The Turbot > Notifications > CC > Tag policy is no longer checked; resource tags previously specified in Turbot > Notifications > CC > Tag > Name are now associated with the Account/CC policy instead of being evaluated independently.
Bug fixes
Server
Policy settings now return results correctly for policies inside Policy Packs when you have valid access.
Requirements
Upgrade to 5.52.4 requires your workspace to be on 5.51.x
You can now configure and manage project role bindings for service accounts. To get started, set the GCP > IAM > Service Account > Project Role Bindings > * policies.
Control Types
GCP > IAM > Service Account > Project Role Bindings
GCP > IAM > Service Account > Project Role Bindings > Approved
Policy Types
GCP > IAM > Service Account > Project Role Bindings
GCP > IAM > Service Account > Project Role Bindings > Approved
GCP > IAM > Service Account > Project Role Bindings > Approved > Rules
Action Types
GCP > IAM > Service Account > Update Project Role Bindings
The Azure > Data Factory > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Fix issue where the database argument from a query resource was not respected. (#829)
Fix issue where the default config path was not resolved correctly. The default is the mod-location, followed by the $POWERPIPE_INSTALL_DIR/config. Also the POWERPIPE_CONFIG_PATH environment variable was not respected. (#898)
Fix issue where pie/donut charts were not rendering correctly on boolean values. (#433)
Dependencies
Upgrade hashicorp/go-getter, sha.js and cipher-base to remediate critical and high vulnerabilities.
CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.
CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.
You can now configure boot diagnostics for virtual machines. To get started, set the Azure > Compute > Virtual Machine > Update Boot Diagnostics policy.
Optimized the Azure > Active Directory > Directory > Discovery control to run more efficiently and prevent unnecessary resource updates, thereby reducing CMDB churn.
You can now configure organization restrictions for AWS Lambda function policies. To get started, configure the AWS > Lambda > Function > Policy > Trusted Access > Organization Restrictions policy accordingly.
Fixed the example query in the plugin documentation to use the correct column name exec_output instead of output. (#63) (Thanks @pdecat for the contribution!!)
Dependencies
Recompiled plugin with Go version 1.24.
Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
The AWS > EC2 > Target Group > Discovery control could previously enter an error state when upserting a target group whose parent load balancer was not available in CMDB. We have improved this process so that all target groups are now upserted under a region, ensuring better consistency and reliability. Existing target groups under load balancers will also be moved under their respective regions automatically.
You can now configure soft delete for file shares in storage accounts. To get started, configure the Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares > * policies accordingly.
Delete retention policy details for file share will now be available in CMDB for Storage Accounts.
The Azure > Recovery Service > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
The Azure > Synapse Analytics > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
The Azure > SQL Virtual Machine Service > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
The Azure > SignalR Service > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
The Azure > Network > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
The Azure > Network > Bastion Host > Discovery control previously could inadvertently upsert bastion hosts under incorrect resource groups. This issue has been resolved, and the control now upserts bastion hosts more reliably and consistently.
The Azure > Log Analytics > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
The AWS > Backup > Recovery Point > CMDB control previously ran every minute if a recovery point’s CalculatedLifecycle.DeleteAt timestamp was already in the past. It now deletes expired recovery points and no longer re-runs automatically when the next tick is also in the past.
The plugin configuration format has changed to support the REST API.
You must now configure either OAuth client credentials or an access token for authentication. Please refer to the Configuration section for additional information.
API Migration
Migrated from Vanta's deprecated GraphQL API to the new REST API.
Queries, dashboards, and benchmarks that reference removed columns (listed below) will fail until updated.
Removed Columns
vanta_computer
agent_version
hostname
host_identifier
last_ping
num_browser_extensions
endpoint_applications
installed_av_programs
installed_password_managers
unsupported_reasons
organization_name
vanta_evidence
title
evidence_request_id
category
uid
app_upload_enabled
restricted
dismissed_status
renewal_metadata
organization_name
vanta_group
checklist
embedded_idp_group
organization_name
vanta_integration
description
application_url
installation_url
logo_slug_id
credentials
integration_categories
service_categories
organization_name
vanta_monitor
controls
organization_name
vanta_policy
policy_type
created_at
updated_at
employee_acceptance_test_id
num_users
num_users_accepted
source
acceptance_controls
approver
standards
uploaded_doc
uploader
organization_name
vanta_user
is_from_scan
needs_employee_digest_reminder
is_not_human
vanta_vendor
vendor_risk_locked
owner
risk_profile
organization_name
Migration Notes
Reason for change: Vanta has ended GraphQL API support; the REST API is now the only supported interface.
Action required:
Update SQL queries to remove or replace references to removed columns.
Review table documentation for updated field availability.
The GCP > Turbot > Event Handlers > Pub/Sub > Source policy could previously evaluate incorrectly immediately after a GCP Project import if the Project CMDB data was not up to date. The policy now checks the GCP > Project > CMDB control and evaluates only when that control has run successfully and is in an OK state, preventing incorrect results and improving clarity.
Event Poller controls now display improved help messages when the API used to fetch events returns an error, instead of only logging the errors under Activities.
We have updated the internal GraphQL queries for the AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed control to improve performance when evaluating the control’s outcome. There are no visible changes, but things will run smoother and faster than before.
Note: We recommend updating the @turbot/aws-ec2 mod to v5.46.2 for proper functionality.
Policy Types
AWS > PCI v3.2.1 > EC2
AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed
Updated all top-level benchmark titles to include AWS for clearer cloud provider identification. (#924)
Added database variable to configure the Steampipe database connection string, defaulting to connection.steampipe.default. (#926)
Added new automated query implementations for the following CIS controls: (#927)
cis_v120_1_19
cis_v130_1_18
cis_v140_1_18
cis_v150_1_18
cis_v200_1_18
cis_v300_1_18
cis_v400_1_18
cis_v500_1_17
Added ec2_instance_using_iam_instance_role and iam_root_user_account_console_access_mfa_enabled queries to the All AWS Compliance Controls benchmark. (#927)
Added extra attributes to Connection to support Status, LastErrorAt, LastErrorProcessId, LastSuccessfulUpdateAt, LastSuccessfulUpdateProcessId, LastUpdateAttemptAt and LastUpdateAttemptProcessId to track the connection status and last update attempts.
Added extra attributes to WorkspaceConnection to support Status, LastErrorAt, LastErrorProcessId, LastSuccessfulUpdateAt, LastSuccessfulUpdateProcessId, LastUpdateAttemptAt and LastUpdateAttemptProcessId to track the connection status and last update attempts.
Added ConnectionId attribute to SpProcess to track the connection associated with a process.
Added TokenMinIssuedAt attribute to Tenant to determine the time after which tokens will be accepted for this tenant.
Added extra attributes to TenantSettings to support MaxTokenExpiration, CliSessionTimeout, ConsoleSessionTimeout and PostgresEnabled to manage tenant settings around timeouts, tokens and direct database access.
Added extra attributes to Token to support CreatedBy, CreatedById, UpdatedBy, UpdatedById, ExpiresAt, Title, Description and TokenType to provide more context and control over tokens.
Added BillingMode attribute to UsageMetric to denote the billing mode for the metric.
What's new?
Added ConnectionStatus enum to represent the status of a connection.
Added PostgresEndpointState enum to represent the state of the Postgres endpoint.
Added UsageBillingModeType enum to represent the billing mode for usage metrics.
Guardrails stack controls would fail to claim any existing OpenID Connect provider if the OpenID Connect provider was available in Guardrails CMDB and the stack's Source policy included the Terraform plan for the OpenID Connect provider. This is fixed and stack control will now be able to claim existing OpenID Connect providers correctly.
Users can now create up to five tokens. You can also set an expiration for each token and optionally add a title to make them easier to identify in your token list.
For enterprise plan customers, we've introduced a new Maximum Token Expiration tenant setting. This lets you control the maximum lifespan of tokens created within your tenant.
Turbot > Workspace > Background Tasks now ignore deleted resources.
Resolved an issue where the worker could crash while processing errors.
Addressed a cleanup script bug that was incorrectly removing active Lambda version aliases and associated topics. The script now deletes only unused resources.
UI
Saving in the calculated policy editor is now prevented if there is an error.
Alignment of Note in the policy tab is now consistent across all entries.
Multi-step queries in the calculated policy editor are now displayed correctly as separate steps.
Policy packs no longer show a blank page when the description is missing.
Policy Pack details screen should not show summary when AI summary is disabled.
Note
Upgrade to 5.52.2 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.
The Azure > Storage > Storage Account > CMDB control previously encountered errors with Premium storage accounts when attempting to access unsupported Table services. This has now been resolved.
Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Bug fixes
The Azure > Storage > Storage Account > CMDB control now stores details of API calls that fail due to insufficient permissions granted to Guardrails' service principal. This enables Guardrails to mark controls that depend on the respective data as invalid, rather than enforcing settings unnecessarily.
Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Fixed invalid CMDB references for the Zone, Region, Multi-Region, and Global Region resource types that caused the Relationships and Import Set controls to enter an error state. The controls now run reliably without errors.
The AWS > Account > Budget > Budget control previously reran unnecessarily in workspaces with Turbot > Notifications enabled. This issue has been resolved, and the control now runs as expected.
Fixed an issue in the turbot_file resource where removed keys in the content field were incorrectly sent as "key": null in the update payload. The provider now sends the content exactly as specified in the Terraform configuration, ensuring that only the intended keys appear in the Turbot console.
You can now configure cross-tenant replication for storage accounts. To get started, set the Azure > Storage > Storage Account > Cross-Tenant Replication policy.
Guardrails previously failed to delete Azure > SQL > * resources due to limitations in the internal Node SDK package version. This issue has now been resolved, and the resources will be deleted as expected.
The Azure > SQL > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
Renamed the following controls to align with their focus on classic logging for the respective service types: (#322)
storage_account_blobs_logging_enabled to storage_account_blob_service_classic_logging_enabled
storage_account_queues_logging_enabled to storage_account_queue_service_classic_logging_enabled
storage_account_tables_logging_enabled to storage_account_table_service_classic_logging_enabled
Dependencies
Azure plugin v1.5.1 or higher is now required.
Enhancements
Added new automated queries for the following CIS controls: (#323)
cis_v150_3_3
cis_v200_3_3
cis_v200_5_1_7
cis_v210_5_1_6
cis_v300_4_3
cis_v300_6_1_6
cis_v400_10_3_1_1
cis_v400_7_1_1_6
Added appservice_web_app_diagnostic_log_category_http_log_enabled and storage_account_key_rotation_reminder_enabled controls to the All Controls benchmark. (#323)
Bug fixes
Fixed keyvault_logging_enabled query to correctly verify logging for Azure Key Vaults. (#320)
In the previous version, an issue was introduced in the CMDB control for Azure > Storage > Storage Account that prevented the retrieval of diagnostic settings. This has now been resolved, and the control successfully processes diagnostic settings for all storage services, including Blob, Table, Queue, and the primary account.
Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent
Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
Azure > CIS v3.0 > 03 - Security
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Azure > CIS v3.0 > 04 - Storage Accounts
Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.06 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
Azure > CIS v3.0 > 07 - Networking
Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent
Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' > Attestation
Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On' > Attestation
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On' > Attestation
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation
Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > Attestation
Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 5.2.6 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible > Attestation
Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
Added rate-limiter tags to all tables which can be used to smooth request rates and limit the number of parallel requests to avoid hitting API rate limits. (#904)
Added diagnostic_settings column to azure_app_service_web_app table. (#921)
Added default_blob_diagnostic_settings, default_file_diagnostic_settings, default_table_diagnostic_settings and default_queue_diagnostic_settings columns to azure_storage_account table. (#918)
Added key_policy column to azure_storage_account table. (#922)
Bug fixes
Fixed the azure_storage_account table to correctly handle the no such host error for premium type storage account. (#922)
Fixed the diagnostic_settings column in azure_key_vault table to correctly return data instead of null. (#915)
Fixed azure_data_protection_backup_vault and azure_security_center_contact tables to correctly return data instead of an error. (#917)
Fixed the azure_security_center_contact table to correctly return data instead of null. (#902)
Guardrails previously failed to fetch all diagnosticSettings details for storage accounts control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.
Guardrails previously failed to fetch all diagnosticSettings details for vaults control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.
Guardrails previously failed to fetch all diagnosticSettings details for web apps control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.
Diagnostic Settings for blob, queue, and table will now be available in CMDB for storage accounts.
Users can now update access tier to cold for storage accounts. To get started, set the Azure > Storage > Storage Account > Access Tier policy to Enforce: Cold.
Bug fixes
The Azure > Storage > Storage Account > Tags control will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
You can now configure guest configuration extension for virtual machines. To get started, set the Azure > Compute > Virtual Machine > Extensions > Guest Configuration policy.
CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.
The CMDB data for buckets did not refresh automatically when intelligent tiering configurations were removed from the buckets. This issue has now been fixed.
Fixed the containers_resources_limits_std and containers_resources_requests_std columns in the kubernetes_pod table to correctly return data when pod resource limits or requests are expressed in scientific notation, preventing errors. (#315)
Dependencies
Recompiled plugin with Go version 1.24.
Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
Fixed the account_alternate_contact_security_registered query to correctly list all the available accounts. (#917)
Fixed the iam_user_access_key_age_90 query to skip the inactive access keys. (#912)
Fixed config_enabled_all_regions, iam_access_analyzer_enabled_without_findings and securityhub_enabled queries to skip regions not defined in the aws.spc file. (#908)
Added export column to the aws_acm_certificate table. (#2571)
Added ignore_error_messages config arg to provide users the ability to set a list of additional AWS error messages to ignore while running queries. For more information, please see AWS plugin configuration (#2560)
Dependencies
Recompiled plugin with Go version 1.24.
Recompiled plugin with steampipe-plugin-sdk v5.13.0 that addresses critical and high vulnerabilities in dependent packages.
Resolved a bug where destroying a policy pack via Terraform did not delete the policy pack if it was still attached to resources. The terraform destroy command now provides a clear and meaningful error message when such attachments exist.
In previous versions, apigateway:CreateDeployment events were processed without validating the required stageName parameter, which could result in invalid stage resources in the CMDB. This issue is now fixed.
Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly. (#87)
Resolved an issue with real-time event handling for AWS > API Gateway > Stage resources. Specifically, Guardrails was previously not receiving events when a Web ACL was attached to an API Gateway stage. This has now been fixed, and events for such actions are processed as expected.
Fixed the control column of wiz_cloud_config_rule table to correctly return data instead of an error. (#61)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly. (#58)
Added destination, destination_branch_name and source columns to the bitbucket_pull_request table. (#119)
Bug fixes
Renamed the incorrectly named branch_name column to source_branch_name in the bitbucket_pull_request table to reflect the correct source branch of the pull request. (#119)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly. (#115)
Users can now configure the private google access settings for subnetworks. To get started, set the GCP > Network > Subnetwork > Private Google Access policy.
Control Types
GCP > Network > Subnetwork > Private Google Access
Policy Types
GCP > Network > Subnetwork > Private Google Access
Action Types
GCP > Network > Subnetwork > Set Private Google Access
Previously, GCP > DNS > Managed Zone > Labels control would fail when attempting to update labels on private DNS zones that were linked to a Service Directory namespace. This was caused by the control attempting to modify the serviceDirectoryConfig field, which is not allowed by the Google Cloud DNS API and resulted in an error. This issue has now been resolved.
The versioning mechanism has been changed to use GoReleaser for automated version management during the build process.
Breaking changes
The version package, which was previously used to control CLI versioning, has been removed in this version. This change only affects users who were importing the Steampipe version package in their Go code. Regular CLI usage is not impacted.
The AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2 policy previously depended on the Turbot > Workspace > Workspace Version policy, causing Event Handlers to run after a TE update. This dependency has been safely removed, improving the overall efficiency of the workspace.
You can now use the Intelligent Assessment control, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
Azure > PostgreSQL > Flexible Server > Intelligent Assessment
Policy Types
Azure > PostgreSQL > Flexible Server > Intelligent Assessment
Add --to flag for collect, allowing collection of standalone time ranges. (#238)
Add --overwrite flag for collect, allowing recollection of existing data. (#454)
Bug fixes
Fix issue where collection state end-objects are cleared when collection is complete,
meaning no further data will be collected for that day. (#250)
Behaviour Change
When passing a from time to a collection, the existing partition data is no longer cleared before the collection starts. This means that data will not, by default, be recollected for time ranges that have already been collected. To recollect data for a time range, pass the new --overwrite flag to the collect command.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
GCP > Folder > Intelligent Assessment
GCP > Organization > Intelligent Assessment
GCP > Project > Intelligent Assessment
Policy Types
GCP > Folder > Intelligent Assessment
GCP > Folder > Intelligent Assessment > Context
GCP > Folder > Intelligent Assessment > User Prompt
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
Azure > SQL > Database > Intelligent Assessment
Azure > SQL > Elastic Pool > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
Azure > Network > Application Security Group > Intelligent Assessment
You can now use the Intelligent Assessment control, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
Azure > MySQL > Flexible Server > Intelligent Assessment
Policy Types
Azure > MySQL > Flexible Server > Intelligent Assessment
Azure > MySQL > Flexible Server > Intelligent Assessment > Context
Azure > MySQL > Flexible Server > Intelligent Assessment > User Prompt
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
Azure > Monitor > Action Group > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
AWS > Redshift > Cluster > Intelligent Assessment
AWS > Redshift > Cluster Parameter Group > Intelligent Assessment
AWS > Redshift > Cluster Subnet Group > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
AWS > RDS > DB Cluster > Intelligent Assessment
AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
AWS > IAM > Access Analyzer > Intelligent Assessment
AWS > IAM > Access Key > Intelligent Assessment
AWS > IAM > Account Password Policy > Intelligent Assessment
AWS > IAM > Account Summary > Intelligent Assessment
AWS > IAM > Credential Report > Intelligent Assessment
AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment
AWS > IAM > Group > Inline Policy > Intelligent Assessment
AWS > IAM > Group > Intelligent Assessment
AWS > IAM > Instance Profile > Intelligent Assessment
AWS > IAM > MFA Virtual > Intelligent Assessment
AWS > IAM > OpenID Connect > Intelligent Assessment
AWS > IAM > Policy > Intelligent Assessment
AWS > IAM > Role > Inline Policy > Intelligent Assessment
AWS > IAM > Role > Intelligent Assessment
AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment
AWS > IAM > Root > Intelligent Assessment
AWS > IAM > Server Certificate > Intelligent Assessment
AWS > IAM > User > Group Memberships > Intelligent Assessment
AWS > IAM > User > Inline Policy > Intelligent Assessment
AWS > IAM > User > Intelligent Assessment
AWS > IAM > User > User Policy Attachments > Intelligent Assessment
Policy Types
AWS > IAM > Access Analyzer > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
AWS > Glue > Crawler > Intelligent Assessment
AWS > Glue > Data Catalog > Intelligent Assessment
AWS > Glue > Database > Intelligent Assessment
AWS > Glue > Job > Intelligent Assessment
AWS > Glue > ML Transform > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
Azure > Management Group > Intelligent Assessment
Azure > Resource Group > Intelligent Assessment
Azure > Subscription > Intelligent Assessment
Azure > Tenant > Intelligent Assessment
Policy Types
Azure > Management Group > Intelligent Assessment
Azure > Management Group > Intelligent Assessment > Context
Azure > Management Group > Intelligent Assessment > User Prompt
Azure > Resource Group > Intelligent Assessment
Azure > Resource Group > Intelligent Assessment > Context
Azure > Resource Group > Intelligent Assessment > User Prompt
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
AWS > Account > Intelligent Assessment
AWS > Organization > Intelligent Assessment
AWS > Organization Root > Intelligent Assessment
AWS > Organizational Unit > Intelligent Assessment
Policy Types
AWS > Account > Intelligent Assessment
AWS > Account > Intelligent Assessment > Context
AWS > Account > Intelligent Assessment > User Prompt
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
AWS > API Gateway > API > Intelligent Assessment
AWS > API Gateway > API Key > Intelligent Assessment
AWS > API Gateway > API V2 > Intelligent Assessment
AWS > API Gateway > Account > Intelligent Assessment
AWS > API Gateway > Authorizer > Intelligent Assessment
AWS > API Gateway > Authorizer V2 > Intelligent Assessment
AWS > API Gateway > Domain Name V2 > Intelligent Assessment
AWS > API Gateway > Integration V2 > Intelligent Assessment
AWS > API Gateway > Resource > Intelligent Assessment
AWS > API Gateway > Stage > Intelligent Assessment
AWS > API Gateway > Stage v2 > Intelligent Assessment
AWS > API Gateway > Usage Plan > Intelligent Assessment
Policy Types
AWS > API Gateway > API > Intelligent Assessment
AWS > API Gateway > API > Intelligent Assessment > Context
AWS > API Gateway > API > Intelligent Assessment > User Prompt
AWS > API Gateway > API Key > Intelligent Assessment
AWS > API Gateway > API Key > Intelligent Assessment > Context
AWS > API Gateway > API Key > Intelligent Assessment > User Prompt
AWS > API Gateway > API V2 > Intelligent Assessment
AWS > API Gateway > API V2 > Intelligent Assessment > Context
AWS > API Gateway > API V2 > Intelligent Assessment > User Prompt
AWS > API Gateway > Account > Intelligent Assessment
Workspace Manager can now access log buckets encrypted with customer-managed KMS keys, improving support for secure logging setups.
The initial setup for PgBouncer support is now available. When enabled, the stack automatically creates the networking and discovery components—like Security Groups and CloudMap—needed for PgBouncer to work.
Support for Valkey has been introduced, offering a simpler and more cost-effective option than Redis.
PgBouncer
PgBouncer support has been introduced to improve database connection efficiency through lightweight connection pooling. This enhancement benefits high-throughput environments by reducing the overhead of frequent PostgreSQL connections.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Bug fixes
We have improved the internal handling of user prompts to ensure better and more consistent evaluations for the Intelligent Assessment control(s).
Control Types
GCP > IAM > API Key > Intelligent Assessment
GCP > IAM > Project Role > Intelligent Assessment
GCP > IAM > Project User > Intelligent Assessment
GCP > IAM > Service Account > Intelligent Assessment
GCP > IAM > Service Account Key > Intelligent Assessment
GCP > Project > Policy > Intelligent Assessment
Policy Types
GCP > IAM > API Key > Intelligent Assessment
GCP > IAM > API Key > Intelligent Assessment > Context
GCP > IAM > API Key > Intelligent Assessment > User Prompt
GCP > IAM > Project Role > Intelligent Assessment
GCP > IAM > Project Role > Intelligent Assessment > Context
GCP > IAM > Project Role > Intelligent Assessment > User Prompt
GCP > IAM > Project User > Intelligent Assessment
GCP > IAM > Project User > Intelligent Assessment > Context
GCP > IAM > Project User > Intelligent Assessment > User Prompt
GCP > IAM > Service Account > Intelligent Assessment
GCP > IAM > Service Account > Intelligent Assessment > Context
GCP > IAM > Service Account > Intelligent Assessment > User Prompt
GCP > IAM > Service Account Key > Intelligent Assessment
GCP > IAM > Service Account Key > Intelligent Assessment > Context
GCP > IAM > Service Account Key > Intelligent Assessment > User Prompt
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
GCP > Compute Engine > Disk > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
Azure > IAM > Role Assignment > Intelligent Assessment
Azure > IAM > Role Definition > Intelligent Assessment
Policy Types
Azure > IAM > Role Assignment > Intelligent Assessment
Azure > IAM > Role Assignment > Intelligent Assessment > Context
Azure > IAM > Role Assignment > Intelligent Assessment > User Prompt
Azure > IAM > Role Definition > Intelligent Assessment
Azure > IAM > Role Definition > Intelligent Assessment > Context
Azure > IAM > Role Definition > Intelligent Assessment > User Prompt
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
Azure > Compute > Availability Set > Intelligent Assessment
Azure > Compute > Disk > Intelligent Assessment
Azure > Compute > Disk Encryption Set > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
AWS > VPC > Flow Log > Intelligent Assessment
AWS > VPC > Network ACL > Intelligent Assessment
AWS > VPC > Security Group > Intelligent Assessment
AWS > VPC > Security Group Rule > Intelligent Assessment
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Control Types
AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment
AWS > VPC > Elastic IP > Intelligent Assessment
AWS > VPC > Endpoint > Intelligent Assessment
AWS > VPC > Endpoint Service > Intelligent Assessment
AWS > VPC > Internet Gateway > Intelligent Assessment
AWS > VPC > NAT Gateway > Intelligent Assessment
Policy Types
AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment
AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment > Context
AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment > User Prompt
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Users can now create and manage tags for VPC transit gateway attachments. To get started, set the AWS > VPC > Transit Gateway Attachment > Tags > * policies.
You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
Fixed an issue where SAML directory certificate updates applied via Terraform appeared successful but did not persist in the backend. These updates are now correctly processed and retained.
Resolved an issue where the log message for policySetting resources was unclear when attempting to create policy settings for non-existent or uninstalled policy types. The log output is now more informative and precise.
The following 15 mods now have the Intelligent Assessment control(s), which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts.
Added support for five optional EC2 Launch Template tags (LaunchTemplateTag1–LaunchTemplateTag5) via SSM parameters. These tags are automatically applied to EC2 instances, EBS volumes, and network interfaces for improved resource classification and automation.
Introduced the AmiKmsKeyArn parameter to allow specifying a custom AWS KMS Key ARN for encrypting EBS volumes attached to EC2 instances. This enables support for custom encrypted AMIs.
Added a new EC2InstanceCustomUserData parameter that appends additional UserData from SSM. This allows for dynamic EC2 initialization without needing changes to the CloudFormation template.
Optimized the aws_s3_bucket table to reduce query time by improving how bucket regions are handled. (#2519)
Bug fixes
Fixed the policy column of aws_iam_policy table to correctly return data instead of an error when the policy document contains trailing tab characters. (#2529)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.12.0, which introduces support for the UnmarshalJSON transform function, ensuring robust handling of IAM policy JSON columns. (#2529)
The AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket control previously failed to evaluate correctly when there were more than one FieldSelectors present under AdvancedEventSelectors. This issue is now fixed.
The AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.
The AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket control previously failed to evaluate correctly when there were more than one FieldSelectors present under AdvancedEventSelectors. This issue is now fixed.
The AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.
The AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated) control previously failed to evaluate correctly when there were more than one FieldSelectors present under AdvancedEventSelectors. This issue is now fixed.
The AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated) control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.
Added support for Fine-grained personal access token via the token config argument, with each table’s documentation updated to specify the required permissions. Refer to the plugin's Credentials section for additional information. (#497)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly. (#499)
The AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.
Fixed an issue where importing a GCP Organization via the UI did not automatically create the required Private Key setting.
Security Updates
Fixed access issue in policy pack management
In version 5.51.3, a security issue was introduced that mistakenly allowed users with any Turbot/* permissions — at the Turbot level, when using the API — to:
Create or update policy associations within a policy pack
Delete a policy pack if it was not attached to any resource
This has now been fixed, and the correct permission model has been restored — only users with Turbot/Admin permissions can perform these operations.
The AWS > CloudTrail > Trail > CMDB control has been updated to correctly refresh the EventSelectors and AdvancedEventSelectors details when these settings are removed in AWS. This update ensures that the CMDB data accurately reflects the current state of the trail configuration.
The AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.
The AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated) control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.
Increased the minimum required glibc version to 2.34 for the FDW, due to the upgrade of the Linux build environment from Ubuntu 20.04 to Ubuntu 22.04 GitHub runners. As a result, Steampipe no longer supports older Linux distributions such as Ubuntu 20.04 and Amazon Linux 2.
Bug fixes
Fix issue where the FDW did not correctly provide planning cost information for key-columns with an any-of requirement. This led the Postgres planner to choose query plans that do not include filters on those columns, even when filters were present in the query. (#558)
Fix issue where Steampipe was returning a 0 exit code even when a wrong sub-command was run. (#4563)
Optimized the aws_ecr_image_scan_finding table to reduce the query timing by removing the listAwsEcrImageTags parent hydrate and by adding the image_tag as an optional qual. (#2492)
Added column ephemeral_storage to aws_lambda_function table. (#2505)
Added connection and config-dir flags to the plugin's Export tool.
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.11.7 which resolves an issue where rate limiters were not being applied to hydrate functions correctly, and ensures that errors during data streaming are now properly surfaced by the Export CLI.
Load Balancer listeners upserted in Guardrails along with their parent Load Balancers occasionally lacked createTimestamp and createdBy metadata. This omission caused the AWS > EC2 > Load Balancer Listener > Approved control to evaluate incorrectly. We have enhanced our real-time event handling to ensure metadata is accurately populated in such scenarios.
Fixed infinite loop issues in several tables by ensuring queries stop when no more rows are returned by the API. (#508) (Thanks @QiXingchuan for the contribution!)
The AWS > SNS > Subscription > CMDB control previously entered an error state for cross-account subscriptions upserted in Guardrails CMDB. These subscriptions will no longer be upserted into CMDB, preventing the control from entering an error state.
The AWS > SNS > Subscription > CMDB control did not automatically re-run when a subscription was in the PendingConfirmation state. This issue has now been resolved.
Added rate-limiter tags to all tables which can be used to smooth request rates and limit the number of parallel requests to avoid hitting API rate limits. (#563)
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
The Azure > Compute > Virtual Machine > CMDB control previously triggered the Azure > Compute > Disk > Discovery control on the VM's resource group, resulting in unnecessary control re-runs within the workspace. We've now improved the VM's CMDB control to prevent such unnecessary re-runs.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
The tp_index column for the aws_cost_and_usage_focus, aws_cost_and_usage_report, and aws_cost_optimization_recommendation tables is now always set to the value default instead of an AWS account ID to improve query times. (#179)
Dependencies
Bumped github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.17.73 to 1.17.75. (#171)
Bumped github.com/aws/aws-sdk-go-v2/service/guardduty from 1.54.1 to 1.54.5. (#170)
Bumped github.com/aws/aws-sdk-go-v2/service/s3 from 1.79.2 to 1.79.3. (#167)
Bumped github.com/turbot/pipe-fittings/v2 from 2.3.4 to 2.4.1. (#176)
Bumped golang.org/x/sync from 0.13.0 to 0.14.0. (#172)
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added period_start and period_end as optional qualifiers to all aws_cost_* tables to enable custom date range filtering and reduce API usage costs. (#2168)
Updated all aws_* tables to use AWS Go SDK v2 instead of v1, enabling support for newer AWS regions like ap-southeast-5. (#2370)
Dependencies
Recompiled plugin with AWS Go SDK v2.1.36.3. (#2495)
Deprecations
Deprecated search_start_time and search_end_time columns in the aws_cost_usage table. Please use period_start and period_end instead. (#2168)
Switch between different workspace instance types to adjust your workspace configuration to better match your workload requirements. Whether you're optimizing for performance or cost, you can choose the instance type that best fits your needs.
Persistent workspaces now support a new instance type: db1.medium. This instance type is ideal for larger workloads, including datatanks with multiple tables containing hundreds of partitions.
We've also improved the workspace creation experience. You can now view all available instance types more easily and set the DB volume size during creation, with clear limits outlined for each type.
Custom tenant settings now allow owners to manage personal workspaces for users. This includes the ability to enable or disable the creation of personal workspaces.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
Added allowedToCreateTenants field under default_user_role_permissions column of azuread_authorization_policy table. (#243) (Thanks @MarkusGnigler for the contribution!)
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
You can now configure the AWS > IAM > MFA Virtual > Active control for virtual MFA devices based on their age. To get started, set the AWS > IAM > MFA Virtual > Active > Age policy. As part of this enhancement, a new value of 45 days has been applied to all relevant Active policies.
Fixed the sagemaker_notebook_instance_encryption_at_rest_enabled query to correctly return SageMaker notebook instances with encryption at rest disabled. (#897)
Fixed a syntax error in the iam_user_one_active_key query. (#895)
Fixed the lambda_function_dead_letter_queue_configured query to properly check for Lambda functions with a DLQ (Dead Letter Queue) configured. (#893)
Fixed the kms_cmk_policy_prohibit_public_access, sns_topic_policy_prohibit_public_access, and sns_topic_policy_prohibit_cross_account_access queries to correctly assess whether the associated IAM policies allow public access or cross-account access. (#858, #887)
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
The Azure > Subscription > Event Poller control previously processed some real-time events multiple times, resulting in unnecessary Lambda churn. The event processing logic has been improved to ensure each event is handled only once, enhancing overall efficiency.
The Azure > Subscription > CMDB control previously ran unnecessarily when Guardrails received real-time Microsoft.Resources/tags/write events for resources other than subscriptions or resource groups. These events will no longer be processed, preventing unnecessary CMDB control runs.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Resource Types
Fixed the self_link column of gcp_artifact_registry_repository, gcp_cloud_run_job and gcp_cloud_run_service tables to reflect the correct resource links. (#731) (Thanks @pdecat for the contribution!)
Resolved an issue where parent updates in resource_turbot_file were silently ignored. These updates are now processed correctly to ensure changes are properly applied.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Web ACL resource type is now deprecated and will be removed in the next major version. Please refer Migrate workloads from AWS WAF Classic for more information.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Resource Types
Renamed
AWS > WAF > Web ACL to AWS > WAF > Web ACL [Deprecated]
Control Types
Renamed
AWS > WAF > Web ACL > Active to AWS > WAF > Web ACL [Deprecated] > Active
AWS > WAF > Web ACL > Approved to AWS > WAF > Web ACL [Deprecated] > Approved
AWS > WAF > Web ACL > CMDB to AWS > WAF > Web ACL [Deprecated] > CMDB
AWS > WAF > Web ACL > Discovery to AWS > WAF > Web ACL [Deprecated] > Discovery
AWS > WAF > Web ACL > Tags to AWS > WAF > Web ACL [Deprecated] > Tags
AWS > WAF > Web ACL > Usage to AWS > WAF > Web ACL [Deprecated] > Usage
Policy Types
Renamed
AWS > WAF > Web ACL > Active to AWS > WAF > Web ACL [Deprecated] > Active
AWS > WAF > Web ACL > Active > Age to AWS > WAF > Web ACL [Deprecated] > Active > Age
AWS > WAF > Web ACL > Active > Budget to AWS > WAF > Web ACL [Deprecated] > Active > Budget
AWS > WAF > Web ACL > Active > Last Modified to AWS > WAF > Web ACL [Deprecated] > Active > Last Modified
AWS > WAF > Web ACL > Approved to AWS > WAF > Web ACL [Deprecated] > Approved
AWS > WAF > Web ACL > Approved > Budget to AWS > WAF > Web ACL [Deprecated] > Approved > Budget
AWS > WAF > Web ACL > Approved > Custom to AWS > WAF > Web ACL [Deprecated] > Approved > Custom
AWS > WAF > Web ACL > Approved > Usage to AWS > WAF > Web ACL [Deprecated] > Approved > Usage
AWS > WAF > Web ACL > CMDB to AWS > WAF > Web ACL [Deprecated] > CMDB
AWS > WAF > Web ACL > Tags to AWS > WAF > Web ACL [Deprecated] > Tags
AWS > WAF > Web ACL > Tags > Template to AWS > WAF > Web ACL [Deprecated] > Tags > Template
AWS > WAF > Web ACL > Usage to AWS > WAF > Web ACL [Deprecated] > Usage
AWS > WAF > Web ACL > Usage > Limit to AWS > WAF > Web ACL [Deprecated] > Usage > Limit
Action Types
Renamed
AWS > WAF > Web ACL > Delete to AWS > WAF > Web ACL [Deprecated] > Delete
AWS > WAF > Web ACL > Delete from AWS to AWS > WAF > Web ACL [Deprecated] > Delete from AWS
AWS > WAF > Web ACL > Router to AWS > WAF > Web ACL [Deprecated] > Router
AWS > WAF > Web ACL > Set Tags to AWS > WAF > Web ACL [Deprecated] > Set Tags
AWS > WAF > Web ACL > Skip alarm for Active control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Active control
AWS > WAF > Web ACL > Skip alarm for Active control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Active control [90 days]
AWS > WAF > Web ACL > Skip alarm for Approved control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Approved control
AWS > WAF > Web ACL > Skip alarm for Approved control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Approved control [90 days]
AWS > WAF > Web ACL > Skip alarm for Tags control to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Tags control
AWS > WAF > Web ACL > Skip alarm for Tags control [90 days] to AWS > WAF > Web ACL [Deprecated] > Skip alarm for Tags control [90 days]
AWS > WAF > Web ACL > Update Tags to AWS > WAF > Web ACL [Deprecated] > Update Tags
The AWS > Secrets Manager > Secret > Stack [Native] control previously failed to import and manage resources outside the us-east-1 region. This issue has now been resolved.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Pipeline resource type is now deprecated and will be removed in the next major version. Please refer Migrate workloads from AWS Data Pipeline for more information.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Resource Types
Renamed
AWS > Data Pipeline > Pipeline to AWS > Data Pipeline > Pipeline [Deprecated]
Control Types
Renamed
AWS > Data Pipeline > Pipeline > Active to AWS > Data Pipeline > Pipeline [Deprecated] > Active
AWS > Data Pipeline > Pipeline > Approved to AWS > Data Pipeline > Pipeline [Deprecated] > Approved
AWS > Data Pipeline > Pipeline > CMDB to AWS > Data Pipeline > Pipeline [Deprecated] > CMDB
AWS > Data Pipeline > Pipeline > Discovery to AWS > Data Pipeline > Pipeline [Deprecated] > Discovery
AWS > Data Pipeline > Pipeline > Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Tags
Policy Types
Renamed
AWS > Data Pipeline > Pipeline > Active to AWS > Data Pipeline > Pipeline [Deprecated] > Active
AWS > Data Pipeline > Pipeline > Active > Age to AWS > Data Pipeline > Pipeline [Deprecated] > Active > Age
AWS > Data Pipeline > Pipeline > Active > Last Modified to AWS > Data Pipeline > Pipeline [Deprecated] > Active > Last Modified
AWS > Data Pipeline > Pipeline > Approved to AWS > Data Pipeline > Pipeline [Deprecated] > Approved
AWS > Data Pipeline > Pipeline > Approved > Custom to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Custom
AWS > Data Pipeline > Pipeline > Approved > Regions to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Regions
AWS > Data Pipeline > Pipeline > Approved > Usage to AWS > Data Pipeline > Pipeline [Deprecated] > Approved > Usage
AWS > Data Pipeline > Pipeline > CMDB to AWS > Data Pipeline > Pipeline [Deprecated] > CMDB
AWS > Data Pipeline > Pipeline > Regions to AWS > Data Pipeline > Pipeline [Deprecated] > Regions
AWS > Data Pipeline > Pipeline > Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Tags
AWS > Data Pipeline > Pipeline > Tags > Template to AWS > Data Pipeline > Pipeline [Deprecated] > Tags > Template
Action Types
Renamed
AWS > Data Pipeline > Pipeline > Delete to AWS > Data Pipeline > Pipeline [Deprecated] > Delete
AWS > Data Pipeline > Pipeline > Delete from AWS to AWS > Data Pipeline > Pipeline [Deprecated] > Delete from AWS
AWS > Data Pipeline > Pipeline > Router to AWS > Data Pipeline > Pipeline [Deprecated] > Router
AWS > Data Pipeline > Pipeline > Set Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Set Tags
AWS > Data Pipeline > Pipeline > Skip alarm for Active control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Active control
AWS > Data Pipeline > Pipeline > Skip alarm for Active control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Active control [90 days]
AWS > Data Pipeline > Pipeline > Skip alarm for Approved control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Approved control
AWS > Data Pipeline > Pipeline > Skip alarm for Approved control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Approved control [90 days]
AWS > Data Pipeline > Pipeline > Skip alarm for Tags control to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Tags control
AWS > Data Pipeline > Pipeline > Skip alarm for Tags control [90 days] to AWS > Data Pipeline > Pipeline [Deprecated] > Skip alarm for Tags control [90 days]
AWS > Data Pipeline > Pipeline > Update Tags to AWS > Data Pipeline > Pipeline [Deprecated] > Update Tags
AWS plugin v1.12.0 or higher is now required. (#882)
What's new?
Added iam_user_access_key_age_365 and secretsmanager_secret_rotation_enabled controls to all_controls_iam and all_controls_secretsmanager benchmarks respectively. (#886)
Refactored GuardDuty queries to skip regions where GuardDuty is not available. (#882)
Bug fixes
Fixed eks_cluster_secrets_encrypted query to automatically return ok instead of an alarm for EKS clusters with version greater than 1.27 since they are automatically encrypted by AWS owned KMS keys. (#883)
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Control Types
Azure > Resource Group > Stack [Native]
Policy Types
Azure > Resource Group > Stack [Native]
Azure > Resource Group > Stack [Native] > Drift Detection
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
EventBridge rules configured via Event Handlers have been improved to exclude real-time events containing errors from being sent to the Guardrails endpoint. This prevents Guardrails from processing unnecessary error events.
The default value for the AWS > Region > Connection Region policy did not evaluate correctly for AWS GovCloud accounts. This issue has been resolved.
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Users can now select the default region when logging in to AWS accounts via Guardrails using Role mode. To get started, set the AWS > Account > Permissions > Default Region policy.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Users can now manage endpoint access for clusters. To get started, set the AWS > EKS > Cluster > Endpoint Access > * policies.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Previously, modifying instance identifiers to use different casing while retaining the same name caused Guardrails to incorrectly update the DBInstanceIdentifier and the AKA for the resource. Guardrails will now be smarter to avoid updating these details in CMDB data in such scenarios.
The AWS > EC2 > AMI > Discovery control previously failed to fetch all resources, due to the lack of pagination support. This issue has been fixed, and the control will now correctly fetch all available AMIs.
Removed unnecessary attributes from the default value of the Kubernetes > Pod > osquery > Configuration > Columns policy, which previously caused churn by unnecessarily triggering the Kubernetes > Pod > CMDB control.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Added CIS v5.0.0 benchmark (powerpipe benchmark run aws_compliance.benchmark.cis_v500). (#881)
Added lambda_function_logging_config_enabled control to all_controls_lambda benchmark.
Bug fixes
Fixed eks_cluster_secrets_encrypted query to automatically return ok instead of an alarm for EKS clusters with version greater than 1.27 since they are automatically encrypted by AWS owned KMS keys. (#883)
Fix issue where query batch mode outputs(json, csv, line) were not printing the rows received to stdout when any of the other rows returned an API error. (#4516)
Fix issue where query batch mode table output always returned a 0 row count when timing was enabled. (#4520)
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.
CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.
The Azure > Storage > Storage Account > Tags control previously failed to update tags for storage accounts of type StandardV2_LRS. This issue has been resolved, and the control now correctly updates tags for this storage account type.
The Azure > Storage > Queue > Discovery control previously entered an error state for storage accounts of kind FileStorage. This issue has been resolved, and the control will now be skipped for such storage accounts.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Reduced the time taken to collect and process data in Account > Statistics, resulting in noticeably faster and a smoother experience.
Enhanced the reliability of Turbot > Mod > Runnable Monitor and Turbot > Mod Event Monitor by improving how they handle temporary lock conflicts, ensuring more consistent operation.
Fixed an issue where moving a resource between parents could create an incorrect path.
Policy packs can now only be attached to resources where it is feasible to attach.
UI
Resolved a layout issue where long resource names could break the detail headers on the Control, Process, and Policy pages.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Guardrails previously upserted DB parameter groups into the CMDB with incorrect casing when they were created using uppercase letters in AWS. This occasionally caused the AWS > RDS > DB Parameter Group > CMDB control to enter an error state due to duplicate AKAs. We have improved the handling of create and copy real-time events for parameter groups to ensure they are now upserted correctly and more reliably.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
The AWS > VPC > Transit Gateway Attachment > CMDB control would sometimes go into an error state when ResourceOwnerId for the resource was not available in the CMDB data. This is fixed and the control will now work correctly, as expected.
Guardrails stack controls that created or claimed IAM roles would sometimes run unnecessarily due to a mismatch in the default value for force_detach_policies in the Terraform mapping for the resource type. We have now removed the conflicting default to prevent such unnecessary executions. You now need to explicitly define force_detach_policies to override the existing Terraform default value (if required by your use case).
Updated file_layout arguments in documentation to wrap values in backticks instead of double quotes to align with Tailpipe CLI v0.2.0 changes. (#140)
Bug fixes
The aws_vpc_flow_log table no longer skips collecting records with log status SKIPPED or NODATA.
Updated aws_cost_and_usage_focus, aws_cost_and_usage_report and aws_cost_optimization_recommendation tables to store missing column values as null. (#139)
Fixed typo for file_layout in aws_s3_bucket source doc.
Dependencies
Bumped github.com/turbot/pipe-fittings/v2 from 2.3.0 to 2.3.1. (#143)
Bumped github.com/turbot/tailpipe-plugin-sdk from v0.1.1 to v0.2.0. (#136)
Added support for multiple input queries (with ability to use Nunjucks template functionality) in the calculated policy editor allowing teams to create complex calculated policies involving a pipeline of GraphQL queries.
Bug fixes
Server
Turbot/ReadOnly permission is now sufficient to create, delete, and update favorites.
Resolved an issue that was blocking users from running quick actions due to incorrect permission checks.
Tightened permissions for smart folder attachments and detachments to prevent unauthorized access.
Account/ReadOnly users can now successfully manage favorites, including creation, deletion, and updates.
UI
Policy settings can now be created by users with Account/Admin permission, as intended, instead of incorrectly requiring Account/Owner.
Quick action runs no longer fail for users with a single grant due to a UI permission check issue.
Turbot Pipes' latest update enhances its built-in query editor with improved schema navigation, integrated documentation, pre-built query examples, and powerful search, making it faster and easier for teams to explore and query cloud data.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
The GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-iam rendered the real-time events filter for Project User resource type incorrectly, which caused the GCP > Logging > Sink > Configured control for Logging sinks created via Event Handlers to go into an error state. This issue is now fixed.
The GCP > IAM > Project User > CMDB control entered an error state due to incorrect internal references introduced in the previous version of the mod (v5.17.0). This issue has been fixed, and the control now works as expected.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
The GCP > Project > Labels control failed to apply labels to projects according to the GCP > Project > Labels > Template policy. This issue has been fixed.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated internal definitions for Quick Actions on the AWS > S3 > Bucket > Public Access Block control type. All functionality will continue to work smoothly as before.
The AWS > EC2 > Target Group > Discovery control sometimes failed to upsert target groups under gateway load balancers that were not present in the CMDB. This occurred because Guardrails was unable to discover those gateway load balancers due to an outdated list of supported regions. The list has been refreshed for the AWS > EC2 > Gateway Load Balancer resource type, enabling Guardrails to discover and manage these resources across all supported AWS regions.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for Contactable interface in various resource types.
Bug fixes
We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
Added support to process real-time events for ServiceNow custom tables and their records.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
The AWS > Region > Discovery > Connection Region policy has been deprecated and will be removed in the next major version of the mod (v6.0.0). Two new policies, AWS > Account > Connection Region [Default] and AWS > Region > Connection Region, have been introduced. These policies streamline connection region management across all global resource types in various services. For the deprecated AWS > Region > Discovery > Connection Region policy, we recommend migrating existing settings to the AWS > Region > Connection Region policy if you intend to define a connection region for discovering Region resources. Alternatively, you may configure the AWS > Account > Connection Region [Default] policy, which serves as the default region for discovering all global resources across services in your account.
Policy Types
AWS > Account > Connection Region [Default]
AWS > Region > Connection Region
Renamed
AWS > Region > Discovery > Connection Region to AWS > Region > Discovery > Connection Region [Deprecated]
You can now configure a connection region to allow Guardrails to fetch details for S3 accounts in CMDB. To get started, set the AWS > S3 > Connection Region policy. This policy defaults to the value of the AWS > Account > Connection Region [Default] policy, which can be used to define a default connection region for all global resources in an account.
The schema list view in the Steampipe query editor now hides aggregated connections by default. This change helps highlight the key schemas whilst also improving readability of the list, especially in workspaces with a large number of aggregated connections.
You can still view the aggregated connections by clicking the Show Aggregated Connections option via the schema list settings button. This will expand the list to show all connections, including the aggregated ones.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Guardrails previously processed the organizations:MoveAccount real-time event incorrectly for individually imported management accounts, inadvertently deleting them from the CMDB. We have tightened the validation checks to prevent such deletions in these cases.
Discovery controls for various SageMaker resources previously attempted to fetch a maximum of 10 resources per API call, which occasionally led to throttling when a high number of resources existed in the account. This limit has now been increased to 100 (the maximum supported by the APIs) to enable the Discovery controls to retrieve all resources without errors and upsert them into the CMDB.
Removed the projects_total_count column from the github_organization and github_my_organization tables. This property was removed from the GitHub GraphQL API as of April 1, 2025, which caused queries using it to fail. We recommend using projects_v2_total_count column instead. Please check GitHub GraphQL API changelog for additional details. (#488)
Enhancements
Added run_attempt column as an optional qual to the GetConfig of github_actions_repository_workflow_run table. (#464) (Thanks @tsibley for the contribution!!)
Added run_attempt and previous_attempt_url columns to github_actions_repository_workflow_run table. (#463) (Thanks @tsibley for the contribution!!)
Added workflow_id column as an optional qual to the ListConfig of github_actions_repository_workflow_run table. (#465) (Thanks @tsibley for the contribution!!)
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We have improved event handling configuration to filter AWS Organization events that Guardrails listens for, based on the CMDB policies for resource types. If the CMDB policy for a resource type is not set to Enforce: Enabled, the EventBridge rule for Organizations will exclude events for that resource type.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Introducing scoped Account/* permissions to help application teams manage their own accounts.
Notifications routing based on permissions.
Bug fixes
Server
Controls no longer crashes when there's a parsing issue in rule-based notifications. Instead, it logs the error gracefully and continues running.
Fixed a problem where certain operations could trigger a "callback already called" error, improving overall reliability of caching.
The Type Installed control now spreads events over time to reduce the likelihood of API throttling during large-scale installations or updates.
Guardrails now skips storing resource tags larger than 1 KB to ensure only valid tags are saved and to avoid potential issues later.
The osquery worker now correctly uses the TURBOT_RDS_SSL_FILE environment variable to point to the right certificate file, fixing an issue where it previously referenced the wrong path.
To improve reliability and performance, Guardrails prioritizes events in the order Type Installed > Policies > Scheduled Actions > Controls.
Resolved an issue where authenticated users without the appropriate permissions were able to access process logs.
UI
Switching between self and descendant modes no longer clears existing filter configurations — your selections will now persist as expected.
Account Permissions
Introduced a new category of permissions — Account/ — designed specifically for application teams who need limited visibility and control over resources within their own accounts. These are distinct from the Turbot/ permissions used by governance teams.
Account levels:
Account/Owner
Account/Admin
Account/Operator
Account/ReadOnly
These levels are now explained alongside Turbot/* levels, with clear usage guidance:
Turbot/* — for managing the Guardrails platform
Account/* — for managing resources and notifications within cloud accounts
Notification Routing to Guardrails Profiles
You can now route notifications to Guardrails user profiles dynamically based on resource permissions — a major upgrade from static email/webhook targeting. This allows for context-aware delivery to users like Account Owners or Admins.
Supported formats:
Specific roles like Account/Owner, Turbot/Owner
Wildcards like Account/*
Special role Account/CC for tagging-based routing
Use case:
Automatically notify account teams responsible for a resource, based on their assigned permission
Access Controls Refined for Process Logs
Access to process logs is now restricted to users with appropriate permissions, specifically those with Turbot/Metadata or higher.
Previously, any authenticated user could retrieve process logs via the API. This behavior has been corrected to align with expected permission boundaries and prevent overexposure of operational data.
Add support for plugins with custom formats.
A format block can be defined in config and plugins can provide formats types and presets . Format are supported by the new Nginx and Apache plugins.
(#264).
The GCP > IAM > Service Account > CMDB control would sometimes enter a skipped state for newly imported projects if certain required attributes were missing from the IAM service's CMDB data. The control will now go into a TBD state instead and rerun after five minutes to allow the IAM service's CMDB data to populate correctly for newly imported projects.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Guardrails would sometimes ignore the GCP > BigQuery > Table > CMDB policy set to Enforce: Disabled and still upsert table resources via real-time events in CMDB. These resources were subsequently cleaned up by the CMDB control. This issue has been resolved, and the CMDB policy will now be correctly respected before upserting resources.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Persistent workspaces now support high-performance SSD storage. This allows you to run your workloads on faster storage, which can be especially useful for queries that require high IOPS or low latency.
Any new persistent workspaces created will automatically use SSD storage. We'll gradually migrate existing persistent workspaces to SSD storage over the next few weeks. This change is included in the current pricing model and will not incur any additional cost.
The default retention period for activity has been updated to 90 days (previously unlimited)
Storing too much historical activity data can slow down the system and increase storage costs. By setting a 90-day default, we ensure:
Faster queries and improved UI performance
A better balance between data retention and storage efficiency
Need more or less retention? You can adjust based on your needs:
Retention Period
Ideal For
30 days
High-performance environments
60 days
Balanced usage, recommended for most users
90 days
New default — standard compliance needs
180 / 365 days
Long-term auditing or retention policies
For self-hosted environments, the 90-day default will apply when upgrading to @turbot/turbot version 5.51.0 or higher, unless a custom retention policy is set.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Added support for af-south-1, ap-east-1, ap-southeast-3, ap-southeast-5, ap-southeast-7, ca-west-1, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1 and me-south-1 regions in the AWS > Lambda > Regions policy.
Corrected the region in the AWS > Lambda > Function Alias > Regions policy by updating us-west-3 to the correct region, us-west-2.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated internal dependencies and now use newer Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing settings to refer to the updated attributes as mentioned below:
Added:
policy.enforcementMode
policy.nonComplianceMessages
policy.systemData
Removed:
policy.sku
Renamed:
settings[*].properties.enabled to settings[*].enabled
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
Added PCI DSS v4.0 benchmark (powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40). (#871)
Bug fixes
Fixed the iam_user_one_active_key query to correctly evaluate IAM access keys across multiple AWS accounts. (#867) (Thanks @adrianstanislaus for the contribution!!)
Real-time delete events for topics would sometimes result in the deletion of subscriptions under a different topic in the CMDB. This issue has been fixed, and subscriptions are now cleaned up more reliably than before.
The AWS > MySQL > Server > CMDB policy will now be set to Skip by default because the resource type has been deprecated and will be removed in the next major version. Please check Single Server retirement for more information.
Resource Types
Renamed
Azure > MySQL > Server to Azure > MySQL > Server [Deprecated]
Control Types
Renamed
Azure > MySQL > Server > Active to Azure > MySQL > Server [Deprecated] > Active
Azure > MySQL > Server > Approved to Azure > MySQL > Server [Deprecated] > Approved
Azure > MySQL > Server > CMDB to Azure > MySQL > Server [Deprecated] > CMDB
Azure > MySQL > Server > Discovery to Azure > MySQL > Server [Deprecated] > Discovery
Azure > MySQL > Server > Encryption in Transit to Azure > MySQL > Server [Deprecated] > Encryption in Transit
Azure > MySQL > Server > Tags to Azure > MySQL > Server [Deprecated] > Tags
Policy Types
Renamed
Azure > MySQL > Server > Active to Azure > MySQL > Server [Deprecated] > Active
Azure > MySQL > Server > Active > Age to Azure > MySQL > Server [Deprecated] > Active > Age
Azure > MySQL > Server > Active > Last Modified to Azure > MySQL > Server [Deprecated] > Active > Last Modified
Azure > MySQL > Server > Approved to Azure > MySQL > Server [Deprecated] > Approved
Azure > MySQL > Server > Approved > Custom to Azure > MySQL > Server [Deprecated] > Approved > Custom
Azure > MySQL > Server > Approved > Regions to Azure > MySQL > Server [Deprecated] > Approved > Regions
Azure > MySQL > Server > Approved > Usage to Azure > MySQL > Server [Deprecated] > Approved > Usage
Azure > MySQL > Server > CMDB to Azure > MySQL > Server [Deprecated] > CMDB
Azure > MySQL > Server > Encryption in Transit to Azure > MySQL > Server [Deprecated] > Encryption in Transit
Azure > MySQL > Server > Regions to Azure > MySQL > Server [Deprecated] > Regions
Azure > MySQL > Server > Tags to Azure > MySQL > Server [Deprecated] > Tags
Azure > MySQL > Server > Tags > Template to Azure > MySQL > Server [Deprecated] > Tags > Template
Action Types
Removed
Azure > MySQL > Server > Delete
Azure > MySQL > Server > Router
Azure > MySQL > Server > Set Tags
Azure > MySQL > Server > Update Encryption in Transit
We have improved our event handling configuration to filter AWS SQS events that Guardrails listens for based on the AWS > SQS > Queue > CMDB policy. If the CMDB policy is not set to Enforce: Enabled, the EventBridge rule for SQS will not be configured, preventing events for that resource type. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.
The AWS > Turbot > IAM stack control occasionally encountered an error while attaching tags with special characters to Guardrails-managed users and roles. This issue is now fixed.
Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
Added support for Contactable interface in various resource types.
Bug fixes
The Azure > Compute > Disk > Discovery control occasionally encountered an error while upserting attached disks under VMs that were not available in Guardrails CMDB. Now, all disks will be upserted under their respective resource groups, ensuring the Discovery control functions more smoothly and reliably than before.
Added parameter to manage ALB timeout, allowing better control over request handling.
Added parameter to customize API Gateway domain name. For backward compatibility, the default value remains gateway.
Added parameter to control message rate in the queue, enabling better queue message management.
S3 Lifecycle Rules now automatically enable ‘Expired Object Delete Markers’ for cleanup and remove incomplete multipart uploads after 7 days to prevent storage waste.
HOP limit increased to 2 for improved request forwarding.
Route53 Record for API Gateway now includes the GatewayPrefix to enhance routing accuracy.
Added changelog column to jira_issue table. (#149) (Thanks @mariusgrigaitis for the contribution!)
Added updated column as an optional qual to the jira_issue_worklog table. (#151) (Thanks @mariusgrigaitis for the contribution!)
Optimized the jira_issue_comment table to avoid unnecessary API calls when issue_id is passed in as an optional qual when querying the table. (#143)
Bug fixes
Fixed the jira_issue table to correctly return data instead of an error when resolution_date and status columns are passed in as the query parameters. (#152) (Thanks @mariusgrigaitis for the contribution!)
Added optional config arguments max_error_retry_attempts and min_error_retry_delay to allow customization of the error retry timings. For more information please see Azure plugin configuration. (#873)
Bug fixes
Fixed the scope column of the azure_role_assignment table to correctly return data instead of nil. (#868)
Dependencies
Recompiled plugin with Go version 1.23.1.
Recompiled plugin with steampipe-plugin-sdk v5.11.3 that addresses critical and high vulnerabilities in dependent packages.
Updated aws_acm_*, aws_sns_*, aws_sqs_*, aws_cloudtrail_*, and aws_guardduty_* tables to use AWS Go SDK V2, enabling dynamic region listing for all AWS partitions. (#2440)
Guardrails would fail to process real-time delete events for subscriptions. This is now fixed.
Fixed pagination for Azure > Turbot > Event Poller control.
Real-time Microsoft.Resources tagging events will now be processed only for subscriptions and resource groups, and will be ignored for other resource types. This will avoid unnecessary triggers for subscription & resource group router actions.
Added support for sse_customer_algorithm, sse_customer_key and sse_customer_key_md5 optional key quals in the aws_s3_object table to list objects encrypted with SSE-C. (#2409)
Added parent hydrate support in the aws_ecr_image_scan_finding table to manage the complex join queries. (#2376)
Added pending_modified_values column to the aws_rds_db_instance table. (#2411)
Added tags to aws_glue_* tables. (#2402) (Thanks @pdecat for the contribution!)
Added tag retrieval example to aws_ses_domain_identity table documentation. (#2432)
Added logging_config column to the aws_lambda_function table. (#2423)
Bug fixes
Fixed the nil pointer dereference error when querying AWS RDS custom instances. (#2436)
Fixed the region column of aws_wafregional_rule table to correctly return the resource region instead of global. (#2429)
Fixed the arn column in aws_vpc_eip table to use the correct format. (#2415) (Thanks @thomasklemm for the contribution!)
Fixed not found errors in aws_kinesis_consumer and aws_lightsail_instance tables. (#2408)
Fixed the InvalidParameterException error in aws_ecs_service tables when listing tags for older ECS services. (#2410)
Refactored IAM and Route 53 queries to use global dimension qualifiers. (#865)
Fixed cloudfront_distribution_no_non_existent_s3_origin query to correctly check if the distributions are associated with S3 buckets. (#864)
Fixed the eks_cluster_control_plane_audit_logging_enabled query to correctly check if audit logging is enabled or not. (#856)
Fixed the resource column of vpc_peering_connection_route_table_least_privilege and vpc_peering_connection_no_cross_account_access queries to use arn instead of id. (#860)
Fixed typo in iam_user_hardware_mfa_enabled query. (#851) (Thanks to @ramses999 for the contribution!)
Added multi region KMS encryption for Tenant Master Key.
Guardrails now provides an override parameter at the TE level to configure API and Event container memory reservations, improving ECS task scaling and resource flexibility.
Multi Region KMS Key
Starting from TEF v1.65.0 and TE v5.49.0, a new multi-region KMS key is created at the TEF level.
When workspaces are upgraded to TE v5.49.0, Guardrails use this new key to re-encrypt the existing Tenant Master Key within the workspaces. The Tenant Master Key itself remains unchanged-only its encryption is updated. The previous version, encrypted with a regional KMS key, remains available.
If a workspace is downgraded to TE v5.48.0, the multi-region encryption persists. Upon re-upgrading to TE v5.49.0, re-encryption does not occur again.
This process works seamlessly unless TEF is downgraded to a version earlier than v1.65.0.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
You can now filter ServiceNow records using encoded query strings and discover them in Guardrails. To get started, set the CMDB > Query policy for various resource types. For more details, refer to the ServiceNow documentation on encoded query strings.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
The maximum amount of rows that can be fetched via the query API has been increased from 5,000 to 25,000, allowing users to retrieve more data in a single request.
Any query executed via the API that ran for 2 minutes prior to this change would be timed out and no data would be returned. The query API will now return all data fetched up to that point if the 2 minute limit is reached.
Any timed out query API responses that contain data will now have a 206 (Partial Content) status, with 408 (Request Timeout) still being the status for any requests that have timed out with no data.
The GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-storage policy now respects CMDB policy settings for resource types and filters out real-time events when the policies are set to Skip or Enforce: Disabled. We recommend upgrading the gcp mod to v5.30.2 or higher in order to process real-time events correctly.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
Mute controls if you want to ignore them. The turbot_control_mute allows muting a control to help streamline operations without compromising security policies.
Bug fixes
Fixed typo in an error message while calling Guardrails APIs.
Documentation
Updated example for turbot_policy_pack resource.
Fixed spacing in turbot_turbot_directory documentation.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
Users can now select permissions (ReadOnly + Global Event Handlers or Full Remediation) to apply to the IAM role in the CFN template when importing an AWS Organization or Account.
Bug fixes
UI
Fixed an issue where the terminate process call sometimes received an empty input when terminating a queued process.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Bug fixes
Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.
The AWS > VPC > Transit Gateway Attachment > Discovery [Cross-Account] control would sometimes upsert transit gateway attachments in a deleted or deleting state. This issue is now fixed.
The AWS > VPC > Transit Gateway Attachment > CMDB control previously, in some cases, inadvertently deleted cross-account transit gateway attachments from Guardrails CMDB. This issue has now been fixed.
You can now configure a custom tag name to start/stop DB clusters via the AWS > RDS > DB Cluster > Schedule control. To get started, set the AWS > RDS > DB Cluster > Schedule Tag > Name policy.
The aws_s3_server_access_log table index is now based on the source bucket's name instead of the destination bucket's AWS account ID. We recommend deleting existing aws_s3_server_access_log partition data (e.g., tailpipe partition delete aws_s3_server_access_log.my_partition) and recollecting your data. (#89)
In version 5.35.0, we added support for importing an AWS organization into Guardrails but inadvertently introduced a bug that prevented real-time events for the aws-organizations mod from being processed correctly. This issue has now been fixed.
The GCP > Storage > Bucket > Policy > Trusted Access control previously failed to evaluate results correctly and caused internal process timeouts when Guardrails was denied access to fetch IAM policy bindings for buckets. This issue has been resolved, ensuring that the control now evaluates results and terminates correctly as expected.
The AWS > S3 > Bucket > Discovery control incorrectly went into a skipped state when the AWS > S3 > Bucket > CMDB policy was set to Enforce: Enabled but ignore permission errors. This is fixed and control will now work as expected.
Attribute github_installation_id for resource pipes_tenant_integration is now of type int instead of string.
Attribute github_installation_id for resource pipes_organization_integration is now of type int instead of string.
Attribute github_installation_id for resource pipes_user_integration is now of type int instead of string.
What's new?
Data Source pipes_organization_integration.
Data Source pipes_tenant_integration.
Data Source pipes_user_integration.
Data Source pipes_workspace.
Data Source pipes_workspace_flowpipe_pipeline.
Resource pipes_tenant_notifier.
Resource pipes_organization_notifier.
Resource pipes_user_notifier.
Resource pipes_workspace_notifier.
Resource pipes_workspace_flowpipe_mod.
Resource pipes_workspace_flowpipe_mod_variable.
Resource pipes_workspace_flowpipe_trigger.
Enhancements
Add last_activity_at attribute to the pipes_tenant_member resource to track the last time a user performed an activity in the tenant.
Add last_activity_at attribute to the pipes_organization_member resource to track the last time a user performed an activity in the organization.
Add last_activity_at attribute to the pipes_organization_workspace_member resource to track the last time a user performed an activity in the workspace.
Integrate your developer account, team or custom tenant with GitLab, enabling you to install custom Powerpipe or Flowpipe mods from public or private projects. Push changes for instant deploys and live updates.
The Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) control sometimes failed to evaluate the control state correctly. This issue is now fixed.
You can now configure a custom tag name to start/stop DB instances via the AWS > RDS > DB Instance > Schedule control. To get started, set the AWS > RDS > DB Instance > Schedule Tag > Name policy.
The AWS > CloudSearch > Domain > CMDB policy will now be set to Skip by default because the resource type has been deprecated and will be removed in the next major version. Please check end of support for more information.
Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.
We are excited to announce the release of five new Tailpipe plugins that make it easy to collect logs from various sources, e.g., AWS CloudTrail logs from S3 buckets, and then query the data with familiar SQL syntax.
In the previous version, we introduced support for fetching AWS tags on accounts imported as part of an organization. However, this inadvertently caused a bug that removed tags added via the Guardrails API or Terraform on existing account resources. This issue has now been fixed, ensuring that tags added via Guardrails are preserved for individual accounts that are not part of any organization.
Fixed pattern validation for AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN policy.
The real-time event handlers did not process account level events if the associated organization was imported using a delegated account. This is now fixed.
Guardrails now supports configurable soft limits for API and Event container memory reservations in TEF, improving ECS task scaling and resource flexibility.
Added Guardrails KMS key, a multi-region KMS key for encrypting internal Turbot Guardrails data.
Added support for Node.js 22 in the Lambda runtime.
Deprecation Notice: The SmartFolder API has been deprecated and replaced with a new Policy Pack API:
createSmartFolder → Use createPolicyPack instead.
deleteSmartFolders → Use deletePolicyPacks instead.
attachSmartFolders → Use attachPolicyPacks instead.
putSmartFolderAttachments → Use putPolicyPackAttachments instead.
updateSmartFolders → Use updatePolicyPacks instead.
detachSmartFolders → Use detachPolicyPacks instead.
The new Policy Pack API introduces targeted resource types, allowing policy packs to be associated only with specific resource types. This is an optional feature, providing more control over policy pack applicability.
Added Mute/Un-mute Controls, an alternative to policy setting exceptions. When a control is muted, it will still run in the background but will not affect compliance or trigger alerts.
Introduced the Daily Stats API, which tracks daily statistics for each account, helping users monitor trends and activity over time.
Added two new policies:
Policy Setting Levels: Defines where policy settings can be created.
Policy Pack Levels: Specifies where policy packs can be attached.
UI
Added support for muting/un-muting controls directly from the interface.
The Import Page UI has been redesigned and now supports:
AWS organization import
GitHub organization import
GCP organization import using service-account-impersonation
Added new metrics with separate charts for resources, controls, and actions, making it easier to track compliance and trends.
Bug fixes
Server
Fixed native stack (OpenTofu) and stack (Terraform) log order.
UI
Fixed log message indentation issues for improved readability.
Users can now exclude subscriptions that they do not wish to import while importing a tenant in Guardrails. To get started, set the Azure > Tenant > CMDB > Exclude policy.
Users can now create and manage tags for subscriptions. To get started, set the Azure > Subscription > Tags > * policies.
The Azure > SQL > Server > CMDB control occasionally deleted servers from Guardrails CMDB when they used the SQL authentication method. This issue has been fixed, and such resources will no longer be removed from the CMDB.
Custom tenant, organization and workspace people pages now show the last activity date for each member, allowing owners to track usage of their environments.
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.
Added pipelines to run CIS v3.0.0 benchmark. These pipelines can be used to identify Azure resources that are non-compliant with CIS recommendations and also remediate them according to CIS remediation suggestions. For usage information and a full list of pipelines, please see Azure CIS Mod.
Added 109 new 'detect and correct' pipelines to identify Azure resources that are non-compliant with common security and compliance checks. These pipelines can also remediate non-compliant automatically or with approval steps. For usage information and a full list of pipelines, please see Azure Compliance Mod.
The AWS > VPC > VPC > Flow Logging control previously attempted to destroy and recreate flow logs with CloudWatch log groups as the destination on successive runs due to an incorrect ARN reference to the log destination. This issue is now fixed, and the control will no longer unnecessarily destroy and recreate flow logs in such cases.
We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
In a previous version, we resolved an issue in the Azure > Compute > Virtual Machine Scale Set > Tags control to ensure tags were updated correctly for Scale Sets launched via the Azure Marketplace. However, the control occasionally failed to update tags for Scale Sets on certain purchase plans. This issue has now been addressed, and the control will update tags correctly and reliably for all types of Scale Sets.
We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.
Updated the filter logic on the Reports page for more accurate results.
Resolved an issue where resource links in the Permissions section redirected to the profile page instead of the resource page when grouped by resources.
Users can now define a list of events to filter out while polling for events using the Azure > Turbot > Event Poller. To get started, set the Azure > Turbot > Event Poller > Excluded Events policy.
Users can now check and enforce SQS SSE for queue encryption. To get started, configure the AWS > SQS > Queue > Encryption at Rest policy to one of the following values: Check: SQS SSE, Check: SQS SSE or higher, Enforce: SQS SSE or Enforce: SQS SSE or higher.
The GCP > Compute Engine > Instance > Serial Port Access and GCP > Compute Engine > Instance > Block Project Wide SSH Keys controls would sometimes go into an error state due to incorrect references to CMDB attributes. This is fixed and the controls will now work as expected.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
Bug fixes
Guardrails would fail to delete unapproved ingress rules when the Azure > Network > Network Security Group > Ingress Rules > Approved policy was set to Enforce: Delete unapproved. This is now fixed.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
Bug fixes
Guardrails would sometimes update the createTimestamp for Web Apps and Function Apps incorrectly when processing update events for these resources. We have updated the internal logic to ensure the createTimestamp is now updated correctly and more reliably than before.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
Bug fixes
Disks created alongside VMs sometimes lacked createdBy details in their metadata. The internal logic has been updated to ensure createdBy details are added more reliably for these disks.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
The GCP > IAM > Service Account Key > Active control has been updated to use validAfterTime instead of metadata.createTimestamp to accurately evaluate the age of the resource.
The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.
Users can now check and delete DB clusters that are not approved for use if they lack encryption at rest. To get started, set the AWS > RDS > DB Cluster > Approved > Encryption at Rest > * policies.
Policy Types
AWS > RDS > DB Cluster > Approved > Encryption at Rest
AWS > RDS > DB Cluster > Approved > Encryption at Rest > Customer Managed Key
Users can now check if their account spend is On Target per Budget. To get started, set the AWS > Account > Budget > Enabled policy to Check: Budget > State is On Target.
Resolved an issue where actor information was not being passed correctly during the process execution, ensuring accurate tracking and processing of actor-related data.
The AWS > VPC > Route > CMDB control would go into an error state due to an incorrect use of a function from an internal node package. This is now fixed.
Guardrails would sometimes update the createdBy details for storage accounts due to mishandled real-time update events. This issue has been fixed, and createdBy details will now be stored more reliably and consistently than before.
In a previous version, we inadvertently introduced a bug that prevented the createTimestamp details from being stored in the metadata of new storage accounts upserted in Guardrails CMDB. This issue has now been resolved, and createTimestamp details are now stored correctly and reliably.
Added error, is_public, resource_owner_account and resource_type optional quals for aws_accessanalyzer_finding table. (#2331) (Thanks @dbermuehler for the contribution!)
Updated the aws_s3_object table to use the HeadObject API to retrieve object metadata. (#2312) (Thanks @JonMerlevede for the contribution!)
Bug fixes
Fixed the aws_s3_bucket table to correctly return data by ignoring the not found error in getBucketTagging and getBucketWebsite hydrate functions. (#2335)
The AWS > VPC > VPC > Flow Logging control would sometimes fail to update flow logs if the Max Aggregation Interval in the stack's source policy was updated. This is fixed and the stack control will now update such resources correctly, as expected.
Users can now configure the maximum aggregation interval in the AWS > VPC > VPC > Flow Logging control. To get started, set the AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval policy and/or AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval policy.
Added multi_region and multi_region_configuration columns to aws_kms_key table. (#2338) (Thanks @pdecat for the contribution!)
Bug fixes
Fixed the comparison operator (<= or >=) for number and date filter in aws_inspector2_finding table. (#2332) (Thanks @dbermuehler for the contribution!)
Added labels and tags columns to the gcp_compute_global_forwarding_rule table. (#678) (Thanks @pdecat for the contribution!)
Added database_installed_version and maintenance_version columns to the gcp_sql_database_instance table. (#677) (Thanks @pdecat for the contribution!)
Bug fixes
Fixed the gcp_compute_instance_group table to correctly return data for regional instance groups' instances column. (#670) (Thanks @pdecat for the contribution!)
Fixed the kubernetes_node_pool table to correctly return data instead of an error for node pools with auto-pilot disabled. (#668) (Thanks @multani for the contribution!)
Controls previously targeting the AWS > IAM > Credential Report resource type have now been updated to target either the AWS > IAM > Root or AWS > IAM > User resource types, depending on the specific control requirements. This adjustment more accurately aligns each control with the relevant resources, enabling more precise and targeted checks.
Fixed the elb_application_lb_waf_enabled query to correctly flag ELB application load balancers as alarm when the associated WAF is disabled. (#840)
Fixed the cloudfront_distribution_custom_origins_encryption_in_transit_enabled query to remove duplicate AWS CloudFront distributions from the result. (#829) (Thanks to @sbldevnet for the contribution!)
Fixed the where clause of the cloudfront_distribution_use_secure_cipher query to correctly check if the CloudFront distributions have insecure cipher protocols. (#827) (Thanks to @sbldevnet for the contribution!)
The Azure > Security Center > Security Center > Auto Provisioning control is now deprecated and will now move to an Invalid state if enforcements are applied. This follows the deprecation plan announcement from Azure. The control will be removed in a future mod version.
Control Types
Renamed
Azure > Security Center > Security Center > Auto Provisioning to Azure > Security Center > Security Center > Auto Provisioning [Deprecated]
Policy Types
Renamed
Azure > Security Center > Security Center > Auto Provisioning to Azure > Security Center > Security Center > Auto Provisioning [Deprecated]
Action Types
Removed
Azure > Security Center > Security Center > Update Auto Provisioning
Cleaned up documentation and standardized the file naming conventions of *.ppvars.example files across the following 24 mods to ensure alignment with the Powerpipe v1.0.0 release:
Added ebs_encryption_by_default_enabled and vpc_security_group_restrict_ingress_cifs_port_all controls to the All Controls benchmark. (#835)
Enhancements
Added the ebs_encryption_by_default_enabled control to the rbi_cyber_security_annex_i_1_3 benchmark. (#835)
Set python3.8 as deprecated Lambda runtime in lambda_function_use_latest_runtime control. (#833) (Thanks to @sbldevnet for the contribution!)
Updated iam_access_analyzer_enabled_without_findings and ssm_document_prohibit_public_access controls to use latest columns and tables from the AWS plugin. (#835)
Bug fixes
VPC security group rule controls that check for restricted port access now correctly detect rules with ports in a port range instead of only exact port matches. (#835)
Fixed the 2.2.1 control in CIS v1.5.0, v2.0.0, v3.0.0 benchmarks to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)
Fixed the fedramp_moderate_rev_4_sc_28 benchmark to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)
Deprecated
Deprecated the ec2_ebs_default_encryption_enabled control and query. Please use the ebs_encryption_by_default control and query instead.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
In version 5.5.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Security Center resources in Guardrails. However, this caused controls to enter an error state for US Gov cloud subscriptions because the APIs did not work as expected. We have now updated dependencies that are compatible with both commercial and US Gov cloud subscriptions, ensuring that controls in both environments will work as expected.
The Azure > Security Center > Security Center > CMDB control would go into an error state if it was not able to fetch policy assignment details correctly. This issue has now been fixed.
In version 5.8.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Monitor resources in Guardrails. However, this caused controls to enter an error state for US Gov cloud subscriptions because the APIs did not work as expected. We have now updated dependencies that are compatible with both commercial and US Gov cloud subscriptions, ensuring that controls in both environments will work as expected.
In version 5.9.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing DNS resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.
In version 5.18.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Compute resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.
In version 5.4.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing API Management resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.
Added 84 new 'detect and correct' pipelines to identify AWS resources that are non-compliant with common security and compliance checks. These pipelines can also remediate non-compliant automatically or with approval steps. For usage information and a full list of pipelines, please see AWS Compliance Mod.
Added pipelines to run CIS v3.0.0 and v4.0.0 benchmarks. These pipelines can be used to identify AWS resources that are non-compliant with CIS recommendations and also remediate them according to CIS remediation suggestions. For usage information and a full list of pipelines, please see AWS CIS Mod.
In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
We’re excited to announce the v1.0.0 release of 116 Steampipe plugins!
While there are no significant changes in the new plugin versions, this release aligns with Steampipe's v1.0.0 launch. The plugins now adhere to semantic versioning, ensuring backward compatibility within each major version.
In v5.3.1, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Key Vault resources in Guardrails. This release includes breaking changes in the CMDB data for key, and secret. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below:
KeyVault > Vault
Added :
enableSoftDelete
publicNetworkAccess
enableRbacAuthorization
KeyVault > Key
Added :
hsmPlatform
Removed:
key.e
key.n
KeyVault > Secret
Modified :
ID property does not contain the secret version.
Removed:
expires
updated
created
Bug fixes
The Azure > Key Vault > Key > CMDB control would go into an error state while fetching key rotation policy details for managed keys. The control will no longer attempt to fetch the key rotation policy details for such keys and will work as expected.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
You can now check if flexible servers have a TLS version setting of 1.2 or higher enabled. To get started, set the Azure > MySQL > Flexible Server > Set Minimum TLS Version policy to Check: TLS 1.2 or higher.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage resources in Guardrails. This release includes breaking changes in the CMDB data for Azure. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Azure > Management Group
Modified :
The value of type property is updated as type: Microsoft.Management/managementGroups, earlier it was /providers/Microsoft.Management/managementGroups
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage SQL resources in Guardrails. This release includes breaking changes in the CMDB data for server, database, and elasticpool. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below:
Renamed:
transparentDataEncryption.status to transparentDataEncryption.state
databaseThreatDetectionPolicy to databaseSecurityAlertPolicy
The value of the attribute serverAzureADAdministrator.name has been changed from string (activeDirectory) to string (ActiveDirectory).
The data type of the attribute databaseThreatDetectionPolicy.disabledAlerts has been changed from string ("") to object ([]).
The data type of the attribute databaseThreatDetectionPolicy.emailAddresses has been changed from string ("") to object ([]).
The data type of the attribute databaseThreatDetectionPolicy.emailAccountAdmins has been changed from string (Disabled/Enabled) to boolean (false/true).
The data type of the attribute disabledAlerts has been changed from string ("") to object ([]).
Removed:
databaseThreatDetectionPolicy.useServerDefault
Bug fixes
Improved descriptions for various resource types to ensure they are clearer and more helpful.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Monitor resources in Guardrails. This release includes changes in the CMDB data for action groups.
Added:
tags
kind
Resource Types
Azure > Monitor > Metric Alert
Control Types
Azure > Monitor > Action Group > Tags
Azure > Monitor > Metric Alert > Active
Azure > Monitor > Metric Alert > Approved
Azure > Monitor > Metric Alert > CMDB
Azure > Monitor > Metric Alert > Discovery
Azure > Monitor > Metric Alert > Tags
Policy Types
Azure > Monitor > Action Group > Tags
Azure > Monitor > Action Group > Tags > Template
Azure > Monitor > Metric Alert > Active
Azure > Monitor > Metric Alert > Active > Age
Azure > Monitor > Metric Alert > Active > Last Modified
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Managed Identity resources in Guardrails. This release includes changes in the CMDB data as below.
The AWS > Account > Budget > Budget control would enter an error state for US Gov cloud accounts because the budget APIs are not supported for these accounts. We have updated the control to avoid making these API calls and instead rely on the AWS > Account > Budget > State policy being updated periodically, allowing the control to evaluate the outcome correctly.
You can now configure and manage CI Relationships for various Kubernetes resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
You can now configure and manage CI Relationships for projects in ServiceNow. To get started, set the GCP > Project > ServiceNow > Relationships > * policies.
You can now configure and manage CI Relationships for subscriptions in ServiceNow. To get started, set the Azure > Subscription > ServiceNow > Relationships > * policies.
You can now configure and manage CI Relationships for accounts in ServiceNow. To get started, set the AWS > Account > ServiceNow > Relationships > * policies.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage DNS resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Removed:
tTL
Bug fixes
Improved descriptions for various resource types to ensure they are clearer and more helpful.
You can now configure and manage CI Relationships for various network resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
You can now configure and manage CI Relationships for various compute engine resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
Control Types
GCP > Compute Engine > Disk > ServiceNow > Relationships
You can now configure and manage CI Relationships for various network resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
Control Types
Azure > Network > Application Security Group > ServiceNow > Import Set
You can now configure and manage CI Relationships for various compute resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.
Control Types
Azure > Compute > Availability Set > ServiceNow > Relationships
Azure > Compute > Disk > ServiceNow > Relationships
You can now configure and manage CI Relationships for global regions, multi-regions, regions and zones in ServiceNow. To get started, set the GCP > Global Region > ServiceNow > Relationships > *, GCP > Multi-Region > ServiceNow > Relationships > *, GCP > Region > ServiceNow > Relationships > * and GCP > Zone > ServiceNow > Relationships > * policies respectively.
Control Types
GCP > Global Region > ServiceNow > Relationships
GCP > Multi-Region > ServiceNow > Relationships
GCP > Region > ServiceNow > Relationships
GCP > Zone > ServiceNow > Relationships
Policy Types
GCP > Global Region > ServiceNow > Relationships
GCP > Global Region > ServiceNow > Relationships > Template
You can now configure and manage CI Relationships for buckets and objects in ServiceNow. To get started, set the GCP > Storage > Bucket > ServiceNow > Relationships > * and GCP > Storage > Object > ServiceNow > Relationships > * policies respectively.
You can now configure and manage CI Relationships for resource groups in ServiceNow. To get started, set the Azure > Resource Group > ServiceNow > Relationships > * policies.
Control Types
Azure > Resource Group > ServiceNow > Relationships
Policy Types
Azure > Resource Group > ServiceNow > Relationships
Azure > Resource Group > ServiceNow > Relationships > Template
You can now configure and manage CI Relationships for elastic IPs, internet gateways and NAT gateways in ServiceNow. To get started, set the AWS > VPC > Elastic IP > ServiceNow > Relationships > *, AWS > VPC > Internet Gateway > ServiceNow > Relationships > * and AWS > VPC > NAT Gateway > ServiceNow > Relationships > * policies respectively.
Control Types
AWS > VPC > Elastic IP > ServiceNow > Relationships
You can now configure and manage CI Relationships for flow logs, network ACLs, security groups and security group rules in ServiceNow. To get started, set the AWS > VPC > Flow Log > ServiceNow > Relationships > *, AWS > VPC > Network ACL > ServiceNow > Relationships > *, AWS > VPC > Security Group > ServiceNow > Relationships > * and AWS > VPC > Security Group Rule > ServiceNow > Relationships > * policies respectively.
You can now configure and manage CI Relationships for route tables, subnets and VPCs in ServiceNow. To get started, set the AWS > VPC > Route Table > ServiceNow > Relationships > *, AWS > VPC > Subnet > ServiceNow > Relationships > * and AWS > VPC > VPC > ServiceNow > Relationships > * policies respectively.
You can now configure and manage CI Relationships for buckets in ServiceNow. To get started, set the AWS > S3 > Bucket > ServiceNow > Relationships > * policies.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage compute resources in Guardrails. This release includes breaking changes in the CMDB data for virtual machine. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below
Added:
In Azure > Compute > Disk:
supportedCapabilities.diskControllerTypes
diskIopsReadWrite
lastOwnershipUpdateTime
In Azure > Compute > Virtual Machine:
resources
timeCreated
etag
In Azure > Compute > Virtual Machine Scale Set:
constrainedMaximumCapacity
etag
scaleInPolicy
timeCreated
upgradePolicy
storageProfile. diskControllerType
In Azure > Compute > Snapshot:
dataAccessAuthMode
incrementalSnapshotFamilyId
Removed:
In Azure > Compute > Virtual Machine:
statuses.time
Bug fixes
Improved descriptions for various resource types to ensure they are clearer and more helpful.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below
Renamed:
JitNetworkAccessPolicies to jitNetworkAccessPolicies
Pricing to pricing
Locations to locations
Bug fixes
Improved descriptions for various resource types to ensure they are clearer and more helpful.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Front Door Service resources in Guardrails. This release includes breaking changes in the CMDB data for Front Door Service. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
The AWS > RoboMaker > Robot Application > CMDB, AWS > RoboMaker > Fleet > CMDB and AWS > RoboMaker > Robot > CMDB policies will now be set to Skip by default because the resource types have been deprecated and will be removed in the next major version. Please check end of support for more information.
Track and manage Fargate FIPS Mode for Gov cloud accounts via Guardrails. To get started, set the AWS > ECS > Account Settings > Fargate FIPS Mode policy.
The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Insights resources in Guardrails. This release includes changes in the CMDB data as below.
Added:
flowType
requestSource
Bug fixes
Improved descriptions for various resource types to ensure they are clearer and more helpful.
Users can now manage whether AWS/User grant should include support:* permissions. To get started, set the AWS > Account > Permissions > Support Level policy.
Policy Types
AWS > Account > Permissions > Support Level
Bug fixes
The AWS > Turbot > IAM stack control did not correctly evaluate user memberships in custom IAM groups when the AWS > Turbot > Permissions > Custom Group Levels [Account] policy was set, and users were granted permissions for those custom IAM groups. This issue has now been fixed.
A precheck dependency on the Kubernetes > Cluster > CMDB > Expiration policy was inadvertently added to the Kubernetes > Cluster > CMDB control. This precheck condition has now been removed.
Fixed the rules column in okta_signon_policy, okta_password_policy, okta_idp_discovery_policy and okta_authentication_policy tables to correctly return data instead of null. (#145)
Initial release with support for running Powerpipe benchmarks and controls, creating annotations for Infrastructure as Code (IaC) checks, and uploading snapshots to Turbot Pipes.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage PostgreSQL resources in Guardrails. This release includes breaking changes in the CMDB data for server and flexible server. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below
Added:
authConfig
dataEncryption
standbyAvailabilityZone
network. delegatedSubnetResourceId
network. privateDnsZoneArmResourceId
replicaCapacity
replicationRole
systemData
configurations.documentationLink
configurations.isConfigPendingRestart
configurations.isDynamicConfig
configurations.isReadOnly
configurations.unit
Modified:
The data type of the attribute firewallRules has been changed from array ([]) to object ({}).
Bug fixes
Improved descriptions for various resource types to ensure they are clearer and more helpful.
Fixed an issue where credentials from the imported foreign schema were lost after restarting the session in the Postgres FDW extension of the plugin. (#2275)
The serviceProperties.table.clientRequestId and serviceProperties.table.requestId properties for storage accounts have now been made dynamic to avoid unnecessary notifications in the activity tab.
Added the ability to configure plugin startup timeout. (#4320)
Installed FDW and embedded Postgres database from GHCR instead of GCP. (#4344)
Updated query JSON output format to add a columns property containing the column information. This allows us to handle duplicate column names by appending a unique suffix to duplicate column name (#4317)
Existing query JSON format:
$ steampipe query "select account_id, arn from aws_account" --output json
{
"rows": [
{
"account_id": "123456789012",
"arn": "arn:aws:::123456789012"
}
]
}
New query JSON format(with new columns property):
$ steampipe query "select account_id, arn from aws_account" --output json
{
"columns": [
{
"name": "account_id",
"data_type": "text"
},
{
"name": "arn",
"data_type": "text"
}
],
"rows": [
{
"account_id": "123456789012",
"arn": "arn:aws:::123456789012"
}
]
}
Bug fixes
Fixed the issue where the plugin manager was incorrectly reporting a shutdown. (#4365)
Updated the aws_ec2_ami table to correctly return disabled AMIs on passing the disabled value to the state optional qual (where state = 'disabled'). (#2277)
Added 100+ new columns across all tables per AWS Go SDK v2 1.27.0. (#2139)
Added Australian Cyber Security Center (ACSC) Essential Eight benchmark (powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight). (#823)
Volume's metadata will now also include createdBy details in Guardrails CMDB.
The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
The AWS > EC2 > Volume > Performance Configuration control would sometimes fail to set the expected configuration per AWS > EC2 > Volume > Performance Configuration > * policies and move to an Invalid state if the required data was not available for new volumes in the CMDB. The control will now move to TBD instead and retry after 5 minutes to fetch the required data correctly and set the performance configuration as expected.
We have updated various policies set during project imports to allow for a smoother import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
You can now configure Master Authorized Networks for region and zone clusters via Guardrails. To get started, set the GCP > Kubernetes Engine > Region Cluster > Master Authorized Networks Config and GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config policies respectively.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
We have updated various policies set during subscription imports to allow for a smoother import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Bug fixes
In version 5.25.0, we added support to ignore permission errors on a bucket via the CMDB policy Enforce: Enabled but ignore permission errors. However, the CMDB control previously ignored permission errors only on the HeadBucket operation and still entered an error state for permission errors on sub-API calls. The CMDB control will now ignore all sub-API calls if the HeadBucket operation is denied access. If the HeadBucket operation is successful, the control will attempt to make all sub-API calls and ignore access denied errors if encountered.
The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
Bug fixes
The AWS > VPC > VPC > Stack control would sometimes go into an error state while upserting newly created flow logs in Guardrails due to incorrect mapping of its parent resource. This issue has now been fixed, and the control will upsert flow logs more consistently and reliably than before.
The AWS > Turbot > Logging > Bucket > Default Encryption policy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via the AWS > Turbot > Logging > Bucket stack control will now be encrypted by AWS SSE by default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the @turbot/aws-s3 mod to v5.26.0 for the stack control to work reliably as before.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now configure the Terraform version for the AWS > Config > Configuration Recording stack control. To get started, set the AWS > Config > Configuration Recording > Terraform Version policy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably.
Policy Types
AWS > Config > Configuration Recording > Terraform Version
The euuid column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linode accounts. (#56)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#60)
Added the version flag to the plugin's Export tool. (#65)
Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#55)
Users can now create and manage labels on Pub/Sub topics created via the GCP > Turbot > Event Handlers > Pub/Sub control. To get started, set the GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels policy.
Guardrails failed to cleanup deleted security group rules via the real-time ec2:RevokeSecurityGroupEgress and ec2:RevokeSecurityGroupIngress events. This issue is now fixed.
The AWS > Turbot > Event Handlers control did not correctly raise the real-time CreateTags and DeleteTags events for VPC security group rules. This issue is now fixed.
Added location_type column as an optional qual to the aws_ec2_instance_availability table and 6 new columns to the aws_ec2_instance_type table. (#2078)
Updated docs for aws_appautoscaling_policy and aws_appautoscaling_target tables to add information on required quals. (#2247)
Added the type column as an optional qual to the aws_auditmanager_control table. (#2254)
Bug fixes
Fixed the GetConfig definition of the aws_auditmanager_control table to correctly return data instead of an error. (#2254)
Fixed the aws_kms_key_rotation table to correctly return nil whenever an AccessDeniedException error is returned by the API. (#2253)
Fixed the caching issue in the standalone plugin FDW extensions. (#480)
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
You can now disable inactive or unapproved service accounts via Guardrails. To get started, set the GCP > IAM > Service Account > Active or GCP > IAM > Service Account > Approved policy to Enforce: Disable inactive with <x> days warning or Enforce: Disable unapproved respectively.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
The AWS > ECR > Repository > CMDB control went into an error state for shared repositories upserted incorrectly in Guardrails CMDB. Shared repositories will now not be upserted under shared accounts or regions, but will only be upserted under their owner accounts and regions.
Fixed the storage_account_block_public_access query to correctly check if the public_network_access column of the azure_storage_account table is correctly set to disabled or not as per the CIS documentation. (#277)
Added NIST 800-172 benchmark (powerpipe benchmark run aws_compliance.benchmark.nist_800_172). (#807)
Bug fixes
Fixed sqs_queue_encrypted_at_rest query to ensure queues using SQS-SSE encryption at rest remain in an ok state instead of alarm. (#805) (Thanks @duncward for the contribution!)
Functionality for resource resources/pipes_workspace_connection moved to manage connections at the workspace level. Previously, the resource used to manage attachment of connections to the workspace defined at the respective identity level. Please follow the migration guide for migrating your existing configuration into the new model.
Resource resources/pipes_connection does not support management of user level connections in line with changes in Pipes.
The Azure > Resource Group > ServiceNow > Configuration Item control would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.
The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.
We've updated internal dependencies and now use the latest Azure SDK versions to poll events from Azure Monitor and process them in Guardrails. You won't notice any difference, and things will continue to work smoothly as before.
AWS/DynamoDB/Admin, AWS/DynamoDB/Metadata and AWS/DynamoDB/Operator now include permissions for Resource Policy, Imports, Time to Live and Global Table Version.
Users can now enable/disable Table logging for Storage Accounts via Azure > Storage > Storage Account > Table > Logging control. To get started, set the Azure > Storage > Storage Account > Table > Logging policy.
Control Types
Azure > Storage > Storage Account > Encryption at Rest
The Storage Account CMDB data will now also include information about the account's table service properties.
We've removed the dependency on listKeys permission for Azure > Storage Account > Container > Discovery to run its course to completion. This release includes breaking changes in the CMDB data for containers. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
isImmutableStorageWithVersioningEnabled to isImmutableStorageWithVersioning.enabled
Removed:
preventEncryptionScopeOverride
Bug fixes
The Azure > Storage > Storage Account > CMDB control would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access for listKeys, and will run its course to completion without going into an error state.
Improved error message for the AWS > S3 > Bucket > CMDB control if it would go into an error state due to insufficient permissions for the headBucket operation.
You can now create connections at the custom tenant, organization or workspace level in Pipes, along with grouping of these within folders to allow easier sharing of related connections.
This is coupled with a fine-grained permissions model, allowing you to share connections & folders broadly across a custom tenant, or restrict access to specific organizations and/or their workspaces.
Kubernetes > StatefulSet > osquery > Configuration > Name
Action Types
Kubernetes > Cluster > Router
Kubernetes > CronJob > Router
Kubernetes > DaemonSet > Router
Kubernetes > Ingress > Router
Kubernetes > Job > Router
Kubernetes > Persistent Volume > Router
Kubernetes > ReplicationController > Router
Kubernetes > StatefulSet > Router
Bug fixes
CMDB controls for various resources sometimes failed to process a large number of updates that occurred in quick succession via Cluster events. We’ve improved our GraphQL queries to handle such a load, and the controls will now be able to process such events more smoothly and reliably than before.
The AWS > S3 > Bucket > CMDB control would go into an error state if Guardrails did not have permissions to call the headBucket operation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > S3 > Bucket > CMDB policy to Enforce: Enabled but ignore permission errors.
In the previous version, we fixed an issue with the Azure > App Service > Web App > Client Certificate Mode control, ensuring that the Client Certificate Mode is set to Require correctly. However, we missed an edge case where the control wouldn’t enforce any mode other than the default setting of Ignore. We have now addressed all cases, and the control will work more reliably and consistently than before.
Added 22 detect and correct pipelines to identify unused and underutilized GCP resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see GCP Thrifty Mod.
Added 24 detect and correct pipelines to identify unused and underutilized Azure resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see Azure Thrifty Mod.
The Import Set policies for various Kubernetes resources will no longer include the Enforce: Sync policy value for integrating Import Sets in ServiceNow.
The Azure > Storage > Storage Account > Queue > Logging control failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.
Fixed issue where local Docker config for the credential store was used when installing plugins from GHCR, enabling installation from GHCR to work even if docker-credential-desktop is not in PATH. (#4323)
Fixed issue where Steampipe returned a 0 exit code even if it failed to export a snapshot. (#4276)
Fixed issue where the query command did not support the legacy 'true' and 'false' values for the --timing flag. (#4282)
Fixed issue where SPS output was not working. (#4297)
Fixed issue where loading connection plugins did not return successfully created connections if some connections failed due to the configuration not being available. (#474)
Fixed issue where scan info in query JSON output was shown even when the timing configuration was not set to verbose. (#4292)
Users can now configure Shielded Instance Configuration for instances. To get started, set GCP > Compute > Instance > Shielded Instance Configuration > * policies.
The Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) control will also evaluate SQL databases for SKU Basic/Consumption.
Control Types
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
Policy Types
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group flow logs are captured and sent to Log Analytics
Bug fixes
The Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key control did not evaluate the result correctly, as expected. This is now fixed.
Users can now upgrade the SKU from Basic to Standard for Public IP Addresss via Azure > Network > Public IP Address > Standard SKU control. To get started, set the Azure > Network > Public IP Address > Standard SKU policy.
Control Types
Azure > Network > Public IP Address > Standard SKU
Policy Types
Azure > Network > Public IP Address > Standard SKU
Azure > Network > Public IP Address > Standard SKU > SKU Tier
Action Types
Azure > Network > Public IP Address > Update SKU to Standard
We've added guardrails to help secure access to your database accounts' public endpoints. All database accounts have public endpoints that are accessible through the internet by default. This access can be limited to specific IP ranges, virtual network subnets, and trusted Microsoft services by defining firewall and virtual network rules.
To get started configuring these rules through Guardrails, the following policies should set according to your desired firewall rules configuration:
Azure > Cosmos DB > Database Account > Firewall - Configure default access rules for the public endpoint
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved - Remove unapproved IP ranges
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required - Grant access to specific IP ranges
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved - Remove unapproved virtual network subnets
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required - Grant access to specific virtual network subnets
Please note that if the Azure > Cosmos DB > Database Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the database accounts.
Control Types
Azure > Cosmos DB > Database Account > Firewall
Azure > Cosmos DB > Database Account > Firewall > IP Ranges
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
Various Discovery and CMDB controls entered an error state because they used outdated APIs that no longer functioned as expected. We have updated internal package dependencies, and those controls now operate smoothly as intended.
Resolved an issue where an empty outbound_cidr_ranges SSM parameter caused a validation error. Now, if the outbound_cidr_ranges parameter is empty, it will be set to None.
What's new?
Added M7i and M7i-flex instance type.
Updated the HealthCheckProxy lambda function to use python 3.10.
The GCP > Project > CMDB control went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.
Users can now configure authorized networks for instances in Guardrails. To get started, set the GCP > SQL > Instance > Authorized Network > * policies.
Users can now configure Database Flags for instances in Guardrails. To get started, set the GCP > SQL > Instance > Database Flags policy.
Users can now clean up and stop tracking SQL resources in Guardrails. To get started, set the GCP > SQL > CMDB policy to Enforce: Disabled.
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes breaking changes in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
serviceProperties.blob.DeleteRetentionPolicy to serviceProperties.blob.deleteRetentionPolicy
serviceProperties.blob.DeleteRetentionPolicy.Days to serviceProperties.blob.deleteRetentionPolicy.days
serviceProperties.blob.DeleteRetentionPolicy.Enabled to serviceProperties.blob.deleteRetentionPolicy.enabled
serviceProperties.blob.StaticWebsite to serviceProperties.blob.staticWebsite
serviceProperties.blob.StaticWebsite.Enabled to serviceProperties.blob.staticWebsite.enabled
serviceProperties.blob.logging to serviceProperties.blob.blobAnalyticsLogging
serviceProperties.queue.logging to serviceProperties.queue.queueAnalyticsLogging
The data type of the attribute serviceProperties.blob.cors has been changed from string ("") to array ([]).
The data type of the attribute serviceProperties.queue.cors has been changed from string ("") to array ([]).
Users can now enable/disable Blob logging for storage accounts. To get started, set the Azure > Storage > Storage Account > Blob > Logging > * policies.
Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the Azure > Storage > Storage Account > Approved > Infrastructure Encryption policy.
The domain column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Okta organizations. (#120)
Added support to specify the time period in .spc file for max retries, request timeout, and max backoff time as required. (#112)
Added profile column to the okta_factor table. (#130)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#120)
The organization_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linear accounts. (#34)
Bug fixes
Fixed the plugin to correctly check for a valid Personal Access token. (#33)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#34)
Guardrails failed to process real-time snapshot events if the AWS > EC2 > Snapshot > CMDB policy was set to Enforce: Enabled for Snapshots not created with AWS Backup. This issue has now been fixed.
Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.
Users can now enable/disable Trusted Launch for all second generation virtual machines. To get started, set the Azure > Compute > Virtual Machine > Trusted launch policy.
You can now configure Encryption at Rest for Disks. To get started, set the Azure > Compute > Disk > Encryption at Rest > * policies.
User can now register web apps with Entra ID to connect to other Azure services securely without the need for usernames and passwords. To get started, set the Azure > App Service > Web App > System Assigned Identity policy.
Diagnostic Settings details will now also be available for Web Apps in Guardrails CMDB.
Control Types
Azure > App Service > Web App > System Assigned Identity
Policy Types
Azure > App Service > Web App > System Assigned Identity
Action Types
Azure > App Service > Web App > Set System Assigned Identity
Bug fixes
The Azure > App Service > Web App > FTPS State control failed to set the FTPS State correctly for web apps. This issue is now fixed.
Account Password Policy details did not refresh correctly in Guardrails CMDB if those settings were reset to defaults in AWS. This resulted in the AWS > IAM > Account Password Policy > Settings control not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.
Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.
Default policy values for ServiceNow > Application > CMDB, ServiceNow > Cost Center > CMDB & ServiceNow > User > CMDB have been updated from Enforce: Enabled to Skip.
The OUTBOUND_SECURITY_GROUP_ID environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.
The Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.
The AWS > RDS > DB Instance > Approved control will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set the AWS > RDS > DB Cluster > Approved > * policies.
The AWS > RDS > DB Instance > Approved control did not stop an unapproved instance if the corresponding policy was set to Enforce: Stop unapproved or Enforce: Stop unapproved if new, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.
The creation of the EncryptionInTransit TopicPolicy has shifted from a custom resource to AWS CloudFormation’s AWS::SNS::TopicPolicy.
Bug fixes
Server
Changes to notifications introduced in version 5.44.2 have been rolled back due to issues with specific queries. This action restores previous functionality and ensures stability across the platform.
Made notifications faster by improving the query, which enhances the performance of the activity tab.
UI
The Depends-on tab on the controls page has been renamed to Related. It now includes the information from the Depends-on tab along with additional related controls information.
Bug fixes
Server
Fixed an issue where sometimes an older mod version was used instead of the latest one after a mod upgrade. Now, the cache is properly updated to always use the latest version.
The Azure > Network > Network Security Group > Ingress Rules > Approved control would sometimes fail to revoke rejected rules when the corresponding policy was set to Enforce: Delete unapproved. This has been fixed, and the control will now work more reliably and consistently than before.
The GCP > Project > CMDB control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.
Users can now configure Auto Provisioning for Azure Security Center in Guardrails. To get started, set the Azure > Security Center > Security Center > Auto Provisioning policy.
Control Types
Azure > Security Center > Security Center > Auto Provisioning
Policy Types
Azure > Security Center > Security Center > Auto Provisioning
Action Types
Azure > Security Center > Security Center > Update Auto Provisioning
Updated aws_s3_bucket, aws_s3_bucket_intelligent_tiering_configuration, aws_s3_object and aws_s3_object_version tables to use HeadBucket API instead of GetBucketLocation to fetch the region that the bucket resides in. (#2082) (Thanks @pdecat for the contribution!)
Added column create_time to aws_ec2_key_pair table. (#2196) (Thanks @kasadaamos for the contribution!)
Added instance_type column as an optional qual to the aws_ec2_instance_type table. (#2200)
Bug fixes
Fixed the akas column in aws_health_affected_entity table to correctly return data instead of an error by handling events that do not have any ARN. (#2189)
Fixed cname and endpoint_url columns of aws_elastic_beanstalk_environment table to correctly return data instead of null. (#2201)
Fixed the aws_api_gatewayv2_* tables to correctly return data instead of an error by excluding support for the new unsupported il-central-1 region. (#2190)
The login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Jira connections. (#119)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#128)
Added the version flag to the plugin's Export tool. (#65)
Bug fixes
Fixed pagination in the jira_board table to correctly return all the data instead of partial results. (#127)
Fixed the public_network_access_for_ingestion and the public_network_access_for_query columns of the azure_application_insight table to be of String data type instead of JSON. (#769)
Fixed the azure_role_assignment table to correctly return values for principal_id and principal_type columns instead of null. (#763)
Fixed the web_application_firewall_configuration column of the azure_application_gateway table to correctly return data instead of null. (#770)
Users can now skip upserting snapshots in Guardrails CMDB if they are created via the AWS Backup service. To get started, set the AWS > EC2 > Snapshot > CMDB policy to Enforce: Enabled for Snapshots not created with AWS Backup.
The AWS > Turbot > Service Roles > Source policy went to an invalid state if all but the AWS > Turbot > Service Roles > Event Handlers [Global] policy was enabled. This issue impacted the AWS > Turbot > Service Roles stack control, preventing the role from being created correctly. This has been fixed, and the AWS > Turbot > Service Roles > Source policy will now work as expected.
The AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate the result correctly, as expected. This is now fixed.
Updated JSON and snapshot output to handle duplicate column names - append a unique suffix to duplicate column names. (#375)
Bug fixes
Fixed bug when generating a snapshot from a benchmark run, the row data is empty if any of the rows are in error. (#366)
Updated mod install to only install or update mods which are command targets (and their dependencies). Set default pull mode for install is latest if there is a target, and minimal if no target is given. (#381)
Fixed incorrect help message for output in powerpipe benchmark/control run. (#367)
Fixed issue where POWERPIPE_PORT env var was not being honoured. (#362)
Updated timing metadata output to rename duration field to duration_ms for consistency with steampipe. (#368)
Dashboard graph should not crash if an invalid edge category color is provided. (#364)
Dashboard flow/hierarchy components should show panel controls. (#363)
Updated output formats
The rows property in the JSON and snapshot output will now have unique column names for duplicate column names.
The columns property will have the original column name as original_name.
For example, for the query:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output pps
Here is the updated JSON output:
powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output json
{
"columns": [
{
"name": "title",
"data_type": "text"
},
{
"name": "title_t5zj1",
"data_type": "text",
"original_name": "title"
},
{
"name": "title_t5zj2",
"data_type": "text",
"original_name": "title"
}
],
"rows": [
{
"title": "arn:aws:::882789663776",
"title_t5zj1": "882789663776",
"title_t5zj2": "882789663776"
},
],
"metadata": {
"rows_returned": 3,
"duration_ms": "202ms"
}
}
Here is the updated snapshot output:
{
"schema_version": "20240130",
"panels": {
"custom.dashboard.sql_e5br7b82": {
"dashboard": "custom.dashboard.sql_e5br7b82",
"name": "custom.dashboard.sql_e5br7b82",
"panel_type": "dashboard",
"source_definition": "",
"status": "complete",
"title": "Custom query [e5br7b82]"
},
"custom.table.results": {
"dashboard": "custom.dashboard.sql_e5br7b82",
"name": "custom.table.results",
"panel_type": "table",
"source_definition": "",
"status": "complete",
"sql": " select arn as title, account_id as title, title as title from aws_account",
Updated the existing Flags attribute to include new specific flags that control the operation of Mod Lambda functions within a Virtual Private Cloud (VPC). This update allows Lambdas to use static IP addresses, improving network stability and predictability across different cloud environments.
New flags Added to Flags Attribute:
LAMBDA_IN_VPC_AWS
LAMBDA_IN_VPC_AZURE
LAMBDA_IN_VPC_GCP
LAMBDA_IN_VPC_SERVICENOW
Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.
You can now configure Mod Lambda functions to run within a VPC across various providers including AWS, Azure, ServiceNow, and GCP. This update ensures Lambdas operate with static CIDR ranges.
Enhanced osquery/logger API to support payloads up to 10MB.
The AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate the result correctly, as expected. This is now fixed.
Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run aws_compliance.benchmark.rbi_itf_nbfc). (#798)
The Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.
Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance
benchmark (powerpipe benchmark run azure_compliance.benchmark.rbi_itf_nbfc_v2017). (#267)
The GCP > Turbot > Event Handlers > Logging would go into an Invalid state because of incorrect filter patterns defined in the GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer policy. This is fixed and the control will now work as expected.
Guardrails would sometimes process the real-time event compute.networks.delete for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.
Guardrails failed to process the real-time event s3:PutBucketReplication for buckets. This is now fixed.
The AWS > S3 > Bucket > Access Logging control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.
The user_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Pipes connections. (#27)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#32)
Added the version flag to the plugin's Export tool. (#65)
Bug fixes
Fixed the plugin to correctly authenticate against a custom tenant in Pipes instead of returning a 401 error. (#30)
The login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Github connections. (#422)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#219)
Added the version flag to the plugin's Export tool. (#65)
Bug fixes
Fixed the plugin support for Github OAuth Access token to work correctly. (#432)
Integrate your developer account, team or custom tenant with GitHub, enabling you to install custom Powerpipe mods from public or private repositories. Push changes for instant deploys and live updates.
For more information, see the launch post or check out the docs.
Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to AliCloud v0.22.0 or higher. (#95)
Kubernetes > Node resources will no longer include the conditions.lastHeartbeatTime or resource_version properties to avoid unnecessary notifications in the activity tab.
The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Microsoft 365 subscriptions. (#50)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#55)
Added the version flag to the plugin's Export tool. (#65)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#50)
The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#175)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#180)
Added support for China cloud endpoint and scope based on the environment. (#174)
Added the version flag to the plugin's Export tool. (#65)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#175)
Added 30 new 'detect and correct' pipelines to identify unused and underutilized AWS resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see AWS Thrifty Mod.
Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to GCP v0.52.0 or higher. (#78)
Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to Azure v0.56.0 or higher. (#124)
Optimized queries to leverage the connection-level qualifiers for faster execution time and lower API load. To benefit from these enhancements, please upgrade to AWS v0.136.0 or higher. (#347)
The GCP > IAM > Service Account Key > Active control will no longer attempt to delete a system-managed service account key deemed inactive by the control.
You can now determine if an IAM access key for a user is latest and deactivate or delete any keys that are not, using Guardrails. To get started, set the AWS > IAM > Access Key > Active > Latest policy.
You can now determine if an IAM server certificate is active based on its expiration. To get started, set the AWS > IAM > Server Certificate > Active > Expired policy.
The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple OCI tenants. (#606)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#614)
Added the version flag to the plugin's Export tool. (#65)
The project column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple GCP projects. (#564)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#580)
Added the version flag to the plugin's Export tool. (#65)****
Bug fixes
Fixed the table gcp_cloudfunctions_function to list gen2 cloud functions. (#568) (Thanks @ashutoshmore658 for the contribution!)
Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#755)
The account_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Alibaba Cloud accounts. (#406)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#419)
Added the version flag to the plugin's Export tool. (#65)
The context_name column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Kubernetes connections. (#217)
The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#219)
Added the version flag to the plugin's Export tool. (#65)
A connection key column defines a column whose value maps 1-1 to a Steampipe connection
and so can be used to filter connections when executing an aggregator query. These columns are treated as (optional) KeyColumns. This means they are taken into account in the query planning.
Added support for verbose timing information. (#4244)
Implemented SNS topic to handle critical alarms notifications.
Added Product, Vendor Tags to the IAM Role resources created by the TEF stack.
Introduced a new SSM parameter to manage the reserved concurrency settings for the osquery worker lambda function.
Updated Log Bucket Lifecycle Policies:
Increased Retention Period: Extended the retention period of the lifecycle policy for logs in the log bucket with the /processes prefix from 1 day to 2 days.
New Policy Addition: Implemented a new lifecycle policy for managing log retention in the log bucket for logs with the /osquery prefix.
The Azure > Compute > Virtual Machine Scale Set > Tags control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.
Revoke ingress rules that are unapproved for use in Network ACLs. To get started, set the AWS > VPC > Network ACL > Ingress Rules > Approved > * policies.
You can now delete existing Mount Targets which are unapproved for use in the account. To get started, set the AWS > EFS > Mount Target > Approved policy to Enforce: Delete unapproved.
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
AWS > CIS v3.0 > 1 - Identity and Access Management > Maximum Attestation Duration
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
GCP > CIS v2.0 > 2 - Logging and Monitoring
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
GCP > CIS v2.0 > 3 - Networking
GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
GCP > CIS v2.0 > 4 - Virtual Machines
GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
GCP > CIS v2.0 > 7 - BigQuery
GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation
GCP > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
GCP > CIS v2.0 > 2 - Logging and Monitoring
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
GCP > CIS v2.0 > 2 - Logging and Monitoring > Maximum Attestation Duration
GCP > CIS v2.0 > 3 - Networking
GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
GCP > CIS v2.0 > 4 - Virtual Machines
GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
The subscription_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#740)
Added the version flag to the plugin's Export tool. (#65)
Bug fixes
Fixed the plugin's Postgres FDW Extension crash issue.
Action Type for Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved control did not render correctly on mod inspect. This is now fixed.
The Azure > Storage > Storage Account > Data Protection control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.
You can now removed unapproved Firewall IP Ranges on PostgreSQL servers and flexi servers. To get started, set the Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > * and Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > * policies respectively.
You can now stop unapproved flexi servers. To get started, set the Azure > PostgreSQL > Flexible Server > Approved policy to Enforce: Stop unapproved or Enforce: Stop unapproved if new.
Control Types
Azure > PostgreSQL > Flexible Server > Firewall
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
Azure > PostgreSQL > Server > Firewall
Azure > PostgreSQL > Server > Firewall > IP Ranges
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved
Policy Types
Azure > PostgreSQL > Flexible Server > Firewall
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Compiled Rules
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > IP Addresses
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Rules
Azure > PostgreSQL > Server > Firewall
Azure > PostgreSQL > Server > Firewall > IP Ranges
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > IP Addresses
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Rules
Action Types
Azure > PostgreSQL > Flexible Server > Stop
Azure > PostgreSQL > Server > Update Firewall IP Ranges
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
Azure > CIS v2.0 > 02 - Microsoft Defender
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
Azure > CIS v2.0 > 03 - Storage Accounts
Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
Azure > CIS v2.0 > 06 - Networking
Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' > Attestation
Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration
Azure > CIS v2.0 > 02 - Microsoft Defender
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' > Attestation
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' > Attestation
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation
Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
Azure > CIS v2.0 > 02 - Microsoft Defender > Maximum Attestation Duration
Azure > CIS v2.0 > 03 - Storage Accounts
Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation
Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible > Attestation
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
Azure > CIS v2.0 > 05 - Logging and Monitoring > Maximum Attestation Duration
Azure > CIS v2.0 > 06 - Networking
Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation
Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App > Attestation
Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App > Attestation
Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App > Attestation
Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
Implemented monitoring for worker_factory in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog".
Established a CloudWatch Alarm for the _worker_factory queue.
Product, Vendor Tags to the IAM Role resources created by the TE stack.
Adjusted the threshold for the CloudWatch Alarm monitoring the _worker queue.
Bug fixes
Server
Now, users with only Turbot/User access will no longer see grants or active grants belonging to other users. This ensures that you only view grants that are relevant to your permissions.
Control will move to error if it fails to determine the state at precheck.
System resilience has been enhanced through extended TTL settings and refined management of suspended processes, aiming to improve stability and reduce backlog issues.
Refined management of various processes to improve stability and reduce backlog issues.
UI
Converted the template_input property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.
Moved the Turbot > Process Monitor control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks.
Updated the Turbot > Workspace > Background Tasks control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.
You can now configure rotation reminders for access keys and soft delete for blobs and containers in storage accounts. To get started, set the Azure > Storage > Storage Account > Access Keys > Rotation Reminder > * and Azure > Storage > Storage Account > Data Protection > Soft Delete > * policies respectively.
You can now removed unapproved Firewall IP Ranges on SQL servers. To get started, set the Azure > SQL > Server > Firewall > IP Ranges > Approved > * policies.
Control Types
Azure > SQL > Server > Firewall
Azure > SQL > Server > Firewall > IP Ranges
Azure > SQL > Server > Firewall > IP Ranges > Approved
Policy Types
Azure > SQL > Server > Firewall
Azure > SQL > Server > Firewall > IP Ranges
Azure > SQL > Server > Firewall > IP Ranges > Approved
Azure > SQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
Azure > SQL > Server > Firewall > IP Ranges > Approved > IP Addresses
Azure > SQL > Server > Firewall > IP Ranges > Approved > Rules
Updated the workspace_dashboard dashboard to include information on the accounts, resources, and active controls across different workspaces. (#31)
Updated the workspace_account_report dashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)
The rotationPeriod and nextRotationTime attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.
You can now configure Encryption in Transit for Flexi Servers. To get started, set the Azure > MySQL > Flexible Server > Encryption in Transit > * policies.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Control Types
Azure > MySQL > Flexible Server > Encryption in Transit
Policy Types
Azure > MySQL > Flexible Server > Encryption in Transit
Action Types
Azure > MySQL > Flexible Server > Update Encryption in Transit
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types
Azure > App Service > App Service Plan > Approved > Custom
Azure > App Service > Function App > Approved > Custom
The AWS > VPC > Flow Log > Configured control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.
The account_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple AWS accounts. (#2133)
Bug fixes
Fixed the getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for the unsupported ADConnector services instead of an error. (#2170)
You can now configure log checkpoints for Flexi Servers. To get started, set the Azure > PostgreSQL > Flexible Server > Audit Logging > * policies.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types
Azure > PostgreSQL > Flexible Server > Audit Logging
Policy Types
Azure > PostgreSQL > Flexible Server > Audit Logging
You can now configure expiration for Key Vault Keys and Secrets. To get started, set the Azure > Key Vault > Key > Expiration > * and Azure > Key Vault > Secret > Expiration > * policies respectively.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
The Azure > Storage > Storage Account > Queue > Logging control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.
Added snapshot_block_public_access_state column to aws_ec2_regional_settings table. (#2077)
Bug fixes
Fixed the getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for unsupported SharedMicrosoftAD services instead of an error. (#2156)
You can now delete existing Public IP Addresses which are unapproved for use in the Subscription. To get started, set the Azure > Network > Public IP Address > Approved policy to Enforce: Delete unapproved.
The Turbot > IAM > Permissions > Compiled > Levels > Account policy now correctly checks the workspace version if it's installed on a workspace version < 5.50.0.
You can now configure Encryption in Transit for Flexi Servers. To get started, set the Azure > PostgresSql > Flexible Server > Encryption in Transit > * policies.
Control Types
Azure > PostgreSQL > Flexible Server > Encryption in Transit
Policy Types
Azure > PostgreSQL > Flexible Server > Encryption in Transit
Action Types
Azure > PostgreSQL > Flexible Server > Update Encryption in Transit
Updated the foundational_security_lambda_2 control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!)
Fixed the title of secretsmanager_secret_unused_90_day control. (#783)
You can now delete existing Entra ID users which are unapproved to be used in the Tenant. To get started, set the Azure > Active Directory > User > Approved policy to Enforce: Delete unapproved.
Policy Types
Azure > Active Directory > User > Approved > Custom
Added the following controls to the All Controls benchmark: (#253)
cosmosdb_account_uses_aad_and_rbac
iam_user_not_allowed_to_create_tenants
securitycenter_image_scan_enabled
Bug fixes
Updated the postgres_db_server_allow_access_to_azure_services_disabled query to check if the endIpAddress column is set to 0.0.0.0 instead of 255.255.255.255 as per the CIS documentation. (#253)
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full ":" administrative privileges are not attached
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
AWS > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enable on S3 buckets
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
You can now manage IMDS defaults for EC2 per region. To get started, set the AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > * policies.
Bug fixes
The AWS > EC2 > Instance > Approved control would sometimes fail to stop instances that were discovered in Guardrails via real-time events if the AWS > EC2 > Instance > Approved policy was set to Enforce: Stop unapproved if new. This is now fixed.
You can now configure connection_throttling parameter for PostgreSQL servers. To get started, set the Azure > PostgreSQL > Server > Audit Logging > Connection Throttling policy.
Added support for quota_project config arg to provide users the ability to set the Project ID used for billing and quota. (#556)
Bug fixes
Fixed the retry_policy_maximum_backoff and retry_policy_minimum_backoff columns of gcp_pubsub_subscription table to correctly return data. (#552) (Thanks to @mvanholsteijn for the contribution!)
Fixed the aws_vpc_eip table to return an Access Denied error instead of an Invalid Memory Address or Nil Pointer Dereference error when a Service Control Policy is applied to an account for a specific region. (#2136)
Fixed the aws_s3_bucket terraform script to prevent the AccessControlListNotSupported: The bucket does not allow ACLs error during the PutBucketAcl terraform call. (#2080) (Thanks @pdecat for the contribution!)
Fixed an issue where querying regional tables while using AWS profiles with cross-account role credentials results in the correct error being reported instead of zero rows. (#2137)
Fixed pagination in the aws_ebs_snapshot table to make fewer API calls when the limit parameter is passed to the query. (#2088)
Fixed the ecs_cluster_active_service_count query in the AWS ECS Cluster Dashboard to correctly return the count of Cluster Active Services instead of ECS Clusters. (#341) (Thanks @mupi2k for the contribution!)
In v5.15.1, we introduced the policy value Enforce: Enabled but ignore permission errors for the AWS > SNS > Subscription > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug, resulting in the removal of real-time events for Subscription from the SNS EventBridge rule created by the Event Handlers. This issue has now been fixed.
In v5.13.0, we introduced the policy value Enforce: Enabled but ignore permission errors for the AWS > KMS > Key > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug, resulting in the removal of the EventBridge Rule for KMS by the Event Handlers. This issue has now been fixed.
The Foundational Security Best Practices v1.0.0 benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)
The foundational_security_elbv2 sub-benchmark have been removed.
The following controls are no longer included in the benchmarks:
foundational_security_cloudfront_2
foundational_security_ec2_22
foundational_security_s3_4
Enhancements
The Foundational Security Best Practices v1.0.0 benchmark has been updated to better align with the matching AWS Security Hub. The following updates have been made: (#772)
The following sub-benchmarks have been added to the foundational_security benchmark:
foundational_security_appsync
foundational_security_backup
foundational_security_eventbridge
foundational_security_fsx
foundational_security_msk
foundational_security_pca
foundational_security_route53
foundational_security_sfn
The following controls have been added to the benchmarks:
pipes_workspace_datatank_table: Set PartPer setting for datatank table to be nil if nothing is passed in configuration while updating a datatank table. (#23)
Enhancements:
resources/pipes_workspace: Add support for passing desired_state, db_volume_size_bytes attribute when creating or updating a workspace. Add missing attribute state_reason.
resources/pipes_workspace_pipeline: Add support for passing desired_state attribute when creating or updating a pipeline. Add attributes state and state_reason.
resources/pipes_workspace_datatank: Add support for passing desired_state attribute when creating a datatank.
resources/pipes_workspace_datatank_table: Add support for passing desired_state attribute when creating a datatank_table.
Fixed the project_license_table, project_other_license_count and project_weak_copyleft_license_count queries to use the latest version of EUP (European Union Public License 1.2). (#13)
Fixed the repository_license_table, repository_other_license_count and repository_weak_copyleft_license_count queries to use the latest version of EUP (European Union Public License 1.2). (#25)
Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account.
Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
The AWS > VPC > VPC > Stack control failed to claim security group rules correctly if the protocol for such rules was set to All or TCP in the stack's source policy. This issue has been fixed, and the control will now claim such rules correctly.
We have updated various policy definitions set during account imports to allow for a smoother account import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
Added auto_minor_version_upgrade column to aws_rds_db_cluster table. (#2109)
Added open_zfs_configuration column to aws_fsx_file_system table. (#2113)
Added logging_configuration column to aws_networkfirewall_firewall table. (#2115)
Added lf_tags column to aws_glue_catalog_table table. (#2128)
Bug fixes
Fixed the query in the aws_s3_bucket table doc to correctly filter out buckets without the application tag. (#2093)
Fixed the aws_cloudtrail_lookup_event input param to pass correctly end_time as an optional qual. (#2102)
Fixed the arn column of the aws_elastic_beanstalk_environment table to correctly return data instead of null. (#2105)
Fixed the template_body_json column of the aws_cloudformation_stack table to correctly return data by adding a new transform function formatJsonBody, replacing the UnmarshalYAML transform function. (#1959)
Fixed the next_execution_time column of aws_ssm_maintenance_window table to be of String datatype instead of TIMESTAMP. (#2116)
Renamed the client_log_options column to connection_log_options in aws_ec2_client_vpn_endpoint table to correctly return data instead of null. (#2122)
Steampipe will no longer officially publish or support a Dockerfile or container images.
Steampipe can be run in a containerized setup. We run it ourselves that way as part of Turbot Pipes. But, we've decided to cease publishing an supporting a container definition because:
The CLI is optimized for developer use on the command line.
Everyone has specific goals and requirements for their containers.
Container setup requires various mounts and access to configuration files.
It's hard to support containers across many different environments.
We welcome users to create and share your own open-source container definitions for Steampipe!
Unsupported US Gov cloud regions were inadvertently included in the AWS > SageMaker > Code Repository > Regions policy, which led to the AWS > SageMaker > Code Repository > Discovery control being in an error state for those regions. We've now removed the unsupported US Gov cloud regions from the Regions policy.
Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
Multiselect Inputs with preselected Options now correctly pre-populate in Slack.
Change detection in throw and output block in pipeline steps works correctly with ternary operators and will not trigger mod reload for white space changes.
Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
In the previous version, we fixed an issue with the AWS > VPC > VPC > Stack control that prevented it from recognizing security group rules with the port range set to 0 correctly. However, the control still failed to claim existing security group rules available in Guardrails CMDB, due to an inadvertent bug introduced in v5.9.2. This issue has now been fixed, and the control will correctly claim existing security group rules.
Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
Previously, Guardrails unnecessarily listened to and processed real-time lists events for various storage resources. We've now improved our events filter to ignore these lists events, thereby reducing unnecessary processing.
Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
The AWS > EC2 > Snapshot > Active and AWS > EC2 > Snapshot > Approved controls will now not attempt to delete a snapshot if it has one or more AMIs attached to it.
In the previous version, although we fixed a bug to prevent upserting volumes and snapshots with incorrect AKAs, there was still a provision for instances to be upserted with incorrect AKAs. We have now addressed this issue as well, ensuring instances are upserted more correctly and consistently than before.
The deprecated ec2-reports:* permissions are now removed from the mod.
Ensure tags are passed during creation of resource pipes_workspace_pipeline and are only updated when a valid value is present in the Terraform configuration.
Guardrails will now exclude upserting VPC resources that are shared from other accounts and only upsert resources that belong to the owner account.
In the previous version, we believed we had resolved an issue with Internet Gateways not being upserted into the CMDB while processing real-time CreateDefaultVpc events. However, we overlooked an edge case in the fix. We have now addressed this issue, ensuring that Internet Gateways will be reliably discovered and upserted into the Guardrails CMDB. We recommend updating the aws-vpc-core mod to version 5.17.1 or higher to enable Guardrails to correctly process real-time CreateDefaultVpc events for Internet Gateways.
Guardrails failed to filter out real-time events for resource types if their parent resource types' CMDB policy was set to Enforce: Disabled. This is now fixed.
We're thrilled to announce the release of 52 new Powerpipe mods, featuring pre-built dashboards and benchmarks for cloud inventory & insights, security & compliance, cost management and shift-left scanning. These include the 43 Steampipe mods to visualize AWS, Azure, GCP, GitHub, Terraform and more using Steampipe as the database. And 9 new, ready-to-use Powerpipe mods providing easy to learn examples to visualize data in Postgres, SQLite, DuckDB, and MySQL!
A full list of mods can be found in the Powerpipe Hub.
For more information on how you can get started incorporating these mods into your own custom dashboards and benchmarks, please see Introducing Powerpipe - Composable Mods.
Benchmarks - 5,000+ open-source controls from CIS, NIST, PCI, HIPAA, FedRamp and more. Run instantly on your machine or as part of your deployment pipeline.
Relationship Diagrams - The only dashboarding tool designed from the ground up to visualize DevOps data. Explore your cloud,understand relationships and drill down to the details.
Dashboards & Reports - High level dashboards provide a quick management view. Reports highlight misconfigurations and attention areas. Filter, pivot and snapshot results.
Code, not clicks - Our dashboards are code. Version controlled, composable, shareable, easy to edit - designed for the way you work. Join our open-source community!
The AWS > VPC > VPC > Stack control would sometimes go into an error state after creating security group rules with port range set to 0. This occurred because the control failed to recognize the existing rule in Guardrails CMDB and attempted to create a new rule instead. This issue has been fixed, and the stack control will now work correctly as expected.
The AWS > VPC > Security Group > CMDB control would sometimes go into an error state for security groups shared from other AWS accounts. We will now exclude shared security groups and only upsert security groups that belong to the owner account.
You can now also manage the IAM Permissions model for Guardrails Users via the AWS > Turbot > IAM > Managed control. The AWS > Turbot > IAM > Managed control is faster and more efficient than the existing AWS > Turbot > IAM control because it utilizes Native AWS APIs rather than Terraform to manage IAM resources. Please note that this feature will work as intended only on TE v5.42.19 or higher and turbot-iam mod v5.11.0 or higher.
Control Types
AWS > Turbot > IAM > Group
AWS > Turbot > IAM > Group > Managed
AWS > Turbot > IAM > Managed
AWS > Turbot > IAM > Policy
AWS > Turbot > IAM > Policy > Managed
AWS > Turbot > IAM > Role
AWS > Turbot > IAM > Role > Managed
AWS > Turbot > IAM > User
AWS > Turbot > IAM > User > Managed
Policy Types
AWS > Turbot > IAM > Managed
Policy Types Renamed
AWS > IAM > Turbot to AWS > Turbot > IAM
Action Types
AWS > Account > Provision Managed Resources
AWS > IAM > Group > Detach and delete
AWS > IAM > Group > IAM Group Managed
AWS > IAM > Policy > Detach and delete
AWS > IAM > Role > IAM Role Managed
AWS > IAM > User > IAM User Managed
Bug fixes
The AWS > IAM > Group > CMDB, AWS > IAM > Role > CMDB, and AWS > IAM > User > CMDB controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.
Added version column to steampipe_plugin table. (#4141)
Direct all errors and warnings to standard error (stderr). (4162)
Bug fixes
Fixed the issue where search_path_prefix set in database options does not alter the search path. (#4160)
Fix issue where asff output was always missing the first row. (#4157)
Deprecations and migrations
Steampipe mods and dashboards are now separately available in Powerpipe, a new open-source project. The steampipe mod, check and dashboard commands have been deprecated and will be removed in a future version. Migration guide.
Deprecated cloud-host and cloud-token CLI args, and replaced them with pipes-host and pipes-token respectively. (#4137)
Deprecated STEAMPIPE_CLOUD_HOST and STEAMPIPE_CLOUD_TOKEN env vars, replaced with PIPES_HOST and PIPES_TOKEN respectively. (#4137)
Deprecated cloud_host and cloud_token workspace args, replaced with pipes_host and pipes_token respectively. (#4137)
Removed support for deprecated terminal options. (#3751)
Removed support for deprecated max_parallel property in general options. (#4132)
Removed support for deprecated connection options. (#4131)
Removed deprecated version property from the mod require block. (#3750)
The AWS > S3 > Bucket CMDB data will now also include information about Bucket Intelligent Tiering Configuration.
A few policy values in the AWS > S3 > Bucket > Encyprion at Rest policy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS.
| Deprecated Values
|-
| Check: None
| Check: None or higher
| Enforce: None
| Enforce: None or higher
Previously, Guardrails did not upsert Internet Gateways into the CMDB while processing real-time CreateDefaultVpc events. This issue has been fixed, and Internet Gateways will now be more reliably upserted into the Guardrails CMDB.
We recommend updating the aws-vpc-core mod to v5.17.1 or higher to allow Guardrails to process the CreateDefaultVpc event for Internet Gateways correctly.
Previously, Guardrails did not upsert DHCP Options into the CMDB while processing real-time CreateDefaultVpc events. This issue has been fixed, and DHCP Options will now be more reliably upserted into the Guardrails CMDB.
Previously, Guardrails unnecessarily listened to and processed real-time lists events for various Dataproc resources. We've now improved our events filter to ignore these lists events, thereby reducing unnecessary processing.
The GCP > Turbot > Event Handlers > Pub/Sub stack control previously attempted to create a topic and its IAM member incorrectly when the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity policy was set to Enforce: Unique Identity, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.
In a previous version (v5.6.2), we introduced a change in the AWS > S3 > Bucket > Encryption in Transit and AWS > S3 > Bucket > Encryption at Rest control to wait for a few minutes before applying the respective policies to new buckets created via Cloudformation Stacks. We've now extended this feature to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcements.
Added: Support for Postgres versions 14.9, 14.10, 15.4 and 15.5.
Added: Support for Redis 7.1.
Added: m6gd.medium to instance type parameter for RDS.
Added: Support for Advanced Tier for SSM Parameters.
Removed: t4.micro and t4.small from instance type parameter for RDS.
Note
To use the latest RDS certificate in commercial cloud, please upgrade TE to 5.42.3 or higher and update the RDS CA Certificate for Commercial Cloud parameter.
The AWS > Secrets Manager > Secret > CMDB control would go into an error state if Guardrails did not have permissions to describe a secret. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > Secrets Manager > Secret > CMDB policy to Enforce: Enabled but ignore permission errors.
You can now attach custom IAM Groups to Guardrails users if the AWS > Turbot > Permissions policy is set to Enforce: User Mode. To get started, set the AWS > Turbot > Permissions > Custom Group Levels [Account] policy and then attach the custom group to a user via the Grant Permission button on the Permissions page. Please note that this feature will work as intended only on TE v5.42.18 or higher and turbot-iam mod v5.11.0 or higher.
Policy Types:
AWS > Turbot > Permissions > Custom Group Levels [Account]
Policy Types renamed:
AWS > Turbot > Permissions > Custom Levels [Account] to AWS > Turbot > Permissions > Custom Role Levels [Account]
AWS > Turbot > Permissions > Custom Levels [Folder] to AWS > Turbot > Permissions > Custom Role Levels [Folder]
Removed support for Memoized functions to be directly assigned as column hydrate functions. Instead, require a wrapper hydrate function. (#756) (#738)
Bug fixes
If cache is disabled for the server, but enabled for the client, the query execution code tries to stream to the cache even though there is no active set operation. (#740)
The AWS > SNS > Subscription > CMDB control would go into an error state if Guardrails did not have permissions to describe a subscription. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > SNS > Subscription > CMDB policy to Enforce: Enabled but ignore permission errors.
The timeout for scheduled snapshot pipelines has been extended from 10 minutes to 1 hour, giving complex benchmarks and dashboards longer to successfully complete.
The GCP > Compute Engine > Instance Template > CMDB control would sometimes go into an error state due to a bad internal build. This is fixed and the control will now work as expected.
Due to an inadvertently introduced issue with an internal build for Azure > Subscription, importing subscriptions encountered schema validation problems. This issue has been resolved, and you can now successfully import subscriptions as before.
In the previous version, while we improved on the way we discovered missing Snapshots and Volumes while processing their update events, we inadvertently introduced a bug where some resources were upserted with incorrect AKAs. Such resources with malformed AKAs should now be cleaned up automatically from the environment, and Guardrails will now discover resources more correctly and consistently than before.
In a previous version (v5.31.4), we implemented a feature to Discover Instances while processing their update events respectively, if those resources were missing from Guardrails CMDB. In busy environments, this would sometimes cause unnecessary Lambda executions. We've now improved this behavior to upsert the missing resources in a lighter and faster way.
Improved the plugin error message when invalid credentials are set in the wiz.spc file. (#23)
Bug fixes
Fixed the service_tickets column in wiz_issue table by removing the action subfield from the ServiceTickets field in the GraphQL response since it was no longer available. (#24#25) (Thanks @sycophantic for the contribution!)
Fixed aws_sfn_state_machine_execution_history table to handle pagination and ignore errors for expired execution history. (#1934) (Thanks @pdecat for the contribution!)
Fixed the aws_health_affected_entity table to correctly return data instead of an interface conversion error. (#2072)
Added support for af-south-1, ap-northeast-3, ap-south-2, ap-southeast-3, ap-southeast-4, ca-west-1, eu-central-2, eu-south-1, eu-south-2, il-central-1 and me-central-1 regions in the AWS > Logs > Regions policy.
You can now configure Block Public Access for Snapshots. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for Snapshots policy.
You can now also disable Block Public Access for AMIs. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for AMIs policy.
AWS/EC2/Admin, AWS/EC2/Metadata and AWS/EC2/Operator now includes permissions for Verified Access Endpoints, Verified Access Groups and Verified Access Trust Providers.
Control Types:
AWS > EC2 > Account Attributes > Block Public Access for Snapshots
Policy Types:
AWS > EC2 > Account Attributes > Block Public Access for Snapshots
Action Types:
AWS > EC2 > Account Attributes > Update Block Public Access for Snapshots
Bug fixes
In a previous version (v5.31.4), we implemented a feature to Discover Snapshots and Volumes while processing their update events respectively, if those resources were missing from Guardrails CMDB. In busy environments, this would sometimes cause unnecessary Lambda executions. We've now improved this behavior to upsert the missing resources in a lighter and faster way.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Updated all the tables to fetch the column data using hydrate functions to optimize the API calls and increase query speed when querying specific columns. (#30)
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Added OAuth config support to provide users the ability to set OAuth secret client ID and OAuth secret value of a service principal. For more information, please see Databricks plugin configuration. (#6) (Thanks @rinzool for the contribution!)
Added Config object to directly pass credentials to the client. (#10)
Optimized aws_cloudwatch_log_stream table's query performance by adding descending, log_group_name, log_stream_name_prefix and order_by new optional key qual columns. (#1951)
Optimized aws_ssm_inventory table's query performance by adding new optional key qual columns such as filter_key, filter_value, network_attribute_key, network_attribute_value, etc. (#1980)
Bug fixes
Fixed aws_cloudwatch_log_group table key column to be globally unique by filtering the results by region. (#1976)
Removed duplicate memoizing of getCommonColumns function from aws_s3_multi_region_access_point and aws_ec2_launch_template tables.(#2065)
Fixed error for column type_name in table aws_ssm_inventory_entry. (#1980)
Added the missing rate-limiter tags for aws_s3_bucket table's GetBucketLocation hydrate function to optimize query performance. (#2066)
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Removed the iam_root_user_virtual_mfa control since it is not recommended as good practice. (#743)
Replaced iam_account_password_policy_strong with iam_account_password_policy_strong_min_reuse_24 in the GDPR, FFIEC and CISA Cyber Essentials benchmarks to align more accurately with the requirements specified in the AWS Config rules. (#739)
Bug fixes
Updated the dashboard image to correctly list all the 25 benchmarks. (#748)
Added column iam_policy to gcp_cloud_run_service table. (#531)
Optimized the gcp_logging_log_entry table result or result timing by applying a timestamp filter. (#508)
Added the json_payload, proto_payload, metadata, resource, operation, and tags columns to gcp_logging_log_entry table. (#508)
Bug fixes
Fixed the addons_config, network_config and network_policy column of gcp_kubernetes_cluster table to correctly return data instead of null. (#530)
Fixed the end_time column of the gcp_sql_backup table to return null instead of an error when end time is unavailable for a SQL backup. (#534)
Fixed the enqueued_time, start_time and window_start_time columns of the gcp_sql_backup table to return null instead of an error when timestamp is unavailable for a SQL backup. (#536)
Fixed the low_iops_ebs_volumes control to now suggest converting io1 and io2 volumes to GP3 volumes, when the base IOPS is less than 16000 instead of 3000. (#167)
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
The GCP > Turbot > Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the GCP > Turbot > Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.
The Azure > Turbot > Event Poller and Azure > Turbot > Management Group Event Poller controls now include a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Event Poller and Azure > Turbot > Management Group Event Poller policies are set to Disabled respectively. You won’t notice any difference and the controls should run lighter and quicker than before.
The Azure > Turbot > Directory Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Directory Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.
The AWS > Turbot > Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the AWS > Turbot > Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.
Note : Table aws_sns_topic_subscription will be changing behaviours in a future release to return results from ListSubscriptionsByTopic instead of ListSubscriptions.
Added support for aws_network_interface_sg_attachment Terraform resource for AWS > EC2 > Network Interface.
Bug fixes
The AWS > EC2 > Instance > CMDB control would sometimes trigger multiple times if EnclaveOptions was not set as part of the AWS > EC2 > Instance > CMDB > Attributes policy. This would result in unnecessary Lambda runs for the control. The EnclaveOptions attribute is now available in the CMDB data by default and the EnclaveOptions policy value in AWS > EC2 > Instance > CMDB > Attributes policy has now been deprecated, and will be removed in the next major version.
Fixed the broken network_subnet_to_network_virtual_network edge of the relationship graph in the sql_server_detail dashboard page to correctly reference the network_subnets_for_sql_server query. (#118)
Fixed the kubernetes_cluster_upgraded_with_non_vulnerable_version query to correctly check if a Kubernetes cluster is using an outdated software version. (#235)
Fixed the plugin to return only static tables instead of an error when the objects config argument is not set or the plugin credentials are not set correctly. (#26)
Omitting the PartPer setting for a pipes_workspace_datatank_table resource would have previously resulted in an error, meaning you had to pass connection as the value. This field is now optional, allowing single part tables to be defined.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Updated: The directory API to support Require Signed Assertion Response.
UI:
Added: Introduced UI options for Require Signed Assertion Response for enhanced security in SAML authentication.
Requirements
TEF: 1.51.0
TED: 1.9.1
Base images
Alpine: 3.17.5
Ubuntu: 22.04.3
Enhanced Security and Compatibility Guide for SAML Authentication
Description:
The recent update to @node-saml/passport-saml mandates the signing of the assertion response. To ensure backward compatibility, we have introduced a new configuration option in the UI:
Require Signed Assertion Response
By default, this option is set to Disabled to maintain compatibility with existing setups.
Recommendations:
We recommend enabling this option as it adds an additional layer of security. However, please be aware that enabling this setting might impact the SAML login functionality.
Updated the plugin to use a shared, optimized HTTP client that enhances DNS management and reduces connection floods for more stable and efficient queries. (#2036)
The AWS > RDS > DB Instance > Discovery control would sometimes upsert DocumentDB Instances as RDS Instances in Guardrails CMDB. This is fixed and the control will now filter out DocumentDB Instances while upserting resources in CMDB.
The Enterprise tier expands on the Team tier’s features with enhanced collaboration, enterprise-grade security, and improved scalability, making it ideal for larger organizations:
Organization-wide cloud intelligence & security: Enables tailored data management across business units and teams for sharing insights.
SAML Authentication: Provides secure and seamless SSO user experience using your identity provider.
Multi-Organization RBAC: Allows granular access permissions across organizations and workspaces to protect sensitive data.
Trusted Login Domains: Significantly reduces unauthorized access by restricting logins to trusted domains.
Consolidated Usage and Billing: Simplifies resource and financial tracking with tenant-level visibility plus per organization/workspace details.
Get started in a 14-day free trial then switch to flexible, usage based pricing.
Our trademark policy & terms now clarify that while others are allowed to make their own distribution of Turbot open-source software, they cannot use any of the Turbot trademarks, cloud services, etc.
We now require a signed Contributor License Agreement for all contributions to our AGPL 3.0 and CC BY-NC-ND licensed repositories.
Recompiled with steampipe-plugin-sdk v5.8.0 that includes plugin server encapsulation for in-process and GRPC usage, adding Steampipe Plugin SDK version to _ctx column, and fixing connection and potential divide-by-zero bugs.
35 new, ready-to-use Flowpipe sample mods are now available! These mods serve as practical examples, showcasing the patterns and applications of various library mods. Every mod comes with specific instructions for installation and use, enabling fast and easy setup.
Introducing Flowpipe, a cloud scripting engine. Automation and workflow to connect your clouds to the people, systems and data that matter. Pipelines for DevOps written in HCL.
A full list of library mods can be found in the Flowpipe Hub.
For more information on how you can get started incorporating these library mods into your own mods and pipelines, please see Introducing Flowpipe - Composable Mods.
AWS > IAM > Root > Skip alarm for Approved control
AWS > IAM > Root > Skip alarm for Approved control [90 days]
Bug fixes
The AWS > IAM > Account Password Policy > CMDB control would incorrectly go into an Alarm state when Guardrails was denied access to fetch the Account Password Policy data. This is fixed and the control will now move to an Error state instead for such cases.
Guardrails stack controls would sometimes fail to update IAM resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
The Table control did not allow extending the resource's Table from any other Table in ServiceNow but the cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.
The Configuration Item control would sometimes go into an invalid state if the corresponding Table was not found in ServiceNow. The control will now go to an error state instead, which will allow Guardrails to retry running the control automatically.
The Configuration Item control would sometimes fail to detect if any columns were missing from the corresponding Table before creating a record in ServiceNow. This is fixed and the control will now work correctly as expected.
The Discovery controls for Application, Cost Center and User would sometimes upsert resources with incorrect AKAs for a freshly imported ServiceNow Instance in Guardrails CMDB. This is fixed and the controls will now work as expected.
The AWS > Turbot > Event Poller policy will now be automatically set to Disabled if any of the AWS > Turbot > Event Handlers or AWS > Turbot > Event Handlers [Global] policies is set to Enforce: Configured.
You can now Enable/Disable Firebase Management API via Guardrails. To get started, set the GCP > Firebase > API Enabled policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added support for newer US, Europe, India and US Government regions in the Azure > Synapse Analytics > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Azure > API Management > API Management Service > Approved > Custom
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Azure > Data Factory > Dataset > Approved > Custom
Azure > Data Factory > Factory > Approved > Custom
Azure > Data Factory > Pipeline > Approved > Custom
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Azure > Front Door > Front Door > Approved > Custom
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Azure > SignalR Service > SignalR > Approved > Custom
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Fixed the plugin to pass the namespace qualifier to the kubernetes API client when querying namespace scoped resources. (#181) (Thanks @pdecat for the contribution!!)
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Azure > Recovery Service > Vault > Approved > Custom
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > SWF > Domain > Approved > Custom
Action Types:
AWS > SWF > Domain > Set Tags
AWS > SWF > Domain > Skip alarm for Active control
AWS > SWF > Domain > Skip alarm for Active control [90 days]
AWS > SWF > Domain > Skip alarm for Approved control
AWS > SWF > Domain > Skip alarm for Approved control [90 days]
AWS > SWF > Domain > Skip alarm for Tags control
AWS > SWF > Domain > Skip alarm for Tags control [90 days]
Removed the following tables using the search API that no longer work due to API limitations. These tables will be added back if functionality can be restored.
Fixed the compute_firewall_allow_tcp_connections_proxied_by_iap query to correctly include all the ports and source IP ranges. (#128) (Thanks @saisirishreddy for the contribution!)
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
AWS > QLDB > Ledger > Approved > Custom
Action Types:
AWS > QLDB > Ledger > Delete from AWS
AWS > QLDB > Ledger > Set Tags
AWS > QLDB > Ledger > Skip alarm for Active control
AWS > QLDB > Ledger > Skip alarm for Active control [90 days]
AWS > QLDB > Ledger > Skip alarm for Approved control
AWS > QLDB > Ledger > Skip alarm for Approved control [90 days]
AWS > QLDB > Ledger > Skip alarm for Tags control
AWS > QLDB > Ledger > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Neptune > DB Cluster > Approved > Custom
AWS > Neptune > DB Instance > Approved > Custom
Action Types:
AWS > Neptune > DB Cluster > Delete from AWS
AWS > Neptune > DB Cluster > Set Tags
AWS > Neptune > DB Cluster > Skip alarm for Active control
AWS > Neptune > DB Cluster > Skip alarm for Active control [90 days]
AWS > Neptune > DB Cluster > Skip alarm for Approved control
AWS > Neptune > DB Cluster > Skip alarm for Approved control [90 days]
AWS > Neptune > DB Cluster > Skip alarm for Tags control
AWS > Neptune > DB Cluster > Skip alarm for Tags control [90 days]
AWS > Neptune > DB Instance > Delete from AWS
AWS > Neptune > DB Instance > Set Tags
AWS > Neptune > DB Instance > Skip alarm for Active control
AWS > Neptune > DB Instance > Skip alarm for Active control [90 days]
AWS > Neptune > DB Instance > Skip alarm for Approved control
AWS > Neptune > DB Instance > Skip alarm for Approved control [90 days]
AWS > Neptune > DB Instance > Skip alarm for Tags control
AWS > Neptune > DB Instance > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > DAX > Cluster > Approved > Custom
Action Types:
AWS > DAX > Cluster > Delete from AWS
AWS > DAX > Cluster > Set Tags
AWS > DAX > Cluster > Skip alarm for Active control
AWS > DAX > Cluster > Skip alarm for Active control [90 days]
AWS > DAX > Cluster > Skip alarm for Approved control
AWS > DAX > Cluster > Skip alarm for Approved control [90 days]
AWS > DAX > Cluster > Skip alarm for Tags control
AWS > DAX > Cluster > Skip alarm for Tags control [90 days]
Updated: Updated the package passport-saml to @node-saml/passport-saml: 4.0.4
Updated: The directory API to support Require Signed Authentication Response and Strict Audience Validation.
UI:
Added: Introduced UI options for Require Signed Authentication Response and Strict Audience Validation for enhanced security in SAML authentication.
Enhanced Security and Compatibility Guide for SAML Authentication
Description
The recent package change for @node-saml/passport-saml has made it mandatory to sign the audience response and perform audience validation. To maintain backward compatibility, we have introduced two new options in the UI:
Require Signed Authentication Response
Strict Audience Validation
To make it backward compatible, both of these options are initially set to Disabled by default.
Important Note: This change ensures that the audience response is signed and audience validation is enforced. These checks were not available in earlier versions of the package.
Recommendations
We recommend customers enable both of these properties as they add an additional layer of security. However, it's important to be aware that enabling these properties might potentially break SAML login functionality. Therefore, certain steps need to be taken before enabling them.
Here are specific recommendations for popular Identity Providers (IDPs):
Okta
Strict Audience Validation: If enabled, ensure that the "Issuer ID" matches the "Audience Restriction."
OneLogin
Require Signed Authentication Response: This feature should be disabled in OneLogin, as OneLogin does not support it.
Strict Audience Validation: If enabled, ensure that the "Issuer ID" matches the "Audience".
Azure Entra ID (Previously Known as Azure AD)
Require Signed Authentication Response: If enabled, make sure you choose the Signing option to be "SIGN SAML response and assertion". The Signing option is available on the Signing Certificate page of Entra ID
Please follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > App Mesh > Mesh > Approved > Custom
Action Types:
AWS > App Mesh > Mesh > Delete from AWS
AWS > App Mesh > Mesh > Set Tags
AWS > App Mesh > Mesh > Skip alarm for Active control
AWS > App Mesh > Mesh > Skip alarm for Active control [90 days]
AWS > App Mesh > Mesh > Skip alarm for Approved control
AWS > App Mesh > Mesh > Skip alarm for Approved control [90 days]
AWS > App Mesh > Mesh > Skip alarm for Tags control
AWS > App Mesh > Mesh > Skip alarm for Tags control [90 days]
Updated the plugin dependency section of the mod to use min_version instead of version. (#130)
Bug fixes
Fixed the kms_key_separation_of_duties_enforced query to ensure that separation of duties is enforced while assigning KMS-related roles to users. (#132)
Updated the plugin dependency section of the mod to use min_version instead of version. (#222)
Bug fixes
Fixed the compute_vm_tcp_udp_access_restricted_internet query to ensure internet-facing virtual machines are protected with network security groups. (#224)
Updated the plugin dependency section of the mod to use min_version instead of version. (#161)
Renamed the control lambda_function_with_graviton2 to lambda_function_with_graviton in order to maintain consistency. (#158) (Thanks @bluedoors for the contribution!)
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
The AWS > ElastiCache > Snapshot > CMDB control would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > Glue > Crawler > Delete from AWS
AWS > Glue > Crawler > Set Tags
AWS > Glue > Crawler > Skip alarm for Active control
AWS > Glue > Crawler > Skip alarm for Active control [90 days]
AWS > Glue > Crawler > Skip alarm for Approved control
AWS > Glue > Crawler > Skip alarm for Approved control [90 days]
AWS > Glue > Crawler > Skip alarm for Tags control
AWS > Glue > Crawler > Skip alarm for Tags control [90 days]
AWS > Glue > Data Catalog > Skip alarm for Encryption at Rest control
AWS > Glue > Data Catalog > Skip alarm for Encryption at Rest control [90 days]
AWS > Glue > Database > Delete from AWS
AWS > Glue > Database > Skip alarm for Active control
AWS > Glue > Database > Skip alarm for Active control [90 days]
AWS > Glue > Database > Skip alarm for Approved control
AWS > Glue > Database > Skip alarm for Approved control [90 days]
AWS > Glue > Development Endpoint [Deprecated] > Delete from AWS
AWS > Glue > Development Endpoint [Deprecated] > Set Tags
AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Active control
AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Active control [90 days]
AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Approved control
AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Approved control [90 days]
AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Tags control
AWS > Glue > Development Endpoint [Deprecated] > Skip alarm for Tags control [90 days]
AWS > Glue > Job > Delete from AWS
AWS > Glue > Job > Set Tags
AWS > Glue > Job > Skip alarm for Active control
AWS > Glue > Job > Skip alarm for Active control [90 days]
AWS > Glue > Job > Skip alarm for Approved control
AWS > Glue > Job > Skip alarm for Approved control [90 days]
AWS > Glue > Job > Skip alarm for Tags control
AWS > Glue > Job > Skip alarm for Tags control [90 days]
AWS > Glue > ML Transform > Delete from AWS
AWS > Glue > ML Transform > Set Tags
AWS > Glue > ML Transform > Skip alarm for Active control
AWS > Glue > ML Transform > Skip alarm for Active control [90 days]
AWS > Glue > ML Transform > Skip alarm for Approved control
AWS > Glue > ML Transform > Skip alarm for Approved control [90 days]
AWS > Glue > ML Transform > Skip alarm for Tags control
AWS > Glue > ML Transform > Skip alarm for Tags control [90 days]
AWS > Glue > Security Configuration > Delete from AWS
AWS > Glue > Security Configuration > Skip alarm for Active control
AWS > Glue > Security Configuration > Skip alarm for Active control [90 days]
AWS > Glue > Security Configuration > Skip alarm for Approved control
AWS > Glue > Security Configuration > Skip alarm for Approved control [90 days]
AWS > Glue > Table > Delete from AWS
AWS > Glue > Table > Skip alarm for Active control
AWS > Glue > Table > Skip alarm for Active control [90 days]
AWS > Glue > Table > Skip alarm for Approved control
AWS > Glue > Table > Skip alarm for Approved control [90 days]
AWS > Glue > Trigger > Delete from AWS
AWS > Glue > Trigger > Set Tags
AWS > Glue > Trigger > Skip alarm for Active control
AWS > Glue > Trigger > Skip alarm for Active control [90 days]
AWS > Glue > Trigger > Skip alarm for Approved control
AWS > Glue > Trigger > Skip alarm for Approved control [90 days]
AWS > Glue > Trigger > Skip alarm for Tags control
AWS > Glue > Trigger > Skip alarm for Tags control [90 days]
AWS > Glue > Workflow > Delete from AWS
AWS > Glue > Workflow > Set Tags
AWS > Glue > Workflow > Skip alarm for Active control
AWS > Glue > Workflow > Skip alarm for Active control [90 days]
AWS > Glue > Workflow > Skip alarm for Approved control
AWS > Glue > Workflow > Skip alarm for Approved control [90 days]
AWS > Glue > Workflow > Skip alarm for Tags control
AWS > Glue > Workflow > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > CodeCommit > Repository > Approved > Custom
Action Types:
AWS > CodeCommit > Repository > Delete from AWS
AWS > CodeCommit > Repository > Set Tags
AWS > CodeCommit > Repository > Skip alarm for Active control
AWS > CodeCommit > Repository > Skip alarm for Active control [90 days]
AWS > CodeCommit > Repository > Skip alarm for Approved control
AWS > CodeCommit > Repository > Skip alarm for Approved control [90 days]
AWS > CodeCommit > Repository > Skip alarm for Tags control
AWS > CodeCommit > Repository > Skip alarm for Tags control [90 days]
Fixed the description of the name column in aws_organizations_account table. (#1947) (Thanks @badideasforsale for the contribution!)
Dependencies
Recompiled plugin with steampipe-plugin-sdk v5.6.3 which addresses the issue of expired credentials being intermittently retained in the connection cache. (#1956)
Fixed expired credentials sometimes being left in the connection cache. Update connection cache to use a backing store per connection, rather than a shared backing store. (#699)
Users can now set a Unique Writer Identity for Logging Sink created via the GCP > Turbot > Event Handlers stack. To get started, set the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity policy.
Guardrails stack controls would sometimes fail to update Pub/Sub Topic resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
Guardrails stack controls would sometimes fail to update Logging Sink resources if the Terraform plan in the stack's source policy was updated. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.0 or higher.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Glacier > Vault > Approved > Custom
Action Types:
AWS > Glacier > Vault > Delete from AWS
AWS > Glacier > Vault > Set Tags
AWS > Glacier > Vault > Skip alarm for Active control
AWS > Glacier > Vault > Skip alarm for Active control [90 days]
AWS > Glacier > Vault > Skip alarm for Approved control
AWS > Glacier > Vault > Skip alarm for Approved control [90 days]
AWS > Glacier > Vault > Skip alarm for Tags control
AWS > Glacier > Vault > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > WAF Regional > Rule > Approved > Custom
Action Types:
AWS > WAF Regional > Rule > Delete from AWS
AWS > WAF Regional > Rule > Skip alarm for Active control
AWS > WAF Regional > Rule > Skip alarm for Active control [90 days]
AWS > WAF Regional > Rule > Skip alarm for Approved control
AWS > WAF Regional > Rule > Skip alarm for Approved control [90 days]
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
AWS > VPC > Egress Only Internet Gateway > Delete from AWS
AWS > VPC > Egress Only Internet Gateway > Set Tags
AWS > VPC > Egress Only Internet Gateway > Skip alarm for Active control
AWS > VPC > Egress Only Internet Gateway > Skip alarm for Active control [90 days]
AWS > VPC > Egress Only Internet Gateway > Skip alarm for Approved control
AWS > VPC > Egress Only Internet Gateway > Skip alarm for Approved control [90 days]
AWS > VPC > Egress Only Internet Gateway > Skip alarm for Tags control
AWS > VPC > Egress Only Internet Gateway > Skip alarm for Tags control [90 days]
AWS > VPC > Elastic IP > Delete from AWS
AWS > VPC > Elastic IP > Set Tags
AWS > VPC > Elastic IP > Skip alarm for Active control
AWS > VPC > Elastic IP > Skip alarm for Active control [90 days]
AWS > VPC > Elastic IP > Skip alarm for Approved control
AWS > VPC > Elastic IP > Skip alarm for Approved control [90 days]
AWS > VPC > Elastic IP > Skip alarm for Tags control
AWS > VPC > Elastic IP > Skip alarm for Tags control [90 days]
AWS > VPC > Endpoint > Delete from AWS
AWS > VPC > Endpoint > Set Tags
AWS > VPC > Endpoint > Skip alarm for Active control
AWS > VPC > Endpoint > Skip alarm for Active control [90 days]
AWS > VPC > Endpoint > Skip alarm for Approved control
AWS > VPC > Endpoint > Skip alarm for Approved control [90 days]
AWS > VPC > Endpoint > Skip alarm for Tags control
AWS > VPC > Endpoint > Skip alarm for Tags control [90 days]
AWS > VPC > Endpoint Service > Delete from AWS
AWS > VPC > Endpoint Service > Set Tags
AWS > VPC > Endpoint Service > Skip alarm for Active control
AWS > VPC > Endpoint Service > Skip alarm for Active control [90 days]
AWS > VPC > Endpoint Service > Skip alarm for Approved control
AWS > VPC > Endpoint Service > Skip alarm for Approved control [90 days]
AWS > VPC > Endpoint Service > Skip alarm for Tags control
AWS > VPC > Endpoint Service > Skip alarm for Tags control [90 days]
AWS > VPC > Internet Gateway > Delete from AWS
AWS > VPC > Internet Gateway > Set Tags
AWS > VPC > Internet Gateway > Skip alarm for Active control
AWS > VPC > Internet Gateway > Skip alarm for Active control [90 days]
AWS > VPC > Internet Gateway > Skip alarm for Approved control
AWS > VPC > Internet Gateway > Skip alarm for Approved control [90 days]
AWS > VPC > Internet Gateway > Skip alarm for Tags control
AWS > VPC > Internet Gateway > Skip alarm for Tags control [90 days]
AWS > VPC > NAT Gateway > Delete from AWS
AWS > VPC > NAT Gateway > Set Tags
AWS > VPC > NAT Gateway > Skip alarm for Active control
AWS > VPC > NAT Gateway > Skip alarm for Active control [90 days]
AWS > VPC > NAT Gateway > Skip alarm for Approved control
AWS > VPC > NAT Gateway > Skip alarm for Approved control [90 days]
AWS > VPC > NAT Gateway > Skip alarm for Tags control
AWS > VPC > NAT Gateway > Skip alarm for Tags control [90 days]
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
AWS > VPC > DHCP Options > Delete from AWS
AWS > VPC > DHCP Options > Set Tags
AWS > VPC > DHCP Options > Skip alarm for Active control
AWS > VPC > DHCP Options > Skip alarm for Active control [90 days]
AWS > VPC > DHCP Options > Skip alarm for Tags control
AWS > VPC > DHCP Options > Skip alarm for Tags control [90 days]
AWS > VPC > Route Table > Delete from AWS
AWS > VPC > Route Table > Set Tags
AWS > VPC > Route Table > Skip alarm for Active control
AWS > VPC > Route Table > Skip alarm for Active control [90 days]
AWS > VPC > Route Table > Skip alarm for Tags control
AWS > VPC > Route Table > Skip alarm for Tags control [90 days]
AWS > VPC > Subnet > Delete from AWS
AWS > VPC > Subnet > Set Tags
AWS > VPC > Subnet > Skip alarm for Active control
AWS > VPC > Subnet > Skip alarm for Active control [90 days]
AWS > VPC > Subnet > Skip alarm for Tags control
AWS > VPC > Subnet > Skip alarm for Tags control [90 days]
AWS > VPC > VPC > Delete from AWS
AWS > VPC > VPC > Set Tags
AWS > VPC > VPC > Skip alarm for Active control
AWS > VPC > VPC > Skip alarm for Active control [90 days]
AWS > VPC > VPC > Skip alarm for Tags control
AWS > VPC > VPC > Skip alarm for Tags control [90 days]
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Elasticsearch > Domain > Approved > Custom
Action Types:
AWS > Elasticsearch > Domain > Delete from AWS
AWS > Elasticsearch > Domain > Set Tags
AWS > Elasticsearch > Domain > Skip alarm for Active control
AWS > Elasticsearch > Domain > Skip alarm for Active control [90 days]
AWS > Elasticsearch > Domain > Skip alarm for Approved control
AWS > Elasticsearch > Domain > Skip alarm for Approved control [90 days]
AWS > Elasticsearch > Domain > Skip alarm for Tags control
AWS > Elasticsearch > Domain > Skip alarm for Tags control [90 days]
The AWS > EC2 > Account Attributes > CMDB control would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > ElastiCache > Cache Cluster > Delete from AWS
AWS > ElastiCache > Cache Cluster > Set Tags
AWS > ElastiCache > Cache Cluster > Skip alarm for Active control
AWS > ElastiCache > Cache Cluster > Skip alarm for Active control [90 days]
AWS > ElastiCache > Cache Cluster > Skip alarm for Tags control
AWS > ElastiCache > Cache Cluster > Skip alarm for Tags control [90 days]
AWS > ElastiCache > Cache Parameter Group > Delete from AWS
AWS > ElastiCache > Cache Parameter Group > Skip alarm for Active control
AWS > ElastiCache > Cache Parameter Group > Skip alarm for Active control [90 days]
AWS > ElastiCache > Replication Group > Delete from AWS
AWS > ElastiCache > Replication Group > Skip alarm for Active control
AWS > ElastiCache > Replication Group > Skip alarm for Active control [90 days]
AWS > ElastiCache > Snapshot > Delete from AWS
AWS > ElastiCache > Snapshot > Set Tags
AWS > ElastiCache > Snapshot > Skip alarm for Active control
AWS > ElastiCache > Snapshot > Skip alarm for Active control [90 days]
AWS > ElastiCache > Snapshot > Skip alarm for Tags control
AWS > ElastiCache > Snapshot > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Data Pipeline > Pipeline > Approved > Custom
Action Types:
AWS > Data Pipeline > Pipeline > Delete from AWS
AWS > Data Pipeline > Pipeline > Set Tags
AWS > Data Pipeline > Pipeline > Skip alarm for Active control
AWS > Data Pipeline > Pipeline > Skip alarm for Active control [90 days]
AWS > Data Pipeline > Pipeline > Skip alarm for Approved control
AWS > Data Pipeline > Pipeline > Skip alarm for Approved control [90 days]
AWS > Data Pipeline > Pipeline > Skip alarm for Tags control
AWS > Data Pipeline > Pipeline > Skip alarm for Tags control [90 days]
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Added support for ap-northeast-3 and us-gov-east-1 regions in the AWS > SageMaker > Regions policy.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
AWS > Events > Rule > Skip alarm for Approved control
AWS > Events > Rule > Skip alarm for Approved control [90 days]
AWS > Events > Target > Skip alarm for Active control
AWS > Events > Target > Skip alarm for Active control [90 days]
AWS > Events > Target > Skip alarm for Approved control
AWS > Events > Target > Skip alarm for Approved control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > WAF > IP Set > Delete from AWS
AWS > WAF > IP Set > Skip alarm for Active control
AWS > WAF > IP Set > Skip alarm for Active control [90 days]
AWS > WAF > IP Set > Skip alarm for Approved control
AWS > WAF > IP Set > Skip alarm for Approved control [90 days]
AWS > WAF > IP Set v2 Global > Delete from AWS
AWS > WAF > IP Set v2 Global > Set Tags
AWS > WAF > IP Set v2 Global > Skip alarm for Active control
AWS > WAF > IP Set v2 Global > Skip alarm for Active control [90 days]
AWS > WAF > IP Set v2 Global > Skip alarm for Approved control
AWS > WAF > IP Set v2 Global > Skip alarm for Approved control [90 days]
AWS > WAF > IP Set v2 Global > Skip alarm for Tags control
AWS > WAF > IP Set v2 Global > Skip alarm for Tags control [90 days]
AWS > WAF > IP Set v2 Regional > Delete from AWS
AWS > WAF > IP Set v2 Regional > Set Tags
AWS > WAF > IP Set v2 Regional > Skip alarm for Active control
AWS > WAF > IP Set v2 Regional > Skip alarm for Active control [90 days]
AWS > WAF > IP Set v2 Regional > Skip alarm for Approved control
AWS > WAF > IP Set v2 Regional > Skip alarm for Approved control [90 days]
AWS > WAF > IP Set v2 Regional > Skip alarm for Tags control
AWS > WAF > IP Set v2 Regional > Skip alarm for Tags control [90 days]
AWS > WAF > Rate Based Rule > Delete from AWS
AWS > WAF > Rate Based Rule > Skip alarm for Active control
AWS > WAF > Rate Based Rule > Skip alarm for Active control [90 days]
AWS > WAF > Rate Based Rule > Skip alarm for Approved control
AWS > WAF > Rate Based Rule > Skip alarm for Approved control [90 days]
AWS > WAF > Regex Pattern Set v2 Global > Delete from AWS
AWS > WAF > Regex Pattern Set v2 Global > Set Tags
AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Active control
AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Active control [90 days]
AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Approved control
AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Approved control [90 days]
AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Tags control
AWS > WAF > Regex Pattern Set v2 Global > Skip alarm for Tags control [90 days]
AWS > WAF > Regex Pattern Set v2 Regional > Delete from AWS
AWS > WAF > Regex Pattern Set v2 Regional > Set Tags
AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Active control
AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Active control [90 days]
AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Approved control
AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Approved control [90 days]
AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Tags control
AWS > WAF > Regex Pattern Set v2 Regional > Skip alarm for Tags control [90 days]
AWS > WAF > Rule > Delete from AWS
AWS > WAF > Rule > Skip alarm for Active control
AWS > WAF > Rule > Skip alarm for Active control [90 days]
AWS > WAF > Rule > Skip alarm for Approved control
AWS > WAF > Rule > Skip alarm for Approved control [90 days]
AWS > WAF > Rule Group v2 Global > Delete from AWS
AWS > WAF > Rule Group v2 Global > Set Tags
AWS > WAF > Rule Group v2 Global > Skip alarm for Active control
AWS > WAF > Rule Group v2 Global > Skip alarm for Active control [90 days]
AWS > WAF > Rule Group v2 Global > Skip alarm for Approved control
AWS > WAF > Rule Group v2 Global > Skip alarm for Approved control [90 days]
AWS > WAF > Rule Group v2 Global > Skip alarm for Tags control
AWS > WAF > Rule Group v2 Global > Skip alarm for Tags control [90 days]
AWS > WAF > Rule Group v2 Regional > Delete from AWS
AWS > WAF > Rule Group v2 Regional > Set Tags
AWS > WAF > Rule Group v2 Regional > Skip alarm for Active control
AWS > WAF > Rule Group v2 Regional > Skip alarm for Active control [90 days]
AWS > WAF > Rule Group v2 Regional > Skip alarm for Approved control
AWS > WAF > Rule Group v2 Regional > Skip alarm for Approved control [90 days]
AWS > WAF > Rule Group v2 Regional > Skip alarm for Tags control
AWS > WAF > Rule Group v2 Regional > Skip alarm for Tags control [90 days]
AWS > WAF > Web ACL > Delete from AWS
AWS > WAF > Web ACL > Set Tags
AWS > WAF > Web ACL > Skip alarm for Active control
AWS > WAF > Web ACL > Skip alarm for Active control [90 days]
AWS > WAF > Web ACL > Skip alarm for Approved control
AWS > WAF > Web ACL > Skip alarm for Approved control [90 days]
AWS > WAF > Web ACL > Skip alarm for Tags control
AWS > WAF > Web ACL > Skip alarm for Tags control [90 days]
AWS > WAF > Web ACL v2 Global > Delete from AWS
AWS > WAF > Web ACL v2 Global > Set Tags
AWS > WAF > Web ACL v2 Global > Skip alarm for Active control
AWS > WAF > Web ACL v2 Global > Skip alarm for Active control [90 days]
AWS > WAF > Web ACL v2 Global > Skip alarm for Approved control
AWS > WAF > Web ACL v2 Global > Skip alarm for Approved control [90 days]
AWS > WAF > Web ACL v2 Global > Skip alarm for Tags control
AWS > WAF > Web ACL v2 Global > Skip alarm for Tags control [90 days]
AWS > WAF > Web ACL v2 Regional > Delete from AWS
AWS > WAF > Web ACL v2 Regional > Set Tags
AWS > WAF > Web ACL v2 Regional > Skip alarm for Active control
AWS > WAF > Web ACL v2 Regional > Skip alarm for Active control [90 days]
AWS > WAF > Web ACL v2 Regional > Skip alarm for Approved control
AWS > WAF > Web ACL v2 Regional > Skip alarm for Approved control [90 days]
AWS > WAF > Web ACL v2 Regional > Skip alarm for Tags control
AWS > WAF > Web ACL v2 Regional > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
AWS > Backup > Backup Plan > Delete from AWS
AWS > Backup > Backup Plan > Set Tags
AWS > Backup > Backup Plan > Skip alarm for Active control
AWS > Backup > Backup Plan > Skip alarm for Active control [90 days]
AWS > Backup > Backup Plan > Skip alarm for Tags control
AWS > Backup > Backup Plan > Skip alarm for Tags control [90 days]
AWS > Backup > Backup Selection > Delete from AWS
AWS > Backup > Backup Selection > Skip alarm for Active control
AWS > Backup > Backup Selection > Skip alarm for Active control [90 days]
AWS > Backup > Backup Vault > Delete from AWS
AWS > Backup > Backup Vault > Set Tags
AWS > Backup > Backup Vault > Skip alarm for Active control
AWS > Backup > Backup Vault > Skip alarm for Active control [90 days]
AWS > Backup > Backup Vault > Skip alarm for Tags control
AWS > Backup > Backup Vault > Skip alarm for Tags control [90 days]
AWS > Backup > Recovery Point > Delete from AWS
AWS > Backup > Recovery Point > Set Tags
AWS > Backup > Recovery Point > Skip alarm for Active control
AWS > Backup > Recovery Point > Skip alarm for Active control [90 days]
AWS > Backup > Recovery Point > Skip alarm for Tags control
AWS > Backup > Recovery Point > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for ap-south-1, af-south-1, cn-north-1 and us-gov-east-1 regions in the AWS > WorkSpaces > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > WorkSpaces > WorkSpace > Approved > Custom
Action Types:
AWS > WorkSpaces > WorkSpace > Delete from AWS
AWS > WorkSpaces > WorkSpace > Set Tags
AWS > WorkSpaces > WorkSpace > Skip alarm for Active control
AWS > WorkSpaces > WorkSpace > Skip alarm for Active control [90 days]
AWS > WorkSpaces > WorkSpace > Skip alarm for Approved control
AWS > WorkSpaces > WorkSpace > Skip alarm for Approved control [90 days]
AWS > WorkSpaces > WorkSpace > Skip alarm for Tags control
AWS > WorkSpaces > WorkSpace > Skip alarm for Tags control [90 days]
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for cn-north-1, cn-northwest-1, us-gov-east-1 and us-gov-west-1 regions in the AWS > MQ > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Amazon MQ > Broker > Approved > Custom
Action Types:
AWS > Amazon MQ > Broker > Delete from AWS
AWS > Amazon MQ > Broker > Set Tags
AWS > Amazon MQ > Broker > Skip alarm for Active control
AWS > Amazon MQ > Broker > Skip alarm for Active control [90 days]
AWS > Amazon MQ > Broker > Skip alarm for Approved control
AWS > Amazon MQ > Broker > Skip alarm for Approved control [90 days]
AWS > Amazon MQ > Broker > Skip alarm for Tags control
AWS > Amazon MQ > Broker > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > Logs > Log Group > Delete from AWS
AWS > Logs > Log Group > Set Tags
AWS > Logs > Log Group > Skip alarm for Active control
AWS > Logs > Log Group > Skip alarm for Active control [90 days]
AWS > Logs > Log Group > Skip alarm for Approved control
AWS > Logs > Log Group > Skip alarm for Approved control [90 days]
AWS > Logs > Log Group > Skip alarm for Encryption at Rest control
AWS > Logs > Log Group > Skip alarm for Encryption at Rest control [90 days]
AWS > Logs > Log Group > Skip alarm for Tags control
AWS > Logs > Log Group > Skip alarm for Tags control [90 days]
AWS > Logs > Log Stream > Delete from AWS
AWS > Logs > Log Stream > Skip alarm for Active control
AWS > Logs > Log Stream > Skip alarm for Active control [90 days]
AWS > Logs > Log Stream > Skip alarm for Approved control
AWS > Logs > Log Stream > Skip alarm for Approved control [90 days]
AWS > Logs > Metric Filter > Delete from AWS
AWS > Logs > Metric Filter > Skip alarm for Active control
AWS > Logs > Metric Filter > Skip alarm for Active control [90 days]
AWS > Logs > Metric Filter > Skip alarm for Approved control
AWS > Logs > Metric Filter > Skip alarm for Approved control [90 days]
AWS > Logs > Resource Policy > Delete from AWS
AWS > Logs > Resource Policy > Skip alarm for Active control
AWS > Logs > Resource Policy > Skip alarm for Active control [90 days]
AWS > Logs > Resource Policy > Skip alarm for Approved control
AWS > Logs > Resource Policy > Skip alarm for Approved control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for cn-north-1, cn-northwest-1, us-gov-east-1 and us-gov-west-1 regions in the AWS > FSx > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > FSx > Backup > Approved > Custom
AWS > FSx > File System > Approved > Custom
Action Types:
AWS > FSx > Backup > Delete from AWS
AWS > FSx > Backup > Set Tags
AWS > FSx > Backup > Skip alarm for Active control
AWS > FSx > Backup > Skip alarm for Active control [90 days]
AWS > FSx > Backup > Skip alarm for Approved control
AWS > FSx > Backup > Skip alarm for Approved control [90 days]
AWS > FSx > Backup > Skip alarm for Tags control
AWS > FSx > Backup > Skip alarm for Tags control [90 days]
AWS > FSx > File System > Delete from AWS
AWS > FSx > File System > Set Tags
AWS > FSx > File System > Skip alarm for Active control
AWS > FSx > File System > Skip alarm for Active control [90 days]
AWS > FSx > File System > Skip alarm for Approved control
AWS > FSx > File System > Skip alarm for Approved control [90 days]
AWS > FSx > File System > Skip alarm for Tags control
AWS > FSx > File System > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
AWS > CloudWatch > Alarm > Delete from AWS
AWS > CloudWatch > Alarm > Set Tags
AWS > CloudWatch > Alarm > Skip alarm for Active control
AWS > CloudWatch > Alarm > Skip alarm for Active control [90 days]
AWS > CloudWatch > Alarm > Skip alarm for Approved control
AWS > CloudWatch > Alarm > Skip alarm for Approved control [90 days]
AWS > CloudWatch > Alarm > Skip alarm for Tags control
AWS > CloudWatch > Alarm > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for ca-central-1, eu-west-2, sa-east-1, us-east-2 and us-gov-east-1 regions in the AWS > AppStream > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Updated github_issue, github_my_issue, github_pull_request, github_search_issue, and github_search_pull_request tables to only include nested and user permission columns in GraphQL request when requested. This should result in faster queries and large scale queries completing more consistently. (#342)
Fixed vanta_computer table queries failing due to inclusion of deprecated API field requiresLocationServices in fetchDomainEndpoints query. (#19) (Thanks @eric-glb for the contribution!)
The Sentry base URL can now be set through the base_url config argument or SENTRY_URL environment variable. (#11) (Thanks @beudbeud for the contribution!)
The AWS > EC2 > Volume > Discovery control would go into an error state because of an unintended GraphQL query bug. This is fixed and the control will now work correctly as expected.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > GuardDuty > Detector > Delete from AWS
AWS > GuardDuty > Detector > Set Tags
AWS > GuardDuty > Detector > Skip alarm for Active control
AWS > GuardDuty > Detector > Skip alarm for Active control [90 days]
AWS > GuardDuty > Detector > Skip alarm for Approved control
AWS > GuardDuty > Detector > Skip alarm for Approved control [90 days]
AWS > GuardDuty > Detector > Skip alarm for Tags control
AWS > GuardDuty > Detector > Skip alarm for Tags control [90 days]
AWS > GuardDuty > IPSet > Delete from AWS
AWS > GuardDuty > IPSet > Set Tags
AWS > GuardDuty > IPSet > Skip alarm for Active control
AWS > GuardDuty > IPSet > Skip alarm for Active control [90 days]
AWS > GuardDuty > IPSet > Skip alarm for Approved control
AWS > GuardDuty > IPSet > Skip alarm for Approved control [90 days]
AWS > GuardDuty > IPSet > Skip alarm for Tags control
AWS > GuardDuty > IPSet > Skip alarm for Tags control [90 days]
AWS > GuardDuty > ThreatIntelSet > Delete from AWS
AWS > GuardDuty > ThreatIntelSet > Set Tags
AWS > GuardDuty > ThreatIntelSet > Skip alarm for Active control
AWS > GuardDuty > ThreatIntelSet > Skip alarm for Active control [90 days]
AWS > GuardDuty > ThreatIntelSet > Skip alarm for Approved control
AWS > GuardDuty > ThreatIntelSet > Skip alarm for Approved control [90 days]
AWS > GuardDuty > ThreatIntelSet > Skip alarm for Tags control
AWS > GuardDuty > ThreatIntelSet > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > EMR > Cluster > Delete from AWS
AWS > EMR > Cluster > Set Tags
AWS > EMR > Cluster > Skip alarm for Active control
AWS > EMR > Cluster > Skip alarm for Active control [90 days]
AWS > EMR > Cluster > Skip alarm for Approved control
AWS > EMR > Cluster > Skip alarm for Approved control [90 days]
AWS > EMR > Cluster > Skip alarm for Tags control
AWS > EMR > Cluster > Skip alarm for Tags control [90 days]
AWS > EMR > Security Configuration > Delete from AWS
AWS > EMR > Security Configuration > Skip alarm for Active control
AWS > EMR > Security Configuration > Skip alarm for Active control [90 days]
AWS > EMR > Security Configuration > Skip alarm for Approved control
AWS > EMR > Security Configuration > Skip alarm for Approved control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > ECS > Cluster > Delete from AWS
AWS > ECS > Cluster > Set Tags
AWS > ECS > Cluster > Skip alarm for Active control
AWS > ECS > Cluster > Skip alarm for Active control [90 days]
AWS > ECS > Cluster > Skip alarm for Approved control
AWS > ECS > Cluster > Skip alarm for Approved control [90 days]
AWS > ECS > Cluster > Skip alarm for Tags control
AWS > ECS > Cluster > Skip alarm for Tags control [90 days]
AWS > ECS > Container Instance > Delete from AWS
AWS > ECS > Container Instance > Skip alarm for Active control
AWS > ECS > Container Instance > Skip alarm for Active control [90 days]
AWS > ECS > Container Instance > Skip alarm for Approved control
AWS > ECS > Container Instance > Skip alarm for Approved control [90 days]
AWS > ECS > Service > Delete from AWS
AWS > ECS > Service > Set Tags
AWS > ECS > Service > Skip alarm for Active control
AWS > ECS > Service > Skip alarm for Active control [90 days]
AWS > ECS > Service > Skip alarm for Approved control
AWS > ECS > Service > Skip alarm for Approved control [90 days]
AWS > ECS > Service > Skip alarm for Tags control
AWS > ECS > Service > Skip alarm for Tags control [90 days]
AWS > ECS > Task Definition > Delete from AWS
AWS > ECS > Task Definition > Set Tags
AWS > ECS > Task Definition > Skip alarm for Active control
AWS > ECS > Task Definition > Skip alarm for Active control [90 days]
AWS > ECS > Task Definition > Skip alarm for Approved control
AWS > ECS > Task Definition > Skip alarm for Approved control [90 days]
AWS > ECS > Task Definition > Skip alarm for Tags control
AWS > ECS > Task Definition > Skip alarm for Tags control [90 days]
You can now configure Block Public Access for AMIs. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for AMIs policy to Enforce: Enable Block Public Access for AMIs.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
AWS > EC2 > Account Attributes > Block Public Access for AMIs
Policy Types:
AWS > EC2 > Account Attributes > Block Public Access for AMIs
Action Types:
AWS > EC2 > Account Attributes > Update Block Public Access for AMIs
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > SES > Identity > Delete from AWS
AWS > SES > Identity > Skip alarm for Active control
AWS > SES > Identity > Skip alarm for Active control [90 days]
AWS > SES > Identity > Skip alarm for Approved control
AWS > SES > Identity > Skip alarm for Approved control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Security Hub > Hub > Approved > Custom
Action Types:
AWS > Security Hub > Hub > Delete from AWS
AWS > Security Hub > Hub > Set Tags
AWS > Security Hub > Hub > Skip alarm for Approved control
AWS > Security Hub > Hub > Skip alarm for Approved control [90 days]
AWS > Security Hub > Hub > Skip alarm for Tags control
AWS > Security Hub > Hub > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > Kinesis > Consumer > Delete from AWS
AWS > Kinesis > Consumer > Skip alarm for Active control
AWS > Kinesis > Consumer > Skip alarm for Active control [90 days]
AWS > Kinesis > Consumer > Skip alarm for Approved control
AWS > Kinesis > Consumer > Skip alarm for Approved control [90 days]
AWS > Kinesis > Stream > Delete from AWS
AWS > Kinesis > Stream > Set Tags
AWS > Kinesis > Stream > Skip alarm for Active control
AWS > Kinesis > Stream > Skip alarm for Active control [90 days]
AWS > Kinesis > Stream > Skip alarm for Approved control
AWS > Kinesis > Stream > Skip alarm for Approved control [90 days]
AWS > Kinesis > Stream > Skip alarm for Encryption at Rest control
AWS > Kinesis > Stream > Skip alarm for Encryption at Rest control [90 days]
AWS > Kinesis > Stream > Skip alarm for Tags control
AWS > Kinesis > Stream > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > DynamoDB > Backup > Delete from AWS
AWS > DynamoDB > Backup > Skip alarm for Active control
AWS > DynamoDB > Backup > Skip alarm for Active control [90 days]
AWS > DynamoDB > Backup > Skip alarm for Approved control
AWS > DynamoDB > Backup > Skip alarm for Approved control [90 days]
AWS > DynamoDB > Global Table > Delete from AWS
AWS > DynamoDB > Global Table > Skip alarm for Active control
AWS > DynamoDB > Global Table > Skip alarm for Active control [90 days]
AWS > DynamoDB > Global Table > Skip alarm for Approved control
AWS > DynamoDB > Global Table > Skip alarm for Approved control [90 days]
AWS > DynamoDB > Table > Delete from AWS
AWS > DynamoDB > Table > Set Tags
AWS > DynamoDB > Table > Skip alarm for Active control
AWS > DynamoDB > Table > Skip alarm for Active control [90 days]
AWS > DynamoDB > Table > Skip alarm for Approved control
AWS > DynamoDB > Table > Skip alarm for Approved control [90 days]
AWS > DynamoDB > Table > Skip alarm for Encryption at Rest control
AWS > DynamoDB > Table > Skip alarm for Encryption at Rest control [90 days]
AWS > DynamoDB > Table > Skip alarm for Tags control
AWS > DynamoDB > Table > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Shield > Protection > Approved > Custom
Action Types:
AWS > Shield > Protection > Delete from AWS
AWS > Shield > Protection > Skip alarm for Active control
AWS > Shield > Protection > Skip alarm for Active control [90 days]
AWS > Shield > Protection > Skip alarm for Approved control
AWS > Shield > Protection > Skip alarm for Approved control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Directory Service > Directory > Approved > Custom
Action Types:
AWS > Directory Service > Directory > Delete from AWS
AWS > Directory Service > Directory > Skip alarm for Active control
AWS > Directory Service > Directory > Skip alarm for Active control [90 days]
AWS > Directory Service > Directory > Skip alarm for Approved control
AWS > Directory Service > Directory > Skip alarm for Approved control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > CodeBuild > Build > Delete from AWS
AWS > CodeBuild > Build > Skip alarm for Active control
AWS > CodeBuild > Build > Skip alarm for Active control [90 days]
AWS > CodeBuild > Build > Skip alarm for Approved control
AWS > CodeBuild > Build > Skip alarm for Approved control [90 days]
AWS > CodeBuild > Project > Delete from AWS
AWS > CodeBuild > Project > Set Tags
AWS > CodeBuild > Project > Skip alarm for Active control
AWS > CodeBuild > Project > Skip alarm for Active control [90 days]
AWS > CodeBuild > Project > Skip alarm for Approved control
AWS > CodeBuild > Project > Skip alarm for Approved control [90 days]
AWS > CodeBuild > Project > Skip alarm for Tags control
AWS > CodeBuild > Project > Skip alarm for Tags control [90 days]
AWS > CodeBuild > Source Credential > Delete from AWS
AWS > CodeBuild > Source Credential > Skip alarm for Active control
AWS > CodeBuild > Source Credential > Skip alarm for Active control [90 days]
AWS > CodeBuild > Source Credential > Skip alarm for Approved control
AWS > CodeBuild > Source Credential > Skip alarm for Approved control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Athena > NamedQuery > Approved > Custom
AWS > Athena > Workgroup > Approved > Custom
Action Types:
AWS > Athena > NamedQuery > Delete from AWS
AWS > Athena > NamedQuery > Set Tags
AWS > Athena > NamedQuery > Skip alarm for Active control
AWS > Athena > NamedQuery > Skip alarm for Active control [90 days]
AWS > Athena > NamedQuery > Skip alarm for Approved control
AWS > Athena > NamedQuery > Skip alarm for Approved control [90 days]
AWS > Athena > NamedQuery > Skip alarm for Tags control
AWS > Athena > NamedQuery > Skip alarm for Tags control [90 days]
AWS > Athena > Workgroup > Delete from AWS
AWS > Athena > Workgroup > Set Tags
AWS > Athena > Workgroup > Skip alarm for Active control
AWS > Athena > Workgroup > Skip alarm for Active control [90 days]
AWS > Athena > Workgroup > Skip alarm for Approved control
AWS > Athena > Workgroup > Skip alarm for Approved control [90 days]
AWS > Athena > Workgroup > Skip alarm for Tags control
AWS > Athena > Workgroup > Skip alarm for Tags control [90 days]
Removed custom plugin level retryer which was unnecessary as the plugin already uses the AWS SDK retryer. (#1932)
The plugin now retries errors with the error code UnknownError. These are often thrown by services like SNS when performing a large number of requests. (#1932)
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > CloudSearch > Domain > Skip alarm for Active control
AWS > CloudSearch > Domain > Skip alarm for Active control [90 days]
AWS > CloudSearch > Domain > Skip alarm for Approved control
AWS > CloudSearch > Domain > Skip alarm for Approved control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
AWS > API Gateway > API > Delete from AWS
AWS > API Gateway > API > Set Tags
AWS > API Gateway > API > Skip alarm for Active control
AWS > API Gateway > API > Skip alarm for Active control [90 days]
AWS > API Gateway > API > Skip alarm for Approved control
AWS > API Gateway > API > Skip alarm for Approved control [90 days]
AWS > API Gateway > API > Skip alarm for Tags control
AWS > API Gateway > API > Skip alarm for Tags control [90 days]
AWS > API Gateway > API Key > Delete from AWS
AWS > API Gateway > API Key > Set Tags
AWS > API Gateway > API Key > Skip alarm for Active control
AWS > API Gateway > API Key > Skip alarm for Active control [90 days]
AWS > API Gateway > API Key > Skip alarm for Approved control
AWS > API Gateway > API Key > Skip alarm for Approved control [90 days]
AWS > API Gateway > API Key > Skip alarm for Tags control
AWS > API Gateway > API Key > Skip alarm for Tags control [90 days]
AWS > API Gateway > API V2 > Delete from AWS
AWS > API Gateway > API V2 > Set Tags
AWS > API Gateway > API V2 > Skip alarm for Active control
AWS > API Gateway > API V2 > Skip alarm for Active control [90 days]
AWS > API Gateway > API V2 > Skip alarm for Approved control
AWS > API Gateway > API V2 > Skip alarm for Approved control [90 days]
AWS > API Gateway > API V2 > Skip alarm for Tags control
AWS > API Gateway > API V2 > Skip alarm for Tags control [90 days]
AWS > API Gateway > Authorizer > Delete from AWS
AWS > API Gateway > Authorizer > Skip alarm for Active control
AWS > API Gateway > Authorizer > Skip alarm for Active control [90 days]
AWS > API Gateway > Authorizer > Skip alarm for Approved control
AWS > API Gateway > Authorizer > Skip alarm for Approved control [90 days]
AWS > API Gateway > Authorizer V2 > Delete from AWS
AWS > API Gateway > Authorizer V2 > Skip alarm for Active control
AWS > API Gateway > Authorizer V2 > Skip alarm for Active control [90 days]
AWS > API Gateway > Authorizer V2 > Skip alarm for Approved control
AWS > API Gateway > Authorizer V2 > Skip alarm for Approved control [90 days]
AWS > API Gateway > Domain Name V2 > Delete from AWS
AWS > API Gateway > Domain Name V2 > Set Tags
AWS > API Gateway > Domain Name V2 > Skip alarm for Active control
AWS > API Gateway > Domain Name V2 > Skip alarm for Active control [90 days]
AWS > API Gateway > Domain Name V2 > Skip alarm for Approved control
AWS > API Gateway > Domain Name V2 > Skip alarm for Approved control [90 days]
AWS > API Gateway > Domain Name V2 > Skip alarm for Tags control
AWS > API Gateway > Domain Name V2 > Skip alarm for Tags control [90 days]
AWS > API Gateway > Integration V2 > Delete from AWS
AWS > API Gateway > Integration V2 > Skip alarm for Active control
AWS > API Gateway > Integration V2 > Skip alarm for Active control [90 days]
AWS > API Gateway > Integration V2 > Skip alarm for Approved control
AWS > API Gateway > Integration V2 > Skip alarm for Approved control [90 days]
AWS > API Gateway > Resource > Delete from AWS
AWS > API Gateway > Resource > Skip alarm for Active control
AWS > API Gateway > Resource > Skip alarm for Active control [90 days]
AWS > API Gateway > Resource > Skip alarm for Approved control
AWS > API Gateway > Resource > Skip alarm for Approved control [90 days]
AWS > API Gateway > Stage > Delete from AWS
AWS > API Gateway > Stage > Set Tags
AWS > API Gateway > Stage > Skip alarm for Active control
AWS > API Gateway > Stage > Skip alarm for Active control [90 days]
AWS > API Gateway > Stage > Skip alarm for Approved control
AWS > API Gateway > Stage > Skip alarm for Approved control [90 days]
AWS > API Gateway > Stage > Skip alarm for Tags control
AWS > API Gateway > Stage > Skip alarm for Tags control [90 days]
AWS > API Gateway > Stage v2 > Delete from AWS
AWS > API Gateway > Stage v2 > Set Tags
AWS > API Gateway > Stage v2 > Skip alarm for Active control
AWS > API Gateway > Stage v2 > Skip alarm for Active control [90 days]
AWS > API Gateway > Stage v2 > Skip alarm for Approved control
AWS > API Gateway > Stage v2 > Skip alarm for Approved control [90 days]
AWS > API Gateway > Stage v2 > Skip alarm for Tags control
AWS > API Gateway > Stage v2 > Skip alarm for Tags control [90 days]
AWS > API Gateway > Usage Plan > Delete from AWS
AWS > API Gateway > Usage Plan > Set Tags
AWS > API Gateway > Usage Plan > Skip alarm for Active control
AWS > API Gateway > Usage Plan > Skip alarm for Active control [90 days]
AWS > API Gateway > Usage Plan > Skip alarm for Approved control
AWS > API Gateway > Usage Plan > Skip alarm for Approved control [90 days]
AWS > API Gateway > Usage Plan > Skip alarm for Tags control
AWS > API Gateway > Usage Plan > Skip alarm for Tags control [90 days]
AWS/Amplify/Admin and AWS/Amplify/Metadata now also include permissions for Deployment, WebHook and Artifacts.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > Amplify > App > Approved > Custom
Action Types:
AWS > Amplify > App > Delete from AWS
AWS > Amplify > App > Set Tags
AWS > Amplify > App > Skip alarm for Active control
AWS > Amplify > App > Skip alarm for Active control [90 days]
AWS > Amplify > App > Skip alarm for Approved control
AWS > Amplify > App > Skip alarm for Approved control [90 days]
AWS > Amplify > App > Skip alarm for Tags control
AWS > Amplify > App > Skip alarm for Tags control [90 days]
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
AWS > ACM > Certificate > Approved > Custom
Action Types:
AWS > ACM > Certificate > Delete from AWS
AWS > ACM > Certificate > Set Tags
AWS > ACM > Certificate > Skip alarm for Active control
AWS > ACM > Certificate > Skip alarm for Active control [90 days]
AWS > ACM > Certificate > Skip alarm for Approved control
AWS > ACM > Certificate > Skip alarm for Approved control [90 days]
AWS > ACM > Certificate > Skip alarm for Tags control
AWS > ACM > Certificate > Skip alarm for Tags control [90 days]
Updated the queries to use the attributes_std and address columns from the terraform_resource table instead of arguments, type and name columns for better support of terraform state files. (#34)
Dependencies
Terraform plugin v0.10.0 or higher is now required. (#34)
Updated the queries to use the attributes_std and address columns from the terraform_resource table instead of arguments, type and name columns for better support of terraform state files. (#42)
Dependencies
Terraform plugin v0.10.0 or higher is now required. (#42)
Updated the queries to use the attributes_std and address columns from the terraform_resource table instead of arguments, type and name columns for better support of terraform state files. (#35)
Dependencies
Terraform plugin v0.10.0 or higher is now required. (#35)
Updated the queries to use the attributes_std and address columns from the terraform_resource table instead of arguments, type and name columns for better support of terraform state files. (#90)
Dependencies
Terraform plugin v0.10.0 or higher is now required. (#90)
Fixed the source_account_id column of aws_securityhub_finding table to correctly return data instead of null. (#1927) (Thanks @gabrielsoltz for the contribution!)
Fixed the members column of aws_rds_db_cluster table to correctly return data instead of null. (#1926)
The initialise function is now being called for implicit hydrate configs (i.e. hydrate functions without explicit config), thereby preventing nil pointer reference errors when the hydrate function returns an error. (#683)
Define multiple instances of a plugin version using a plugin connection config block. (#3807)
The maximum memory used by plugins and the CLI can now be specified either in plugin instance definitions or the new plugin options block. (#3807)
New introspection tables steampipe_plugin and steampipe_plugin_limiter containing all configured plugin instances and limiters. (#3746)
New introspection table steampipe_server_settings populated with server settings data during service startup. (#3462)
Running plugin install with no arguments installs all referenced plugins. (#3451)
New --output flag for plugin list cmd allows selection between json and table output. (#3368)
Each plugin directory ncontains a version.json which can be used to recompose the global plugin versions.json if it is missing or corrupt. (#3492)
Typing .cache in interactive prompt shows the current value of cache. (#2439)
Steampipe commands bypass plugin requirement check if installed plugin is locally built. (#3643)
New skip-config flag disables writing of default plugin config during plugin installation. (#3531, #2206)
Logs are now written to file instead of console. (#2916)
When plugin startup fails, report useful message in the CLI. (#3732)
Users are warned to not have mod.sp files in home directory. (#2321)
Updated messaging when service is started on an unavailable port. (#623)
Log files are rotated if the process is active across date boundaries. (#125, #3825)
Listen hosts may be selected when starting steampipe service. (#3505)
Initialisation behaviour for the sample options has been changed: always copy a sample file (default.spc.sample), but only overwrite the default.spc file with the sample content if the existing file has not been modified. (#3431)
Validation for the workspace profile cache settings. (#3646)
Support OCI registries requiring authentication. (#2819)
Limiters provide a simple, flexible interface to implement client-site rate limiting and concurrency thresholds at compile time or run time. You can use limiters to:
Smooth the request rate from Steampipe to reduce load on the remote API or service
Limit the number of parallel requests to reduce contention for client and network resources
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
The source_type config argument has been deprecated and will be removed in the next major version. Please use the source_types config argument instead. If both config arguments are set, source_types will take precedence. For backward compatibility, please see below for old and new value equivalents: (#167)
Removed the output column in the exec_command table. This column has been replaced by the stdout_output and stderr_output columns. (#13)
What's new?
Added stdout_output and stderr_output columns to the exec_command table. (#13)
Added stream column to the exec_command_line table. (#13)
Added plugin limiter exec_global with MaxConcurrency set to 15 in an effort to reduce abuse reports due to large number of concurrent remote connections. (#13)
Bug fixes
Results from the exec_command table should now be consistent when using local and remote connections. (#13)
Diagnostics property added to _ctx column, containing information on hydrate calls and rate limiting (enabled by setting env var STEAMPIPE_DIAGNOSTIC_LEVEL=all)
Support for JSONB operators in List hydrate functions. (#594)
Type property added to ConnectionConfig protobuf definition to determine if a connection is an aggregator. (#590)
When plugin startup fails, write a specially formatted string to stdout so plugin manager can parse the output and display a useful message. (#619)
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
AWS/MSK/Admin, AWS/MSK/Metadata and AWS/MSK/Operator now also include permissions for Cluster V2, Scram Secrets and Kafka VPC Connections.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Policy Types:
AWS > MSK > Cluster > Approved > Custom
AWS > MSK > Cluster > Approved > Instance Types
Action Types:
AWS > MSK > Cluster > Delete from AWS
AWS > MSK > Cluster > Set Tags
AWS > MSK > Cluster > Skip alarm for Active control
AWS > MSK > Cluster > Skip alarm for Active control [90 days]
AWS > MSK > Cluster > Skip alarm for Approved control
AWS > MSK > Cluster > Skip alarm for Approved control [90 days]
AWS > MSK > Cluster > Skip alarm for Tags control
AWS > MSK > Cluster > Skip alarm for Tags control [90 days]
Bug fixes
Guardrails would sometimes fail to upsert clusters correctly in CMDB. This is now fixed.
Added support for Global Event Handlers. This release contains new Guardrails policies and controls to support deployment of Global Event Handlers for AWS.
AWS/RDS/Admin, AWS/RDS/Metadata and AWS/RDS/Operator now include permissions for Performance Insights.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Added support for querying on-premise Jira instances. This can be done by setting the personal_access_token config argument in the jira.spc file. (#86) (Thanks @juandspy for the contribution!)
Added support for new multi-regions NAM8, NAM9, NAM10, NAM11, NAM12, NAM13, NAM14, NAM15, NAM-EUR-ASIA1, NAM-EUR-ASIA3, IN, EUR5, EUR6, EUROPE and EMEA in the GCP > Project > Regions policy.
Update github_my_repository, github_repository, and github_search_repository tables to only include requested columns in GraphQL request. This should result in faster queries and large scale queries completing more consistently. (#338)
The AWS > VPC > Security Group > CMDB control would sometimes go into an error state if the TE version installed on the workspace was 5.42.1 or lower. This is fixed and the control will now work as expected.
Added support for new europe-west10 region in the GCP > Project > Regions policy.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Added support for new asia-northeast3, asia-south2, asia-southeast2, australia-southeast2, europe-central2, europe-southwest1, europe-west10, europe-west12, europe-west8, europe-west9, me-central1, me-west1, northamerica-northeast2, southamerica-west1, us-east5, us-south1, us-west3 and us-west4 regions in the GCP > Compute Engine > Regions policy.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Bug fixes
The real-time Event Handlers would sometimes fail to upsert data disks attached to instances in Guardrails CMDB. This is now fixed.
Guardrails stack controls would fail to claim any existing Security Group if the Security Group was available in Guardrails CMDB and the stack's Source policy included the Terraform plan for the Security Group. This is fixed and stack control will now be able to claim existing Security Groups correctly. Please note that this fix will only work for workspaces on TE v5.42.2 or higher.
Guardrails stack controls would sometimes fail to update Security Groups and Security Group Rules if the Terraform plan in the stack's source policy included changes to attributes which force replaced the resource. This is fixed and the stack controls will now update such resources correctly, as expected. Please note that this fix will only work for workspaces on TE v5.42.2 or higher.
After starting/stopping an instance successfully, the AWS > EC2 > Instance > Schedule control would try and perform the same start/stop action again if the state of the instance was changed outside of the control within 1 hour of the successful start/stop run. This is fixed and the control will now not trigger a start/stop action again for a minimum of 1 hour of the previous successful run.
Fixed the invalid memory address or nil pointer dereference errors when querying Terraform configuration or plan or state files that included null valued arguments. (#56)
Fixed the plugin to return nil instead of an error when the file/path specified in dockerfile_paths or docker_compose_file_paths config arguments does not exist. (#38)
Added the missing resource column in the queries of glue_data_catalog_encryption_settings_metadata_encryption_enabled and glue_data_catalog_encryption_settings_password_encryption_enabled controls. (#715)
Deprecated domain column in net_certificate table, which has been replaced by the address column. Please note that the address column requires a port, e.g., github.com:443. This column will be removed in a future version. (#50)
What's new?
Added address column to the net_certificate table to allow specifying a port with the domain name. (#50)
Updated the bitbucket.spc and index.md files to include details of BITBUCKET_USERNAME, BITBUCKET_PASSWORD, and BITBUCKET_API_BASE_URL environment variables. (#77)
A few policy values would sometimes fail to evaluate correctly if the mod was installed on TE v5.42.1. We've fixed this issue and such policy values will now be evaluated correctly.
We've updated the runtime for lambda functions in the aws-efs mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
We've updated the runtime for lambda functions in the aws-config mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
We've updated the runtime for lambda functions in the aws-cloudtrail mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Added: Added support for control/action update notifications.
Added: Support for interface in control types.
Added: Turbot Installation Type environment variable.
Added: SES SendEmail permission to Worker Lambda Role.
Added: Add notification index to improve performance of notifications.
Updated: Improve policy value create/update with a more efficient database design.
Updated: Description of TE stack from Turbot Enterprise to Turbot Guardrails Enterprise.
Updated: @slack/web-api to 6.8.1. @wry/equality to 0.5.6. anymatch to 3.1.3. archiver to 5.3.1. body-parser to 1.20.2. chai to 4.3.7. chokidar to 3.5.3. classnames to 2.3.2. cli-progress to 3.12.0. copy-to-clipboard to 3.3.3. dataloader to 2.2.2. diff to 5.1.0. express to 4.18.2. generate-password to 1.7.0. graphql-2-json-schema to 0.10.0. http-status-codes to 2.2.0. lodash-match-pattern to 2.3.1. micromatch to 4.0.5. mockserver-client to 5.15.0. moment-timezone to 0.5.43. nconf to 0.12.0. nodemailer to 6.9.2. nunjucks to 3.2.4. passport to 0.6.0. pg to 8.10.0. performant-array-to-tree to 1.11.0. prismjs to 1.29.0. prompt to 1.3.0. prompts to 2.4.2. recursive-readdir to 2.2.3. redux to 4.2.1. resolve to 1.22.2. semver to 7.5.1. simple-git to 3.18.0. unzipper to 0.10.14. uri-js to 4.4.1. vm2 to 3.9.19 and other dev dependencies. Removed aws-appsync and aws-xray-sdk. ioredis to 5.3.1.
UI
Updated: Updated new login logo and home page logo.
Updated: Turbot directory should be created in guardrails.turbot.com.
Updated: Turbot directory SSO login should be redirected to there respective guardrails domain.
Note
IAM change in this release:
Updated worker lambda to include SES SendEmail permissions.
Rebrand to Turbot Guardrails CLI. We recommend using the new guardrails registries guardrails.turbot.com, guardrails.turbot-stg.com or guardrails.turbot-dev.com to publish a guardrails mod. To maintain compatibility, none of the existing commands have changed, your existing configuration and commands will continue to work as before.
Rebrand to Turbot Guardrails provider. Resource and data source names in this provider have not changed to maintain compatibility. Existing templates will continue to work as-is without need to change anything.
Added: Tagging details now included in CSV download for GCP Compute Engine VM Instances, Azure Compute Virtual Machines, Azure Compute Disks and EBS Volumes report.
Added: New filters for Turbot Files and Smart Folders in the resource browser.
Updated: Editing a Turbot File via the UI no longer requires the resource AKA to be specified.
Fixed: Resource deletion will no longer trigger an increase the count of active controls.
Updated: Moved management of the Elasticache user group to CloudFormation
instead of the Hive Manager lambda. It is no longer necessary to update the
Redis access control groups after making changes to the Redis cluster.
Updated: Turbot will now use AWS Terraform provider version 3.75.0 when
Turbot > Stack Terraform Version [Default] is set to 0.15.*
Bug fixes
Fixed: Timestamp display in the console now updates correctly for recently
deleted mods.
Fixed: When an Action fails due to cloud provider throttling, Turbot will
now reschedule the control that triggered the action, those actions should now
be more consistently applied under heavy loads.
Note AWS IAM permissions change in this release:
Updated: Worker Lambda to include Elasticache permissions to support the
Turbot > Cache > Health Check control.
Updated: Hive Manager no longer manages the authentication configuration for
ElastiCache. This responsibility has shifted to Turbot Guardrails Enterprise Database.
Added: New parameter for attaching a custom security group to each ECS host.
Added: New parameter for attaching a custom security group to the TE ALB. Requires TE > v5.40.0.
Added: Option added to enable IMDSv2 for ECS hosts.
Added: New parameters to specify the size and type of EBS volumes attached to ECS Hosts.
Added: New parameter to specify a port for outbound SMTP (if needed).
Updated: The db_pair security group now includes Elasticache rules, when Elasticache is enabled.
Deprecation
As a result of this change to the db_pair security group, the Elasticache cache_pair security group is no longer required. It will be removed in a future release.
Fixed: Improved handling of HTTP "Too Many Requests" (429) errors.
Enterprise
Updated: TE Management Lambdas, and ECS Containers will be deployed with the
NodeJS 16.x runtime. This change is independent of Mod Lambda runtime
versions.
Added: If specified in TEF, a custom security group may be assigned to the TE
ALB.
Updated: Query for resource notifications to improve performance when using
the Activity sub-tab on the resource page.
Updated: Improved logic used to determine when to run maintenance control for
stale policy values.
Updated: Mod install controlls will now use the standard worker queue instead
of worker_priority queue to allow other actions to take priority during mod
installs.
Enterprise
Updated: Updated Ubuntu vm2 package to version 3.9.11. to resolve
CVE-2022-36067.
Updated: Message retetion period of events priority queue changed to 96 hours.
Fixed: Apollo UI behaves properly when setting backoff interval of an action.
Fixed: Actor display information will now fallback to unidentified if
persona and identity are not available.
Updated: UI will now use the actor information of the process (if supplied)
for Policy Setting CRUD operations.
Updated: Action runs now carry the identity of its launcher. This changes the
way notifications are presented. Previously notifications from an action
showed as Unidentified, now they will carry the identity of the launcher,
most of the time this will be the Turbot identity unless the action is
launched by a user from Turbot UI.
Enterprise
Updated: Linux Environment control to support version 3 of SELinux Python
bindings
Quick Actions Quick Actions is a new feature that allows Turbot users to
initaite specific (one time) control enforcements on their cloud environment via
the Turbot UI. Cloud operations teams can use Quick Actions to remediate cloud
configuration issues (e.g. enable encryption on a resource) or snooze Turbot
alarms for issues that we want to come back to later. More
details in the documentation. Quick actions will be rolling out across all
supported cloud services in the coming months (based on your feedback); this
initial release covers resources in the following AWS mods:
cloudtrail
ec2
kms
lambda
rds
s3
sns
sqs
vpc
Disabling the Quick Actions feature
Quick Actions use the permissions granted to the Turbot service user or
cross-account role used to import your cloud service account into Turbot.
Execution of quick actions will fail if the underlying role prevents those
actions from occuring.
The Quick Actions feature is disabled by default, but can easily be enabled
via the Turbot > Quick Actions > Enabled policy. If you would like to
prevent lower level Turbot administrators from enabling Quick Actions for
their cloud service accounts, then make sure you set
Turbot > Quick Actions > Enabled to Disabled at the Turbot level using the
Required option.
The policy Turbot > Quick Actions > Permission Levels offers fine-grained
control over which Turbot permission levels are required to execute specific
quick actions. These permission limits can be set globally and specific
exceptions can be managed down to the individual cloud service account level.
Enterprise
Split package dependencies between Server and UI so they can use independent
versions of GraphQL.
Updated: Moved management of the Elasticache user group to CloudFormation
instead of the Hive Manager lambda. It is no longer necessary to update the
Redis access control groups after making changes to the Redis cluster.
1.30.0 [2022-03-01]
What's new?
Updated: Elasticache now uses the db_pair security group from TEF 1.47.0.
Fixed: The Cloudformation Hive custom resource used to depend on Elasticache
when it shouldn't have in environments without Elasticache deployed.
Deprecation
As a result of this change to the db_pair security group, the Elasticache
cache_pair security group is no longer required. It will be removed in a
future release.
There are IAM changes in this release for the turbot_policy_parameter.
What's new?
Turbot Security Group is added and includes rules for Ansible and LDAP. The security group is intended for additional rules to be added under feature flags. Note: the existing LDAP and Ansible security groups will remain for older TE versions.
Dashboard for ECS Cluster metrics is now added.
Autoscaling parameters were added for the Events Service.
ElastiCache Security Groups and Subnet Groups are now added to the overrides template.
TEF Workspace Manager now prevents users from changing the workspace name.
OSGuardrail parameter location from Advanced - OS Guardrails to Advanced - Deployment Group.
turbot_parameters and turbot_policy_parameter lambda functions now include VPC config.
turbot_policy_parameter IAM Role now includes EC2 network interfaces policy.
Improved input validation to not allow blank values.
template build was loading the lock-file from the base branch to determine
the current template version. When using a work-in-progress (wip) branch, this
could lead to identifying an incorrect current version, leading to rebasing
errors. Fix by loading the lock file from the wip branch.
turbot compose (used by all CLI commands that compose mods) now omits the
releaseNotes field from turbot.head.json. It is still included in
turbot.dist.json.
turbot template has a new --unchanged-issue <issue_id> argument. When a
template build operation commits changes to git, if no files have actually
changed then the commit message will use this issue instead of the normal
--issue <issue_id> field. The commit message will also specify "no changes".
Further refined our IAM permissions for S3 bucket access, with a focus on
removing more wildcards. It was already good, but now it's better.
Bug fixes
Made the ElastiCache network infrastructure optional through Development
Mode. It was harmless, but not necessary unless ElastiCache is enabled in
TED.
Moved policy parameter role into the IAM stacks, where it belongs.
Databases should never automatically upgrade their minor or major versions.
Doing so takes the database out of sync with the CloudFormation stack, leading
to upgrade rollbacks. We've deliberately removed these options and set the
auto-update to false.
Changes to the Turbot audit trail log group in v1.14.0 forced a name change,
which is difficult for customers with integrations. This version removes that
requirement, so existing installs keep their original log group name.
Bug fixes
Required TEF version dropped back down to TEF v1.25.0. v1.27.0 is only
required if you are setting up the experimental ElastiCache features.
Reclaimed the ECSDesiredInstanceCount parameter, which now defaults to
using ECSMinInstanceCount instead. This frees up a precious parameter slot
for other options.
Added the DevelopmentMode parameter for internal use, which groups options
like using the latest container image (instead of cached).
For environments with ElastiCache enabled in TED, cache subnet group and
security groups have been added.
The deletion policy for the DB Parameter Group is now set to Retain.
New installations will now add the stack ID to the audit trail log group,
making it easier to re-install TED multiple times in testing / setup.
New ExperimentalFeatures flag, allowing gradual introduction of new
capabilities. The first one is installation of ElastiCache preparing for
future use in TE.
ECS Agent should attempt to use the locally cached image, which dramatically
reduces disk IO and download bandwidth.
Upgrade via CloudFormation had a race condition in our custom resource Lambda
functions that could be triggered when doing a large number of upgrades or
rollbacks in parallel.
When a custom outbound access security group is specified in the TEF template
do not create the {prefix}_outbound_internet_security_group or the
{prefix}_{version}_outbound_internet_security_group.
turbot install - checks if a compatible version of each dependency is
already installed. If so, it is does not install from the registry unless
there is a newer version available.
turbot template build --rebase rebuilds templates while using rebase to
better merge and preserve custom changes to the rendered files since the last
build.
The (optional) API Gateway to proxy external events to the internal Turbot
load balancer was returning error codes (5xx) all queries even though it
worked successfully. This could lead to retries of the message (which were
not processed due to our duplicate detection). Errors in both the event
handler and the health check have been cleared.
As part of preparing for connection pooling, the hive manager included steps
to initialize multiple database roles. These are not yet in use so have been
removed.
As part of preparing for connection pooling, the hive manager included steps
to initialize multiple database roles. These are not yet in use so have been
removed.
The default browser facing security group (used by the load balancer) is now
open on port 80, so HTTP traffic can be automatically redirected to HTTPS at
the load balancer level.
Expanded EC2 instance type options, and changed the default to t3.medium.
Changed the default maximum limit for ECS hosts from 64 to a more sensible,
but still generous, 8.
Further restricted permissions to EC2 hosts, limiting the accessible resources
as much as possible.
Introducing a new parameter model in TEF, allowing parameter "overrides" to
be optionally set in SSM. Turbot creates default parameters, but will
automatically detect any overrides you create during the stack run. This
allows us to expand beyond the 60 parameter limit of CloudFormation.
Each Turbot version installs minimal IAM policies and roles specific to its
requirements. Some customers prefer more control over IAM management, so we
now support BYO-IAM with parameters for all IAM entities required in the
Turbot primary account.
Added parameters to optionally set the ALB Log Prefix and ALB Idle Timeout.
TEF will now perform a rolling update of the EC2 hosts if required due to
launch configuration changes, ensuring no downtime during upgrades.
Allow preinstall check Lambda function to use VPC from non-VPC setting.
Parameter groups created in GovCloud do not support newer parameters, unless a
new parameter group is created (Note: AWS Commerical accounts were not
affected by this). This blocks some existing customers from upgrading their
TED stack. Because parameter group changes require a reboot (downtime), and
most customers do not require this change, we've made it an optional parameter
in the stack to force the change as required.
Default storage allocation for new installs is now 1TB (up from 100GB).
turbot install was attempting to install the latest version, which would
fail if that version was not available or recommended. It will now install the
latest recommended version, or if none are recommended, the latest available
version.
Network Interface permissions added in v1.19.0 are low risk, but have
been tightened further to only be granted in environments running Lambda
inside the VPC.
TED and TE are being enhanced to automatically check that their required
versions of TEF and TED are installed. The Lambda function they use for
that check (custom resource during the CloudFormation stack run) is
deployed in TEF, and added in this release.
Turbot Guardrails Enterprise uses a lot of Lambda functions to execute mod code. For
organizations who prefer more visibility into network traffic, we're adding
support to run these functions inside the VPC. This version of TEF expands
the IAM permissions granted to Lambda functions with the minimum required
to attach Network Interface cards.
TED now automatically checks the required TEF version is installed. If not,
the TED stack will automatically rollback allowing you to upgrade TEF first.
Flags parameter will allow features to be enabled or disabled at the
installation level giving us more flexibility to innovate and gradually
deploy features.
The default for TrackFunctions in v1.7.0 was pl. Consider changing this to
none (the new, more common, default in v1.8.0) if you don't require that
tracking.
What's new?
Process log data collected by Turbot is being moved into TED level management.
This better aligns with our model of data separation and encryption. This
version adds S3 buckets with encryption and lifecycle rules to start accepting
that (and other future) data.
If the master password is an empty string then Turbot will reset it
automatically when required. The default was previously blank, requiring the
parameter to be set (even if to empty string). This was difficult to
understand and implement for those automating TED configuration. We now
default to the empty string.
Added new DB instance size option of m5.8xlarge.
Bug fixes
Resource names related to metric collection, alarms and dashboards have been
updated to use the ResourceName prefix. This aligns them with all other TED
resources and makes it easier to track or target them with local rules.
Moved to ECS optimized Amazon Linux 2 as our host OS for containers.
(Previously we used ECS optimized Amazon Linux 1.)
Expanded proxy server support, particularly through the ECS bootstrap sequence.
We now support HTTP and HTTPS requests being routed to a http:// proxy for
all traffic - no need for endpoints or similar in any case. (We do not yet
support custom certificates and https:// proxies.)
TEF now publishes an SSM parameter with the currently installed version,
which will be used in the future to check version compatibility during TED
and TE upgrades.
Mod authors often want to set their new version as RECOMMENDED in the
registry, telling users it's the best choice. Use
turbot publish --force-recommended and turbot modify --force-recommended
to mark this version as RECOMMENDED and set all currently recommended
versions to AVAILABLE.
Bug fixes
turbot test was showing incorrect test data validation errors, due to a
graphql schema change that had not been handled by the CLI.
Allow Self-Signed Certificate parameter, instructing Turbot to ignore
certificate errors when connecting to external services - for example -
enterprise environments with an outbound internet proxy.
S3 bucket inventory has been enabled, setting us up for future batch
operations on collections of log files.
Updated lifecycle rules to clean deleted versions of debug logs and
match changes to the prefix of log files.
Added a "connectivity test" lambda function, making it easier to verify that
an environment has the necessary network setup. Run
${ResourceNamePrefix}_connectivity_checker manually to test.
Improved descriptions for the Installation Domain and Turbot Certificate ARN
parameters.
turbot login was failing if the ~/.config folder did not exist.
turbot template build was always expecting a wip-* instance branch to
exist. It's now correctly limited to runs where --use-instance-root-branch
is passed.
Proxy support via the HTTPS_PROXY environment variable. Login, install mods
and publish to our registry all via your favorite proxy. (Provided it's a
http:// proxy, we don't support https:// yet.)
Updates Hive Manager, which includes the ability to convert ownership of
database schemas. This is part of a longer term effort to move database
ownership to specific turbot roles, reducing our use of the master account.
Manage published mods in the registry from the CLI, including their status and
description. For example
turbot registry modify --mod "@turbot/aws" --mod-version "5.0.0" --status RECOMMENDED --description "updated description".
Usually a newly published version should be the recommended one. So now you
can do that automatically during turbot publish using the
--status RECOMMENDED flag.
turbot template build now supports instance root branch names with a random
suffix, following the naming convention: wip/<instance root name>/*. We've
found scheme much more effective at scale.
We now automatically include RELEASE_NOTES.md as well as CHANGELOG.md when
building a mod. Release notes are intended for users while a changelog is
intended for developers or others obsessed over details.
turbot test validates input query, but only works for a single query (not
for the more advanced array of queries syntax). Previously the test would
always fail for an array of queries, so we're now skipping the test in these
cases until it can be fully supported.
Bug fixes
turbot publish --dir <mod folder> did not work if run outside the mod
folder - the function zips were not correctly created.
EC2 instances used for ECS should have AssociatePublicIpAddress set to false.
This is a defence improvement since our EC2 instances are run in a private VPC
so were not publically accessible anyway.
Some organizations need to use a self-signed certificate for their ALB. This would
fail a certificate check when also using our API Gateway proxy. Use the Self
Signed Certificate In ALB parameter to ignore these certificate errors.
Bug fixes
The IAM role used for ECS EC2 instances is now named consistently with our
other IAM roles.
Existing TEF installations must install v1.9.0 before upgrading to
v1.10.0. This sequence will automatically preserve and transition parameter
settings for S3 bucket names as we move from fixed names to randomized names
by default for new installations.
What's new?
Log and process buckets now use a partly random name by default, making new
installations smoother and easier to troubleshoot.
Security access from the load balancer to ECS has changed from requiring
port 8443 to requiring the full high port range of 32768-65535. This
allows us to run ECS in bridge mode and efficiently reuse IP addresses across
Turbot core containers.
The outbound security group now allows port 80 outbound by default. This
makes cloud-init in the ECS optimized image run much faster than only
providing port 443 outbound.
If you are upgrading from a previous TEF version, you will
need to make the modifications listed below:
Add ports 32768-65535 to the Load Balancer Security Group OUTBOUND to the API Security Group
Add ports 32768-65535 to the API Security Group INBOUND from the Load Balancer Security Group
Add port 80 to the Outbound Internet Security Group OUTBOUND to 0.0.0.0/0
What's new?
Use ECS on EC2 (instead of Fargate) to accelerate container startup
time (particularly for stacks), increase cost efficiency at scale,
and prepare for wider container use at the core level.
A new directive, +schema has been added for turbot compose. This allows
you to include a specific item from a schema file, including all definitions
which are referenced.
turbot template build will now run even if there are changes on the local
branch, if neither the --use-fleet-branch or --use-instance-root-branch
arguments are set. This is useful when running building templates for the
first time with local config updated but not committed.
turbot aws credentials now supports --aws-profile <aws_profile>,
--profile <turbot_profile> and
--access-key <turbot_access_key> --secret-key <turbot_secret_key>
combinations.
Bug fixes
turbot test was doing type coercion of input data before validation. It now
expects correct types to be passed, matching the behavior of the Turbot
server.
Use --no-color to simplify the output of any command. Sometimes less is
more.
turbot template build --git --branch <branch-name> allows you to specify the
branch the build operations will be committed onto.
turbot template build no longer supports the --config flag. Use
template.yml files instead.
Bug fixes
turbot install was not downloading files. Now it does.
turbot template build was creating template.yml files for every template
instance. This is noisy and defeats the value of template inheritence, so has
been stopped.
Clearer reporting of errors when running turbot template build.
turbot template build --fleet-mode now defaults to update, which is almost
always the right choice.
When running turbot template build --git it is no longer necessary to
specify a base git branch, it sensibly assumes you want to use the current
branch.
Use turbot pack --zip-file awesome.zip to output mods with any name you
prefer.
turbot template outdated fixed to work with specific template definition
directories.
Only save successful template operations to the branch when using
turbot template build --git. Previously we were polluting that goodness with
failures as well.
Limit template-lock.yml to data that is absolutely necessary, removing noise
from change logs.
Disabled turbot template update. Please use turbot template build instead,
as you probably already were.
turbot inspect --output-format will now accept either a file path to the template or the template string directly.
Clearer output of the actions taken when running turbot template build.
Automatic code merging when doing updates with turbot template build will now merge successful changes onto a single branch and write failed patches to the filesystem for easier review.
Reduced scope of permissions granted to custom mod Lambda functions. These
add extra levels of protection and take effect as mods are installed or
updated in Turbot v5.5.0 or later.
turbot template build has a special case "provider" field in the render
context. Long term it will be removed. Short term, it should not break for
vendor level mods like @turbot/aws or @turbot/linux.
Instance Type for Replica DB will now default to Same as Primary DB, which
is a lot easier than having to set and maintain it manually when most of the
time they are the same anyway.
The parameter Instance Type for Replica DB is new and must be set during
upgrade. (Note: Fixed in v1.3.0 to use Same as Primary DB by default.)
What's new?
The Turbot Audit Trail is stored in a CloudWatch Log group managed in TED. It
will now be retained if the TED stack is deleted, avoiding loss of audit trail
data in that rare scenario.
Easily configure auto-scaling of the database storage up to a maximum value.
Read replicas can now have a different instance class to the primary.
Typically they have a lower load level, so we've added flexibility to optimize
costs.
Default to using the alpha region (as defined in TEF) for primary DB install.
Use turbot aws credentials --account 123456789012 --profile my-account to
generate and save temporary AWS credentials into your local AWS profile.
Easily work across many AWS accounts using your single Turbot profile.
Filter turbot template build to target all instances of a specific template,
which is great when you are in the process of converting code to use the
template (some code in template management, some still custom).
Bug fixes
turbot test was broken in v1.0.4 due to a missing dependency. Life is better with friends.
The Hive Manager and Workspace Manager lambda functions used during the
workspace upgrade process were not properly connecting to the database using
SSL during initial workspace creation (they were during upgrades). Our change
to force SSL on the database in TED revealed this issue, which is now fixed.
Expanded the list of database instance classes available during install to
include older generations (e.g. m3) which are required for AWS us-gov-west-1.
Added the AWS RDS 2017 certificate as an option, since it's uniquely used and
required in Gov Cloud installs.
TEF version is now published as an output parameter in CloudFormation. (We'd
rather that Service Catalog showed this automatically, but there is an AWS
quirk that breaks that feature when Service Catalog versions are published
using CloudFormation.)
Workspace upgrades may now take up to 15 minutes before timing out. This
allows us to run larger data migration jobs during the upgrade process.
(Don't worry, we design these to be background tasks that don't affect
availability during the upgrade.)
Custom security groups are published as SSM parameters allowing them to be
leveraged by the Turbot Guardrails Enterprise CloudFormation stacks to override
per-version default security groups.
Bug fixes
GovCloud installations require conditions in IAM to match the correct
partition arn:aws-us-gov:.
The AWS RDS certificate change requires a database reboot. This may cause a
brief impact on availability. Please schedule this change for a suitable
window.
What's new?
SSL is now required by default for all connections to the database. We used
SSL anyway, but now we enforce it at the DB level as an extra precaution.
Upgrade database instances to the AWS RDS 2019 root certificate (their 2015
certificate is expiring soon).
Registry name validation should work for valid registries like turbot.com.
turbot test has a test.awsProfile field to set the AWS profile to use when
running tests locally. This has been moved into the generic, customizable
test.options.awsProile location since it's relevant to AWS mods specifically
rather than a core feature of Turbot.
