > Set Tags
- AWS > Route 53 Resolver > Resolver Endpoint > Skip alarm for Active control
- AWS > Route 53 Resolver > Resolver Endpoint > Skip alarm for Active control [90 days]
- AWS > Route 53 Resolver > Resolver Endpoint > Skip alarm for Approved control
- AWS > Route 53 Resolver > Resolver Endpoint > Skip alarm for Approved control [90 days]
- AWS > Route 53 Resolver > Resolver Endpoint > Skip alarm for Tags control
- AWS > Route 53 Resolver > Resolver Endpoint > Skip alarm for Tags control [90 days]
- AWS > Route 53 Resolver > Resolver Rule > Delete from AWS
- AWS > Route 53 Resolver > Resolver Rule > Set Tags
- AWS > Route 53 Resolver > Resolver Rule > Skip alarm for Active control
- AWS > Route 53 Resolver > Resolver Rule > Skip alarm for Active control [90 days]
- AWS > Route 53 Resolver > Resolver Rule > Skip alarm for Approved control
- AWS > Route 53 Resolver > Resolver Rule > Skip alarm for Approved control [90 days]
- AWS > Route 53 Resolver > Resolver Rule > Skip alarm for Tags control
- AWS > Route 53 Resolver > Resolver Rule > Skip alarm for Tags control [90 days]
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
- AWS > Events > Rule > Skip alarm for Approved control
- AWS > Events > Rule > Skip alarm for Approved control [90 days]
- AWS > Events > Target > Skip alarm for Active control
- AWS > Events > Target > Skip alarm for Active control [90 days]
- AWS > Events > Target > Skip alarm for Approved control
- AWS > Events > Target > Skip alarm for Approved control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > WAF > IP Set > Delete from AWS
- AWS > WAF > IP Set > Skip alarm for Active control
- AWS > WAF > IP Set > Skip alarm for Active control [90 days]
- AWS > WAF > IP Set > Skip alarm for Approved control
- AWS > WAF > IP Set > Skip alarm for Approved control [90 days]
- AWS > WAF > IP Set v2 Global > Delete from AWS
- AWS > WAF > IP Set v2 Global > Set Tags
- AWS > WAF > IP Set v2 Global > Skip alarm for Active control
- AWS > WAF > IP Set v2 Global > Skip alarm for Active control [90 days]
- AWS > WAF > IP Set v2 Global > Skip alarm for Approved control
- AWS > WAF > IP Set v2 Global > Skip alarm for Approved control [90 days]
- AWS > WAF > IP Set v2 Global > Skip alarm for Tags control
- AWS > WAF > IP Set v2 Global > Skip alarm for Tags control [90 days]
- AWS > WAF > IP Set v2 Regional > Delete from AWS
- AWS > WAF > IP Set v2 Regional > Set Tags
- AWS > WAF > IP Set v2 Regional > Skip alarm for Active control
- AWS > WAF > IP Set v2 Regional > Skip alarm for Active control [90 days]
- AWS > WAF > IP Set v2 Regional > Skip alarm for Approved control
- AWS > WAF > IP Set v2 Regional > Skip alarm for Approved control [90 days]
- AWS > WAF > IP Set v2 Regional > Skip alarm for Tags control
- AWS > WAF > IP Set v2 Regional > Skip alarm for Tags control [90 days]
- AWS > WAF > Rate Based Rule > Delete from AWS
- AWS > WAF > Rate Based Rule > Skip alarm for Active control
- AWS > WAF > Rate Based Rule > Skip alarm for Active control [90 days]
- AWS > WAF > Rate Based Rule > Skip alarm for Approved control
- AWS > WAF > Rate Based Rule > Skip alarm for Approved control [90 days]
- AWS > WAF > Regex Pattern Set v2 Global > Delete from AWS
- AWS > WAF > Regex Pattern Set v2 Global > Set Tags
- AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Active control
- AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Active control [90 days]
- AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Approved control
- AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Approved control [90 days]
- AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Tags control
- AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Tags control [90 days]
- AWS > WAF > Regex Pattern Set v2 Regional > Delete from AWS
- AWS > WAF > Regex Pattern Set v2 Regional > Set Tags
- AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Active control
- AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Active control [90 days]
- AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Approved control
- AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Approved control [90 days]
- AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Tags control
- AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Tags control [90 days]
- AWS > WAF > Rule > Delete from AWS
- AWS > WAF > Rule > Skip alarm for Active control
- AWS > WAF > Rule > Skip alarm for Active control [90 days]
- AWS > WAF > Rule > Skip alarm for Approved control
- AWS > WAF > Rule > Skip alarm for Approved control [90 days]
- AWS > WAF > Rule Group v2 Global > Delete from AWS
- AWS > WAF > Rule Group v2 Global > Set Tags
- AWS > WAF > Rule Group v2 Global > Skip alarm for Active control
- AWS > WAF > Rule Group v2 Global > Skip alarm for Active control [90 days]
- AWS > WAF > Rule Group v2 Global > Skip alarm for Approved control
- AWS > WAF > Rule Group v2 Global > Skip alarm for Approved control [90 days]
- AWS > WAF > Rule Group v2 Global > Skip alarm for Tags control
- AWS > WAF > Rule Group v2 Global > Skip alarm for Tags control [90 days]
- AWS > WAF > Rule Group v2 Regional > Delete from AWS
- AWS > WAF > Rule Group v2 Regional > Set Tags
- AWS > WAF > Rule Group v2 Regional > Skip alarm for Active control
- AWS > WAF > Rule Group v2 Regional > Skip alarm for Active control [90 days]
- AWS > WAF > Rule Group v2 Regional > Skip alarm for Approved control
- AWS > WAF > Rule Group v2 Regional > Skip alarm for Approved control [90 days]
- AWS > WAF > Rule Group v2 Regional > Skip alarm for Tags control
- AWS > WAF > Rule Group v2 Regional > Skip alarm for Tags control [90 days]
- AWS > WAF > Web ACL > Delete from AWS
- AWS > WAF > Web ACL > Set Tags
- AWS > WAF > Web ACL > Skip alarm for Active control
- AWS > WAF > Web ACL > Skip alarm for Active control [90 days]
- AWS > WAF > Web ACL > Skip alarm for Approved control
- AWS > WAF > Web ACL > Skip alarm for Approved control [90 days]
- AWS > WAF > Web ACL > Skip alarm for Tags control
- AWS > WAF > Web ACL > Skip alarm for Tags control [90 days]
- AWS > WAF > Web ACL v2 Global > Delete from AWS
- AWS > WAF > Web ACL v2 Global > Set Tags
- AWS > WAF > Web ACL v2 Global > Skip alarm for Active control
- AWS > WAF > Web ACL v2 Global > Skip alarm for Active control [90 days]
- AWS > WAF > Web ACL v2 Global > Skip alarm for Approved control
- AWS > WAF > Web ACL v2 Global > Skip alarm for Approved control [90 days]
- AWS > WAF > Web ACL v2 Global > Skip alarm for Tags control
- AWS > WAF > Web ACL v2 Global > Skip alarm for Tags control [90 days]
- AWS > WAF > Web ACL v2 Regional > Delete from AWS
- AWS > WAF > Web ACL v2 Regional > Set Tags
- AWS > WAF > Web ACL v2 Regional > Skip alarm for Active control
- AWS > WAF > Web ACL v2 Regional > Skip alarm for Active control [90 days]
- AWS > WAF > Web ACL v2 Regional > Skip alarm for Approved control
- AWS > WAF > Web ACL v2 Regional > Skip alarm for Approved control [90 days]
- AWS > WAF > Web ACL v2 Regional > Skip alarm for Tags control
- AWS > WAF > Web ACL v2 Regional > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
- AWS > Backup > Backup Plan > Delete from AWS
- AWS > Backup > Backup Plan > Set Tags
- AWS > Backup > Backup Plan > Skip alarm for Active control
- AWS > Backup > Backup Plan > Skip alarm for Active control [90 days]
- AWS > Backup > Backup Plan > Skip alarm for Tags control
- AWS > Backup > Backup Plan > Skip alarm for Tags control [90 days]
- AWS > Backup > Backup Selection > Delete from AWS
- AWS > Backup > Backup Selection > Skip alarm for Active control
- AWS > Backup > Backup Selection > Skip alarm for Active control [90 days]
- AWS > Backup > Backup Vault > Delete from AWS
- AWS > Backup > Backup Vault > Set Tags
- AWS > Backup > Backup Vault > Skip alarm for Active control
- AWS > Backup > Backup Vault > Skip alarm for Active control [90 days]
- AWS > Backup > Backup Vault > Skip alarm for Tags control
- AWS > Backup > Backup Vault > Skip alarm for Tags control [90 days]
- AWS > Backup > Recovery Point > Delete from AWS
- AWS > Backup > Recovery Point > Set Tags
- AWS > Backup > Recovery Point > Skip alarm for Active control
- AWS > Backup > Recovery Point > Skip alarm for Active control [90 days]
- AWS > Backup > Recovery Point > Skip alarm for Tags control
- AWS > Backup > Recovery Point > Skip alarm for Tags control [90 days]
Bug fixes
- Fixed the required quals of
github_issueandgithub_pull_requesttables to correctly return data instead of an error. (#355)
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.Added support for
ap-south-1,af-south-1,cn-north-1andus-gov-east-1regions in theAWS > WorkSpaces > Regionspolicy.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > WorkSpaces > WorkSpace > Approved > Custom
Action Types:
- AWS > WorkSpaces > WorkSpace > Delete from AWS
- AWS > WorkSpaces > WorkSpace > Set Tags
- AWS > WorkSpaces > WorkSpace > Skip alarm for Active control
- AWS > WorkSpaces > WorkSpace > Skip alarm for Active control [90 days]
- AWS > WorkSpaces > WorkSpace > Skip alarm for Approved control
- AWS > WorkSpaces > WorkSpace > Skip alarm for Approved control [90 days]
- AWS > WorkSpaces > WorkSpace > Skip alarm for Tags control
- AWS > WorkSpaces > WorkSpace > Skip alarm for Tags control [90 days]
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.Added support for
cn-north-1,cn-northwest-1,us-gov-east-1andus-gov-west-1regions in theAWS > MQ > Regionspolicy.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Amazon MQ > Broker > Approved > Custom
Action Types:
- AWS > Amazon MQ > Broker > Delete from AWS
- AWS > Amazon MQ > Broker > Set Tags
- AWS > Amazon MQ > Broker > Skip alarm for Active control
- AWS > Amazon MQ > Broker > Skip alarm for Active control [90 days]
- AWS > Amazon MQ > Broker > Skip alarm for Approved control
- AWS > Amazon MQ > Broker > Skip alarm for Approved control [90 days]
- AWS > Amazon MQ > Broker > Skip alarm for Tags control
- AWS > Amazon MQ > Broker > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > Logs > Log Group > Delete from AWS
- AWS > Logs > Log Group > Set Tags
- AWS > Logs > Log Group > Skip alarm for Active control
- AWS > Logs > Log Group > Skip alarm for Active control [90 days]
- AWS > Logs > Log Group > Skip alarm for Approved control
- AWS > Logs > Log Group > Skip alarm for Approved control [90 days]
- AWS > Logs > Log Group > Skip alarm for Encryption at Rest control
- AWS > Logs > Log Group > Skip alarm for Encryption at Rest control [90 days]
- AWS > Logs > Log Group > Skip alarm for Tags control
- AWS > Logs > Log Group > Skip alarm for Tags control [90 days]
- AWS > Logs > Log Stream > Delete from AWS
- AWS > Logs > Log Stream > Skip alarm for Active control
- AWS > Logs > Log Stream > Skip alarm for Active control [90 days]
- AWS > Logs > Log Stream > Skip alarm for Approved control
- AWS > Logs > Log Stream > Skip alarm for Approved control [90 days]
- AWS > Logs > Metric Filter > Delete from AWS
- AWS > Logs > Metric Filter > Skip alarm for Active control
- AWS > Logs > Metric Filter > Skip alarm for Active control [90 days]
- AWS > Logs > Metric Filter > Skip alarm for Approved control
- AWS > Logs > Metric Filter > Skip alarm for Approved control [90 days]
- AWS > Logs > Resource Policy > Delete from AWS
- AWS > Logs > Resource Policy > Skip alarm for Active control
- AWS > Logs > Resource Policy > Skip alarm for Active control [90 days]
- AWS > Logs > Resource Policy > Skip alarm for Approved control
- AWS > Logs > Resource Policy > Skip alarm for Approved control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.Added support for
cn-north-1,cn-northwest-1,us-gov-east-1andus-gov-west-1regions in theAWS > FSx > Regionspolicy.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > FSx > Backup > Approved > Custom
- AWS > FSx > File System > Approved > Custom
Action Types:
- AWS > FSx > Backup > Delete from AWS
- AWS > FSx > Backup > Set Tags
- AWS > FSx > Backup > Skip alarm for Active control
- AWS > FSx > Backup > Skip alarm for Active control [90 days]
- AWS > FSx > Backup > Skip alarm for Approved control
- AWS > FSx > Backup > Skip alarm for Approved control [90 days]
- AWS > FSx > Backup > Skip alarm for Tags control
- AWS > FSx > Backup > Skip alarm for Tags control [90 days]
- AWS > FSx > File System > Delete from AWS
- AWS > FSx > File System > Set Tags
- AWS > FSx > File System > Skip alarm for Active control
- AWS > FSx > File System > Skip alarm for Active control [90 days]
- AWS > FSx > File System > Skip alarm for Approved control
- AWS > FSx > File System > Skip alarm for Approved control [90 days]
- AWS > FSx > File System > Skip alarm for Tags control
- AWS > FSx > File System > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
- AWS > CloudWatch > Alarm > Delete from AWS
- AWS > CloudWatch > Alarm > Set Tags
- AWS > CloudWatch > Alarm > Skip alarm for Active control
- AWS > CloudWatch > Alarm > Skip alarm for Active control [90 days]
- AWS > CloudWatch > Alarm > Skip alarm for Approved control
- AWS > CloudWatch > Alarm > Skip alarm for Approved control [90 days]
- AWS > CloudWatch > Alarm > Skip alarm for Tags control
- AWS > CloudWatch > Alarm > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.Added support for
ca-central-1,eu-west-2,sa-east-1,us-east-2andus-gov-east-1regions in theAWS > AppStream > Regionspolicy.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > AppStream > Fleet > Approved > Custom
- AWS > AppStream > Image > Approved > Custom
- AWS > AppStream > Image Builder > Approved > Custom
- AWS > AppStream > User > Approved > Custom
Action Types:
- AWS > AppStream > Fleet > Delete from AWS
- AWS > AppStream > Fleet > Set Tags
- AWS > AppStream > Fleet > Skip alarm for Active control
- AWS > AppStream > Fleet > Skip alarm for Active control [90 days]
- AWS > AppStream > Fleet > Skip alarm for Approved control
- AWS > AppStream > Fleet > Skip alarm for Approved control [90 days]
- AWS > AppStream > Fleet > Skip alarm for Tags control
- AWS > AppStream > Fleet > Skip alarm for Tags control [90 days]
- AWS > AppStream > Image > Delete from AWS
- AWS > AppStream > Image > Set Tags
- AWS > AppStream > Image > Skip alarm for Active control
- AWS > AppStream > Image > Skip alarm for Active control [90 days]
- AWS > AppStream > Image > Skip alarm for Approved control
- AWS > AppStream > Image > Skip alarm for Approved control [90 days]
- AWS > AppStream > Image > Skip alarm for Tags control
- AWS > AppStream > Image > Skip alarm for Tags control [90 days]
- AWS > AppStream > Image Builder > Delete from AWS
- AWS > AppStream > Image Builder > Set Tags
- AWS > AppStream > Image Builder > Skip alarm for Active control
- AWS > AppStream > Image Builder > Skip alarm for Active control [90 days]
- AWS > AppStream > Image Builder > Skip alarm for Approved control
- AWS > AppStream > Image Builder > Skip alarm for Approved control [90 days]
- AWS > AppStream > Image Builder > Skip alarm for Tags control
- AWS > AppStream > Image Builder > Skip alarm for Tags control [90 days]
- AWS > AppStream > User > Delete from AWS
- AWS > AppStream > User > Skip alarm for Active control
- AWS > AppStream > User > Skip alarm for Active control [90 days]
- AWS > AppStream > User > Skip alarm for Approved control
- AWS > AppStream > User > Skip alarm for Approved control [90 days]
What's new?
- Server:
- Updated: Downgrade passport-saml Node package to 1.3.5.
What's new
- Updated
github_issue,github_my_issue,github_pull_request,github_search_issue, andgithub_search_pull_requesttables to only include nested and user permission columns in GraphQL request when requested. This should result in faster queries and large scale queries completing more consistently. (#342)
Enhancements
- Added the following controls to the
All Controlsbenchmark: (#722)athena_workgroup_enforce_configuration_enablediam_inline_policy_no_administrative_privileges
Bug fixes
Bug fixes
- The
AWS > EC2 > Volume > Discoverycontrol would go into an error state because of an unintended GraphQL query bug. This is fixed and the control will now work correctly as expected.
Enhancements
- Added additional dashboard and query docs and updated metadata descriptions in docs. (#323)
What's new?
- Updated: Hive manager code to include the new certificate.
What's new?
- Added: parameter for RDS certificate for commercial cloud.
What's new?
Server:
- Updated: RDS CA Certificate to use the latest bundled certificate.
- Updated: Updated the package passport-saml to @node-saml/passport-saml: 4.0.4
- Updated: Steampipe query in developer section now points to the correct table.
UI:
- Added: Option to view Changelogs in the Help dropdown menu.
Bug fixes
- Server:
- Fixed: Stack control failed to run when a large number of resources were being managed by a stack control.
All Pipes workspaces have now been upgraded to Steampipe v0.21.1.
For more information on this Steampipe release, see the release notes.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > GuardDuty > Detector > Delete from AWS
- AWS > GuardDuty > Detector > Set Tags
- AWS > GuardDuty > Detector > Skip alarm for Active control
- AWS > GuardDuty > Detector > Skip alarm for Active control [90 days]
- AWS > GuardDuty > Detector > Skip alarm for Approved control
- AWS > GuardDuty > Detector > Skip alarm for Approved control [90 days]
- AWS > GuardDuty > Detector > Skip alarm for Tags control
- AWS > GuardDuty > Detector > Skip alarm for Tags control [90 days]
- AWS > GuardDuty > IPSet > Delete from AWS
- AWS > GuardDuty > IPSet > Set Tags
- AWS > GuardDuty > IPSet > Skip alarm for Active control
- AWS > GuardDuty > IPSet > Skip alarm for Active control [90 days]
- AWS > GuardDuty > IPSet > Skip alarm for Approved control
- AWS > GuardDuty > IPSet > Skip alarm for Approved control [90 days]
- AWS > GuardDuty > IPSet > Skip alarm for Tags control
- AWS > GuardDuty > IPSet > Skip alarm for Tags control [90 days]
- AWS > GuardDuty > ThreatIntelSet > Delete from AWS
- AWS > GuardDuty > ThreatIntelSet > Set Tags
- AWS > GuardDuty > ThreatIntelSet > Skip alarm for Active control
- AWS > GuardDuty > ThreatIntelSet > Skip alarm for Active control [90 days]
- AWS > GuardDuty > ThreatIntelSet > Skip alarm for Approved control
- AWS > GuardDuty > ThreatIntelSet > Skip alarm for Approved control [90 days]
- AWS > GuardDuty > ThreatIntelSet > Skip alarm for Tags control
- AWS > GuardDuty > ThreatIntelSet > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > EMR > Cluster > Delete from AWS
- AWS > EMR > Cluster > Set Tags
- AWS > EMR > Cluster > Skip alarm for Active control
- AWS > EMR > Cluster > Skip alarm for Active control [90 days]
- AWS > EMR > Cluster > Skip alarm for Approved control
- AWS > EMR > Cluster > Skip alarm for Approved control [90 days]
- AWS > EMR > Cluster > Skip alarm for Tags control
- AWS > EMR > Cluster > Skip alarm for Tags control [90 days]
- AWS > EMR > Security Configuration > Delete from AWS
- AWS > EMR > Security Configuration > Skip alarm for Active control
- AWS > EMR > Security Configuration > Skip alarm for Active control [90 days]
- AWS > EMR > Security Configuration > Skip alarm for Approved control
- AWS > EMR > Security Configuration > Skip alarm for Approved control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > ECS > Cluster > Delete from AWS
- AWS > ECS > Cluster > Set Tags
- AWS > ECS > Cluster > Skip alarm for Active control
- AWS > ECS > Cluster > Skip alarm for Active control [90 days]
- AWS > ECS > Cluster > Skip alarm for Approved control
- AWS > ECS > Cluster > Skip alarm for Approved control [90 days]
- AWS > ECS > Cluster > Skip alarm for Tags control
- AWS > ECS > Cluster > Skip alarm for Tags control [90 days]
- AWS > ECS > Container Instance > Delete from AWS
- AWS > ECS > Container Instance > Skip alarm for Active control
- AWS > ECS > Container Instance > Skip alarm for Active control [90 days]
- AWS > ECS > Container Instance > Skip alarm for Approved control
- AWS > ECS > Container Instance > Skip alarm for Approved control [90 days]
- AWS > ECS > Service > Delete from AWS
- AWS > ECS > Service > Set Tags
- AWS > ECS > Service > Skip alarm for Active control
- AWS > ECS > Service > Skip alarm for Active control [90 days]
- AWS > ECS > Service > Skip alarm for Approved control
- AWS > ECS > Service > Skip alarm for Approved control [90 days]
- AWS > ECS > Service > Skip alarm for Tags control
- AWS > ECS > Service > Skip alarm for Tags control [90 days]
- AWS > ECS > Task Definition > Delete from AWS
- AWS > ECS > Task Definition > Set Tags
- AWS > ECS > Task Definition > Skip alarm for Active control
- AWS > ECS > Task Definition > Skip alarm for Active control [90 days]
- AWS > ECS > Task Definition > Skip alarm for Approved control
- AWS > ECS > Task Definition > Skip alarm for Approved control [90 days]
- AWS > ECS > Task Definition > Skip alarm for Tags control
- AWS > ECS > Task Definition > Skip alarm for Tags control [90 days]
What's new?
You can now configure Block Public Access for AMIs. To get started, set the
AWS > EC2 > Account Attributes > Block Public Access for AMIspolicy toEnforce: Enable Block Public Access for AMIs.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
- AWS > EC2 > Account Attributes > Block Public Access for AMIs
Policy Types:
- AWS > EC2 > Account Attributes > Block Public Access for AMIs
Action Types:
- AWS > EC2 > Account Attributes > Update Block Public Access for AMIs
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > DMS > Endpoint > Approved > Custom
- AWS > DMS > Replication Instance > Approved > Custom
Action Types:
- AWS > DMS > Endpoint > Delete from AWS
- AWS > DMS > Endpoint > Set Tags
- AWS > DMS > Endpoint > Skip alarm for Active control
- AWS > DMS > Endpoint > Skip alarm for Active control [90 days]
- AWS > DMS > Endpoint > Skip alarm for Approved control
- AWS > DMS > Endpoint > Skip alarm for Approved control [90 days]
- AWS > DMS > Endpoint > Skip alarm for Tags control
- AWS > DMS > Endpoint > Skip alarm for Tags control [90 days]
- AWS > DMS > Replication Instance > Delete from AWS
- AWS > DMS > Replication Instance > Set Tags
- AWS > DMS > Replication Instance > Skip alarm for Active control
- AWS > DMS > Replication Instance > Skip alarm for Active control [90 days]
- AWS > DMS > Replication Instance > Skip alarm for Approved control
- AWS > DMS > Replication Instance > Skip alarm for Approved control [90 days]
- AWS > DMS > Replication Instance > Skip alarm for Tags control
- AWS > DMS > Replication Instance > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > SES > Identity > Delete from AWS
- AWS > SES > Identity > Skip alarm for Active control
- AWS > SES > Identity > Skip alarm for Active control [90 days]
- AWS > SES > Identity > Skip alarm for Approved control
- AWS > SES > Identity > Skip alarm for Approved control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Security Hub > Hub > Approved > Custom
Action Types:
- AWS > Security Hub > Hub > Delete from AWS
- AWS > Security Hub > Hub > Set Tags
- AWS > Security Hub > Hub > Skip alarm for Approved control
- AWS > Security Hub > Hub > Skip alarm for Approved control [90 days]
- AWS > Security Hub > Hub > Skip alarm for Tags control
- AWS > Security Hub > Hub > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > Kinesis > Consumer > Delete from AWS
- AWS > Kinesis > Consumer > Skip alarm for Active control
- AWS > Kinesis > Consumer > Skip alarm for Active control [90 days]
- AWS > Kinesis > Consumer > Skip alarm for Approved control
- AWS > Kinesis > Consumer > Skip alarm for Approved control [90 days]
- AWS > Kinesis > Stream > Delete from AWS
- AWS > Kinesis > Stream > Set Tags
- AWS > Kinesis > Stream > Skip alarm for Active control
- AWS > Kinesis > Stream > Skip alarm for Active control [90 days]
- AWS > Kinesis > Stream > Skip alarm for Approved control
- AWS > Kinesis > Stream > Skip alarm for Approved control [90 days]
- AWS > Kinesis > Stream > Skip alarm for Encryption at Rest control
- AWS > Kinesis > Stream > Skip alarm for Encryption at Rest control [90 days]
- AWS > Kinesis > Stream > Skip alarm for Tags control
- AWS > Kinesis > Stream > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > DynamoDB > Backup > Delete from AWS
- AWS > DynamoDB > Backup > Skip alarm for Active control
- AWS > DynamoDB > Backup > Skip alarm for Active control [90 days]
- AWS > DynamoDB > Backup > Skip alarm for Approved control
- AWS > DynamoDB > Backup > Skip alarm for Approved control [90 days]
- AWS > DynamoDB > Global Table > Delete from AWS
- AWS > DynamoDB > Global Table > Skip alarm for Active control
- AWS > DynamoDB > Global Table > Skip alarm for Active control [90 days]
- AWS > DynamoDB > Global Table > Skip alarm for Approved control
- AWS > DynamoDB > Global Table > Skip alarm for Approved control [90 days]
- AWS > DynamoDB > Table > Delete from AWS
- AWS > DynamoDB > Table > Set Tags
- AWS > DynamoDB > Table > Skip alarm for Active control
- AWS > DynamoDB > Table > Skip alarm for Active control [90 days]
- AWS > DynamoDB > Table > Skip alarm for Approved control
- AWS > DynamoDB > Table > Skip alarm for Approved control [90 days]
- AWS > DynamoDB > Table > Skip alarm for Encryption at Rest control
- AWS > DynamoDB > Table > Skip alarm for Encryption at Rest control [90 days]
- AWS > DynamoDB > Table > Skip alarm for Tags control
- AWS > DynamoDB > Table > Skip alarm for Tags control [90 days]
What's new?
- Added 11 new controls across the benchmarks for the following services: (#39)
- Application Gateway
- Automation
- Cognitive Search
- Compute
- Frontdoor
- Network
- PostgreSQL
The Turbot Pipes app for Zapier, announced today, opens the world of DevOps data to Zap developers.
For more information, see the launch post.
Turbot Pipes plans & pricing are now available.
Free for Developers! Free trial & usage-based for Teams. Start immediately & cancel anytime.
For more information, see the launch post.
Datatank is now available in Turbot Pipes workspaces. Blow past API speed limits with scheduled data sync.
For more information, see the launch post.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Step Functions > State Machine > Approved > Custom
Action Types:
- AWS > Step Functions > State Machine > Delete from AWS
- AWS > Step Functions > State Machine > Set Tags
- AWS > Step Functions > State Machine > Skip alarm for Active control
- AWS > Step Functions > State Machine > Skip alarm for Active control [90 days]
- AWS > Step Functions > State Machine > Skip alarm for Approved control
- AWS > Step Functions > State Machine > Skip alarm for Approved control [90 days]
- AWS > Step Functions > State Machine > Skip alarm for Tags control
- AWS > Step Functions > State Machine > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Shield > Protection > Approved > Custom
Action Types:
- AWS > Shield > Protection > Delete from AWS
- AWS > Shield > Protection > Skip alarm for Active control
- AWS > Shield > Protection > Skip alarm for Active control [90 days]
- AWS > Shield > Protection > Skip alarm for Approved control
- AWS > Shield > Protection > Skip alarm for Approved control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Directory Service > Directory > Approved > Custom
Action Types:
- AWS > Directory Service > Directory > Delete from AWS
- AWS > Directory Service > Directory > Skip alarm for Active control
- AWS > Directory Service > Directory > Skip alarm for Active control [90 days]
- AWS > Directory Service > Directory > Skip alarm for Approved control
- AWS > Directory Service > Directory > Skip alarm for Approved control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > CodeBuild > Build > Delete from AWS
- AWS > CodeBuild > Build > Skip alarm for Active control
- AWS > CodeBuild > Build > Skip alarm for Active control [90 days]
- AWS > CodeBuild > Build > Skip alarm for Approved control
- AWS > CodeBuild > Build > Skip alarm for Approved control [90 days]
- AWS > CodeBuild > Project > Delete from AWS
- AWS > CodeBuild > Project > Set Tags
- AWS > CodeBuild > Project > Skip alarm for Active control
- AWS > CodeBuild > Project > Skip alarm for Active control [90 days]
- AWS > CodeBuild > Project > Skip alarm for Approved control
- AWS > CodeBuild > Project > Skip alarm for Approved control [90 days]
- AWS > CodeBuild > Project > Skip alarm for Tags control
- AWS > CodeBuild > Project > Skip alarm for Tags control [90 days]
- AWS > CodeBuild > Source Credential > Delete from AWS
- AWS > CodeBuild > Source Credential > Skip alarm for Active control
- AWS > CodeBuild > Source Credential > Skip alarm for Active control [90 days]
- AWS > CodeBuild > Source Credential > Skip alarm for Approved control
- AWS > CodeBuild > Source Credential > Skip alarm for Approved control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > CloudFormation > Stack > Approved > Custom
- AWS > CloudFormation > StackSet > Approved > Custom
Action Types:
- AWS > CloudFormation > Stack > Delete from AWS
- AWS > CloudFormation > Stack > Set Tags
- AWS > CloudFormation > Stack > Skip alarm for Active control
- AWS > CloudFormation > Stack > Skip alarm for Active control [90 days]
- AWS > CloudFormation > Stack > Skip alarm for Approved control
- AWS > CloudFormation > Stack > Skip alarm for Approved control [90 days]
- AWS > CloudFormation > Stack > Skip alarm for Tags control
- AWS > CloudFormation > Stack > Skip alarm for Tags control [90 days]
- AWS > CloudFormation > StackSet > Delete from AWS
- AWS > CloudFormation > StackSet > Set Tags
- AWS > CloudFormation > StackSet > Skip alarm for Active control
- AWS > CloudFormation > StackSet > Skip alarm for Active control [90 days]
- AWS > CloudFormation > StackSet > Skip alarm for Approved control
- AWS > CloudFormation > StackSet > Skip alarm for Approved control [90 days]
- AWS > CloudFormation > StackSet > Skip alarm for Tags control
- AWS > CloudFormation > StackSet > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Athena > NamedQuery > Approved > Custom
- AWS > Athena > Workgroup > Approved > Custom
Action Types:
- AWS > Athena > NamedQuery > Delete from AWS
- AWS > Athena > NamedQuery > Set Tags
- AWS > Athena > NamedQuery > Skip alarm for Active control
- AWS > Athena > NamedQuery > Skip alarm for Active control [90 days]
- AWS > Athena > NamedQuery > Skip alarm for Approved control
- AWS > Athena > NamedQuery > Skip alarm for Approved control [90 days]
- AWS > Athena > NamedQuery > Skip alarm for Tags control
- AWS > Athena > NamedQuery > Skip alarm for Tags control [90 days]
- AWS > Athena > Workgroup > Delete from AWS
- AWS > Athena > Workgroup > Set Tags
- AWS > Athena > Workgroup > Skip alarm for Active control
- AWS > Athena > Workgroup > Skip alarm for Active control [90 days]
- AWS > Athena > Workgroup > Skip alarm for Approved control
- AWS > Athena > Workgroup > Skip alarm for Approved control [90 days]
- AWS > Athena > Workgroup > Skip alarm for Tags control
- AWS > Athena > Workgroup > Skip alarm for Tags control [90 days]
The remaining 94 Turbot Steampipe plugins have been updated to use steampipe-plugin-sdk v5.6.2, which prevents nil pointer reference errors for implicit hydrate configs.
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > CloudSearch > Domain > Skip alarm for Active control
- AWS > CloudSearch > Domain > Skip alarm for Active control [90 days]
- AWS > CloudSearch > Domain > Skip alarm for Approved control
- AWS > CloudSearch > Domain > Skip alarm for Approved control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > CloudFront > CloudFront Origin Access Identity > Approved > Custom
- AWS > CloudFront > Distribution > Approved > Custom
- AWS > CloudFront > Streaming Distribution > Approved > Custom
Action Types:
- AWS > CloudFront > CloudFront Origin Access Identity > Skip alarm for Active control
- AWS > CloudFront > CloudFront Origin Access Identity > Skip alarm for Active control [90 days]
- AWS > CloudFront > CloudFront Origin Access Identity > Skip alarm for Approved control
- AWS > CloudFront > CloudFront Origin Access Identity > Skip alarm for Approved control [90 days]
- AWS > CloudFront > Distribution > Set Tags
- AWS > CloudFront > Distribution > Skip alarm for Active control
- AWS > CloudFront > Distribution > Skip alarm for Active control [90 days]
- AWS > CloudFront > Distribution > Skip alarm for Approved control
- AWS > CloudFront > Distribution > Skip alarm for Approved control [90 days]
- AWS > CloudFront > Distribution > Skip alarm for Tags control
- AWS > CloudFront > Distribution > Skip alarm for Tags control [90 days]
- AWS > CloudFront > Streaming Distribution > Set Tags
- AWS > CloudFront > Streaming Distribution > Skip alarm for Active control
- AWS > CloudFront > Streaming Distribution > Skip alarm for Active control [90 days]
- AWS > CloudFront > Streaming Distribution > Skip alarm for Approved control
- AWS > CloudFront > Streaming Distribution > Skip alarm for Approved control [90 days]
- AWS > CloudFront > Streaming Distribution > Skip alarm for Tags control
- AWS > CloudFront > Streaming Distribution > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Action Types:
- AWS > API Gateway > API > Delete from AWS
- AWS > API Gateway > API > Set Tags
- AWS > API Gateway > API > Skip alarm for Active control
- AWS > API Gateway > API > Skip alarm for Active control [90 days]
- AWS > API Gateway > API > Skip alarm for Approved control
- AWS > API Gateway > API > Skip alarm for Approved control [90 days]
- AWS > API Gateway > API > Skip alarm for Tags control
- AWS > API Gateway > API > Skip alarm for Tags control [90 days]
- AWS > API Gateway > API Key > Delete from AWS
- AWS > API Gateway > API Key > Set Tags
- AWS > API Gateway > API Key > Skip alarm for Active control
- AWS > API Gateway > API Key > Skip alarm for Active control [90 days]
- AWS > API Gateway > API Key > Skip alarm for Approved control
- AWS > API Gateway > API Key > Skip alarm for Approved control [90 days]
- AWS > API Gateway > API Key > Skip alarm for Tags control
- AWS > API Gateway > API Key > Skip alarm for Tags control [90 days]
- AWS > API Gateway > API V2 > Delete from AWS
- AWS > API Gateway > API V2 > Set Tags
- AWS > API Gateway > API V2 > Skip alarm for Active control
- AWS > API Gateway > API V2 > Skip alarm for Active control [90 days]
- AWS > API Gateway > API V2 > Skip alarm for Approved control
- AWS > API Gateway > API V2 > Skip alarm for Approved control [90 days]
- AWS > API Gateway > API V2 > Skip alarm for Tags control
- AWS > API Gateway > API V2 > Skip alarm for Tags control [90 days]
- AWS > API Gateway > Authorizer > Delete from AWS
- AWS > API Gateway > Authorizer > Skip alarm for Active control
- AWS > API Gateway > Authorizer > Skip alarm for Active control [90 days]
- AWS > API Gateway > Authorizer > Skip alarm for Approved control
- AWS > API Gateway > Authorizer > Skip alarm for Approved control [90 days]
- AWS > API Gateway > Authorizer V2 > Delete from AWS
- AWS > API Gateway > Authorizer V2 > Skip alarm for Active control
- AWS > API Gateway > Authorizer V2 > Skip alarm for Active control [90 days]
- AWS > API Gateway > Authorizer V2 > Skip alarm for Approved control
- AWS > API Gateway > Authorizer V2 > Skip alarm for Approved control [90 days]
- AWS > API Gateway > Domain Name V2 > Delete from AWS
- AWS > API Gateway > Domain Name V2 > Set Tags
- AWS > API Gateway > Domain Name V2 > Skip alarm for Active control
- AWS > API Gateway > Domain Name V2 > Skip alarm for Active control [90 days]
- AWS > API Gateway > Domain Name V2 > Skip alarm for Approved control
- AWS > API Gateway > Domain Name V2 > Skip alarm for Approved control [90 days]
- AWS > API Gateway > Domain Name V2 > Skip alarm for Tags control
- AWS > API Gateway > Domain Name V2 > Skip alarm for Tags control [90 days]
- AWS > API Gateway > Integration V2 > Delete from AWS
- AWS > API Gateway > Integration V2 > Skip alarm for Active control
- AWS > API Gateway > Integration V2 > Skip alarm for Active control [90 days]
- AWS > API Gateway > Integration V2 > Skip alarm for Approved control
- AWS > API Gateway > Integration V2 > Skip alarm for Approved control [90 days]
- AWS > API Gateway > Resource > Delete from AWS
- AWS > API Gateway > Resource > Skip alarm for Active control
- AWS > API Gateway > Resource > Skip alarm for Active control [90 days]
- AWS > API Gateway > Resource > Skip alarm for Approved control
- AWS > API Gateway > Resource > Skip alarm for Approved control [90 days]
- AWS > API Gateway > Stage > Delete from AWS
- AWS > API Gateway > Stage > Set Tags
- AWS > API Gateway > Stage > Skip alarm for Active control
- AWS > API Gateway > Stage > Skip alarm for Active control [90 days]
- AWS > API Gateway > Stage > Skip alarm for Approved control
- AWS > API Gateway > Stage > Skip alarm for Approved control [90 days]
- AWS > API Gateway > Stage > Skip alarm for Tags control
- AWS > API Gateway > Stage > Skip alarm for Tags control [90 days]
- AWS > API Gateway > Stage v2 > Delete from AWS
- AWS > API Gateway > Stage v2 > Set Tags
- AWS > API Gateway > Stage v2 > Skip alarm for Active control
- AWS > API Gateway > Stage v2 > Skip alarm for Active control [90 days]
- AWS > API Gateway > Stage v2 > Skip alarm for Approved control
- AWS > API Gateway > Stage v2 > Skip alarm for Approved control [90 days]
- AWS > API Gateway > Stage v2 > Skip alarm for Tags control
- AWS > API Gateway > Stage v2 > Skip alarm for Tags control [90 days]
- AWS > API Gateway > Usage Plan > Delete from AWS
- AWS > API Gateway > Usage Plan > Set Tags
- AWS > API Gateway > Usage Plan > Skip alarm for Active control
- AWS > API Gateway > Usage Plan > Skip alarm for Active control [90 days]
- AWS > API Gateway > Usage Plan > Skip alarm for Approved control
- AWS > API Gateway > Usage Plan > Skip alarm for Approved control [90 days]
- AWS > API Gateway > Usage Plan > Skip alarm for Tags control
- AWS > API Gateway > Usage Plan > Skip alarm for Tags control [90 days]
What's new?
AWS/Amplify/AdminandAWS/Amplify/Metadatanow also include permissions for Deployment, WebHook and Artifacts.Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > Amplify > App > Approved > Custom
Action Types:
- AWS > Amplify > App > Delete from AWS
- AWS > Amplify > App > Set Tags
- AWS > Amplify > App > Skip alarm for Active control
- AWS > Amplify > App > Skip alarm for Active control [90 days]
- AWS > Amplify > App > Skip alarm for Approved control
- AWS > Amplify > App > Skip alarm for Approved control [90 days]
- AWS > Amplify > App > Skip alarm for Tags control
- AWS > Amplify > App > Skip alarm for Tags control [90 days]
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the
Actionsbutton, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Policy Types:
- AWS > ACM > Certificate > Approved > Custom
Action Types:
- AWS > ACM > Certificate > Delete from AWS
- AWS > ACM > Certificate > Set Tags
- AWS > ACM > Certificate > Skip alarm for Active control
- AWS > ACM > Certificate > Skip alarm for Active control [90 days]
- AWS > ACM > Certificate > Skip alarm for Approved control
- AWS > ACM > Certificate > Skip alarm for Approved control [90 days]
- AWS > ACM > Certificate > Skip alarm for Tags control
- AWS > ACM > Certificate > Skip alarm for Tags control [90 days]
Bug fixes
- Fixed queries to correctly return data for
connection_nameandtagsdimensions instead of an error. (#73)
Enhancements
- Updated the following queries to use
urlas the resource column: (#35)default_branch_all_build_steps_as_codedefault_branch_pipeline_locks_external_dependencies_for_build_processdefault_branch_pipeline_must_have_jobs_with_sbom_generationdefault_branch_pipelines_scan_for_vulnerabilitiesdefault_branch_pipelines_scanners_set_to_prevent_sensitive_dataorg_member_mfa_enabledrepo_inactive_members_reviewrepo_deletion_limited_to_trusted_usersrepo_issue_deletion_limited_to_trusted_usersrepo_webhook_package_registery_security_settings_enabled
What's new?
- New tables added
The following 21 Turbot Steampipe plugins have been updated to use steampipe-plugin-sdk v5.6.2, which prevents nil pointer reference errors for implicit hydrate configs:
- Alibaba Cloud
- AWS CloudFormation
- Azure
- Azure Active Directory
- CSV
- DigitalOcean
- Docker
- Docker Hub
- Exec
- GCP
- GitHub
- IBM Cloud
- Jira
- Microsoft 365
- Net
- Okta
- OpenShift
- Oracle Cloud Infrastructure
- Salesforce
- Turbot Pipes
- Zoom
All new Pipes workspaces will be running Steampipe v0.21.1 and existing workspaces will be upgraded by Monday 9th October 2023.
For more information on this Steampipe release, see the launch post or release notes.
Bug fixes
- Fixed the plugin to prevent crashes when
source_typesconfig argument containsmanifestbutmanifest_file_pathsis not defined. (#177)
What's new?
- Added 39 new controls for the
ClusterRoleBinding,CronJob,DaemonSet,Ingress,Job,Podresource types to theall_controlsbenchmark. (#68)
Bug fixes
- Fixed the
source_account_idcolumn ofaws_securityhub_findingtable to correctly return data instead ofnull. (#1927) (Thanks @gabrielsoltz for the contribution!) - Fixed the
memberscolumn ofaws_rds_db_clustertable to correctly return data instead ofnull. (#1926)
Bug fixes
- Added support for the missing
mod-locationflag to thesteampipe variable listcommand. (#3942)
Bug fixes
- The
initialisefunction is now being called for implicit hydrate configs (i.e. hydrate functions without explicit config), thereby preventing nil pointer reference errors when the hydrate function returns an error. (#683)
Whats new?
- Define rate and concurrency limits for plugin execution. (#3746)
- Define multiple instances of a plugin version using a
pluginconnection config block. (#3807) - The maximum memory used by plugins and the CLI can now be specified either in
plugininstance definitions or the newpluginoptions block. (#3807) - New introspection tables
steampipe_pluginandsteampipe_plugin_limitercontaining all configured plugin instances and limiters. (#3746) - New introspection table
steampipe_server_settingspopulated with server settings data during service startup. (#3462) - Running
plugin installwith no arguments installs all referenced plugins. (#3451) - New
--outputflag forplugin listcmd allows selection betweenjsonandtableoutput. (#3368) - Each plugin directory ncontains a
version.jsonwhich can be used to recompose the global pluginversions.jsonif it is missing or corrupt. (#3492) - Typing
.cachein interactive prompt shows the current value of cache. (#2439) - Steampipe commands bypass plugin requirement check if installed plugin is locally built. (#3643)
- New
skip-configflag disables writing of default plugin config during plugin installation. (#3531, #2206) - Logs are now written to file instead of console. (#2916)
- When plugin startup fails, report useful message in the CLI. (#3732)
- Users are warned to not have mod.sp files in home directory. (#2321)
- Updated messaging when service is started on an unavailable port. (#623)
- Log files are rotated if the process is active across date boundaries. (#125, #3825)
- Listen hosts may be selected when starting steampipe service. (#3505)
- Initialisation behaviour for the sample options has been changed: always copy a sample file (
default.spc.sample), but only overwrite thedefault.spcfile with the sample content if the existing file has not been modified. (#3431) - Validation for the workspace profile
cachesettings. (#3646) - Support OCI registries requiring authentication. (#2819)
- Compiled with Go 1.21. (#3763)
Bug fixes
- Plugin manager shutdown stalling intermittently due to deadlocks. (#3818)
- Temporary tables dropped in interactive prompt when pool connections recycled. (#3781,#3543)
service startwas not listening onnetworkby default. (#3593)- Multi line logs from plugins not rendered correctly in plugin logs. (#3678)
.inspectpanicking for long column descriptions. (#3709)- Interactive prompt crashing when there is a code panic. (#3713)
- Incorrect zsh completion instructions.
- Steampipe should not create export files for cancelled control runs. (#3578)
BuildFullResourceNamenot validating non empty arguments. (#3601)- Spinner not showing when exporting check results. (#3577)
stdinwas consumed byquerycommand even if there are arguments. (#1985)- When exporting multiple benchmarks, results now merged the results into a single export. (#2380)
- Raise warning when pseudo-resources are ignored because of named HCL resources. (#1328)
- Database reinstalled unnecessarily if any FDW files were missing. (#2040)
- Improved error message when steampipe fails to parse a mod definition file because mod block does not exist. (#1198)
- Only
install-dirandworkspaceflags should be global flags. All other flags should only apply to specific command. (#3542) - Passing an empty list for list variables was not working. (#2094)
- Show deprecation warning for
versionfield inrequireblock of mod definition. - Temporary directories were not always being cleaned up after plugin commands.
plugin listreturned nothing if no plugins were installed. (#3927)
Deprecations and migrations
- Table
steampipe_connection_staterenamed tosteampipe_connection - Removed migration and backward compatibility of data files from v0.13.0. (#3517)
- Removed deprecated
workspace-chdirflag. (#3925) - Migrated from
cloud.steampipe.iotopipes.turbot.com. (#3724) - Removed support for plugins which do not support multiple connections (i.e. using SDK < v4.0.0).
- Deprecated
terminal options.
All 115 Turbot Steampipe plugins have been updated to use steampipe-plugin-sdk v5.6.1, which adds support for rate and concurrency limiters.
Limiters provide a simple, flexible interface to implement client-site rate limiting and concurrency thresholds at compile time or run time. You can use limiters to:
- Smooth the request rate from Steampipe to reduce load on the remote API or service
- Limit the number of parallel requests to reduce contention for client and network resources
- Avoid hitting server limits and throttling
For more information on getting started, please see Concurrency and Rate Limiting.
What's new?
- Added: t4g, m7g, m6gd, r7g, r6gd, c6g and c6gd to instance type parameter for RDS.
- Added: new hive parameter group for Postgres 14 and 15.
What's new?
- We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Deprecated
- The
source_typeconfig argument has been deprecated and will be removed in the next major version. Please use thesource_typesconfig argument instead. If both config arguments are set,source_typeswill take precedence. For backward compatibility, please see below for old and new value equivalents: (#167)source_type = 'all':source_types = ["deployed", "helm", "manifest"]source_type = 'deployed':source_types = ["deployed"]source_type = 'helm':source_types = ["helm"]source_type = 'manifest':source_types = ["manifest"]
What's new?
- Added the
source_typesconfig argument, which allows specifying a combination of source types to load per connection. (#167)
What's new?
- Added 350+ new controls across all resource types to the
all_controlsbenchmark. (#64)
Enhancements
- Added
pathto default set ofcommon_dimensions, so now any file paths will appear by default in the additional dimensions in control results. (#63) - Added
iaccategory to mod definition.
Dependencies
- Kubernetes plugin
v0.23.0or higher is now required.
Breaking changes
- Removed the
outputcolumn in theexec_commandtable. This column has been replaced by thestdout_outputandstderr_outputcolumns. (#13)
What's new?
- Added
stdout_outputandstderr_outputcolumns to theexec_commandtable. (#13) - Added
streamcolumn to theexec_command_linetable. (#13) - Added plugin limiter
exec_globalwithMaxConcurrencyset to 15 in an effort to reduce abuse reports due to large number of concurrent remote connections. (#13)
Bug fixes
- Results from the
exec_commandtable should now be consistent when using local and remote connections. (#13)
Dependencies
- Recompiled plugin with steampipe-plugin-sdk v5.6.0 which adds support for rate limiters. (#13)
- Recompiled plugin with Go 1.21. (#13)
What's new?
- Added CIS v1.6.0 benchmark (
steampipe check docker_compliance.benchmark.cis_v160). (#4)
What's new?
SetConnectionCacheOptions, a new GRPC endpoint to clear connection cache. (#678)
What's new?
Resource Types:
- AWS > Route 53 > Record
Control Types:
- AWS > Route 53 > Record > Active
- AWS > Route 53 > Record > Approved
- AWS > Route 53 > Record > CMDB
- AWS > Route 53 > Record > Discovery
Policy Types:
- AWS > Route 53 > Record > Active
- AWS > Route 53 > Record > Active > Age
- AWS > Route 53 > Record > Active > Budget
- AWS > Route 53 > Record > Active > Last Modified
- AWS > Route 53 > Record > Approved
- AWS > Route 53 > Record > Approved > Budget
- AWS > Route 53 > Record > Approved > Custom
- AWS > Route 53 > Record > Approved > Usage
- AWS > Route 53 > Record > CMDB
Action Types:
- AWS > Route 53 > Record > Delete
- AWS > Route 53 > Record > Delete from AWS
- AWS > Route 53 > Record > Router
- AWS > Route 53 > Record > Skip alarm for Active control
- AWS > Route 53 > Record > Skip alarm for Active control [90 days]
- AWS > Route 53 > Record > Skip alarm for Approved control
- AWS > Route 53 > Record > Skip alarm for Approved control [90 days]
Enhancements
- Added the
last_successful_login_timecolumn tooci_identity_usertable. (#547)
What's new?
- Define rate and concurrency limits for plugin execution. (#623)
- Diagnostics property added to
_ctxcolumn, containing information on hydrate calls and rate limiting (enabled by setting env varSTEAMPIPE_DIAGNOSTIC_LEVEL=all) - Support for JSONB operators in
Listhydrate functions. (#594) Typeproperty added toConnectionConfigprotobuf definition to determine if a connection is an aggregator. (#590)- When plugin startup fails, write a specially formatted string to stdout so plugin manager can parse the output and display a useful message. (#619)
- Support for multi-line log entries. (#612)
- Added
Equalsfunction forQualValue. (#646)
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
- AWS > Organizations > Organization Root > Active
- AWS > Organizations > Organization Root > Approved
- AWS > Organizations > Organizational Account > Active
- AWS > Organizations > Organizational Account > Approved
Policy Types:
- AWS > Organizations > Organization Root > Active
- AWS > Organizations > Organization Root > Active > Age
- AWS > Organizations > Organization Root > Active > Last Modified
- AWS > Organizations > Organization Root > Approved
- AWS > Organizations > Organization Root > Approved > Custom
- AWS > Organizations > Organization Root > Approved > Usage
- AWS > Organizations > Organizational Account > Active
- AWS > Organizations > Organizational Account > Active > Age
- AWS > Organizations > Organizational Account > Active > Last Modified
- AWS > Organizations > Organizational Account > Approved
- AWS > Organizations > Organizational Account > Approved > Custom
- AWS > Organizations > Organizational Account > Approved > Usage
Action Types:
- AWS > Organizations > Organization Root > Skip alarm for Active control
- AWS > Organizations > Organization Root > Skip alarm for Active control [90 days]
- AWS > Organizations > Organization Root > Skip alarm for Approved control
- AWS > Organizations > Organization Root > Skip alarm for Approved control [90 days]
- AWS > Organizations > Organizational Account > Skip alarm for Active control
- AWS > Organizations > Organizational Account > Skip alarm for Active control [90 days]
- AWS > Organizations > Organizational Account > Skip alarm for Approved control
- AWS > Organizations > Organizational Account > Skip alarm for Approved control [90 days]
What's new?
AWS/MSK/Admin,AWS/MSK/MetadataandAWS/MSK/Operatornow also include permissions for Cluster V2, Scram Secrets and Kafka VPC Connections.We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include
createdBydetails in Turbot CMDB.Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Policy Types:
- AWS > MSK > Cluster > Approved > Custom
- AWS > MSK > Cluster > Approved > Instance Types
Action Types:
- AWS > MSK > Cluster > Delete from AWS
- AWS > MSK > Cluster > Set Tags
- AWS > MSK > Cluster > Skip alarm for Active control
- AWS > MSK > Cluster > Skip alarm for Active control [90 days]
- AWS > MSK > Cluster > Skip alarm for Approved control
- AWS > MSK > Cluster > Skip alarm for Approved control [90 days]
- AWS > MSK > Cluster > Skip alarm for Tags control
- AWS > MSK > Cluster > Skip alarm for Tags control [90 days]
Bug fixes
- Guardrails would sometimes fail to upsert clusters correctly in CMDB. This is now fixed.
What's new?
Control Types:
- AWS > ElastiCache > Replication Group > Backup
Policy Types:
- AWS > ElastiCache > Replication Group > Backup
- AWS > ElastiCache > Replication Group > Backup > Retention Period
- AWS > ElastiCache > Replication Group > Backup > Window
Action Types:
- AWS > ElastiCache > Cache Cluster > Skip alarm for approved control
- AWS > ElastiCache > Cache Cluster > Skip alarm for approved control [90 days]
- AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control
- AWS > ElastiCache > Cache Parameter Group > Skip alarm for approved control [90 days]
- AWS > ElastiCache > Replication Group > Skip alarm for approved control
- AWS > ElastiCache > Replication Group > Skip alarm for approved control [90 days]
- AWS > ElastiCache > Replication Group > Update Backup
- AWS > ElastiCache > Snapshot > Skip alarm for approved control
- AWS > ElastiCache > Snapshot > Skip alarm for approved control [90 days]
What's new?
- New tables added
All Pipes workspaces have now been upgraded to Steampipe v0.20.12.
For more information on this Steampipe release, see the release notes.
Enhancements
- Added 112 new controls to the
All Controlsbenchmark for the following services: (#59)CronJobDaemonSetDeploymentJobPodReplicaSetReplicationControllerStatefulSet
All new Pipes workspaces will be running Steampipe v0.20.12 and existing workspaces will be upgraded by Monday 25th September 2023.
For more information on this Steampipe release, see the release notes.
The ServiceNow plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
Added support for Global Event Handlers. This release contains new Guardrails policies and controls to support deployment of Global Event Handlers for AWS.
Control Types:
- AWS > Turbot > Event Handlers [Global]
Policy Types:
- AWS > Turbot > Event Handlers [Global]
- AWS > Turbot > Event Handlers [Global] > Events
- AWS > Turbot > Event Handlers [Global] > Events > Rules
- AWS > Turbot > Event Handlers [Global] > Events > Rules > Name Prefix
- AWS > Turbot > Event Handlers [Global] > Events > Rules > Tags
- AWS > Turbot > Event Handlers [Global] > Events > Target
- AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN
- AWS > Turbot > Event Handlers [Global] > Primary Region
- AWS > Turbot > Event Handlers [Global] > SNS
- AWS > Turbot > Event Handlers [Global] > SNS > Topic
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Customer Managed Key
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Name Prefix
- AWS > Turbot > Event Handlers [Global] > SNS > Topic > Tags
- AWS > Turbot > Event Handlers [Global] > Source
- AWS > Turbot > Event Handlers [Global] > Terraform Version
- AWS > Turbot > Service Roles > Event Handlers [Global]
- AWS > Turbot > Service Roles > Event Handlers [Global] > Name
What's new?
AWS/RDS/Admin,AWS/RDS/MetadataandAWS/RDS/Operatornow include permissions for Performance Insights.- Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
What's new?
Added support for new multi-regions
NAM8,NAM9,NAM10,NAM11,NAM12,NAM13,NAM14,NAM15,NAM-EUR-ASIA1,NAM-EUR-ASIA3,IN,EUR5,EUR6,EUROPEandEMEAin theGCP > Project > Regionspolicy.Policy Types Removed:
- GCP > Project > Multi-Regions [Deprecated]
Bug fixes
- Fixed
github_search_repositorytable queries failing when selecting thehas_downloads,has_pages,hooks,network_count,subscribers_count, ortopicscolumns. (#337)
All Pipes workspaces have now been upgraded to Steampipe v0.20.11.
For more information on this Steampipe release, see the release notes.
Bug fixes
- The
AWS > VPC > Security Group > CMDBcontrol would sometimes go into an error state if the TE version installed on the workspace was 5.42.1 or lower. This is fixed and the control will now work as expected.
What's new?
- Added: m7g instance types for Elasticache.
Bug fixes
- User group name for hive names with _ in it.
- Hive manager code to add access grant to public schema for postgres 15.
Requirements
- TEF: 1.52.0
What's new?
- Added support for new
europe-west10region in theGCP > Project > Regionspolicy. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
What's new?
- Added support for new
asia-northeast3,asia-south2,asia-southeast2,australia-southeast2,europe-central2,europe-southwest1,europe-west10,europe-west12,europe-west8,europe-west9,me-central1,me-west1,northamerica-northeast2,southamerica-west1,us-east5,us-south1,us-west3andus-west4regions in theGCP > Compute Engine > Regionspolicy. - Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Bug fixes
- The real-time Event Handlers would sometimes fail to upsert data disks attached to instances in Guardrails CMDB. This is now fixed.
Bug fixes
- Guardrails stack controls would fail to claim any existing Security Group if the Security Group was available in Guardrails CMDB and the stack's Source policy included the Terraform plan for the Security Group. This is fixed and stack control will now be able to claim existing Security Groups correctly. Please note that this fix will only work for workspaces on TE v5.42.2 or higher.
- Guardrails stack controls would sometimes fail to update Security Groups and Security Group Rules if the Terraform plan in the stack's source policy included changes to attributes which force replaced the resource. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.2 or higher.
What's new?
- Policy Types:
- AWS > EC2 > Instance > Schedule Tag > Name
Bug fixes
- After starting/stopping an instance successfully, the
AWS > EC2 > Instance > Schedulecontrol would try and perform the same start/stop action again if the state of the instance was changed outside of the control within 1 hour of the successful start/stop run. This is fixed and the control will now not trigger a start/stop action again for a minimum of 1 hour of the previous successful run.
Bug fixes
- Fixed the
invalid memory address or nil pointer dereferenceerrors when querying Terraform configuration or plan or state files that includednullvalued arguments. (#56)
Bug fixes
- Fixed the plugin to return
nilinstead of anerrorwhen the file/path specified indockerfile_pathsordocker_compose_file_pathsconfig arguments does not exist. (#38)
Bug fixes
- Added the missing
resourcecolumn in the queries ofglue_data_catalog_encryption_settings_metadata_encryption_enabledandglue_data_catalog_encryption_settings_password_encryption_enabledcontrols. (#715)
What's new?
- Updated: Hive manager code to include access grant for public schema for postgres 15.
What's new?
- Server:
- Updated: Now supports creating multiple AKAs starting with arn, azure, and gcp via APIs.
- Updated: Add mod version check for workspace upgrade.
Bug fixes
- Server:
- Fixed: Ensure successful workspace creation on fresh PostgreSQL 15 installations.
- Fixed: The stack should claim the Security Group (SG) or Security Group Rule (SGR) if the resource already exists.
- Removed: vm2 node package.
What's new?
Resource Types:
- Azure > Network > Express Route Circuits
Control Types:
- Azure > Network > Express Route Circuits > Active
- Azure > Network > Express Route Circuits > Approved
- Azure > Network > Express Route Circuits > CMDB
- Azure > Network > Express Route Circuits > Discovery
- Azure > Network > Express Route Circuits > Tags
Policy Types:
- Azure > Network > Express Route Circuits > Active
- Azure > Network > Express Route Circuits > Active > Age
- Azure > Network > Express Route Circuits > Active > Last Modified
- Azure > Network > Express Route Circuits > Approved
- Azure > Network > Express Route Circuits > Approved > Custom
- Azure > Network > Express Route Circuits > Approved > Regions
- Azure > Network > Express Route Circuits > Approved > Usage
- Azure > Network > Express Route Circuits > CMDB
- Azure > Network > Express Route Circuits > Regions
- Azure > Network > Express Route Circuits > Tags
- Azure > Network > Express Route Circuits > Tags > Template
Action Types:
- Azure > Network > Express Route Circuits > Delete
- Azure > Network > Express Route Circuits > Router
- Azure > Network > Express Route Circuits > Set Tags
Enhancements
- Added the
resource_objectandobjectcolumns toguardrails_notificationandguardrails_resourcetables respectively. (#7)
Bug fixes
- Added the missing S3 go-getter examples in the
docs/index.mdfile.
Bug fixes
- Fixed the data type of
capacity_reservation_specificationcolumn ofaws_ec2_instancetable to be ofJSONtype instead ofSTRING. (#1903)
Enhancements
- Added the
iam_workload_identity_restrictedcontrol to theIAMbenchmark. (#38)
All new Pipes workspaces will be running Steampipe v0.20.11 and existing workspaces will be upgraded by Monday 18th September 2023.
For more information on this Steampipe release, see the release notes.
Deprecations
- Deprecated
domaincolumn innet_certificatetable, which has been replaced by theaddresscolumn. Please note that theaddresscolumn requires a port, e.g.,github.com:443. This column will be removed in a future version. (#50)
What's new?
- Added
addresscolumn to thenet_certificatetable to allow specifying a port with the domain name. (#50)
What's new?
Users can now delete Login Profiles for IAM Users.
Control Types:
- AWS > IAM > User > Login Profile
Policy Types:
- AWS > IAM > User > Login Profile
Action Types:
- AWS > IAM > User > Delete Login Profile
Bug fixes
- Updated the
bitbucket.spcandindex.mdfiles to include details ofBITBUCKET_USERNAME,BITBUCKET_PASSWORD, andBITBUCKET_API_BASE_URLenvironment variables. (#77)
What's new?
Resource Types:
- Azure > Network > Private DNS Zones
- Azure > Network > Private Endpoints
Control Types:
- Azure > Network > Private DNS Zones > Active
- Azure > Network > Private DNS Zones > Approved
- Azure > Network > Private DNS Zones > CMDB
- Azure > Network > Private DNS Zones > Discovery
- Azure > Network > Private DNS Zones > Tags
- Azure > Network > Private Endpoints > Active
- Azure > Network > Private Endpoints > Approved
- Azure > Network > Private Endpoints > CMDB
- Azure > Network > Private Endpoints > Discovery
- Azure > Network > Private Endpoints > Tags
Policy Types:
- Azure > Network > Private DNS Zones > Active
- Azure > Network > Private DNS Zones > Active > Age
- Azure > Network > Private DNS Zones > Active > Last Modified
- Azure > Network > Private DNS Zones > Approved
- Azure > Network > Private DNS Zones > Approved > Custom
- Azure > Network > Private DNS Zones > Approved > Usage
- Azure > Network > Private DNS Zones > CMDB
- Azure > Network > Private DNS Zones > Tags
- Azure > Network > Private DNS Zones > Tags > Template
- Azure > Network > Private Endpoints > Active
- Azure > Network > Private Endpoints > Active > Age
- Azure > Network > Private Endpoints > Active > Last Modified
- Azure > Network > Private Endpoints > Approved
- Azure > Network > Private Endpoints > Approved > Custom
- Azure > Network > Private Endpoints > Approved > Regions
- Azure > Network > Private Endpoints > Approved > Usage
- Azure > Network > Private Endpoints > CMDB
- Azure > Network > Private Endpoints > Regions
- Azure > Network > Private Endpoints > Tags
- Azure > Network > Private Endpoints > Tags > Template
Action Types:
- Azure > Network > Private DNS Zones > Delete
- Azure > Network > Private DNS Zones > Router
- Azure > Network > Private DNS Zones > Set Tags
- Azure > Network > Private Endpoints > Delete
- Azure > Network > Private Endpoints > Router
- Azure > Network > Private Endpoints > Set Tags
Bug fixes
- A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.
Bug fixes
- The
AWS > Turbot > Event Handlersnow support real-time events for AWS S3 Multi-Region Access Point.
What's new?
Resource Types:
- AWS > S3 > Multi-Region Access Point
Control Types:
- AWS > S3 > Multi-Region Access Point > Active
- AWS > S3 > Multi-Region Access Point > Approved
- AWS > S3 > Multi-Region Access Point > CMDB
- AWS > S3 > Multi-Region Access Point > Discovery
- AWS > S3 > Multi-Region Access Point > Usage
Policy Types:
- AWS > S3 > Multi-Region Access Point > Active
- AWS > S3 > Multi-Region Access Point > Active > Age
- AWS > S3 > Multi-Region Access Point > Active > Budget
- AWS > S3 > Multi-Region Access Point > Active > Last Modified
- AWS > S3 > Multi-Region Access Point > Approved
- AWS > S3 > Multi-Region Access Point > Approved > Budget
- AWS > S3 > Multi-Region Access Point > Approved > Custom
- AWS > S3 > Multi-Region Access Point > Approved > Usage
- AWS > S3 > Multi-Region Access Point > CMDB
- AWS > S3 > Multi-Region Access Point > Usage
- AWS > S3 > Multi-Region Access Point > Usage > Limit
- AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-s3multiregionaccesspoint
Action Types:
- AWS > S3 > Multi-Region Access Point > Delete
- AWS > S3 > Multi-Region Access Point > Delete from AWS
- AWS > S3 > Multi-Region Access Point > Router
- AWS > S3 > Multi-Region Access Point > Skip alarm for Active control
- AWS > S3 > Multi-Region Access Point > Skip alarm for Active control [90 days]
- AWS > S3 > Multi-Region Access Point > Skip alarm for Approved control
- AWS > S3 > Multi-Region Access Point > Skip alarm for Approved control [90 days]
What's new?
AWS/S3/AdminandAWS/S3/Metadatanow include permissions for Multi-Region Access Point Routes.
The Shopify plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Sentry plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The LaunchDarkly plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
- We've updated the runtime for lambda functions in the aws-efs mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
- Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
What's new?
We've updated the runtime for lambda functions in the aws-config mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
- AWS > Config > Configuration Recorder > Approved > Custom
- AWS > Config > Delivery Channel > Approved > Custom
- AWS > Config > Rule > Approved > Custom
Action Types
- AWS > Config > Configuration Recorder > Skip alarm for Active control
- AWS > Config > Configuration Recorder > Skip alarm for Active control [90 days]
- AWS > Config > Configuration Recorder > Skip alarm for Approved control
- AWS > Config > Configuration Recorder > Skip alarm for Approved control [90 days]
- AWS > Config > Delivery Channel > Skip alarm for Active control
- AWS > Config > Delivery Channel > Skip alarm for Active control [90 days]
- AWS > Config > Delivery Channel > Skip alarm for Approved control
- AWS > Config > Delivery Channel > Skip alarm for Approved control [90 days]
- AWS > Config > Rule > Skip alarm for Active control
- AWS > Config > Rule > Skip alarm for Active control [90 days]
- AWS > Config > Rule > Skip alarm for Approved control
- AWS > Config > Rule > Skip alarm for Approved control [90 days]
What's new?
- We've updated the runtime for lambda functions in the aws-cloudtrail mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
The WorkOS plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The UptimeRobot plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The New Relic plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Turbot Guardrails plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The CohereAI plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
What's new?
Resource Types:
- AWS > Elastic Inference
Policy Types:
- AWS > Elastic Inference > API Enabled
- AWS > Elastic Inference > Approved Regions [Default]
- AWS > Elastic Inference > Enabled
- AWS > Elastic Inference > Permissions
- AWS > Elastic Inference > Permissions > Levels
- AWS > Elastic Inference > Permissions > Levels > Modifiers
- AWS > Elastic Inference > Permissions > Lockdown
- AWS > Elastic Inference > Permissions > Lockdown > API Boundary
- AWS > Elastic Inference > Regions
- AWS > Elastic Inference > Tags Template [Default]
- AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-elasticinference
- AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-elasticinference
- AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-elasticinference
- AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-elasticinference
What's new?
- Server:
- Cloudwatch dashboard query for View AWS External Messages by AWS Account ID and Events to exclude restriction on AWS.
- Allow sending notifications for same state change.
- Replaced vm2 with eval for inline and trustedInline execution of policies, controls, and actions.
What's new?
GCP/OAuth/AdminandGCP/OAuth/Metadatanow also includeoauthconfig:*permissions. Click here for more details.
The Turbot Pipes plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The GoDaddy plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
The Docker Hub plugin is now available in all Pipes workspaces.
To get started, create a connection and add it to your workspace.
All Pipes workspaces have now been upgraded to Steampipe v0.20.10.
For more information on this Steampipe release, see the release notes.
All new Pipes workspaces will be running Steampipe v0.20.10 and existing workspaces will be upgraded by Monday 21st August 2023.
For more information on this Steampipe release, see the release notes.
What's new?
- Added: Parameter for restricting untrusted code upload to Turbot Guardrails.
- Removed: Alb Waf support.
What's new?
- Server:
- Added: worker, sqs queue, sns topic for factory.
- Updated: Allow upload of mod based on the value of TURBOT_CUSTOM_MOD_UPLOAD.
- Added: Environment variable for custom mod upload.
- Removed: Support for ALB WAF.
Bug fixes
- Server:
- Stack will not fail to delete and recreate resources.
Requirements
- TEF: 1.51.0
What's new?
- Added: Postgres version 11.19, 11.20, 12.14, 12.15, 13.10, 13.11, 14.8, 15.2 and 15.3.
What's new?
- UI
- Added: Inactive Users report.
Bug fixes
- Server:
- The actor information for attach and detach smart folder.
- Disable notification feature if Redis is not being used.
What's new?
- Added: Support for Factory worker.
- Updated: Descriptions and names to Turbot Guardrails Enterprise Foundation from Turbot Enterprise Foundation.
What's new?
- Updated: descriptions and names from Turbot Enterprise Database to Turbot Guardrails Enterprise Database.
What's new?
Server:
- Added: Added support for control/action update notifications.
- Added: Support for interface in control types.
- Added: Turbot Installation Type environment variable.
- Added: SES SendEmail permission to Worker Lambda Role.
- Added: Add notification index to improve performance of notifications.
- Updated: Improve policy value create/update with a more efficient database design.
- Updated: Description of TE stack from Turbot Enterprise to Turbot Guardrails Enterprise.
- Updated: @slack/web-api to 6.8.1. @wry/equality to 0.5.6. anymatch to 3.1.3. archiver to 5.3.1. body-parser to 1.20.2. chai to 4.3.7. chokidar to 3.5.3. classnames to 2.3.2. cli-progress to 3.12.0. copy-to-clipboard to 3.3.3. dataloader to 2.2.2. diff to 5.1.0. express to 4.18.2. generate-password to 1.7.0. graphql-2-json-schema to 0.10.0. http-status-codes to 2.2.0. lodash-match-pattern to 2.3.1. micromatch to 4.0.5. mockserver-client to 5.15.0. moment-timezone to 0.5.43. nconf to 0.12.0. nodemailer to 6.9.2. nunjucks to 3.2.4. passport to 0.6.0. pg to 8.10.0. performant-array-to-tree to 1.11.0. prismjs to 1.29.0. prompt to 1.3.0. prompts to 2.4.2. recursive-readdir to 2.2.3. redux to 4.2.1. resolve to 1.22.2. semver to 7.5.1. simple-git to 3.18.0. unzipper to 0.10.14. uri-js to 4.4.1. vm2 to 3.9.19 and other dev dependencies. Removed aws-appsync and aws-xray-sdk. ioredis to 5.3.1.
UI
- Updated: Updated new login logo and home page logo.
- Updated: Turbot directory should be created in guardrails.turbot.com.
- Updated: Turbot directory SSO login should be redirected to there respective guardrails domain.
Note
IAM change in this release:
- Updated worker lambda to include SES SendEmail permissions.
What's new?
- Rebrand to Turbot Guardrails CLI. We recommend using the new guardrails registries
guardrails.turbot.com,guardrails.turbot-stg.comorguardrails.turbot-dev.comto publish a guardrails mod. To maintain compatibility, none of the existing commands have changed, your existing configuration and commands will continue to work as before.
What's new?
Policy Types:
- Turbot > Workspace > Retention > Process Cache Retention.
Resource Types:
Smart Foldersare now calledPolicy Packs.
Requirements
- TE: 5.35.4
v1.10.0 of the Terraform Provider for Guardrails is now available.
Documentation
Rebrand to Turbot Guardrails provider. Resource and data source names in this provider have not changed to maintain compatibility. Existing templates will continue to work as-is without need to change anything.
What's new?
- Fixed: Resource details are now correctly included when doing a csv download of the
Resources Deleted by Turbotreport.
Requires
Container Info
- Ubuntu:
22.04,jammy-20230425 - Alpine:
3.17.3
Bug fixes
- Policy Types:
- Improved pattern validation for
slackWebhookUrlinTurbot > Notifications > Rule-Based Routingpolicy.
- Improved pattern validation for
Requirements
- TE: 5.35.4
What's new?
- Added: Tagging details now included in CSV download for GCP Compute Engine VM Instances, Azure Compute Virtual Machines, Azure Compute Disks and EBS Volumes report.
- Added: New filters for Turbot Files and Smart Folders in the resource browser.
- Updated: Editing a Turbot File via the UI no longer requires the resource AKA to be specified.
- Fixed: Resource deletion will no longer trigger an increase the count of active controls.
Requires
- TEF v1.49.0
Container Info
- Ubuntu:
22.04,jammy-20230425 - Alpine:
3.17.3
What's new?
- Added: Quick actions are now available for users that only have permission at the account level.
- Fixed: The resource import page will now function correctly if the AWS mod is not installed.
- Fixed: Resource deletion will no longer trigger an increase the count of active controls.
Requires
- TEF v1.49.0
Container Info
- Ubuntu:
22.04,jammy-20230425 - Alpine:
3.17.3
What's new?
- Added: Postgres version 14.6 and 14.7.
What's new?
- Policy Types:
- Turbot > Workspace > Outbound CIDR Ranges
Requirements
- TE: 5.35.4
What's new?
- Added: Ability to specify AKA when creating Turbot File.
- Updated: Turbot explorer search will show results for Smart Folders and Turbot Files.
- Fixed: Terraform stack control should not end in error if the data size for command is too large.
- Fixed: Turbot actions will now be visible for users with grants at the cloud account level.
Enterprise
- Updated: Added debug statements for createGrant mutations.
Requires
- TEF v1.49.0
Container Info
- Ubuntu:
22.04,jammy-20230425 - Alpine:
3.17.3
Enterprise
- Changed: Removed long debug statements from stack controls to improve performance of large stacks.
- Added: Additional logging information emmited while preparing stack container.
Requires
- TEF v1.49.0
Container Info
- Ubuntu:
22.04,jammy-20230425 - Alpine:
3.17.3
What's new?
- Fixed: Smart retention controls are now a bit smarter.
Enterprise
- Updated: Resource policy of Events SQS queues now require encryption in transit.
- Updated: Resource policy of Events SNS topics now require encryption in transit.
Requires
- TEF v1.49.0
Container Info
- Ubuntu
22.04,jammy-20230425 - Alpine:
3.18.0
What's new?
- Added: debug statement for Smart Retention control.
Requires
- TEF v1.49.0
Server
What's new?
- Added support for version
v5.10.0of the Turbot IAM mod. - Fixed: Adding grants to group profile now works as expected.
Requires
- TEF v1.49.0
What's new?
- Added: New parameter that allows selection of the TLS policy for application load balancers.
What's new?
- Added: Parameter to manage KMS Key for RDS Performance Insights.
What's new?
- Updated: Accounts Summary Report now includes resource AKA(s) in the CSV output.
- Updated: The Turbot auth token cookie
SameSiteconfiguration tostrict. - Updated: The policy setting page to now render HTML content as string.
Enterprise
- Added: Parameter for TLS Policy for ALB HTTPS Listener.
- Added: Rate limits to the login directories APIs.
Requires
- TEF v1.49.0
What's new?
- Updated: Moved management of the Elasticache user group to CloudFormation instead of the Hive Manager lambda. It is no longer necessary to update the Redis access control groups after making changes to the Redis cluster.
What's new?
- Added: AWS Lambda Functions report.
- Updated: Turbot will now use AWS Terraform provider version
3.75.0whenTurbot > Stack Terraform Version [Default]is set to0.15.*
Bug fixes
- Fixed: Timestamp display in the console now updates correctly for recently deleted mods.
- Fixed: When an
Actionfails due to cloud provider throttling, Turbot will now reschedule the control that triggered the action, those actions should now be more consistently applied under heavy loads.
Note AWS IAM permissions change in this release:
- Updated: Worker Lambda to include Elasticache permissions to support the
Turbot > Cache > Health Checkcontrol. - Updated: Hive Manager no longer manages the authentication configuration for ElastiCache. This responsibility has shifted to Turbot Guardrails Enterprise Database.
What's new?
- Added: Parameter to modify Lambda trigger concurrency.
What's new?
- Control Types:
- Unused
Turbot > Type Installed > Background Tasksis now removed
- Unused
Requirements
- TE: 5.35.4
What's new?
- Added: New parameter for attaching a custom security group to each ECS host.
- Added: New parameter for attaching a custom security group to the TE ALB. Requires TE >
v5.40.0. - Added: Option added to enable IMDSv2 for ECS hosts.
- Added: New parameters to specify the size and type of EBS volumes attached to ECS Hosts.
- Added: New parameter to specify a port for outbound SMTP (if needed).
- Updated: The
db_pairsecurity group now includes Elasticache rules, when Elasticache is enabled.
Deprecation
- As a result of this change to the
db_pairsecurity group, the Elasticachecache_pairsecurity group is no longer required. It will be removed in a future release.
Bug fixes
- Fixed: Improved handling of HTTP "Too Many Requests" (429) errors.
Enterprise
- Updated: TE Management Lambdas, and ECS Containers will be deployed with the NodeJS 16.x runtime. This change is independent of Mod Lambda runtime versions.
- Added: If specified in TEF, a custom security group may be assigned to the TE ALB.
Requires
- TEF v1.47.0
What's new?
- Added: Parameter to modify Lambda trigger concurrency
Enterprise
- Added: Parameter for Lambda trigger concurrency.
Requires TEF: v1.46.0 TED: v1.9.1
What's new?
- Added: SSM parameter for events DLQ and worker retry reserved concurrency.
Bug fixes
- Fixed: Issue that could prevent indexes from being recreated after being dropped.
- Fixed: Issue with safeGet() function that could prevent reports from rendering in the UI.
- Fixed: Ansible task and service now created correctly created for Ansible
version
2.10.7.
Enterprise
- Added: Support for trigger concurrency in worker and events lamda functions.
Requires TEF: v1.45.0 TED: v1.9.1
What's new?
- New: Turbot's autoscale group configuration has switched from
launch templatestolaunch configurations. - Added: Parameter to select Lambda function runtime version.
- Added: Encryption in transit policy for SNS topics and SQS queues.
- Updated: Changed EBS volume storage type to
gp3.
What's new?
- Fixed: Activity page should display
alternatePersonain the actor field if available.
Bug fixes
- Fixed: AWS EC2 Instance report now runs more reliably.
- Updated: Improved the performance of the Activity page.
Enterprise
- Added: Encryption in transit policy for SNS topics and SQS queues in the Turbot Master account.
- Updated: Removed the deleted control historical records from control_usage table.
- Updated:
vm2package to 3.9.11 in the ECS containers.
What's new?
- Added: Support to import Azure China Cloud subscriptions.
- Added: Support for Azure China Cloud endpoints.
Bug fixes
- Updated: Increased reliability of policy value application when attaching a smartfolder.
Enterprise
- Updated: Removed Xray configuration from Postgres pool, as it was not being used.
- Updated: vm2 in main package.json updated to 3.9.11.
- Updated: Maintenance container base image to node:14-alpine3.17.
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
- Added: Support for Postgres versions: 13.8, 14.1, 14.2, 14.3, 14.4, 14.5.
- Added: Support for Redis 7.0.
- Added: Support for RDS gp3 disk types.
Bug fixes
- Add role as a valid level to generate temporary credentials for roles.
Bug fixes
- Updated: Query for resource notifications to improve performance when using
the
Activitysub-tab on the resource page. - Updated: Improved logic used to determine when to run maintenance control for stale policy values.
- Updated: Mod install controlls will now use the standard worker queue instead of worker_priority queue to allow other actions to take priority during mod installs.
Enterprise
- Updated: Updated Ubuntu vm2 package to version 3.9.11. to resolve CVE-2022-36067.
- Updated: Message retetion period of events priority queue changed to 96 hours.
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
- Added: support for TLS 1.2 for API Gateway
Bug fixes
- Added: Btree aka index for akas_history and akas table. The Activity Tab should show improved performance.
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
- Fixed: Downloading the csv for EC2 > Instance > Report should not fail.
Enterprise
- Added: ability to run async/callback in control's
inline. - Added: Ability to move control to priority queue.
- Updated: mute noisy log if unable to get process log data from S3.
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
- Added: Postgres version 13.7 to RDS engine parameter.
- Added: Tags to elasticache resources.
Bug fixes
- Updated: Local Profiles and Group Profiles filter now use free text search instead of akas matches.
- Updated: Installing a mod using the CLI now runs faster, reducing the likelyhood of a timeout.
- Fixed: Quick actions menu will no longer show actions from child resources.
Enterprise
- Added: Support for workspace URL in Turbot > Workspace > Workspace URL policy.
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
- Added: SSM parameter for Process Log Fallback Bucket.
Bug fixes
- Fixed: Resolved issue where EC2 instance report would fail to run.
- Fixed: Permissions summary report now works for users without permissions at the root level.
Enterprise
- Added: allow an alternative process log bucket to be provided to read from an older bucket.
- Updated: Ansible container base image to Ubuntu 22.10 (Kinetic Kudu)
- Updated: Ansible version to 2.10.7
- Updated: Docker base images of API and Factory to ubuntu 22.
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
- Fixed: Apollo UI behaves properly when setting backoff interval of an action.
- Fixed: Actor display information will now fallback to
unidentifiedif persona and identity are not available. - Updated: UI will now use the actor information of the process (if supplied) for Policy Setting CRUD operations.
- Updated: Action runs now carry the identity of its launcher. This changes the
way notifications are presented. Previously notifications from an action
showed as
Unidentified, now they will carry the identity of the launcher, most of the time this will be the Turbot identity unless the action is launched by a user from Turbot UI.
Enterprise
- Updated: Linux Environment control to support version 3 of SELinux Python bindings
Enterprise
- Updated: Improved Ansible container error handling
UI
- Added: Mutation resolver for quick action and steampipe query in the developer tab.
- Added: Add support to execute quick action via URL.
Enterprise
- Fixed: Control type should only trigger the control if there is a change in graphql/inline/function.
What's new?
- New Feature: Quick Actions
- Updated: graphiql to 1.4.5
Quick Actions Quick Actions is a new feature that allows Turbot users to initaite specific (one time) control enforcements on their cloud environment via the Turbot UI. Cloud operations teams can use Quick Actions to remediate cloud configuration issues (e.g. enable encryption on a resource) or snooze Turbot alarms for issues that we want to come back to later. More details in the documentation. Quick actions will be rolling out across all supported cloud services in the coming months (based on your feedback); this initial release covers resources in the following AWS mods:
- cloudtrail
- ec2
- kms
- lambda
- rds
- s3
- sns
- sqs
- vpc
Disabling the Quick Actions feature
Quick Actions use the permissions granted to the Turbot service user or cross-account role used to import your cloud service account into Turbot. Execution of quick actions will fail if the underlying role prevents those actions from occuring.
The Quick Actions feature is disabled by default, but can easily be enabled via the
Turbot > Quick Actions > Enabledpolicy. If you would like to prevent lower level Turbot administrators from enabling Quick Actions for their cloud service accounts, then make sure you setTurbot > Quick Actions > EnabledtoDisabledat the Turbot level using theRequiredoption.The policy
Turbot > Quick Actions > Permission Levelsoffers fine-grained control over which Turbot permission levels are required to execute specific quick actions. These permission limits can be set globally and specific exceptions can be managed down to the individual cloud service account level.
Enterprise
- Split package dependencies between Server and UI so they can use independent versions of GraphQL.
Bug fixes
- CLI failed to download latest mod versions automatically for mods with version < 5.0.0.
turbot completioncommand was displayed twice on runningturbot help.
Bug fixes
- CLI failed to install dependencies for a mod with more than 26 dependencies.
What's new?
- Added: new IAM permissions for Mod Lambda to publish messages to the Priority Events queue.
- Added: parameter for Worker Priority and Events Tick Lambda Reserved Concurrency.
- Added: EC2 ECS host recycling using parameter.
Bug fixes
- Fixed: ECS Rolling update.
- Fixed: Condition of Foundation Key to prevent its creation if TEFKmsKey parameter value is specified.
There are IAM changes in this release:
- New IAM permissions for Mod Lambda to publish messages to the Priority Events queue.
- New IAM roles for ECS Rolling Update.
What's new?
- Updated: GovCloud certificate to rds-ca-rsa4096-g1.
What's new?
- Added: Parameter to limit the URL where the API Gateway Lambda can forward to. This should be a regular expression of valid workspace URLs.
- Updated:
TEF KMS Keyparameter name changed toTEF KMS Key Arn. - Updated: Enforce HTTPS access for S3 buckets created by TEF.
What's new?
- Updated: Enforce HTTPS access for S3 buckets created by TED.
- Added: Postgres versions 11.12, 11.13, 11.14, 11.15, 12.7, 12.8, 12.9, 12.10, 13.3, 13.4, 13.5 and 13.6.
What's new?
- Added: Parameter for Alb WAF option. (Default is disabled)
- Added: Parameter for Mods Cleanup.
What's new?
- Updated: Moved management of the Elasticache user group to CloudFormation instead of the Hive Manager lambda. It is no longer necessary to update the Redis access control groups after making changes to the Redis cluster.
1.30.0 [2022-03-01]
What's new?
- Updated: Elasticache now uses the
db_pairsecurity group from TEF 1.47.0. - Fixed: The Cloudformation Hive custom resource used to depend on Elasticache when it shouldn't have in environments without Elasticache deployed.
Deprecation
- As a result of this change to the
db_pairsecurity group, the Elasticachecache_pairsecurity group is no longer required. It will be removed in a future release.
Requirements
- TEF v1.47.0
What's new?
- Added: Parameters for Api and Events Container Scaling metrics, and threshold values for CPU Utilization.
- Added: Parameter to allow import of Foundation KMS Key.
- Updated: Set DeletionPolicy of FoundationKey to Retain.
What's new?
- Added: Parameters for ECS Factory Task hard limit and soft limit on memory.
Warning
- There are IAM changes in this release.
What's new?
- Updated: Condition for HiveManagerExecutionRole.
- Updated: TurbotParameters and TurbotSnsSqsPolicyParameterLambda to include variables for Proxy setting.
- Removed: MskManagerExecutionRole role from custom iam role template.
What's new?
- Added: Postgres version 13.5 to RDS engine parameter.
- Fixed: Replication group setting to enable Data Tiering for r6gd node type.
What's new?
- Added: Postgres version 12.11 and 12.12.
- Updated: PerformanceInsights description.
- Updated: Default storage type to
gp3. More info on using gp3 - Updated: Hive custom resource depends on to include Elasticache cluster and parameter group and add ParameterDeploymentTrigger.
What's new?
- Added: r6gd node type option for Elasticache.
What's new?
- Updated: Backup Service Role to include kms Grant permissions for CopyDBSnapshot operation.
What's new?
- Updated: Backup Service Role to include kms permissions.
What's new?
- Added: VPC Endpoint for s3 to reduce NAT Gateway cost.
- Updated: API and Events container scaling by replacing hardcoded values with parameters.
- Updated: Outbound, Api and Database security groups so that they are created for Predefined VPC if custom security groups are not mentioned.
- Updated: default value of LogRetentionDays parameter changed to 180.
What's new?
- Added: Postgres version 13.3, 13.4 to RDS engine parameter.
- Fixed: Cloudwatch alarms to use correct db identifier when hive name has _ in it.
- Updated: Default database system backup to 7 days.
- Updated: AWS Backup Service role to allow copying of RDS snapshots.
- Updated: Cloudwatch alarms for ElastiCache SwapUsage and DatabaseMemoryUsagePercentage for multi-node architectures.
- Updated: Dashboard to move read-replica stats to right axis and that of primary to the left.
- Updated: Dashboard to add Total IOPS metrics.
Warning
- There are IAM changes in this release for the
turbot_policy_parameter.
Bug fixes
- TE Build ID was misconfigured causing TEF to build unsuccessfully, this has now been corrected and TEF builds as expected.
What's new?
- Minimum DB size is now 50GB, default size is 200GB.
Requirements
- TEF v1.31.2
Warning
- There are IAM changes in this release for the
turbot_policy_parameter.
What's new?
- Turbot Security Group is added and includes rules for Ansible and LDAP. The security group is intended for additional rules to be added under feature flags. Note: the existing LDAP and Ansible security groups will remain for older TE versions.
- Dashboard for ECS Cluster metrics is now added.
- Autoscaling parameters were added for the Events Service.
- ElastiCache Security Groups and Subnet Groups are now added to the overrides template.
- TEF Workspace Manager now prevents users from changing the workspace name.
- OSGuardrail parameter location from Advanced - OS Guardrails to Advanced - Deployment Group.
turbot_parametersandturbot_policy_parameterlambda functions now include VPC config.turbot_policy_parameterIAM Role now includes EC2 network interfaces policy.- Improved input validation to not allow blank values.
What's new?
- CloudWatch Alarms and Dashboards are added for ElastiCache SwapUsage and DatabaseMemoryUsagePercentage.
- ElastiCache Instance Type can now be specified in the template.
- Read replica parameter default is now set to false.
Requirements
- TEF v1.31.2
What's new?
- DB parameter group support for 11.10, 11.11, 12.6 and 13.2.
- Postgres version 13.2 is now the default selection.
Requirements
- TEF v1.31.2
What's new?
- Shared_buffers parameter added for DB parameter group.
- Postgres version 13.1 is now the default selection.
- Postgres wal_keep_size default size is now 2048 (RDS Postgres default).
- Turbot database default size is now 250GB.
- Storage autoscale threshold default is now 1TB. For new TED installations only!
Requirements
- TEF v1.31.2
Bug fixes
- Invalid module reference fixed - this was causing
turbot template buildto fail.
Bug fixes
template buildwas loading the lock-file from the base branch to determine the current template version. When using a work-in-progress (wip) branch, this could lead to identifying an incorrect current version, leading to rebasing errors. Fix by loading the lock file from the wip branch.
What's new?
- S3 bucket lifecycle rule added to the mods processing log bucket.
- Optional AWS Security Group added to be used for connecting to LDAP server.
- S3 inventory reports will no longer generate in the TEF Process Logs bucket.
- Updated process log bucket lifecycle configurations to remove /debug/ rules.
- Runtime has been updated to Node 14 for all Turbot Core deployed Lambda functions.
What's new?
- Postgres version 13.1. For new TED installations only!
- ElastiCache replication groups now support multi nodes.cluster mode.
Bug fixes
- Hive Log Bucket lifecycle configurations now delete all objects.
Requirements
- TEF v1.31.2
Bug fixes
- Dependency issue with the HiveKey.
Requirements
- TEF v1.31.2
What's new?
- OSGuardrails feature flag, adding security groups and SSM parameters as required.
- HealthCheckProxyLambda runtime updated from 2.7 to 3.8.
What's new?
- Postgres version 12.5. For new TED installations only!
- Parameter Group support for both 11.x and 12.x.
Bug fixes
- Cache cluster parameter passed to Hive Manager should also convert underscore to hyphen.
- Allow default encryption for ElastiCache for use in GovCloud (which does not support CMK).
Requirements
- TEF v1.31.2
Bug fixes
- Fixed CLI packaging error required for proper v1.28.0 installation.
Bug fixes
turbot template buildnow cleans up branches after a rebase failure.
Warning
- IAM permissions updated in v1.31.0.
Bug fixes
- Fix and republish a corrupt portfolio build artifact.
Bug fixes
- AWS Backup Vault name format issue.
Requirements
- TEF v1.31.2
Warning
- IAM permissions updated in v1.31.0.
Bug fixes
- Hive Manager should convert underscore to hyphen when creating Redis group (from TE).
Warning
- IAM permissions updated in v1.31.0.
Bug fixes
- Hive Manager should convert underscore to hyphen when creating Redis user (from TE).
Bug fixes
- ElastiCache Redis cluster name should convert underscores to hyphens.
Requirements
- TEF v1.31.2
Warning
- IAM permissions updated.
What's new?
- ElastiCache Redis is now enabled by default.
- Parameters - Mod Lambda function limits.
- Parameters - Worker Lambda configuration, allowing reuse across TE versions.
- CloudWatch Alarms for SQS ApproximateAgeOfOldestMessage.
What's new?
- ElastiCache Redis is now enabled by default.
Bug fixes
- Postgres 11.9 is now available for the read replica as well.
- ElastiCache Redis cluster should be created with the hive name rather than just resource name prefix.
- AWS Backup Vault deletion policy is now set to retain.
Requirements
- TEF v1.31.2
What's new?
turbot template build --rebasecommand now cleans up the work in progress branch if the template render fails.
Bug fixes
turbot template build --rebasecommand was failing to re-apply manual changes.turbot template build --fleet-modewould stop building all branches if a single one failed.
Bug fixes
- Fixed: Code of s3BucketArnLambda to fix s3 permission.
What's new?
- Hive Manager and Workspace Manager runtime updated to node 12.
Bug fixes
- Install Hive Manager in all regions, not just the Alpha region.
What's new?
- Added latest RDS DB instance types.
- Experimental ElastiCache: Configure use of Redis 6.x Access Control Lists.
- Experimental ElastiCache: Also install Hive Manager in the replica region, for Redis management.
Requirements
- TEF v1.30.0
Warning
- IAM permissions updated.
What's new?
- New
turbot_transientKMS key specifically used for encryption of transient data (e.g. SNS, SQS). - Tightened IAM access policies to Turbot's own S3 buckets.
- Hive Manager is now permitted IAM access to manage ElastiCache.
- Added ListBucket permission to WorkspaceManager role so head object calls will return 404 instead of 403.
Bug fixes
- Event Proxy Lambda must be installed in the subnet where Load Balancers are installed (by TE).
What's new?
turbot compose(used by all CLI commands that compose mods) now omits thereleaseNotesfield fromturbot.head.json. It is still included inturbot.dist.json.turbot templatehas a new--unchanged-issue <issue_id>argument. When a template build operation commits changes to git, if no files have actually changed then the commit message will use this issue instead of the normal--issue <issue_id>field. The commit message will also specify "no changes".
What's new?
turbot publishhas a new--timeout <secs>argument to customize the publish timeout. The default has been increased to 2 minutes.- Use
turbot template build --issue 1234 --close-issuewill set the commit message to close the issue.
Bug fixes
turbot testshould not fail with the the errorTypeError: tmod.parse is not a function.
Warning
- IAM permissions updated.
What's new?
- Further refined our IAM permissions for S3 bucket access, with a focus on removing more wildcards. It was already good, but now it's better.
Bug fixes
- Made the ElastiCache network infrastructure optional through
Development Mode. It was harmless, but not necessary unless ElastiCache is enabled in TED. - Moved policy parameter role into the IAM stacks, where it belongs.
Bug fixes
- Databases should never automatically upgrade their minor or major versions. Doing so takes the database out of sync with the CloudFormation stack, leading to upgrade rollbacks. We've deliberately removed these options and set the auto-update to false.
Requirements
- TEF v1.25.0
Bug fixes
turbot template build --patch --push-instance-rootcommand failed to push changes to the wip branch.
What's new?
- Changes to the Turbot audit trail log group in v1.14.0 forced a name change, which is difficult for customers with integrations. This version removes that requirement, so existing installs keep their original log group name.
Bug fixes
- Required TEF version dropped back down to TEF v1.25.0. v1.27.0 is only required if you are setting up the experimental ElastiCache features.
Requirements
- TEF v1.25.0
What's new?
- Reclaimed the
ECSDesiredInstanceCountparameter, which now defaults to usingECSMinInstanceCountinstead. This frees up a precious parameter slot for other options. - Added the
DevelopmentModeparameter for internal use, which groups options like using the latest container image (instead of cached). - For environments with ElastiCache enabled in TED, cache subnet group and security groups have been added.
What's new?
- The deletion policy for the DB Parameter Group is now set to Retain.
- New installations will now add the stack ID to the audit trail log group, making it easier to re-install TED multiple times in testing / setup.
- New
ExperimentalFeaturesflag, allowing gradual introduction of new capabilities. The first one is installation of ElastiCache preparing for future use in TE.
Requirements
- TEF v1.27.0
Bug fixes
turbot packandturbot publishwere failing to run pre-pack script when--dirarg is used.
Bug fixes
turbot inspectshould give a clear error message for invalid templates.
Bug fixes
turbot inspect --format changelogshould properly escape CSV fields with commas.
Bug fixes
- Error handling in workspace pre-install checker.
Bug fixes
- Error handling in workspace pre-install checker.
Bug fixes
- ECS Agent should attempt to use the locally cached image, which dramatically reduces disk IO and download bandwidth.
- Upgrade via CloudFormation had a race condition in our custom resource Lambda functions that could be triggered when doing a large number of upgrades or rollbacks in parallel.
Bug fixes
- When a custom outbound access security group is specified in the TEF template do not create the {prefix}_outbound_internet_security_group or the {prefix}_{version}_outbound_internet_security_group.
What's new?
- Ability to restrict SNS topic and SQS queue access based on Organization Id.
- Added: support to restrict access to SNS topic and SQS queue based on the Organization Id.
Requirements
- TEF v1.25.0
What's new?
- Added: Encryption to SNS Topic for Dashboard.
- Updated: TED Stack - changed R/W IOPS metrics from line to stacked area, changed Transaction ID Wraparound Monitor threshold to 2 billion.
- Fixed: Description and Typo (Duraction to Duration, Actiond to Action).
Requirements
- TEF v1.22.1
What's new?
turbot install- checks if a compatible version of each dependency is already installed. If so, it is does not install from the registry unless there is a newer version available.turbot template build --rebaserebuilds templates while using rebase to better merge and preserve custom changes to the rendered files since the last build.
What's new?
- Show a progress bar during long running operations.
Warning
- IAM permissions updated.
Bug fixes
- The (optional) API Gateway to proxy external events to the internal Turbot load balancer was returning error codes (5xx) all queries even though it worked successfully. This could lead to retries of the message (which were not processed due to our duplicate detection). Errors in both the event handler and the health check have been cleared.
What's new?
- Improved error messages for failed queries like authentication, network connectivity, etc.
- Update credentials precedence to prioritise specific credentials (key, secretKey and workspace) over profile.
Bug fixes
turbot configurefails when no command line credentials arguments are given but they set in environmentturbot workspace listshould ignoreTURBOT_PROFILEenv var and only filter profiles if one is given in command line.turbot downloadshould fall back to use the production registry if the user is not logged in.
Bug fixes
- Exceptions from the pre-pack script in
turbot packwere not caught and reported correctly.
What's new?
- Improved error messages for
turbot pack,turbot upandturbot publishfor faster troubleshooting.
Bug fixes
turbot graphqlqueries forcontrol,policy-value, etc were not properly handling the--resource-idand--resource-akaarguments.
Bug fixes
turbot configurewas failing for some Windows users when used in interactive mode.
What's new?
- Updated Workspace Manager permissions for SSM policy lookups and reading S3 data for access to the TE workspace manager Lambda results.
Bug fixes
turbot configurewas always failing validation when using interactive mode to enter credentials.
Bug fixes
turbot install [mod]was not working. You can now install specific mods as expected.
What's new?
- Use
turbot install [mod[@version]]to install a specific mod as a local dependency. - Credentials passed to
turbot workspace configureare now validated before saving, so you can be confident they are good to go.
What's new?
- Use
turbot workspace listto see a list of your currently configured workspaces. turbot workspace configureadded, with the same behavior asturbot configure.
Bug fixes
turbot testwas failing for some GCP controls due to an update in the GCP auth library package. This has been fixed.
See v1.18.1
Bug fixes
- As part of preparing for connection pooling, the hive manager included steps to initialize multiple database roles. These are not yet in use so have been removed.
What's new?
- As part of preparing for connection pooling, the hive manager included steps to initialize multiple database roles. These are not yet in use so have been removed.
Requirements
- TEF v1.22.1
What's new?
- The default browser facing security group (used by the load balancer) is now open on port 80, so HTTP traffic can be automatically redirected to HTTPS at the load balancer level.
- Expanded EC2 instance type options, and changed the default to
t3.medium. - Changed the default maximum limit for ECS hosts from 64 to a more sensible, but still generous, 8.
- Further restricted permissions to EC2 hosts, limiting the accessible resources as much as possible.
What's new?
- Introducing a new parameter model in TEF, allowing parameter "overrides" to be optionally set in SSM. Turbot creates default parameters, but will automatically detect any overrides you create during the stack run. This allows us to expand beyond the 60 parameter limit of CloudFormation.
- Each Turbot version installs minimal IAM policies and roles specific to its requirements. Some customers prefer more control over IAM management, so we now support BYO-IAM with parameters for all IAM entities required in the Turbot primary account.
- Added parameters to optionally set the
ALB Log PrefixandALB Idle Timeout. - TEF will now perform a rolling update of the EC2 hosts if required due to launch configuration changes, ensuring no downtime during upgrades.
- Allow preinstall check Lambda function to use VPC from non-VPC setting.
What's new?
- Parameter groups created in GovCloud do not support newer parameters, unless a new parameter group is created (Note: AWS Commerical accounts were not affected by this). This blocks some existing customers from upgrading their TED stack. Because parameter group changes require a reboot (downtime), and most customers do not require this change, we've made it an optional parameter in the stack to force the change as required.
- Default storage allocation for new installs is now 1TB (up from 100GB).
Requirements
- TEF v1.19.1
What's new?
- Added
169.254.170.2to the defaultNO_PROXYparameter. This is required for stack containers to execute in some proxy environments.
Bug fixes
turbot installwas attempting to install the latest version, which would fail if that version was not available or recommended. It will now install the latest recommended version, or if none are recommended, the latest available version.
Bug fixes
- Network Interface permissions added in v1.19.0 are low risk, but have been tightened further to only be granted in environments running Lambda inside the VPC.
Bug fixes
- v1.9.0 introduced a mix of names between
preinstallandpreinstallationwhich felt messy. This patch release brought to you by our clean up crew.
Requirements
- TEF v1.19.1
What's new?
- TED and TE are being enhanced to automatically check that their required versions of TEF and TED are installed. The Lambda function they use for that check (custom resource during the CloudFormation stack run) is deployed in TEF, and added in this release.
- Turbot Guardrails Enterprise uses a lot of Lambda functions to execute mod code. For organizations who prefer more visibility into network traffic, we're adding support to run these functions inside the VPC. This version of TEF expands the IAM permissions granted to Lambda functions with the minimum required to attach Network Interface cards.
What's new?
- TED now automatically checks the required TEF version is installed. If not, the TED stack will automatically rollback allowing you to upgrade TEF first.
Requirements
- TEF v1.19.1
What's new?
Flagsparameter now has validation rules and defaults toNONE(CloudFormation does not like empty string defaults for SSM parameters).
What's new?
Flagsparameter will allow features to be enabled or disabled at the installation level giving us more flexibility to innovate and gradually deploy features.
Warning
- The default for
TrackFunctionsin v1.7.0 waspl. Consider changing this tonone(the new, more common, default in v1.8.0) if you don't require that tracking.
What's new?
- Process log data collected by Turbot is being moved into TED level management. This better aligns with our model of data separation and encryption. This version adds S3 buckets with encryption and lifecycle rules to start accepting that (and other future) data.
- If the master password is an empty string then Turbot will reset it automatically when required. The default was previously blank, requiring the parameter to be set (even if to empty string). This was difficult to understand and implement for those automating TED configuration. We now default to the empty string.
- Added new DB instance size option of
m5.8xlarge.
Bug fixes
- Resource names related to metric collection, alarms and dashboards have been updated to use the ResourceName prefix. This aligns them with all other TED resources and makes it easier to track or target them with local rules.
What's new?
- Moved to ECS optimized Amazon Linux 2 as our host OS for containers. (Previously we used ECS optimized Amazon Linux 1.)
- Expanded proxy server support, particularly through the ECS bootstrap sequence.
We now support HTTP and HTTPS requests being routed to a
http://proxy for all traffic - no need for endpoints or similar in any case. (We do not yet support custom certificates andhttps://proxies.) - TEF now publishes an SSM parameter with the currently installed version, which will be used in the future to check version compatibility during TED and TE upgrades.
Bug fixes
- The build of v1.17.1 was not properly published, leading to confusion and mixed installs. This release is identical, but properly distributed.
Bug fixes
- Remove the explicit default value for
force-recommendedas this causes issues when using the yargsconflictsparameter.
What's new?
- Mod authors often want to set their new version as
RECOMMENDEDin the registry, telling users it's the best choice. Useturbot publish --force-recommendedandturbot modify --force-recommendedto mark this version asRECOMMENDEDand set all currently recommended versions toAVAILABLE.
Bug fixes
turbot testwas showing incorrect test data validation errors, due to a graphql schema change that had not been handled by the CLI.
What's new?
Allow Self-Signed Certificateparameter, instructing Turbot to ignore certificate errors when connecting to external services - for example - enterprise environments with an outbound internet proxy.- S3 bucket inventory has been enabled, setting us up for future batch operations on collections of log files.
- Updated lifecycle rules to clean deleted versions of debug logs and match changes to the prefix of log files.
What's new?
- Added a "connectivity test" lambda function, making it easier to verify that
an environment has the necessary network setup. Run
${ResourceNamePrefix}_connectivity_checkermanually to test. - Improved descriptions for the Installation Domain and Turbot Certificate ARN parameters.
What's new?
turbot inspectnow enforces valid semantic versions in mod version numbers. We admire your creativity, but encourage you to express it elsewhere.
Bug fixes
- Fixed
turbot up --zip, which broke during a dependency update.
What's new?
- Turbot License Key has been added as a (currently optional) parameter.
Bug fixes
turbot loginwas failing if the~/.configfolder did not exist.turbot template buildwas always expecting awip-*instance branch to exist. It's now correctly limited to runs where--use-instance-root-branchis passed.
What's new?
- Proxy support via the
HTTPS_PROXYenvironment variable. Login, install mods and publish to our registry all via your favorite proxy. (Provided it's ahttp://proxy, we don't supporthttps://yet.)
What's new?
- Updates Hive Manager, which includes the ability to convert ownership of database schemas. This is part of a longer term effort to move database ownership to specific turbot roles, reducing our use of the master account.
What's new?
- Parameters to set
rds.force_admin_logging_levelandtrack_functions, - Add CloudWatch alarms for DB connections, CPU utilization and free storage alerts.
- Added t2.medium and t2.large instance class options, useful in test or dev environments.
What's new?
- Manage published mods in the registry from the CLI, including their status and
description. For example
turbot registry modify --mod "@turbot/aws" --mod-version "5.0.0" --status RECOMMENDED --description "updated description". - Usually a newly published version should be the recommended one. So now you
can do that automatically during
turbot publishusing the--status RECOMMENDEDflag. turbot template buildnow supports instance root branch names with a random suffix, following the naming convention:wip/<instance root name>/*. We've found scheme much more effective at scale.- We now automatically include
RELEASE_NOTES.mdas well asCHANGELOG.mdwhen building a mod. Release notes are intended for users while a changelog is intended for developers or others obsessed over details. turbot testvalidates input query, but only works for a single query (not for the more advanced array of queries syntax). Previously the test would always fail for an array of queries, so we're now skipping the test in these cases until it can be fully supported.
Bug fixes
turbot publish --dir <mod folder>did not work if run outside the mod folder - the function zips were not correctly created.
What's new?_
- Registry login using
turbot login(and similar) now requires both--usernameand--passwordor neither. They just can't live without each other.
Bug fixes
turbot template build --patchcommand was failing without running the git command.
Bug fixes
- EC2 instances used for ECS should have AssociatePublicIpAddress set to false. This is a defence improvement since our EC2 instances are run in a private VPC so were not publically accessible anyway.
What's new?
- Cleanup IAM roles to use
_consistently in names (instead of mixing_and-together).
What's new?
- Some organizations need to use a self-signed certificate for their ALB. This would
fail a certificate check when also using our API Gateway proxy. Use the
Self Signed Certificate In ALBparameter to ignore these certificate errors.
Bug fixes
- The IAM role used for ECS EC2 instances is now named consistently with our other IAM roles.
Warning
- Existing TEF installations must install v1.9.0 before upgrading to v1.10.0. This sequence will automatically preserve and transition parameter settings for S3 bucket names as we move from fixed names to randomized names by default for new installations.
What's new?
- Log and process buckets now use a partly random name by default, making new installations smoother and easier to troubleshoot.
What's new?
- Optionally use a random name for log and process log buckets, making repeated install and uninstall easier.
- Log buckets will now be retained on deletion of the TEF stack.
Bug fixes
- The SNS topic name for CPU alarms was not consistent with our other resources. Now it is.
What's new?
- Setup an S3 bucket to store process logs, including lifecycle rules to cleanup debug logs.
What's new?
- Alarm levels defined in the dashboard for CPU utilization and free storage, making problem levels clearer.
- Dashboard charts are now zero based, as any statistician will tell you they should be.
- SNS topic publishing CPU alarms, making it easy to subscribe for alerts.
What's new?
- In
turbot composethe+schemadirective can now map from openApi format schema to valid JSON schema.
Bug fixes
turbot template buildfleet operations were failing due to an error displaying the summary. This has been fixed.
What's new?
- Turbot Hive Manager lambda now has permission to create encrypted SSM parameters, required by TED v1.5.0.
Warning
- Requires TEF v1.7.0 or later.
What's new?
- Parameter to set the maintenance window.
- Parameter to set a Customer Managed Key for encryption.
- Parameter to set the turbot master password. If blank, the master password is automatically reset.
Bug fixes
- Auto scaling of storage for the read replicas outside the primary region.
What's new?
- Use
turbot testto check GraphQL mutations (e.g.updatePolicySetting) are called as expected from controls. turbot composeno longer errors when a glob matches no source files.
Warning
Security access from the load balancer to ECS has changed from requiring port 8443 to requiring the full high port range of 32768-65535. This allows us to run ECS in bridge mode and efficiently reuse IP addresses across Turbot core containers.
The outbound security group now allows port 80 outbound by default. This makes cloud-init in the ECS optimized image run much faster than only providing port 443 outbound.
If you are upgrading from a previous TEF version, you will need to make the modifications listed below:
Add ports 32768-65535 to the
Load Balancer Security GroupOUTBOUND to theAPI Security GroupAdd ports 32768-65535 to the
API Security GroupINBOUND from theLoad Balancer Security GroupAdd port 80 to the
Outbound Internet Security GroupOUTBOUND to0.0.0.0/0
What's new?
- Use ECS on EC2 (instead of Fargate) to accelerate container startup time (particularly for stacks), increase cost efficiency at scale, and prepare for wider container use at the core level.
What's new?
- Workspace manager creation of turbot.com directories updated to use a server name (instead of a phase).
What's new?
- Use
turbot testto check GraphQL mutations (e.g.updatePolicySetting) are called as expected from controls. turbot composeno longer errors when a glob matches no source files.
What's new?
- A new directive,
+schemahas been added forturbot compose. This allows you to include a specific item from a schema file, including all definitions which are referenced. turbot template buildwill now run even if there are changes on the local branch, if neither the--use-fleet-branchor--use-instance-root-brancharguments are set. This is useful when running building templates for the first time with local config updated but not committed.
What's new?
turbot inspect --format changelognow includes the uri of each control, policy, resource and action item.
Bug fixes
turbot upwas broken in 1.7.0. This has been fixed.turbot packandturbot publishhad to be run out of the target mod directory. They can now be run out of any directory by passing the--dirflag.
What's new?
turbot aws credentialsnow supports--aws-profile <aws_profile>,--profile <turbot_profile>and--access-key <turbot_access_key> --secret-key <turbot_secret_key>combinations.
Bug fixes
turbot testwas doing type coercion of input data before validation. It now expects correct types to be passed, matching the behavior of the Turbot server.
Bug fixes
- Auto scaling of storage for the primary read replica.
What's new?
- Use
--no-colorto simplify the output of any command. Sometimes less is more. turbot template build --git --branch <branch-name>allows you to specify the branch the build operations will be committed onto.turbot template buildno longer supports the--configflag. Usetemplate.ymlfiles instead.
Bug fixes
turbot installwas not downloading files. Now it does.turbot template buildwas creatingtemplate.ymlfiles for every template instance. This is noisy and defeats the value of template inheritence, so has been stopped.
Bug fixes
turbot template build --gitshould checkout the original git branch at the end of the build. Broken in v1.5.0
What's new?
turbot template build --gitnow skips instances without a template-lock file, which cannot be resolved anyway.
Bug fixes
turbot upandturbot publishwere stalling for large mods.
Bug fixes
turbot template build --gitshould checkout the original git branch at the end of the build. Broken in v1.4.0.
What’s new?
- Clearer reporting of errors when running
turbot template build. turbot template build --fleet-modenow defaults toupdate, which is almost always the right choice.- When running
turbot template build --gitit is no longer necessary to specify a base git branch, it sensibly assumes you want to use the current branch. - Use
turbot pack --zip-file awesome.zipto output mods with any name you prefer.
Bug fixes
turbot template outdatedfixed to work with specific template definition directories.- Only save successful template operations to the branch when using
turbot template build --git. Previously we were polluting that goodness with failures as well. - Limit
template-lock.ymlto data that is absolutely necessary, removing noise from change logs. - Disabled
turbot template update. Please useturbot template buildinstead, as you probably already were.
What's new?
turbot inspect --output-formatwill now accept either a file path to the template or the template string directly.- Clearer output of the actions taken when running
turbot template build. - Automatic code merging when doing updates with
turbot template buildwill now merge successful changes onto a single branch and write failed patches to the filesystem for easier review.
What's new?
- Support customization of parameters for
max_connections,deadlock_timeout,idle_in_transaction_session_timeoutandstatement_timeout.
What's new?
- Added a lifecycle rule to automatically delete temporary data from S3.
What's new?
- Reduced scope of permissions granted to custom mod Lambda functions. These add extra levels of protection and take effect as mods are installed or updated in Turbot v5.5.0 or later.
Bug fixes
turbot template buildhas a special case "provider" field in the render context. Long term it will be removed. Short term, it should not break for vendor level mods like @turbot/aws or @turbot/linux.
What's new?
Instance Type for Replica DBwill now default toSame as Primary DB, which is a lot easier than having to set and maintain it manually when most of the time they are the same anyway.- Choose a custom master username during install.
What's new?
- View and confirm
turbot template buildactions before they happen. (Add--yesto keep the previous behavior.) - Easily review success and failure after running
turbot template buildacross many instances.
Bug fixes
turbot downloadwill now give up gracefully on failed downloads, relieving it of an eternity of failed retries.
What's new?
- Option to configure AWS Backup with daily, weekly and/or monthly snapshots of the primary database.
- Add Postgres v11.9 to supported versions list.
- CloudWatch Alarms added for freeable memory, read replica CPU and queue depth.
- RDS disk burst balance metrics added to TED dashboard.
- Elasticache metrics added to TED dashboard.
- Improve text and limit for Transaction ID Wraparound in TED dashboard.
Requirements
- TEF v1.30.0
What's new?
- Publish the alpha region as an SSM parameter so it can be used as a default in other areas - like TED's default location for the primary DB.
Warning
- Requires TEF v1.2.0 or later.
- The parameter
Instance Type for Replica DBis new and must be set during upgrade. (Note: Fixed in v1.3.0 to useSame as Primary DBby default.)
What's new?
- The Turbot Audit Trail is stored in a CloudWatch Log group managed in TED. It will now be retained if the TED stack is deleted, avoiding loss of audit trail data in that rare scenario.
- Easily configure auto-scaling of the database storage up to a maximum value.
- Read replicas can now have a different instance class to the primary. Typically they have a lower load level, so we've added flexibility to optimize costs.
- Default to using the alpha region (as defined in TEF) for primary DB install.
Bug fixes
- Fix
turbot template buildcrash added by v1.1.0.
What’s new?
- Use
turbot aws credentials --account 123456789012 --profile my-accountto generate and save temporary AWS credentials into your local AWS profile. Easily work across many AWS accounts using your single Turbot profile. - Filter
turbot template buildto target all instances of a specific template, which is great when you are in the process of converting code to use the template (some code in template management, some still custom).
Bug fixes
turbot testwas broken in v1.0.4 due to a missing dependency. Life is better with friends.
Bug fixes
- The Hive Manager and Workspace Manager lambda functions used during the workspace upgrade process were not properly connecting to the database using SSL during initial workspace creation (they were during upgrades). Our change to force SSL on the database in TED revealed this issue, which is now fixed.
Bug fixes
- Expanded the list of database instance classes available during install to include older generations (e.g. m3) which are required for AWS us-gov-west-1.
- Added the AWS RDS 2017 certificate as an option, since it's uniquely used and required in Gov Cloud installs.
What's new?
- TEF version is now published as an output parameter in CloudFormation. (We'd rather that Service Catalog showed this automatically, but there is an AWS quirk that breaks that feature when Service Catalog versions are published using CloudFormation.)
- Workspace upgrades may now take up to 15 minutes before timing out. This allows us to run larger data migration jobs during the upgrade process. (Don't worry, we design these to be background tasks that don't affect availability during the upgrade.)
- Custom security groups are published as SSM parameters allowing them to be leveraged by the Turbot Guardrails Enterprise CloudFormation stacks to override per-version default security groups.
Bug fixes
- GovCloud installations require conditions in IAM to match the correct
partition
arn:aws-us-gov:.
Warning
- The AWS RDS certificate change requires a database reboot. This may cause a brief impact on availability. Please schedule this change for a suitable window.
What's new?
- SSL is now required by default for all connections to the database. We used SSL anyway, but now we enforce it at the DB level as an extra precaution.
- Upgrade database instances to the AWS RDS 2019 root certificate (their 2015 certificate is expiring soon).
Bug fixes
turbot templateshould allow rendering of the filename as well as folder names, e.g.src/{{instance}}/resource/types/{{instance}}.yml.
Bug fixes
test.optionsare useful, but not required, soturbot testshould not crash if they are not set for a test.
Bug fixes
- Registry name validation should work for valid registries like turbot.com.
turbot testhas atest.awsProfilefield to set the AWS profile to use when running tests locally. This has been moved into the generic, customizabletest.options.awsProilelocation since it's relevant to AWS mods specifically rather than a core feature of Turbot.
What's new?
- Initial version.
- CloudFormation design for deployment via Service Catalog.
- Foundation components: KMS keys, IAM roles, Log groups & buckets.
- Network configuration with up to 3 tiers (public, turbot, database) across 3 availability zones in 3 regions.
- Automated VPC peering setup across regions.
- Subnet Groups and Security Groups for database and cache services.
- Optional gateway proxy for external event handling with an internal installation.
- Optional BYO network parameters for complex or pre-existing environments.
Bug fixes
- The default registry is now turbot.com. Other development registries have been cleaned up to reduce noise.
- Cleaned up available commands and their descriptions.
What's new?
- Easily manage Turbot credentials and profiles.
- Run graphql commands in scripts.
- Install and inspect mods.
- Build, compose & test Turbot mods.
- Upload mods to Turbot for internal testing or use.
- Publish mods to the Turbot registry for public sharing.
- Use templates to accelerate the development of mods.
What's new?
- Initial version.
- CloudFormation design for deployment via Service Catalog.
- CloudFormation stack per hive (physical shard).
- Postgres design with primary, failover and regional read replicas.
- Encryption at rest for all data.
- Custom Resource for automatic database hive configuration.