Changelog

Subscribe to all changelog posts via RSS or follow #changelog on our Slack community to stay updated on everything we ship.

Bug fixes

  • Server
    • Added support for OpenTofu 1.x (open source Terraform) integration via Guardrails.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • Server
    • Added support for OpenTofu v1.8.3 (open source Terraform) container to run Stack [Native] controls.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Users can now create and manage cloud resources with OpenTofu 1.x (open source Terraform) via Guardrails. To get started, set the Stack [Native] > * policies.

Control Types

  • GCP > Project > Stack [Native]

Policy Types

  • GCP > Project > Stack [Native]
  • GCP > Project > Stack [Native] > Modifier
  • GCP > Project > Stack [Native] > Secret Variables
  • GCP > Project > Stack [Native] > Source
  • GCP > Project > Stack [Native] > Variables

What's new?

  • Users can now create and manage cloud resources with OpenTofu 1.x (open source Terraform) via Guardrails. To get started, set the Stack [Native] > * policies.

Control Types

  • Azure > Subscription > Stack [Native]

Policy Types

  • Azure > Subscription > Stack [Native]
  • Azure > Subscription > Stack [Native] > Modifier
  • Azure > Subscription > Stack [Native] > Secret Variables
  • Azure > Subscription > Stack [Native] > Source
  • Azure > Subscription > Stack [Native] > Variables

What's new?

  • Users can now create and manage cloud resources with OpenTofu 1.x (open source Terraform) via Guardrails. To get started, set the Stack [Native] > * policies.

Control Types

  • Azure > Network > Virtual Network > Stack [Native]

Policy Types

  • Azure > Network > Virtual Network > Stack [Native]
  • Azure > Network > Virtual Network > Stack [Native] > Modifier
  • Azure > Network > Virtual Network > Stack [Native] > Secret Variables
  • Azure > Network > Virtual Network > Stack [Native] > Source
  • Azure > Network > Virtual Network > Stack [Native] > Variables

What's new?

  • Users can now create and manage cloud resources with OpenTofu 1.x (open source Terraform) via Guardrails. To get started, set the Stack [Native] > * policies.

Control Types

  • AWS > VPC > Stack [Native]
  • AWS > VPC > VPC > Stack [Native]

Policy Types

  • AWS > VPC > Stack [Native]
  • AWS > VPC > Stack [Native] > Modifier
  • AWS > VPC > Stack [Native] > Secret Variables
  • AWS > VPC > Stack [Native] > Source
  • AWS > VPC > Stack [Native] > Variables
  • AWS > VPC > VPC > Stack [Native]
  • AWS > VPC > VPC > Stack [Native] > Modifier
  • AWS > VPC > VPC > Stack [Native] > Secret Variables
  • AWS > VPC > VPC > Stack [Native] > Source
  • AWS > VPC > VPC > Stack [Native] > Variables

What's new?

  • Users can now create and manage cloud resources with OpenTofu 1.x (open source Terraform) via Guardrails. To get started, set the Stack [Native] > * policies.

Control Types

  • AWS > Account > Stack [Native]
  • AWS > Region > Stack [Native]

Policy Types

  • AWS > Account > Stack [Native]
  • AWS > Account > Stack [Native] > Modifier
  • AWS > Account > Stack [Native] > Secret Variables
  • AWS > Account > Stack [Native] > Source
  • AWS > Account > Stack [Native] > Variables
  • AWS > Region > Stack [Native]
  • AWS > Region > Stack [Native] > Modifier
  • AWS > Region > Stack [Native] > Secret Variables
  • AWS > Region > Stack [Native] > Source
  • AWS > Region > Stack [Native] > Variables

What's new?

  • Users can now create and manage cloud resources with OpenTofu 1.x (open source Terraform) via Guardrails. To get started, set the Stack [Native] > * policies.

Control Types

  • AWS > S3 > Bucket > Stack [Native]

Policy Types

  • AWS > S3 > Bucket > Stack [Native]
  • AWS > S3 > Bucket > Stack [Native] > Modifier
  • AWS > S3 > Bucket > Stack [Native] > Secret Variables
  • AWS > S3 > Bucket > Stack [Native] > Source
  • AWS > S3 > Bucket > Stack [Native] > Variables

What's new?

  • Users can now create and manage cloud resources with OpenTofu 1.x (open source Terraform) via Guardrails. To get started, set the Stack [Native] > * policies.

Control Types

  • AWS > IAM > Stack [Native]

Policy Types

  • AWS > IAM > Stack [Native]
  • AWS > IAM > Stack [Native] > Modifier
  • AWS > IAM > Stack [Native] > Secret Variables
  • AWS > IAM > Stack [Native] > Source
  • AWS > IAM > Stack [Native] > Variables

What's new?

Enhancements

  • Added instance_type_pattern column as an optional qual to the aws_ec2_instance_type table. (#2301)
  • Added image_digest column as an optional qual to the aws_ecr_image_scan_finding table. (#2357)
  • Added created_at and updated_at columns as optional quals to the aws_securityhub_finding table. (#2298)
  • Added account_password_present column to aws_iam_account_summary table. (#2346)
  • Added tags column to aws_backup_plan table. (#2336) (Thanks @pdecat for the contribution!)
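The practical point of an optional qual is that Steampipe passes the filter down into the AWS API call instead of fetching every row and filtering in Postgres. The queries below are an added example, not code from the plugin or its changelog; they assume a Steampipe instance with the AWS plugin installed, and the repository name, image tag and image digest are constructed placeholders. Columns other than the ones named in the entries above (id, title, severity, account_id, account_mfa_enabled, name) are assumed to exist in these tables.

```sql
-- Added example, not part of the plugin changelog. Assumes a Steampipe
-- instance with the AWS plugin; placeholder values are constructed.

-- 1. Security Hub findings opened in the last 7 days. Because created_at is
--    now an optional qual, the time window is passed to GetFindings rather
--    than applied after every finding has been downloaded.
select
  id,
  title,
  severity ->> 'Label' as severity_label,
  created_at,
  updated_at
from
  aws_securityhub_finding
where
  created_at >= now() - interval '7 days'
order by
  created_at desc;

-- 2. Accounts whose root user still has a console password. A quick
--    pre-check before running the credential-report based controls.
select
  account_id,
  account_password_present,
  account_mfa_enabled
from
  aws_iam_account_summary
where
  account_password_present;

-- 3. Scan findings for one specific image. image_digest narrows the result
--    to the exact artifact a pipeline deployed, which a mutable tag cannot
--    guarantee. repository_name and image_tag are kept as filters on the
--    assumption that they remain the table's key columns; the digest value
--    is a constructed placeholder.
select
  repository_name,
  image_digest,
  name as finding,
  severity
from
  aws_ecr_image_scan_finding
where
  repository_name = 'my-app'
  and image_tag = 'latest'
  and image_digest = 'sha256:0000000000000000000000000000000000000000000000000000000000000000'
order by
  severity;
```

If a qual is not pushed down (for example a column that is not a key column), the query still works but the plugin lists everything first; check the plugin's table documentation for the key columns before relying on a filter for performance.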

Bug fixes

  • Fixed the aws_rds_db_instance table to correctly return data instead of an error by ignoring the CertificateNotFound error code. (#2363)

What's new?

  • Improved CLI load time for environments with many connection resources.
  • Updated Go to v1.23.

Bug fixes

  • The real-time Event Handlers would fail to update details for Flow Logs attached to Virtual Networks. This is now fixed.

Bug fixes

  • Guardrails would fail to update CMDB for virtual networks when flow logs were created or removed from such resources. This is now fixed.

What's new?

  • Added pipelines to run CIS v3.0.0 benchmark. These pipelines can be used to identify Azure resources that are non-compliant with CIS recommendations and also remediate them according to CIS remediation suggestions. For usage information and a full list of pipelines, please see Azure CIS Mod.

What's new?

  • Added 109 new 'detect and correct' pipelines to identify Azure resources that are non-compliant with common security and compliance checks. These pipelines can also remediate non-compliant resources automatically or with approval steps. For usage information and a full list of pipelines, please see Azure Compliance Mod.

Bug fixes

  • The AWS > VPC > VPC > Flow Logging control previously attempted to destroy and recreate flow logs with CloudWatch log groups as the destination on successive runs due to an incorrect ARN reference to the log destination. This issue is now fixed, and the control will no longer unnecessarily destroy and recreate flow logs in such cases.

What's new?

  • New pipelines added: (#22)
    • encrypt_storage_account
    • set_mysql_flexible_server_parameter
    • set_postgres_flexible_server_configuration
    • set_postgres_flexible_server_require_secure_transport
    • set_sql_server_tde_key
    • update_compute_disk_encryption_with_cmk
    • update_compute_disk
    • update_key_vault_rbac_authorization
    • update_sql_server_public_network_access
    • update_storage_account_blob_public_access

What's new?

  • New pipelines added: (#81)
    • generate_iam_credential_report

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • Updated the internal dependencies of the Terraform Version policy across the stack controls to prevent unnecessary control reruns. There is no user-visible change in behaviour; the controls simply rerun less often and more reliably than before.

Bug fixes

  • In a previous version, we resolved an issue in the Azure > Compute > Virtual Machine Scale Set > Tags control to ensure tags were updated correctly for Scale Sets launched via the Azure Marketplace. However, the control occasionally failed to update tags for Scale Sets on certain purchase plans. This issue has now been addressed, and the control will update tags correctly and reliably for all types of Scale Sets.

Bug fixes

  • UI
    • Updated the filter logic on the Reports page for more accurate results.
    • Resolved an issue where resource links in the Permissions section redirected to the profile page instead of the resource page when grouped by resources.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • Users can now define a list of events to filter out while polling for events using the Azure > Turbot > Event Poller. To get started, set the Azure > Turbot > Event Poller > Excluded Events policy.

Policy Types

  • Azure > Turbot > Event Poller > Excluded Events

What's new?

  • Users can now check and enforce SQS SSE for queue encryption. To get started, configure the AWS > SQS > Queue > Encryption at Rest policy to one of the following values: Check: SQS SSE, Check: SQS SSE or higher, Enforce: SQS SSE or Enforce: SQS SSE or higher.

What's new?

  • Check if Kubernetes clusters are approved for use via Guardrails. To get started, set the Kubernetes > Cluster > Approved > * policies.

Control Types

  • Kubernetes > Cluster > Approved

Policy Types

  • Kubernetes > Cluster > Approved
  • Kubernetes > Cluster > Approved > Custom

Bug fixes

  • The Azure > App Service > Function App > HTTPS Only control would sometimes fail to enable the setting in Azure. This is now fixed.

Bug fixes

  • The GCP > Compute Engine > Instance > Serial Port Access and GCP > Compute Engine > Instance > Block Project Wide SSH Keys controls would sometimes go into an error state due to incorrect references to CMDB attributes. This is fixed and the controls will now work as expected.

What's new?

  • The list of supported regions for various resource types has been refreshed. This update enables Guardrails to discover and manage resources across all supported regions for these resource types in Azure.

Bug fixes

  • Guardrails would fail to delete unapproved ingress rules when the Azure > Network > Network Security Group > Ingress Rules > Approved policy was set to Enforce: Delete unapproved. This is now fixed.

Bug fixes

  • Guardrails would sometimes update the createTimestamp for Web Apps and Function Apps incorrectly when processing update events for these resources. We have updated the internal logic to ensure the createTimestamp is now updated correctly and more reliably than before.

Bug fixes

  • Disks created alongside VMs sometimes lacked createdBy details in their metadata. The internal logic has been updated to ensure createdBy details are added more reliably for these disks.

Bug fixes

  • The GCP > IAM > Service Account Key > Active control has been updated to use validAfterTime instead of metadata.createTimestamp to accurately evaluate the age of the resource.

What's new?

  • Users can now check and delete DB clusters that are not approved for use if they lack encryption at rest. To get started, set the AWS > RDS > DB Cluster > Approved > Encryption at Rest > * policies.

Policy Types

  • AWS > RDS > DB Cluster > Approved > Encryption at Rest
  • AWS > RDS > DB Cluster > Approved > Encryption at Rest > Customer Managed Key

What's new?

  • Users can now check if their account spend is On Target per Budget. To get started, set the AWS > Account > Budget > Enabled policy to Check: Budget > State is On Target.

Bug fixes

  • UI
    • Resolved an issue where reports pages could crash if certain information was null.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • Server
    • Resolved an issue where actor information was not being passed correctly during the process execution, ensuring accurate tracking and processing of actor-related data.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • The AWS > VPC > Route > CMDB control would go into an error state due to an incorrect use of a function from an internal node package. This is now fixed.

Bug fixes

  • Guardrails would sometimes overwrite the createdBy details for storage accounts incorrectly because real-time update events were mishandled. This issue has been fixed, and createdBy details will now be stored more reliably and consistently than before.
  • In a previous version, we inadvertently introduced a bug that prevented the createTimestamp details from being stored in the metadata of new storage accounts upserted in the Guardrails CMDB. This issue has now been resolved, and createTimestamp details are stored correctly and reliably.

What's new?

Enhancements

  • Added error, is_public, resource_owner_account and resource_type optional quals for aws_accessanalyzer_finding table. (#2331) (Thanks @dbermuehler for the contribution!)
  • Updated the aws_s3_object table to use the HeadObject API to retrieve object metadata. (#2312) (Thanks @JonMerlevede for the contribution!)

Bug fixes

  • Fixed the aws_s3_bucket table to correctly return data by ignoring the not found error in getBucketTagging and getBucketWebsite hydrate functions. (#2335)

Bug fixes

  • Fixed minor spelling issues in query help output. (#542)
  • Updated error message to inform users to run make dashboard_assets when dashboard assets are not present. (#524)

Bug fixes

  • Fixed the issue where the steampipe interactive meta-command .cache clear was not clearing the cache. (#4443)

What's new?

  • Added NYDFS 23 benchmark (powerpipe benchmark run aws_compliance.benchmark.nydfs_23). (#844)

What's new?

  • Resource metadata will now also include createdBy details in the Guardrails CMDB.

Bug fixes

  • The AWS > VPC > VPC > Flow Logging control would sometimes fail to update flow logs if the Max Aggregation Interval in the stack's source policy was updated. This is fixed and the stack control will now update such resources correctly, as expected.

What's new?

  • Users can now configure the maximum aggregation interval in the AWS > VPC > VPC > Flow Logging control. To get started, set the AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval policy and/or AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval policy.

Policy Types

  • AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval
  • AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval

Enhancements

  • Added multi_region and multi_region_configuration columns to aws_kms_key table. (#2338) (Thanks @pdecat for the contribution!)
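Two of the new columns above are worth a query of their own, because each answers a question a reviewer routinely asks: which KMS keys have material replicated into other Regions, and which Access Analyzer findings describe resources reachable from outside the account (the is_public and resource_owner_account quals added to aws_accessanalyzer_finding in the earlier entry). The block below is an added example, not code from either plugin or its changelog; it assumes a Steampipe instance with the AWS plugin, and column names beyond those named in the entries (id, arn, key_manager, key_state, resource, resource_type, status, updated_at, and the aws_accessanalyzer_analyzer table with its arn column) are assumed.

```sql
-- Added example, not part of the plugin changelog. Assumes Steampipe with
-- the AWS plugin; columns not named in the changelog entries are assumed.

-- 1. Customer-managed multi-Region KMS keys and the Regions holding replicas.
--    The same key material exists in every replica Region, so the replica list
--    is the blast radius of an over-permissive key policy. The JSON shape
--    (MultiRegionKeyType, PrimaryKey, ReplicaKeys[].Region) follows the AWS
--    DescribeKey response.
select
  id,
  arn,
  key_state,
  multi_region_configuration ->> 'MultiRegionKeyType' as key_type,
  multi_region_configuration -> 'PrimaryKey' ->> 'Region' as primary_region,
  (
    select string_agg(r ->> 'Region', ', ')
    from jsonb_array_elements(multi_region_configuration -> 'ReplicaKeys') as r
  ) as replica_regions
from
  aws_kms_key
where
  key_manager = 'CUSTOMER'
  and multi_region;

-- 2. Active Access Analyzer findings for publicly reachable resources.
--    is_public and status are passed to the ListFindings filter. analyzer_arn
--    is assumed to be the finding table's required key column, so the query
--    joins to the analyzer table instead of hard-coding an ARN.
select
  f.resource_type,
  f.resource,
  f.resource_owner_account,
  f.status,
  f.updated_at
from
  aws_accessanalyzer_analyzer as a
  join aws_accessanalyzer_finding as f on f.analyzer_arn = a.arn
where
  f.is_public
  and f.status = 'ACTIVE'
order by
  f.resource_type,
  f.resource;
```

The first query returns no rows for single-Region keys even when key_manager is CUSTOMER, because multi_region is false for them; that is the expected result, not a missing-permission symptom.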

Bug fixes

  • Fixed the comparison operator (<= or >=) for number and date filter in aws_inspector2_finding table. (#2332) (Thanks @dbermuehler for the contribution!)

Bug fixes

  • Fixed the trigger_parameters column of the circleci_pipeline table to correctly return data instead of JSON unmarshalling error. (#53)

What's new?

Enhancements

  • Added labels and tags columns to the gcp_compute_global_forwarding_rule table. (#678) (Thanks @pdecat for the contribution!)
  • Added database_installed_version and maintenance_version columns to the gcp_sql_database_instance table. (#677) (Thanks @pdecat for the contribution!)

Bug fixes

  • Fixed the gcp_compute_instance_group table to correctly return data for regional instance groups' instances column. (#670) (Thanks @pdecat for the contribution!)
  • Fixed the kubernetes_node_pool table to correctly return data instead of an error for node pools with auto-pilot disabled. (#668) (Thanks @multani for the contribution!)

Resource Types

  • Azure > SQL > Managed Instance

Control Types

  • Azure > SQL > Managed Instance > Active
  • Azure > SQL > Managed Instance > Approved
  • Azure > SQL > Managed Instance > CMDB
  • Azure > SQL > Managed Instance > Discovery
  • Azure > SQL > Managed Instance > Tags

Policy Types

  • Azure > SQL > Managed Instance > Active
  • Azure > SQL > Managed Instance > Active > Age
  • Azure > SQL > Managed Instance > Active > Last Modified
  • Azure > SQL > Managed Instance > Approved
  • Azure > SQL > Managed Instance > Approved > Custom
  • Azure > SQL > Managed Instance > Approved > Regions
  • Azure > SQL > Managed Instance > Approved > Usage
  • Azure > SQL > Managed Instance > CMDB
  • Azure > SQL > Managed Instance > Regions
  • Azure > SQL > Managed Instance > Tags
  • Azure > SQL > Managed Instance > Tags > Template

Action Types

  • Azure > SQL > Managed Instance > Delete
  • Azure > SQL > Managed Instance > Router
  • Azure > SQL > Managed Instance > Set Tags

Bug fixes

  • Controls previously targeting the AWS > IAM > Credential Report resource type have now been updated to target either the AWS > IAM > Root or AWS > IAM > User resource types, depending on the specific control requirements. This adjustment more accurately aligns each control with the relevant resources, enabling more precise and targeted checks.

What's new?

  • Added CIS v3.0.0 benchmark (powerpipe benchmark run azure_compliance.benchmark.cis_v300). (#282)

Bug fixes

  • Fixed the elb_application_lb_waf_enabled query to correctly flag ELB application load balancers as alarm when the associated WAF is disabled. (#840)
  • Fixed the cloudfront_distribution_custom_origins_encryption_in_transit_enabled query to remove duplicate AWS CloudFront distributions from the result. (#829) (Thanks to @sbldevnet for the contribution!)
  • Fixed the where clause of the cloudfront_distribution_use_secure_cipher query to correctly check if the CloudFront distributions have insecure cipher protocols. (#827) (Thanks to @sbldevnet for the contribution!)

Bug fixes

  • The Azure > Security Center > Security Center > Auto Provisioning control is now deprecated and will move to an Invalid state if enforcements are applied. This follows the deprecation plan announced by Azure. The control will be removed in a future mod version.

Control Types

Renamed

  • Azure > Security Center > Security Center > Auto Provisioning to Azure > Security Center > Security Center > Auto Provisioning [Deprecated]

Policy Types

Renamed

  • Azure > Security Center > Security Center > Auto Provisioning to Azure > Security Center > Security Center > Auto Provisioning [Deprecated]

Action Types

Removed

  • Azure > Security Center > Security Center > Update Auto Provisioning

Bug fixes

  • trigger run command now exits when the execution is paused. (#962).
  • Event jsonl output file deletion is now handled correctly. (#960).

All Pipes workspaces are now running Steampipe v1.0.0.

For more information on this Steampipe release, see the launch post or check out the release notes.

All Pipes workspaces are now running Powerpipe v1.0.0.

For more information on this Powerpipe release, see the launch post or check out the release notes.

With a web UI, point-and-click mod installation, and easy integration with Slack and GitHub, Pipes takes workflows-as-code to the next level.

For more information, see the launch post or check out the docs.

All the components of Turbot's open source suite are now fully integrated into Pipes.

For more information, see the launch post or check out the docs.

Bug fixes

  • Cleaned up documentation and standardized the file naming conventions of *.ppvars.example files across the following 24 mods to ensure alignment with the Powerpipe v1.0.0 release:
    • steampipe-mod-alicloud-compliance
    • steampipe-mod-aws-perimeter
    • steampipe-mod-aws-tags
    • steampipe-mod-aws-thrifty
    • steampipe-mod-aws-top-10
    • steampipe-mod-azure-compliance
    • steampipe-mod-azure-tags
    • steampipe-mod-azure-thrifty
    • steampipe-mod-digitalocean-thrifty
    • steampipe-mod-docker-compliance
    • steampipe-mod-gcp-compliance
    • steampipe-mod-gcp-labels
    • steampipe-mod-gcp-thrifty
    • steampipe-mod-github-compliance
    • steampipe-mod-kubernetes-compliance
    • steampipe-mod-microsoft365-compliance
    • steampipe-mod-net-insights
    • steampipe-mod-oci-compliance
    • steampipe-mod-oci-thrifty
    • steampipe-mod-snowflake-compliance
    • steampipe-mod-terraform-aws-compliance
    • steampipe-mod-terraform-azure-compliance
    • steampipe-mod-terraform-gcp-compliance
    • steampipe-mod-terraform-oci-compliance

Bug fixes

  • Added missing checks to the 1.12, 1.16, and 1.22 pipelines in CIS v3.0.0 and v4.0.0. (#3)

Bug fixes

  • Fix crashing cases when using --output json. (#594).
  • Coerce variables set in interactive console to their declared type. (#595).
  • Nested pipelines now correctly pause parent pipelines. (#955).
  • Pipeline with max_concurrency setting is now automatically paused and will successfully resume. (#957).
  • form_url is now sanitized.

What's new?

  • Added CIS v4.0.0 benchmark (steampipe check benchmark.cis_v400). (#836)
  • Added ebs_encryption_by_default_enabled and vpc_security_group_restrict_ingress_cifs_port_all controls to the All Controls benchmark. (#835)

Enhancements

  • Added the ebs_encryption_by_default_enabled control to the rbi_cyber_security_annex_i_1_3 benchmark. (#835)
  • Set python3.8 as deprecated Lambda runtime in lambda_function_use_latest_runtime control. (#833) (Thanks to @sbldevnet for the contribution!)
  • Updated iam_access_analyzer_enabled_without_findings and ssm_document_prohibit_public_access controls to use latest columns and tables from the AWS plugin. (#835)

Bug fixes

  • VPC security group rule controls that check for restricted port access now correctly detect rules with ports in a port range instead of only exact port matches. (#835)
  • Fixed the 2.2.1 control in CIS v1.5.0, v2.0.0, v3.0.0 benchmarks to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)
  • Fixed the fedramp_moderate_rev_4_sc_28 benchmark to check if EBS encryption by default is enabled instead of individual volume encryption settings. (#835)

Deprecated

  • Deprecated the ec2_ebs_default_encryption_enabled control and query. Please use the ebs_encryption_by_default_enabled control and query instead.

What's new?

Control Types

  • Kubernetes > CronJob > ServiceNow > Import Set
  • Kubernetes > DaemonSet > ServiceNow > Import Set
  • Kubernetes > Ingress > ServiceNow > Import Set
  • Kubernetes > Job > ServiceNow > Import Set
  • Kubernetes > Persistent Volume > ServiceNow > Import Set
  • Kubernetes > ReplicationController > ServiceNow > Import Set
  • Kubernetes > StatefulSet > ServiceNow > Import Set

Policy Types

  • Kubernetes > CronJob > ServiceNow > Import Set
  • Kubernetes > CronJob > ServiceNow > Import Set > Archive Columns
  • Kubernetes > CronJob > ServiceNow > Import Set > Insert Mode
  • Kubernetes > CronJob > ServiceNow > Import Set > Record
  • Kubernetes > CronJob > ServiceNow > Import Set > Table Name
  • Kubernetes > DaemonSet > ServiceNow > Import Set
  • Kubernetes > DaemonSet > ServiceNow > Import Set > Archive Columns
  • Kubernetes > DaemonSet > ServiceNow > Import Set > Insert Mode
  • Kubernetes > DaemonSet > ServiceNow > Import Set > Record
  • Kubernetes > DaemonSet > ServiceNow > Import Set > Table Name
  • Kubernetes > Ingress > ServiceNow > Import Set
  • Kubernetes > Ingress > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Ingress > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Ingress > ServiceNow > Import Set > Record
  • Kubernetes > Ingress > ServiceNow > Import Set > Table Name
  • Kubernetes > Job > ServiceNow > Import Set
  • Kubernetes > Job > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Job > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Job > ServiceNow > Import Set > Record
  • Kubernetes > Job > ServiceNow > Import Set > Table Name
  • Kubernetes > Persistent Volume > ServiceNow > Import Set
  • Kubernetes > Persistent Volume > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Persistent Volume > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Persistent Volume > ServiceNow > Import Set > Record
  • Kubernetes > Persistent Volume > ServiceNow > Import Set > Table Name
  • Kubernetes > ReplicationController > ServiceNow > Import Set
  • Kubernetes > ReplicationController > ServiceNow > Import Set > Archive Columns
  • Kubernetes > ReplicationController > ServiceNow > Import Set > Insert Mode
  • Kubernetes > ReplicationController > ServiceNow > Import Set > Record
  • Kubernetes > ReplicationController > ServiceNow > Import Set > Table Name
  • Kubernetes > StatefulSet > ServiceNow > Import Set
  • Kubernetes > StatefulSet > ServiceNow > Import Set > Archive Columns
  • Kubernetes > StatefulSet > ServiceNow > Import Set > Insert Mode
  • Kubernetes > StatefulSet > ServiceNow > Import Set > Record
  • Kubernetes > StatefulSet > ServiceNow > Import Set > Table Name

Bug fixes

  • In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

Bug fixes

  • Removed unused node package dependencies for tenant lambda functions.

Bug fixes

  • Added verification_token column to aws_ses_domain_identity table, which was accidentally removed in v1.0.0.

What's new?

Policy Types

  • GCP > Compute Engine > Disk > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Image > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Instance > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Node template > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Project > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Insert Mode
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Insert Mode

Bug fixes

  • In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

Bug fixes

  • In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

Bug fixes

  • In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

Bug fixes

  • In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

Bug fixes

  • In version 5.5.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Security Center resources in Guardrails. However, this caused controls to enter an error state for US Gov cloud subscriptions because the APIs did not work as expected. We have now updated dependencies that are compatible with both commercial and US Gov cloud subscriptions, ensuring that controls in both environments will work as expected.
  • The Azure > Security Center > Security Center > CMDB control would go into an error state if it was not able to fetch policy assignment details correctly. This issue has now been fixed.

Bug fixes

  • In version 5.8.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Monitor resources in Guardrails. However, this caused controls to enter an error state for US Gov cloud subscriptions because the APIs did not work as expected. We have now updated dependencies that are compatible with both commercial and US Gov cloud subscriptions, ensuring that controls in both environments will work as expected.

Bug fixes

  • In version 5.9.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing DNS resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.

Bug fixes

  • In version 5.18.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing Compute resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.

Bug fixes

  • In version 5.4.0, we updated internal dependencies to use the latest Azure SDK versions for discovering and managing API Management resources in Guardrails. However, this caused controls to enter an error state due to the inadvertent use of incorrect endpoints. This issue has been fixed, and the controls will now work as expected.

What's new?

  • Added 84 new 'detect and correct' pipelines to identify AWS resources that are non-compliant with common security and compliance checks. These pipelines can also remediate non-compliant resources automatically or with approval steps. For usage information and a full list of pipelines, please see AWS Compliance Mod.

What's new?

  • Added pipelines to run CIS v3.0.0 and v4.0.0 benchmarks. These pipelines can be used to identify AWS resources that are non-compliant with CIS recommendations and also remediate them according to CIS remediation suggestions. For usage information and a full list of pipelines, please see AWS CIS Mod.

What's new?

  • We've updated internal dependencies and now use the new authentication method to discover and manage Automation resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • Added the connection resource to manage credentials. See the documentation.
  • Added the database property to mod. A database can be a connection reference, connection string, or Pipes workspace to query.

Deprecations

  • Deprecated database CLI arg. See Setting the Database for the new syntax to set the database.
  • Deprecated POWERPIPE_DATABASE env var. See Setting the Database for the new syntax to set the database.
  • Deprecated database workspace profile arg. See Setting the Database for the new syntax to set the database.

Breaking changes

The mod functionality, which was previously deprecated and moved to Powerpipe, has been removed in this version.

  • Removed the check, dashboard, mod, and variable commands. (#4413)
  • Removed support for running named queries. (#4416)
  • Removed the watch and mod-location CLI args from the query command. (#4417)
  • Removed the dashboard, dashboard-listen, and dashboard-port CLI args from the service command. (#4418)
  • Removed the STEAMPIPE_MOD_LOCATION and STEAMPIPE_INTROSPECTION env vars. (#4419)
  • Removed support for deprecated STEAMPIPE_CLOUD_HOST and STEAMPIPE_CLOUD_TOKEN env vars. (#4420)
  • Removed the watch, introspection, and mod-location workspace profile args. (#4421)
  • Removed the check and dashboard options from workspace profiles. (#4422)
  • Removed the dashboard option from global options (default.spc). (#4423)

We're excited to announce the v1.0.0 release of all 76 Flowpipe mods, including 29 Library mods, 6 Standard mods, and 41 Sample mods!

Breaking changes

  • Flowpipe v1.0.0 is now required. For a full list of CLI changes, please see the Flowpipe v1.0.0 CHANGELOG.
  • In Flowpipe configuration files (.fpc), credential and credential_import resources have been renamed to connection and connection_import respectively.
  • Updated the following param types:
    • approvers: list(string) to list(notifier).
    • database: string to connection.steampipe.
    • notifier: string to notifier.
  • Updated the following variable types:
    • approvers: list(string) to list(notifier).
    • database: string to connection.steampipe.
    • notifier: string to notifier.
  • Renamed cred param to conn and updated its type from string to conn.

Bug fixes

  • Passing pipeline references to nested mods for execution. (#908)
  • Do not crash if pipeline reference is set to a string. (#911)

Deprecation

  • credential and credential_import are deprecated to be replaced with connection and connection_import.

Bug fixes

  • In a previous version, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

We’re excited to announce the v1.0.0 release of 116 Steampipe plugins!

While there are no significant changes in the new plugin versions, this release aligns with Steampipe's v1.0.0 launch. The plugins now adhere to semantic versioning, ensuring backward compatibility within each major version.

Bug fixes

  • In v5.3.1, we updated the internal logic for the Import Set controls to convert JSON objects to strings to store them reliably in ServiceNow. However, applying transformation logic to this data proved to be difficult in such cases. We have reverted this behavior, and JSON objects will no longer be transformed via the Import Set control. They will now be synced to ServiceNow in their original format.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Key Vault resources in Guardrails. This release includes breaking changes in the CMDB data for key and secret. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below:

KeyVault > Vault

Added:

  • enableSoftDelete
  • publicNetworkAccess
  • enableRbacAuthorization

KeyVault > Key

Added:

  • hsmPlatform

Removed:

  • key.e
  • key.n

KeyVault > Secret

Modified:

  • ID property does not contain the secret version.

Removed:

  • expires
  • updated
  • created

Bug fixes

  • The Azure > Key Vault > Key > CMDB control would go into an error state while fetching key rotation policy details for managed keys. The control will no longer attempt to fetch the key rotation policy details for such keys and will work as expected.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • Added support for PostgreSQL 16.
  • Added support for custom hive key.
  • Default database engine version changed to 15.7.
  • Default cache engine version set to 7.1.
  • M4 and R4 instance types removed from the supported database instance list due to deprecation.

What's new?

  • Server
    • Introduced Activity Retention feature for Smart Retention control to enhance version and data management.
  • UI
    • Support for downloading AWS CloudFormation templates directly from the AWS import page.

Bug fixes

  • Server
    • Resolved controls getting stuck when Notify or Ignore keywords were missing in the notification rules.
  • UI
    • The + button for adding permissions now correctly applies the appropriate attributes.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Policy Types:
    • Turbot > Workspace > Retention > Activity Purge Limit.
    • Turbot > Workspace > Retention > Activity Retention.
  • Control Types:
    • Added support to the Turbot > Smart Retention control to enhance version and data management.

Requirements

  • TE: 5.35.4

What's new?

  • You can now check if flexible servers have a TLS version setting of 1.2 or higher enabled. To get started, set the Azure > MySQL > Flexible Server > Set Minimum TLS Version policy to Check: TLS 1.2 or higher.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage resources in Guardrails. This release includes breaking changes in the CMDB data for Azure. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

Azure > Management Group

Modified:

  • The value of the type property is now Microsoft.Management/managementGroups; previously it was /providers/Microsoft.Management/managementGroups.

What's new?

  • We've updated internal dependencies and now use the new authentication method to discover and manage SQL Virtual Machine resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage SQL resources in Guardrails. This release includes breaking changes in the CMDB data for server, database, and elasticpool. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below:

Renamed:

  • transparentDataEncryption.status to transparentDataEncryption.state
  • databaseThreatDetectionPolicy to databaseSecurityAlertPolicy

Added:

Azure SQL > Server

  • Added administrators block
  • isManagedIdentityInUse
  • autoRotationEnabled
  • externalGovernanceStatus
  • minimalTlsVersion
  • privateEndpointConnections
  • publicNetworkAccess
  • restrictOutboundNetworkAccess
  • serverAzureADAdministrator.azureADOnlyAuthentication

Azure SQL > Database

  • availabilityZone
  • currentBackupStorageRedundancy
  • databaseSecurityAlertPolicy.creationTime
  • transparentDataEncryption.location
  • isInfraEncryptionEnabled
  • isLedgerOn
  • maintenanceConfigurationId
  • requestedBackupStorageRedundancy

Azure SQL > ElasticPool

  • maintenanceConfigurationId

Modified:

  • The value of the attribute serverAzureADAdministrator.name has been changed from string (activeDirectory) to string (ActiveDirectory).
  • The data type of the attribute databaseThreatDetectionPolicy.disabledAlerts has been changed from string ("") to object ([]).
  • The data type of the attribute databaseThreatDetectionPolicy.emailAddresses has been changed from string ("") to object ([]).
  • The data type of the attribute databaseThreatDetectionPolicy.emailAccountAdmins has been changed from string (Disabled/Enabled) to boolean (false/true).
  • The data type of the attribute disabledAlerts has been changed from string ("") to object ([]).

Removed:

  • databaseThreatDetectionPolicy.useServerDefault

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Resource Providers in Guardrails.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Network resources in Guardrails.

Network > NetworkInterface

Added:

  • auxiliaryMode
  • auxiliarySku
  • kind
  • disableTcpStateTracking

Network > PrivateDNSZone

Added:

  • internalId

Network > VirtualNetworkGateway

Added:

  • allowVirtualWanTraffic
  • allowRemoteVnetTraffic

Modified:

  • The activeActive property has been renamed to active.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Monitor resources in Guardrails. This release includes changes in the CMDB data for action groups.

Added:

  • tags
  • kind

Resource Types

  • Azure > Monitor > Metric Alert

Control Types

  • Azure > Monitor > Action Group > Tags
  • Azure > Monitor > Metric Alert > Active
  • Azure > Monitor > Metric Alert > Approved
  • Azure > Monitor > Metric Alert > CMDB
  • Azure > Monitor > Metric Alert > Discovery
  • Azure > Monitor > Metric Alert > Tags

Policy Types

  • Azure > Monitor > Action Group > Tags
  • Azure > Monitor > Action Group > Tags > Template
  • Azure > Monitor > Metric Alert > Active
  • Azure > Monitor > Metric Alert > Active > Age
  • Azure > Monitor > Metric Alert > Active > Last Modified
  • Azure > Monitor > Metric Alert > Approved
  • Azure > Monitor > Metric Alert > Approved > Custom
  • Azure > Monitor > Metric Alert > Approved > Usage
  • Azure > Monitor > Metric Alert > CMDB
  • Azure > Monitor > Metric Alert > Tags
  • Azure > Monitor > Metric Alert > Tags > Template
  • Azure > Monitor > Tags Template [Default]

Action Types

  • Azure > Monitor > Action Group > Set Tags
  • Azure > Monitor > Metric Alert > Delete
  • Azure > Monitor > Metric Alert > Router
  • Azure > Monitor > Metric Alert > Set Tags

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Managed Identity resources in Guardrails. This release includes changes in the CMDB data as below.

Removed:

  • clientSecretUrl

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Log Analytics resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage IAM resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Firewall resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage CosmosDB resources in Guardrails.

Added:

  • createMode

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The AWS > Account > Budget > Budget control would enter an error state for US Gov cloud accounts because the budget APIs are not supported for these accounts. We have updated the control to avoid making these API calls and instead rely on the AWS > Account > Budget > State policy being updated periodically, allowing the control to evaluate the outcome correctly.

What's new?

  • You can now configure and manage CI Relationships for various Kubernetes resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.

Control Types

  • Kubernetes > Cluster > ServiceNow > Relationships
  • Kubernetes > ConfigMap > ServiceNow > Relationships
  • Kubernetes > CronJob > ServiceNow > Relationships
  • Kubernetes > DaemonSet > ServiceNow > Relationships
  • Kubernetes > Deployment > ServiceNow > Relationships
  • Kubernetes > Ingress > ServiceNow > Relationships
  • Kubernetes > Job > ServiceNow > Relationships
  • Kubernetes > Namespace > ServiceNow > Relationships
  • Kubernetes > Node > ServiceNow > Relationships
  • Kubernetes > Persistent Volume > ServiceNow > Relationships
  • Kubernetes > Pod > ServiceNow > Relationships
  • Kubernetes > ReplicaSet > ServiceNow > Relationships
  • Kubernetes > ReplicationController > ServiceNow > Relationships
  • Kubernetes > Service > ServiceNow > Relationships
  • Kubernetes > StatefulSet > ServiceNow > Relationships

Policy Types

  • Kubernetes > Cluster > ServiceNow > Relationships
  • Kubernetes > Cluster > ServiceNow > Relationships > Template
  • Kubernetes > ConfigMap > ServiceNow > Relationships
  • Kubernetes > ConfigMap > ServiceNow > Relationships > Template
  • Kubernetes > CronJob > ServiceNow > Relationships
  • Kubernetes > CronJob > ServiceNow > Relationships > Template
  • Kubernetes > DaemonSet > ServiceNow > Relationships
  • Kubernetes > DaemonSet > ServiceNow > Relationships > Template
  • Kubernetes > Deployment > ServiceNow > Relationships
  • Kubernetes > Deployment > ServiceNow > Relationships > Template
  • Kubernetes > Ingress > ServiceNow > Relationships
  • Kubernetes > Ingress > ServiceNow > Relationships > Template
  • Kubernetes > Job > ServiceNow > Relationships
  • Kubernetes > Job > ServiceNow > Relationships > Template
  • Kubernetes > Namespace > ServiceNow > Relationships
  • Kubernetes > Namespace > ServiceNow > Relationships > Template
  • Kubernetes > Node > ServiceNow > Relationships
  • Kubernetes > Node > ServiceNow > Relationships > Template
  • Kubernetes > Persistent Volume > ServiceNow > Relationships
  • Kubernetes > Persistent Volume > ServiceNow > Relationships > Template
  • Kubernetes > Pod > ServiceNow > Relationships
  • Kubernetes > Pod > ServiceNow > Relationships > Template
  • Kubernetes > ReplicaSet > ServiceNow > Relationships
  • Kubernetes > ReplicaSet > ServiceNow > Relationships > Template
  • Kubernetes > ReplicationController > ServiceNow > Relationships
  • Kubernetes > ReplicationController > ServiceNow > Relationships > Template
  • Kubernetes > Service > ServiceNow > Relationships
  • Kubernetes > Service > ServiceNow > Relationships > Template
  • Kubernetes > StatefulSet > ServiceNow > Relationships
  • Kubernetes > StatefulSet > ServiceNow > Relationships > Template

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Load Balancer resources in Guardrails.

What's new?

  • You can now configure and manage CI Relationships for projects in ServiceNow. To get started, set the GCP > Project > ServiceNow > Relationships > * policies.

Control Types

  • GCP > Project > ServiceNow > Relationships

Policy Types

  • GCP > Project > ServiceNow > Relationships
  • GCP > Project > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for subscriptions in ServiceNow. To get started, set the Azure > Subscription > ServiceNow > Relationships > * policies.

Control Types

  • Azure > Subscription > ServiceNow > Relationships

Policy Types

  • Azure > Subscription > ServiceNow > Relationships
  • Azure > Subscription > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for accounts in ServiceNow. To get started, set the AWS > Account > ServiceNow > Relationships > * policies.

Control Types

  • AWS > Account > ServiceNow > Relationships

Policy Types

  • AWS > Account > ServiceNow > Relationships
  • AWS > Account > ServiceNow > Relationships > Template

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage DNS resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

Removed:

  • tTL

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Databricks resources in Guardrails.

Added:

  • createdBy
  • updatedBy
  • systemData
  • createdDateTime

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Container Registry resources in Guardrails.

Added:

  • softDeletePolicy
  • azureADAuthenticationAsArmPolicy

What's new?

  • You can now configure and manage CI Relationships for various network resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.

Control Types

  • GCP > Network > Firewall > ServiceNow > Relationships
  • GCP > Network > Forwarding Rule > ServiceNow > Relationships
  • GCP > Network > Network > ServiceNow > Relationships
  • GCP > Network > Route > ServiceNow > Relationships
  • GCP > Network > Router > ServiceNow > Relationships
  • GCP > Network > Subnetwork > ServiceNow > Relationships
  • GCP > Network > Target Pool > ServiceNow > Relationships
  • GCP > Network > Target VPN Gateway > ServiceNow > Relationships

Policy Types

  • GCP > Network > Firewall > ServiceNow > Relationships
  • GCP > Network > Firewall > ServiceNow > Relationships > Template
  • GCP > Network > Forwarding Rule > ServiceNow > Relationships
  • GCP > Network > Forwarding Rule > ServiceNow > Relationships > Template
  • GCP > Network > Network > ServiceNow > Relationships
  • GCP > Network > Network > ServiceNow > Relationships > Template
  • GCP > Network > Route > ServiceNow > Relationships
  • GCP > Network > Route > ServiceNow > Relationships > Template
  • GCP > Network > Router > ServiceNow > Relationships
  • GCP > Network > Router > ServiceNow > Relationships > Template
  • GCP > Network > Subnetwork > ServiceNow > Relationships
  • GCP > Network > Subnetwork > ServiceNow > Relationships > Template
  • GCP > Network > Target Pool > ServiceNow > Relationships
  • GCP > Network > Target Pool > ServiceNow > Relationships > Template
  • GCP > Network > Target VPN Gateway > ServiceNow > Relationships
  • GCP > Network > Target VPN Gateway > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for various compute engine resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.

Control Types

  • GCP > Compute Engine > Disk > ServiceNow > Relationships
  • GCP > Compute Engine > Image > ServiceNow > Relationships
  • GCP > Compute Engine > Instance > ServiceNow > Relationships
  • GCP > Compute Engine > Node Group > ServiceNow > Relationships
  • GCP > Compute Engine > Node template > ServiceNow > Relationships
  • GCP > Compute Engine > Snapshot > ServiceNow > Relationships

Policy Types

  • GCP > Compute Engine > Disk > ServiceNow > Relationships
  • GCP > Compute Engine > Disk > ServiceNow > Relationships > Template
  • GCP > Compute Engine > Image > ServiceNow > Relationships
  • GCP > Compute Engine > Image > ServiceNow > Relationships > Template
  • GCP > Compute Engine > Instance > ServiceNow > Relationships
  • GCP > Compute Engine > Instance > ServiceNow > Relationships > Template
  • GCP > Compute Engine > Node Group > ServiceNow > Relationships
  • GCP > Compute Engine > Node Group > ServiceNow > Relationships > Template
  • GCP > Compute Engine > Node template > ServiceNow > Relationships
  • GCP > Compute Engine > Node template > ServiceNow > Relationships > Template
  • GCP > Compute Engine > Snapshot > ServiceNow > Relationships
  • GCP > Compute Engine > Snapshot > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for various network resources in ServiceNow. To get started, set their ServiceNow Relationships policies respectively.

Control Types

  • Azure > Network > Application Security Group > ServiceNow > Import Set
  • Azure > Network > Application Security Group > ServiceNow > Relationships
  • Azure > Network > Express Route Circuits > ServiceNow > Import Set
  • Azure > Network > Network Interface > ServiceNow > Import Set
  • Azure > Network > Network Interface > ServiceNow > Relationships
  • Azure > Network > Network Security Group > ServiceNow > Relationships
  • Azure > Network > Private DNS Zones > ServiceNow > Import Set
  • Azure > Network > Private Endpoints > ServiceNow > Import Set
  • Azure > Network > Public IP Address > ServiceNow > Import Set
  • Azure > Network > Public IP Address > ServiceNow > Relationships
  • Azure > Network > Route Table > ServiceNow > Import Set
  • Azure > Network > Route Table > ServiceNow > Relationships
  • Azure > Network > Subnet > ServiceNow > Import Set
  • Azure > Network > Subnet > ServiceNow > Relationships
  • Azure > Network > Virtual Network > ServiceNow > Import Set
  • Azure > Network > Virtual Network > ServiceNow > Relationships
  • Azure > Network > Virtual Network Gateway > ServiceNow > Import Set
  • Azure > Network > Virtual Network Gateway > ServiceNow > Relationships

Policy Types

  • Azure > Network > Application Security Group > ServiceNow > Import Set
  • Azure > Network > Application Security Group > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Application Security Group > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Application Security Group > ServiceNow > Import Set > Record
  • Azure > Network > Application Security Group > ServiceNow > Import Set > Table Name
  • Azure > Network > Application Security Group > ServiceNow > Relationships
  • Azure > Network > Application Security Group > ServiceNow > Relationships > Template
  • Azure > Network > Express Route Circuits > ServiceNow > Import Set
  • Azure > Network > Express Route Circuits > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Express Route Circuits > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Express Route Circuits > ServiceNow > Import Set > Record
  • Azure > Network > Express Route Circuits > ServiceNow > Import Set > Table Name
  • Azure > Network > Network Interface > ServiceNow > Import Set
  • Azure > Network > Network Interface > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Network Interface > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Network Interface > ServiceNow > Import Set > Record
  • Azure > Network > Network Interface > ServiceNow > Import Set > Table Name
  • Azure > Network > Network Interface > ServiceNow > Relationships
  • Azure > Network > Network Interface > ServiceNow > Relationships > Template
  • Azure > Network > Network Security Group > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Network Security Group > ServiceNow > Relationships
  • Azure > Network > Network Security Group > ServiceNow > Relationships > Template
  • Azure > Network > Private DNS Zones > ServiceNow > Import Set
  • Azure > Network > Private DNS Zones > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Private DNS Zones > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Private DNS Zones > ServiceNow > Import Set > Record
  • Azure > Network > Private DNS Zones > ServiceNow > Import Set > Table Name
  • Azure > Network > Private Endpoints > ServiceNow > Import Set
  • Azure > Network > Private Endpoints > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Private Endpoints > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Private Endpoints > ServiceNow > Import Set > Record
  • Azure > Network > Private Endpoints > ServiceNow > Import Set > Table Name
  • Azure > Network > Public IP Address > ServiceNow > Import Set
  • Azure > Network > Public IP Address > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Public IP Address > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Public IP Address > ServiceNow > Import Set > Record
  • Azure > Network > Public IP Address > ServiceNow > Import Set > Table Name
  • Azure > Network > Public IP Address > ServiceNow > Relationships
  • Azure > Network > Public IP Address > ServiceNow > Relationships > Template
  • Azure > Network > Route Table > ServiceNow > Import Set
  • Azure > Network > Route Table > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Route Table > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Route Table > ServiceNow > Import Set > Record
  • Azure > Network > Route Table > ServiceNow > Import Set > Table Name
  • Azure > Network > Route Table > ServiceNow > Relationships
  • Azure > Network > Route Table > ServiceNow > Relationships > Template
  • Azure > Network > Subnet > ServiceNow > Import Set
  • Azure > Network > Subnet > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Subnet > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Subnet > ServiceNow > Import Set > Record
  • Azure > Network > Subnet > ServiceNow > Import Set > Table Name
  • Azure > Network > Subnet > ServiceNow > Relationships
  • Azure > Network > Subnet > ServiceNow > Relationships > Template
  • Azure > Network > Virtual Network > ServiceNow > Import Set
  • Azure > Network > Virtual Network > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Virtual Network > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Virtual Network > ServiceNow > Import Set > Record
  • Azure > Network > Virtual Network > ServiceNow > Import Set > Table Name
  • Azure > Network > Virtual Network > ServiceNow > Relationships
  • Azure > Network > Virtual Network > ServiceNow > Relationships > Template
  • Azure > Network > Virtual Network Gateway > ServiceNow > Import Set
  • Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Insert Mode
  • Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Record
  • Azure > Network > Virtual Network Gateway > ServiceNow > Import Set > Table Name
  • Azure > Network > Virtual Network Gateway > ServiceNow > Relationships
  • Azure > Network > Virtual Network Gateway > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for various compute resources in ServiceNow. To get started, set the ServiceNow > Relationships policies of the respective resource types.

Control Types

  • Azure > Compute > Availability Set > ServiceNow > Relationships
  • Azure > Compute > Disk > ServiceNow > Relationships
  • Azure > Compute > Image > ServiceNow > Relationships
  • Azure > Compute > Snapshot > ServiceNow > Relationships
  • Azure > Compute > Virtual Machine > ServiceNow > Relationships

Policy Types

  • Azure > Compute > Availability Set > ServiceNow > Import Set > Insert Mode
  • Azure > Compute > Availability Set > ServiceNow > Relationships
  • Azure > Compute > Availability Set > ServiceNow > Relationships > Template
  • Azure > Compute > Disk > ServiceNow > Import Set > Insert Mode
  • Azure > Compute > Disk > ServiceNow > Relationships
  • Azure > Compute > Disk > ServiceNow > Relationships > Template
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Insert Mode
  • Azure > Compute > Image > ServiceNow > Import Set > Insert Mode
  • Azure > Compute > Image > ServiceNow > Relationships
  • Azure > Compute > Image > ServiceNow > Relationships > Template
  • Azure > Compute > Snapshot > ServiceNow > Import Set > Insert Mode
  • Azure > Compute > Snapshot > ServiceNow > Relationships
  • Azure > Compute > Snapshot > ServiceNow > Relationships > Template
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Insert Mode
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set > Insert Mode
  • Azure > Compute > Virtual Machine > ServiceNow > Relationships
  • Azure > Compute > Virtual Machine > ServiceNow > Relationships > Template
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Insert Mode

What's new?

  • You can now configure and manage CI Relationships for global regions, multi-regions, regions and zones in ServiceNow. To get started, set the GCP > Global Region > ServiceNow > Relationships > *, GCP > Multi-Region > ServiceNow > Relationships > *, GCP > Region > ServiceNow > Relationships > * and GCP > Zone > ServiceNow > Relationships > * policies respectively.

Control Types

  • GCP > Global Region > ServiceNow > Relationships
  • GCP > Multi-Region > ServiceNow > Relationships
  • GCP > Region > ServiceNow > Relationships
  • GCP > Zone > ServiceNow > Relationships

Policy Types

  • GCP > Global Region > ServiceNow > Relationships
  • GCP > Global Region > ServiceNow > Relationships > Template
  • GCP > Multi-Region > ServiceNow > Relationships
  • GCP > Multi-Region > ServiceNow > Relationships > Template
  • GCP > Region > ServiceNow > Relationships
  • GCP > Region > ServiceNow > Relationships > Template
  • GCP > Zone > ServiceNow > Relationships
  • GCP > Zone > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for buckets and objects in ServiceNow. To get started, set the GCP > Storage > Bucket > ServiceNow > Relationships > * and GCP > Storage > Object > ServiceNow > Relationships > * policies respectively.

Control Types

  • GCP > Storage > Bucket > ServiceNow > Relationships
  • GCP > Storage > Object > ServiceNow > Relationships

Policy Types

  • GCP > Storage > Bucket > ServiceNow > Relationships
  • GCP > Storage > Bucket > ServiceNow > Relationships > Template
  • GCP > Storage > Object > ServiceNow > Relationships
  • GCP > Storage > Object > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for resource groups in ServiceNow. To get started, set the Azure > Resource Group > ServiceNow > Relationships > * policies.

Control Types

  • Azure > Resource Group > ServiceNow > Relationships

Policy Types

  • Azure > Resource Group > ServiceNow > Relationships
  • Azure > Resource Group > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for containers, file shares, queues and storage accounts in ServiceNow. To get started, set the Azure > Storage > Container > ServiceNow > Relationships > *, Azure > Storage > File Share > ServiceNow > Relationships > *, Azure > Storage > Queue > ServiceNow > Relationships > * and Azure > Storage > Storage Account > ServiceNow > Relationships > * policies respectively.

Control Types

  • Azure > Storage > Container > ServiceNow > Relationships
  • Azure > Storage > FileShare > ServiceNow > Relationships
  • Azure > Storage > Queue > ServiceNow > Relationships
  • Azure > Storage > Storage Account > ServiceNow > Relationships

Policy Types

  • Azure > Storage > Container > ServiceNow > Import Set > Insert Mode
  • Azure > Storage > Container > ServiceNow > Relationships
  • Azure > Storage > Container > ServiceNow > Relationships > Template
  • Azure > Storage > FileShare > ServiceNow > Import Set > Insert Mode
  • Azure > Storage > FileShare > ServiceNow > Relationships
  • Azure > Storage > FileShare > ServiceNow > Relationships > Template
  • Azure > Storage > Queue > ServiceNow > Import Set > Insert Mode
  • Azure > Storage > Queue > ServiceNow > Relationships
  • Azure > Storage > Queue > ServiceNow > Relationships > Template
  • Azure > Storage > Storage Account > ServiceNow > Import Set > Insert Mode
  • Azure > Storage > Storage Account > ServiceNow > Relationships
  • Azure > Storage > Storage Account > ServiceNow > Relationships > Template

What's new?

  • You can now configure and manage CI Relationships for elastic IPs, internet gateways and NAT gateways in ServiceNow. To get started, set the AWS > VPC > Elastic IP > ServiceNow > Relationships > *, AWS > VPC > Internet Gateway > ServiceNow > Relationships > * and AWS > VPC > NAT Gateway > ServiceNow > Relationships > * policies respectively.

Control Types

  • AWS > VPC > Elastic IP > ServiceNow > Relationships
  • AWS > VPC > Internet Gateway > ServiceNow
  • AWS > VPC > Internet Gateway > ServiceNow > Configuration Item
  • AWS > VPC > Internet Gateway > ServiceNow > Relationships
  • AWS > VPC > Internet Gateway > ServiceNow > Table
  • AWS > VPC > NAT Gateway > ServiceNow
  • AWS > VPC > NAT Gateway > ServiceNow > Configuration Item
  • AWS > VPC > NAT Gateway > ServiceNow > Relationships
  • AWS > VPC > NAT Gateway > ServiceNow > Table

Policy Types

  • AWS > VPC > Elastic IP > ServiceNow > Relationships
  • AWS > VPC > Elastic IP > ServiceNow > Relationships > Template
  • AWS > VPC > Internet Gateway > ServiceNow
  • AWS > VPC > Internet Gateway > ServiceNow > Configuration Item
  • AWS > VPC > Internet Gateway > ServiceNow > Configuration Item > Record
  • AWS > VPC > Internet Gateway > ServiceNow > Configuration Item > Table Definition
  • AWS > VPC > Internet Gateway > ServiceNow > Relationships
  • AWS > VPC > Internet Gateway > ServiceNow > Relationships > Template
  • AWS > VPC > Internet Gateway > ServiceNow > Table
  • AWS > VPC > Internet Gateway > ServiceNow > Table > Definition
  • AWS > VPC > NAT Gateway > ServiceNow
  • AWS > VPC > NAT Gateway > ServiceNow > Configuration Item
  • AWS > VPC > NAT Gateway > ServiceNow > Configuration Item > Record
  • AWS > VPC > NAT Gateway > ServiceNow > Configuration Item > Table Definition
  • AWS > VPC > NAT Gateway > ServiceNow > Relationships
  • AWS > VPC > NAT Gateway > ServiceNow > Relationships > Template
  • AWS > VPC > NAT Gateway > ServiceNow > Table
  • AWS > VPC > NAT Gateway > ServiceNow > Table > Definition

Control Types

  • AWS > VPC > Customer Gateway > ServiceNow
  • AWS > VPC > Customer Gateway > ServiceNow > Configuration Item
  • AWS > VPC > Customer Gateway > ServiceNow > Relationships
  • AWS > VPC > Customer Gateway > ServiceNow > Table
  • AWS > VPC > Transit Gateway > ServiceNow
  • AWS > VPC > Transit Gateway > ServiceNow > Configuration Item
  • AWS > VPC > Transit Gateway > ServiceNow > Relationships
  • AWS > VPC > Transit Gateway > ServiceNow > Table
  • AWS > VPC > VPN Gateway > ServiceNow
  • AWS > VPC > VPN Gateway > ServiceNow > Configuration Item
  • AWS > VPC > VPN Gateway > ServiceNow > Relationships
  • AWS > VPC > VPN Gateway > ServiceNow > Table

Policy Types

  • AWS > VPC > Customer Gateway > ServiceNow
  • AWS > VPC > Customer Gateway > ServiceNow > Configuration Item
  • AWS > VPC > Customer Gateway > ServiceNow > Configuration Item > Record
  • AWS > VPC > Customer Gateway > ServiceNow > Configuration Item > Table Definition
  • AWS > VPC > Customer Gateway > ServiceNow > Relationships
  • AWS > VPC > Customer Gateway > ServiceNow > Relationships > Template
  • AWS > VPC > Customer Gateway > ServiceNow > Table
  • AWS > VPC > Customer Gateway > ServiceNow > Table > Definition
  • AWS > VPC > Transit Gateway > ServiceNow
  • AWS > VPC > Transit Gateway > ServiceNow > Configuration Item
  • AWS > VPC > Transit Gateway > ServiceNow > Configuration Item > Record
  • AWS > VPC > Transit Gateway > ServiceNow > Configuration Item > Table Definition
  • AWS > VPC > Transit Gateway > ServiceNow > Relationships
  • AWS > VPC > Transit Gateway > ServiceNow > Relationships > Template
  • AWS > VPC > Transit Gateway > ServiceNow > Table
  • AWS > VPC > Transit Gateway > ServiceNow > Table > Definition
  • AWS > VPC > VPN Gateway > ServiceNow
  • AWS > VPC > VPN Gateway > ServiceNow > Configuration Item
  • AWS > VPC > VPN Gateway > ServiceNow > Configuration Item > Record
  • AWS > VPC > VPN Gateway > ServiceNow > Configuration Item > Table Definition
  • AWS > VPC > VPN Gateway > ServiceNow > Relationships
  • AWS > VPC > VPN Gateway > ServiceNow > Relationships > Template
  • AWS > VPC > VPN Gateway > ServiceNow > Table
  • AWS > VPC > VPN Gateway > ServiceNow > Table > Definition

What's new?

  • You can now configure and manage CI Relationships for AMIs, instances, key pairs, network interfaces, snapshots and volumes in ServiceNow. To get started, set the AWS > EC2 > AMI > ServiceNow > Relationships > *, AWS > EC2 > Instance > ServiceNow > Relationships > *, AWS > EC2 > Key Pair > ServiceNow > Relationships > *, AWS > EC2 > Network Interface > ServiceNow > Relationships > *, AWS > EC2 > Snapshot > ServiceNow > Relationships > * and AWS > EC2 > Volume > ServiceNow > Relationships > * policies respectively.

Control Types

  • AWS > EC2 > AMI > ServiceNow
  • AWS > EC2 > AMI > ServiceNow > Configuration Item
  • AWS > EC2 > AMI > ServiceNow > Relationships
  • AWS > EC2 > AMI > ServiceNow > Table
  • AWS > EC2 > Instance > ServiceNow > Relationships
  • AWS > EC2 > Key Pair > ServiceNow
  • AWS > EC2 > Key Pair > ServiceNow > Configuration Item
  • AWS > EC2 > Key Pair > ServiceNow > Relationships
  • AWS > EC2 > Key Pair > ServiceNow > Table
  • AWS > EC2 > Network Interface > ServiceNow
  • AWS > EC2 > Network Interface > ServiceNow > Configuration Item
  • AWS > EC2 > Network Interface > ServiceNow > Relationships
  • AWS > EC2 > Network Interface > ServiceNow > Table
  • AWS > EC2 > Snapshot > ServiceNow > Relationships
  • AWS > EC2 > Volume > ServiceNow > Relationships

Policy Types

  • AWS > EC2 > AMI > ServiceNow
  • AWS > EC2 > AMI > ServiceNow > Configuration Item
  • AWS > EC2 > AMI > ServiceNow > Configuration Item > Record
  • AWS > EC2 > AMI > ServiceNow > Configuration Item > Table Definition
  • AWS > EC2 > AMI > ServiceNow > Relationships
  • AWS > EC2 > AMI > ServiceNow > Relationships > Template
  • AWS > EC2 > AMI > ServiceNow > Table
  • AWS > EC2 > AMI > ServiceNow > Table > Definition
  • AWS > EC2 > Instance > ServiceNow > Relationships
  • AWS > EC2 > Instance > ServiceNow > Relationships > Template
  • AWS > EC2 > Key Pair > ServiceNow
  • AWS > EC2 > Key Pair > ServiceNow > Configuration Item
  • AWS > EC2 > Key Pair > ServiceNow > Configuration Item > Record
  • AWS > EC2 > Key Pair > ServiceNow > Configuration Item > Table Definition
  • AWS > EC2 > Key Pair > ServiceNow > Relationships
  • AWS > EC2 > Key Pair > ServiceNow > Relationships > Template
  • AWS > EC2 > Key Pair > ServiceNow > Table
  • AWS > EC2 > Key Pair > ServiceNow > Table > Definition
  • AWS > EC2 > Network Interface > ServiceNow
  • AWS > EC2 > Network Interface > ServiceNow > Configuration Item
  • AWS > EC2 > Network Interface > ServiceNow > Configuration Item > Record
  • AWS > EC2 > Network Interface > ServiceNow > Configuration Item > Table Definition
  • AWS > EC2 > Network Interface > ServiceNow > Relationships
  • AWS > EC2 > Network Interface > ServiceNow > Relationships > Template
  • AWS > EC2 > Network Interface > ServiceNow > Table
  • AWS > EC2 > Network Interface > ServiceNow > Table > Definition
  • AWS > EC2 > Snapshot > ServiceNow > Relationships
  • AWS > EC2 > Snapshot > ServiceNow > Relationships > Template
  • AWS > EC2 > Volume > ServiceNow > Relationships
  • AWS > EC2 > Volume > ServiceNow > Relationships > Template

What's new?

Control Types

  • GCP > Vertex AI > Endpoint > ServiceNow
  • GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item
  • GCP > Vertex AI > Endpoint > ServiceNow > Import Set
  • GCP > Vertex AI > Endpoint > ServiceNow > Table
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table

Policy Types

  • GCP > Vertex AI > Endpoint > ServiceNow
  • GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item
  • GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item > Record
  • GCP > Vertex AI > Endpoint > ServiceNow > Configuration Item > Table Definition
  • GCP > Vertex AI > Endpoint > ServiceNow > Import Set
  • GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Archive Columns
  • GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Insert Mode
  • GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Record
  • GCP > Vertex AI > Endpoint > ServiceNow > Import Set > Table Name
  • GCP > Vertex AI > Endpoint > ServiceNow > Table
  • GCP > Vertex AI > Endpoint > ServiceNow > Table > Definition
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item > Record
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Configuration Item > Table Definition
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Archive Columns
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Insert Mode
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Record
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Import Set > Table Name
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table
  • GCP > Vertex AI > Notebook Runtime Template > ServiceNow > Table > Definition

What's new?

Control Types

  • GCP > Dataplex > Lake > ServiceNow
  • GCP > Dataplex > Lake > ServiceNow > Configuration Item
  • GCP > Dataplex > Lake > ServiceNow > Import Set
  • GCP > Dataplex > Lake > ServiceNow > Table
  • GCP > Dataplex > Task > ServiceNow
  • GCP > Dataplex > Task > ServiceNow > Configuration Item
  • GCP > Dataplex > Task > ServiceNow > Import Set
  • GCP > Dataplex > Task > ServiceNow > Table
  • GCP > Dataplex > Zone > ServiceNow
  • GCP > Dataplex > Zone > ServiceNow > Configuration Item
  • GCP > Dataplex > Zone > ServiceNow > Import Set
  • GCP > Dataplex > Zone > ServiceNow > Table

Policy Types

  • GCP > Dataplex > Lake > ServiceNow
  • GCP > Dataplex > Lake > ServiceNow > Configuration Item
  • GCP > Dataplex > Lake > ServiceNow > Configuration Item > Record
  • GCP > Dataplex > Lake > ServiceNow > Configuration Item > Table Definition
  • GCP > Dataplex > Lake > ServiceNow > Import Set
  • GCP > Dataplex > Lake > ServiceNow > Import Set > Archive Columns
  • GCP > Dataplex > Lake > ServiceNow > Import Set > Insert Mode
  • GCP > Dataplex > Lake > ServiceNow > Import Set > Record
  • GCP > Dataplex > Lake > ServiceNow > Import Set > Table Name
  • GCP > Dataplex > Lake > ServiceNow > Table
  • GCP > Dataplex > Lake > ServiceNow > Table > Definition
  • GCP > Dataplex > Task > ServiceNow
  • GCP > Dataplex > Task > ServiceNow > Configuration Item
  • GCP > Dataplex > Task > ServiceNow > Configuration Item > Record
  • GCP > Dataplex > Task > ServiceNow > Configuration Item > Table Definition
  • GCP > Dataplex > Task > ServiceNow > Import Set
  • GCP > Dataplex > Task > ServiceNow > Import Set > Archive Columns
  • GCP > Dataplex > Task > ServiceNow > Import Set > Insert Mode
  • GCP > Dataplex > Task > ServiceNow > Import Set > Record
  • GCP > Dataplex > Task > ServiceNow > Import Set > Table Name
  • GCP > Dataplex > Task > ServiceNow > Table
  • GCP > Dataplex > Task > ServiceNow > Table > Definition
  • GCP > Dataplex > Zone > ServiceNow
  • GCP > Dataplex > Zone > ServiceNow > Configuration Item
  • GCP > Dataplex > Zone > ServiceNow > Configuration Item > Record
  • GCP > Dataplex > Zone > ServiceNow > Configuration Item > Table Definition
  • GCP > Dataplex > Zone > ServiceNow > Import Set
  • GCP > Dataplex > Zone > ServiceNow > Import Set > Archive Columns
  • GCP > Dataplex > Zone > ServiceNow > Import Set > Insert Mode
  • GCP > Dataplex > Zone > ServiceNow > Import Set > Record
  • GCP > Dataplex > Zone > ServiceNow > Import Set > Table Name
  • GCP > Dataplex > Zone > ServiceNow > Table
  • GCP > Dataplex > Zone > ServiceNow > Table > Definition

What's new?

  • You can now configure and manage CI Relationships for flow logs, network ACLs, security groups and security group rules in ServiceNow. To get started, set the AWS > VPC > Flow Log > ServiceNow > Relationships > *, AWS > VPC > Network ACL > ServiceNow > Relationships > *, AWS > VPC > Security Group > ServiceNow > Relationships > * and AWS > VPC > Security Group Rule > ServiceNow > Relationships > * policies respectively.

Control Types

  • AWS > VPC > Flow Log > ServiceNow
  • AWS > VPC > Flow Log > ServiceNow > Configuration Item
  • AWS > VPC > Flow Log > ServiceNow > Relationships
  • AWS > VPC > Flow Log > ServiceNow > Table
  • AWS > VPC > Network ACL > ServiceNow > Relationships
  • AWS > VPC > Security Group > ServiceNow > Relationships
  • AWS > VPC > Security Group Rule > ServiceNow
  • AWS > VPC > Security Group Rule > ServiceNow > Configuration Item
  • AWS > VPC > Security Group Rule > ServiceNow > Relationships
  • AWS > VPC > Security Group Rule > ServiceNow > Table

Policy Types

  • AWS > VPC > Flow Log > ServiceNow
  • AWS > VPC > Flow Log > ServiceNow > Configuration Item
  • AWS > VPC > Flow Log > ServiceNow > Configuration Item > Record
  • AWS > VPC > Flow Log > ServiceNow > Configuration Item > Table Definition
  • AWS > VPC > Flow Log > ServiceNow > Relationships
  • AWS > VPC > Flow Log > ServiceNow > Relationships > Template
  • AWS > VPC > Flow Log > ServiceNow > Table
  • AWS > VPC > Flow Log > ServiceNow > Table > Definition
  • AWS > VPC > Network ACL > ServiceNow > Relationships
  • AWS > VPC > Network ACL > ServiceNow > Relationships > Template
  • AWS > VPC > Security Group > ServiceNow > Relationships
  • AWS > VPC > Security Group > ServiceNow > Relationships > Template
  • AWS > VPC > Security Group Rule > ServiceNow
  • AWS > VPC > Security Group Rule > ServiceNow > Configuration Item
  • AWS > VPC > Security Group Rule > ServiceNow > Configuration Item > Record
  • AWS > VPC > Security Group Rule > ServiceNow > Configuration Item > Table Definition
  • AWS > VPC > Security Group Rule > ServiceNow > Relationships
  • AWS > VPC > Security Group Rule > ServiceNow > Relationships > Template
  • AWS > VPC > Security Group Rule > ServiceNow > Table
  • AWS > VPC > Security Group Rule > ServiceNow > Table > Definition

What's new?

  • You can now configure and manage CI Relationships for route tables, subnets and VPCs in ServiceNow. To get started, set the AWS > VPC > Route Table > ServiceNow > Relationships > *, AWS > VPC > Subnet > ServiceNow > Relationships > * and AWS > VPC > VPC > ServiceNow > Relationships > * policies respectively.

Control Types

  • AWS > VPC > Route Table > ServiceNow > Relationships
  • AWS > VPC > Subnet > ServiceNow > Relationships
  • AWS > VPC > VPC > ServiceNow > Relationships

Policy Types

  • AWS > VPC > Route Table > ServiceNow > Relationships
  • AWS > VPC > Route Table > ServiceNow > Relationships > Template
  • AWS > VPC > Subnet > ServiceNow > Relationships
  • AWS > VPC > Subnet > ServiceNow > Relationships > Template
  • AWS > VPC > VPC > ServiceNow > Relationships
  • AWS > VPC > VPC > ServiceNow > Relationships > Template

What's new?

Control Types

  • AWS > Account > ServiceNow
  • AWS > Account > ServiceNow > Configuration Item
  • AWS > Account > ServiceNow > Table
  • AWS > Region > ServiceNow
  • AWS > Region > ServiceNow > Configuration Item
  • AWS > Region > ServiceNow > Relationships
  • AWS > Region > ServiceNow > Table

Policy Types

  • AWS > Account > ServiceNow
  • AWS > Account > ServiceNow > Configuration Item
  • AWS > Account > ServiceNow > Configuration Item > Record
  • AWS > Account > ServiceNow > Configuration Item > Table Definition
  • AWS > Account > ServiceNow > Table
  • AWS > Account > ServiceNow > Table > Definition
  • AWS > Region > ServiceNow
  • AWS > Region > ServiceNow > Configuration Item
  • AWS > Region > ServiceNow > Configuration Item > Record
  • AWS > Region > ServiceNow > Configuration Item > Table Definition
  • AWS > Region > ServiceNow > Relationships
  • AWS > Region > ServiceNow > Relationships > Template
  • AWS > Region > ServiceNow > Table
  • AWS > Region > ServiceNow > Table > Definition

What's new?

  • You can now configure and manage CI Relationships for buckets in ServiceNow. To get started, set the AWS > S3 > Bucket > ServiceNow > Relationships > * policies.

Control Types

  • AWS > S3 > Bucket > ServiceNow > Relationships

Policy Types

  • AWS > S3 > Bucket > ServiceNow > Import Set > Insert Mode
  • AWS > S3 > Bucket > ServiceNow > Relationships
  • AWS > S3 > Bucket > ServiceNow > Relationships > Template

What's new?

  • AWS/Billing/Admin, AWS/Billing/Metadata and AWS/Billing/Operator now also include purchase order permissions.

Bug fixes

  • Server
    • Removed recursive loop detection logic, as this is now managed effectively by Lambda.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Fixed the issue where the search path setting was not retained while navigating to a different dashboard. (#325)

What's new?

  • Added support for processing real-time enable and disable events for Dataplex.

Resource Types

  • GCP > Dataplex
  • GCP > Dataplex > Lake
  • GCP > Dataplex > Task
  • GCP > Dataplex > Zone

Control Types

  • GCP > Dataplex > API Enabled
  • GCP > Dataplex > CMDB
  • GCP > Dataplex > Discovery
  • GCP > Dataplex > Lake > Active
  • GCP > Dataplex > Lake > Approved
  • GCP > Dataplex > Lake > CMDB
  • GCP > Dataplex > Lake > Discovery
  • GCP > Dataplex > Lake > Labels
  • GCP > Dataplex > Lake > Usage
  • GCP > Dataplex > Task > Active
  • GCP > Dataplex > Task > Approved
  • GCP > Dataplex > Task > CMDB
  • GCP > Dataplex > Task > Discovery
  • GCP > Dataplex > Task > Labels
  • GCP > Dataplex > Task > Usage
  • GCP > Dataplex > Zone > Active
  • GCP > Dataplex > Zone > Approved
  • GCP > Dataplex > Zone > CMDB
  • GCP > Dataplex > Zone > Discovery
  • GCP > Dataplex > Zone > Labels
  • GCP > Dataplex > Zone > Usage

Policy Types

  • GCP > Dataplex > API Enabled
  • GCP > Dataplex > Approved Regions [Default]
  • GCP > Dataplex > CMDB
  • GCP > Dataplex > Enabled
  • GCP > Dataplex > Labels Template [Default]
  • GCP > Dataplex > Lake > Active
  • GCP > Dataplex > Lake > Active > Age
  • GCP > Dataplex > Lake > Active > Last Modified
  • GCP > Dataplex > Lake > Approved
  • GCP > Dataplex > Lake > Approved > Custom
  • GCP > Dataplex > Lake > Approved > Regions
  • GCP > Dataplex > Lake > Approved > Usage
  • GCP > Dataplex > Lake > CMDB
  • GCP > Dataplex > Lake > Labels
  • GCP > Dataplex > Lake > Labels > Template
  • GCP > Dataplex > Lake > Regions
  • GCP > Dataplex > Lake > Usage
  • GCP > Dataplex > Lake > Usage > Limit
  • GCP > Dataplex > Permissions
  • GCP > Dataplex > Permissions > Levels
  • GCP > Dataplex > Permissions > Levels > Modifiers
  • GCP > Dataplex > Regions
  • GCP > Dataplex > Task > Active
  • GCP > Dataplex > Task > Active > Age
  • GCP > Dataplex > Task > Active > Last Modified
  • GCP > Dataplex > Task > Approved
  • GCP > Dataplex > Task > Approved > Custom
  • GCP > Dataplex > Task > Approved > Regions
  • GCP > Dataplex > Task > Approved > Usage
  • GCP > Dataplex > Task > CMDB
  • GCP > Dataplex > Task > Labels
  • GCP > Dataplex > Task > Labels > Template
  • GCP > Dataplex > Task > Regions
  • GCP > Dataplex > Task > Usage
  • GCP > Dataplex > Task > Usage > Limit
  • GCP > Dataplex > Zone > Active
  • GCP > Dataplex > Zone > Active > Age
  • GCP > Dataplex > Zone > Active > Last Modified
  • GCP > Dataplex > Zone > Approved
  • GCP > Dataplex > Zone > Approved > Custom
  • GCP > Dataplex > Zone > Approved > Regions
  • GCP > Dataplex > Zone > Approved > Usage
  • GCP > Dataplex > Zone > CMDB
  • GCP > Dataplex > Zone > Labels
  • GCP > Dataplex > Zone > Labels > Template
  • GCP > Dataplex > Zone > Regions
  • GCP > Dataplex > Zone > Usage
  • GCP > Dataplex > Zone > Usage > Limit
  • GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-dataplex
  • GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-dataplex
  • GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-dataplex

Action Types

  • GCP > Dataplex > Lake > Delete
  • GCP > Dataplex > Lake > Router
  • GCP > Dataplex > Lake > Set Labels
  • GCP > Dataplex > Set API Enabled
  • GCP > Dataplex > Task > Delete
  • GCP > Dataplex > Task > Router
  • GCP > Dataplex > Task > Set Labels
  • GCP > Dataplex > Zone > Delete
  • GCP > Dataplex > Zone > Router
  • GCP > Dataplex > Zone > Set Labels

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage compute resources in Guardrails. This release includes breaking changes in the CMDB data for virtual machines. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

Added:

In Azure > Compute > Disk:

  • supportedCapabilities.diskControllerTypes
  • diskIopsReadWrite
  • lastOwnershipUpdateTime

In Azure > Compute > Virtual Machine:

  • resources
  • timeCreated
  • etag

In Azure > Compute > Virtual Machine Scale Set:

  • constrainedMaximumCapacity
  • etag
  • scaleInPolicy
  • timeCreated
  • upgradePolicy
  • storageProfile.diskControllerType

In Azure > Compute > Snapshot:

  • dataAccessAuthMode
  • incrementalSnapshotFamilyId

Removed:

In Azure > Compute > Virtual Machine:

  • statuses.time

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage App Service resources in Guardrails.

Added:

Azure > App Service > App Service Plan

  • elasticScaleEnabled
  • numberOfWorkers
  • zoneRedundant

Azure > App Service > Function App

  • configuration.acrUseManagedIdentityCreds
  • configuration.acrUserManagedIdentityID
  • configuration.elasticWebAppScaleLimit
  • configuration.ipSecurityRestrictionsDefaultAction
  • configuration.metadata
  • configuration.minTlsCipherSuite
  • configuration.scmIpSecurityRestrictionsDefaultAction
  • dnsConfiguration
  • publicNetworkAccess
  • vnetBackupRestoreEnabled
  • vnetContentShareEnabled
  • vnetImagePullEnabled
  • vnetRouteAllEnabled

Azure > App Service > Web App

  • configuration.acrUseManagedIdentityCreds
  • configuration.acrUserManagedIdentityID
  • configuration.elasticWebAppScaleLimit
  • configuration.ipSecurityRestrictionsDefaultAction
  • configuration.metadata
  • configuration.minTlsCipherSuite
  • configuration.scmIpSecurityRestrictionsDefaultAction
  • dnsConfiguration
  • publicNetworkAccess
  • vnetBackupRestoreEnabled
  • vnetContentShareEnabled
  • vnetImagePullEnabled
  • vnetRouteAllEnabled

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage API Management resources in Guardrails.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for Security Center. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

Renamed:

  • JitNetworkAccessPolicies to jitNetworkAccessPolicies
  • Pricing to pricing
  • Locations to locations

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage MySQL resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Front Door Service resources in Guardrails. This release includes breaking changes in the CMDB data for Front Door Service. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

Added:

  • frontdoorId
  • rulesEngines
  • extendedProperties
  • backendPoolsSettings
  • backendPool.privateLinkAlias
  • backendPool.privateLinkLocation
  • backendPool.privateEndpointStatus
  • backendPool.privateLinkResourceId
  • backendPool.privateLinkApprovalMessage
  • routingRule.rulesEngine
  • routingRule.routeConfiguration.odataType
  • routingRule.routeConfiguration.cacheConfiguration.cacheDuration
  • routingRule.routeConfiguration.cacheConfiguration.queryParameters
  • routingRule.webApplicationFirewallPolicyLink

Modified:

  • routingRule.backendPool to routingRule.routeConfiguration.backendPool
  • routingRule.forwardingProtocol to routingRule.routeConfiguration.forwardingProtocol
  • routingRule.customForwardingPath to routingRule.routeConfiguration.customForwardingPath
  • routingRule.cacheConfiguration.dynamicCompression to routingRule.routeConfiguration.cacheConfiguration.dynamicCompression
  • routingRule.cacheConfiguration.queryParameterStripDirective to routingRule.routeConfiguration.cacheConfiguration.queryParameterStripDirective

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Data Factory resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage AKS resources in Guardrails.

Added:

  • networkProfile.podCidrs
  • networkProfile.ipFamilies
  • networkProfile.outboundType
  • networkProfile.serviceCidrs
  • networkProfile.networkPolicy
  • networkProfile.loadBalancerProfile.backendPoolType
  • networkProfile.loadBalancerProfile.countIPv6
  • networkProfile.loadBalancerProfile.idleTimeoutInMinutes
  • networkProfile.loadBalancerProfile.allocatedOutboundPorts
  • agentPoolProfiles.mode
  • agentPoolProfiles.osSKU
  • agentPoolProfiles.enableFips
  • agentPoolProfiles.osDiskType
  • agentPoolProfiles.spotMaxPrice
  • agentPoolProfiles.scaleDownMode
  • agentPoolProfiles.enableUltraSSD
  • agentPoolProfiles.kubeletDiskType
  • agentPoolProfiles.upgradeSettings.maxSurge
  • agentPoolProfiles.nodeImageVersion
  • agentPoolProfiles.enableEncryptionAtHost
  • agentPoolProfiles.currentOrchestratorVersion

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage SignalR resources in Guardrails.

Added:

  • hostNamePrefix
  • serverless.connectionTimeoutInSeconds

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Service Bus resources in Guardrails.

Added:

Azure > Service Bus > Namespace

  • disableLocalAuth
  • status
  • zoneRedundant

Azure > Service Bus > Queue

  • maxMessageSizeInKilobytes

Azure > Service Bus > Topic

  • maxMessageSizeInKilobytes

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Relay resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Recovery Service resources in Guardrails.

Added: Azure > Recovery Service > Vault

  • properties.backupStorageVersion
  • properties.bcdrSecurityLevel
  • properties.publicNetworkAccess
  • properties.restoreSettings
  • properties.secureScore
  • properties.securitySettings

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The AWS > RoboMaker > Robot Application > CMDB, AWS > RoboMaker > Fleet > CMDB and AWS > RoboMaker > Robot > CMDB policies will now be set to Skip by default because the resource types have been deprecated and will be removed in the next major version. Please check end of support for more information.

What's new?

  • Track and manage Fargate FIPS Mode for Gov cloud accounts via Guardrails. To get started, set the AWS > ECS > Account Settings > Fargate FIPS Mode policy.
  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Resource Types

  • AWS > ECS > Account Settings

Control Types

  • AWS > ECS > Account Settings > CMDB
  • AWS > ECS > Account Settings > Discovery
  • AWS > ECS > Account Settings > Fargate FIPS Mode

Policy Types

  • AWS > ECS > Account Settings > CMDB
  • AWS > ECS > Account Settings > Fargate FIPS Mode
  • AWS > ECS > Account Settings > Regions

Action Types

  • AWS > ECS > Account Settings > Router
  • AWS > ECS > Account Settings > Update Fargate FIPS Mode

What's new?

  • Server

    • Introduced support for multi-architecture images, now compatible with both ARM64 and x86_64.
    • Added a default resource query to the context of calculated policies.
    • Updated several node packages to newer versions for improved functionality and security.
    • Updated Lambda to support recursive loops.
  • UI

    • Now you can use the + sign to grant permissions in the context of both the identity and resource.
    • Updated several node packages to newer versions for improved functionality and security.

Bug fixes

  • Server

    • Azure Credential Resolver now respects proxy settings, adding full proxy support.
  • UI

    • Updated policy pack Terraform to correctly reference turbot_policy_pack.
    • Adjusted the Admin page layout for improved usability.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Enhancements

  • Added optional param blocks to the post_message pipeline. (#24) (Thanks @johnlayton for the contribution!)

Bug fixes

  • resource/turbot_policy_pack_attachment: terraform apply failed to detect existing Policy Pack attachments. (#181)

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Insights resources in Guardrails. This release includes changes in the CMDB data as below.

Added:

  • flowType
  • requestSource

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Application Gateway resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Resource Types

  • AWS > Support

Policy Types

  • AWS > Support > API Enabled
  • AWS > Support > Enabled
  • AWS > Support > Permissions
  • AWS > Support > Permissions > Levels
  • AWS > Support > Permissions > Levels > Modifiers
  • AWS > Support > Permissions > Lockdown
  • AWS > Support > Permissions > Lockdown > API Boundary
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-support
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-support
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-support

What's new?

  • Users can now manage whether AWS/User grant should include support:* permissions. To get started, set the AWS > Account > Permissions > Support Level policy.

Policy Types

  • AWS > Account > Permissions > Support Level

Bug fixes

  • The AWS > Turbot > IAM stack control did not correctly evaluate user memberships in custom IAM groups when the AWS > Turbot > Permissions > Custom Group Levels [Account] policy was set, and users were granted permissions for those custom IAM groups. This issue has now been fixed.

Bug fixes

  • The AWS > EC2 > Volume > CMDB control would sometimes run unnecessarily due to a bad internal GraphQL dependency. This is now fixed.

Bug fixes

  • Fixed put_s3_bucket_encryption pipeline to correctly encrypt an S3 bucket without returning an error. (#68) (Thanks @gcasilva for the contribution!)

Bug fixes

  • A precheck dependency on the Kubernetes > Cluster > CMDB > Expiration policy was inadvertently added to the Kubernetes > Cluster > CMDB control. This precheck condition has now been removed.

Resource Types

  • GCP > Vertex AI
  • GCP > Vertex AI > Endpoint
  • GCP > Vertex AI > Notebook Runtime Template

Control Types

  • GCP > Vertex AI > API Enabled
  • GCP > Vertex AI > CMDB
  • GCP > Vertex AI > Discovery
  • GCP > Vertex AI > Endpoint > Active
  • GCP > Vertex AI > Endpoint > Approved
  • GCP > Vertex AI > Endpoint > CMDB
  • GCP > Vertex AI > Endpoint > Discovery
  • GCP > Vertex AI > Endpoint > Labels
  • GCP > Vertex AI > Endpoint > Usage
  • GCP > Vertex AI > Notebook Runtime Template > Active
  • GCP > Vertex AI > Notebook Runtime Template > Approved
  • GCP > Vertex AI > Notebook Runtime Template > CMDB
  • GCP > Vertex AI > Notebook Runtime Template > Discovery
  • GCP > Vertex AI > Notebook Runtime Template > Router
  • GCP > Vertex AI > Notebook Runtime Template > Usage

Policy Types

  • GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-vertexai
  • GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-vertexai
  • GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-vertexai
  • GCP > Vertex AI > API Enabled
  • GCP > Vertex AI > Approved Regions [Default]
  • GCP > Vertex AI > CMDB
  • GCP > Vertex AI > Enabled
  • GCP > Vertex AI > Endpoint > Active
  • GCP > Vertex AI > Endpoint > Active > Age
  • GCP > Vertex AI > Endpoint > Active > Last Modified
  • GCP > Vertex AI > Endpoint > Approved
  • GCP > Vertex AI > Endpoint > Approved > Custom
  • GCP > Vertex AI > Endpoint > Approved > Regions
  • GCP > Vertex AI > Endpoint > Approved > Usage
  • GCP > Vertex AI > Endpoint > CMDB
  • GCP > Vertex AI > Endpoint > Labels
  • GCP > Vertex AI > Endpoint > Labels > Template
  • GCP > Vertex AI > Endpoint > Regions
  • GCP > Vertex AI > Endpoint > Usage
  • GCP > Vertex AI > Endpoint > Usage > Limit
  • GCP > Vertex AI > Labels Template [Default]
  • GCP > Vertex AI > Notebook Runtime Template > Active
  • GCP > Vertex AI > Notebook Runtime Template > Active > Age
  • GCP > Vertex AI > Notebook Runtime Template > Active > Last Modified
  • GCP > Vertex AI > Notebook Runtime Template > Approved
  • GCP > Vertex AI > Notebook Runtime Template > Approved > Custom
  • GCP > Vertex AI > Notebook Runtime Template > Approved > Regions
  • GCP > Vertex AI > Notebook Runtime Template > Approved > Usage
  • GCP > Vertex AI > Notebook Runtime Template > CMDB
  • GCP > Vertex AI > Notebook Runtime Template > Regions
  • GCP > Vertex AI > Notebook Runtime Template > Usage
  • GCP > Vertex AI > Notebook Runtime Template > Usage > Limit
  • GCP > Vertex AI > Permissions
  • GCP > Vertex AI > Permissions > Levels
  • GCP > Vertex AI > Permissions > Levels > Modifiers
  • GCP > Vertex AI > Regions

Action Types

  • GCP > Vertex AI > Endpoint > Delete
  • GCP > Vertex AI > Endpoint > Router
  • GCP > Vertex AI > Endpoint > Set Labels
  • GCP > Vertex AI > Notebook Runtime Template > Delete
  • GCP > Vertex AI > Set API Enabled

What's new?

  • Added support to process real-time enable and disable events for Vertex AI API via Service Usage APIs.

What's new?

Bug fixes

  • Fixed the rules column in okta_signon_policy, okta_password_policy, okta_idp_discovery_policy and okta_authentication_policy tables to correctly return data instead of null. (#145)

Dependencies

All Pipes workspaces are now running Steampipe v0.24.0.

For more information on this Steampipe release, see the release notes.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Search Management resources in Guardrails.

Added:

  • authOptions
  • disableLocalAuth
  • encryptionWithCmk
  • networkRuleSet
  • privateEndpointConnections
  • publicNetworkAccess
  • semanticSearch
  • sharedPrivateLinkResources

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package.
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed pagination across all the tables. (#34)

Dependencies

What's new?

  • Initial release with support for installing Powerpipe and adding it to $PATH.

What's new?

  • Initial release with support for running Powerpipe benchmarks and controls, creating annotations for Infrastructure as Code (IaC) checks, and uploading snapshots to Turbot Pipes.

What's new?

Action Types

  • GCP > Storage > Bucket > Set Fine-grained Access Control
  • GCP > Storage > Bucket > Set Uniform Access Control

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Synapse Analytics resources in Guardrails.

Added: Azure > Synapse Analytics > Workspace

  • azureADOnlyAuthentication
  • createManagedPrivateEndpoint
  • encryption
  • extraProperties
  • publicNetworkAccess
  • settings
  • trustedServiceBypassEnabled
  • workspaceUID

Azure > Synapse Analytics > SQL Pool

  • storageAccountType

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

Action Types

  • Azure > Storage > Storage Account > Set Minimum TLS Version

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage PostgreSQL resources in Guardrails. This release includes breaking changes in the CMDB data for server and flexible server. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

Added:

  • authConfig
  • dataEncryption
  • standbyAvailabilityZone
  • network.delegatedSubnetResourceId
  • network.privateDnsZoneArmResourceId
  • replicaCapacity
  • replicationRole
  • systemData
  • configurations.documentationLink
  • configurations.isConfigPendingRestart
  • configurations.isDynamicConfig
  • configurations.isReadOnly
  • configurations.unit

Modified:

  • The data type of the attribute firewallRules has been changed from array ([]) to object ({}).

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Network Watcher resources in Guardrails.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • Fixed an issue where credentials from the imported foreign schema were lost after restarting the session in the Postgres FDW extension of the plugin. (#2275)

Dependencies

What's new?

Enhancements

  • Added connection_info column to the gcp_alloydb_instance table. (#651)

Bug fixes

  • Removed the name column from the gcp_bigquery_table table since the API response did not include this field. (#648)

Dependencies

Enhancements

  • Added the event_region column to the aws_health_event table. (#2293)
  • Added the location_type column to the aws_ec2_instance_type table. (#2294)

Bug fixes

  • Removed unnecessary hydration of the instance_type column in aws_ec2_instance_type table. (#2294)
  • Fixed an issue where credentials from the imported foreign schema were lost after restarting the session in the Postgres FDW extension of the plugin. (#2275)

Bug fixes

  • Fixed the CLI to correctly display the latest released version when using the steampipe -v command. (#4388)

Bug fixes

  • Fixed an issue where Steampipe failed to download the embedded PostgreSQL database and FDW during installation. (#4382)

Deprecations

Bug fixes

  • Fixed secret references for AWS creds in README.

Dependencies

  • Bumped @actions/core from v0.10.0 to v0.10.1.
  • Bumped @vercel/ncc from v0.38.0 to v0.38.1.
  • Bumped actions/setup-node from 3 to 4. (#95)
  • Bumped actions/upload-artifact from 3 to 4. (#100)
  • Bumped braces from 3.0.2 to 3.0.3. (#109)
  • Bumped eslint from 8.52.0 to 8.56.0. (#101)
  • Bumped eslint from 8.56.0 to 9.2.0. (#108)
  • Bumped github/codeql-action from 2 to 3. (#99)
  • Bumped semver from v7.5.4 to v7.6.3.
  • Updated to Node v20 in the action and the check-dist workflow. (#104) (Thanks @francois2metz for the contribution!)

Bug fixes

  • trigger introspection output correctly shows param attribute. (#900)

Bug fixes

  • The serviceProperties.table.clientRequestId and serviceProperties.table.requestId properties for storage accounts have now been made dynamic to avoid unnecessary notifications in the activity tab.

Bug fixes

  • Fixed incorrect references to various Quick Actions.

What's new?

  • Added the ability to configure plugin startup timeout. (#4320)
  • Installed FDW and embedded Postgres database from GHCR instead of GCP. (#4344)
  • Updated the query JSON output format to add a columns property containing the column information. This lets duplicate column names be handled by appending a unique suffix to each duplicate name. (#4317)

Existing query JSON format:

$ steampipe query "select account_id, arn from aws_account" --output json
{
  "rows": [
    {
      "account_id": "123456789012",
      "arn": "arn:aws:::123456789012"
    }
  ]
}

New query JSON format (with the new columns property):

$ steampipe query "select account_id, arn from aws_account" --output json
{
  "columns": [
    {
      "name": "account_id",
      "data_type": "text"
    },
    {
      "name": "arn",
      "data_type": "text"
    }
  ],
  "rows": [
    {
      "account_id": "123456789012",
      "arn": "arn:aws:::123456789012"
    }
  ]
}
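A consumer that accepts both output shapes, treating the new columns array as the authority on column order and types and falling back to row keys for the legacy shape; this is an added example, not Steampipe's own code, and the two sample documents are constructed to mirror the outputs above.

```python
"""Parse Steampipe `--output json` query results in both the legacy
(rows only) and the newer (columns + rows) shapes."""
import json
from typing import Any, List, Optional, Tuple

# Constructed sample outputs mirroring the two shapes shown in the changelog.
LEGACY_OUTPUT = """
{
  "rows": [
    {"account_id": "123456789012", "arn": "arn:aws:::123456789012"}
  ]
}
"""

NEW_OUTPUT = """
{
  "columns": [
    {"name": "account_id", "data_type": "text"},
    {"name": "arn", "data_type": "text"}
  ],
  "rows": [
    {"account_id": "123456789012", "arn": "arn:aws:::123456789012"}
  ]
}
"""

Columns = List[Tuple[str, Optional[str]]]


def parse_query_output(text: str) -> Tuple[Columns, List[List[Any]]]:
    """Return (columns, rows) from either output shape.

    columns: ordered (name, data_type) pairs; data_type is None when the
    legacy shape carries no type information.
    rows: row values in column order (missing keys become None), so callers
    need not care which Steampipe version produced the document.
    """
    doc = json.loads(text)
    if not isinstance(doc, dict) or not isinstance(doc.get("rows"), list):
        raise ValueError("not a Steampipe query result: missing 'rows' list")
    rows = doc["rows"]

    if "columns" in doc:
        # New shape: the columns array defines order and types. Steampipe
        # already de-duplicates names here (e.g. by a suffix), so the names
        # line up with the row keys as-is.
        columns: Columns = [(c["name"], c.get("data_type")) for c in doc["columns"]]
    else:
        # Legacy shape: infer column order from row keys in first-seen order.
        # JSON object keys cannot repeat, so duplicate column names are lost.
        names: List[str] = []
        for row in rows:
            for key in row:
                if key not in names:
                    names.append(key)
        columns = [(n, None) for n in names]

    ordered_rows = [[row.get(name) for name, _ in columns] for row in rows]
    return columns, ordered_rows


def column_names(text: str) -> List[str]:
    """Just the column names, in result order."""
    return [name for name, _ in parse_query_output(text)[0]]


def has_type_info(text: str) -> bool:
    """True only when the output carries the newer columns property."""
    columns = parse_query_output(text)[0]
    return bool(columns) and all(dtype is not None for _, dtype in columns)


if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY_OUTPUT), ("new", NEW_OUTPUT)):
        cols, rows = parse_query_output(sample)
        print(label, cols, rows)
```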

Bug fixes

  • Fixed the issue where the plugin manager was incorrectly reporting a shutdown. (#4365)

What's new?

  • Added a tags argument to pipeline param and mod variable resources. (#898)
  • Updated Docker dependency to v27.1.2.

What's new?

Policy Types

  • Kubernetes > Cluster > ServiceNow > Import Set > Insert Mode
  • Kubernetes > ConfigMap > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Deployment > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Namespace > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Node > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Pod > ServiceNow > Import Set > Insert Mode
  • Kubernetes > ReplicaSet > ServiceNow > Import Set > Insert Mode
  • Kubernetes > Service > ServiceNow > Import Set > Insert Mode

Bug fixes

  • Improved error handling for osquery error events.

Bug fixes

  • Query controls for various resource types will now go into an invalid state if we receive an error from the osquery agent.

What's new?

Enhancements

  • Added time_created column to the azure_compute_virtual_machine table. (#831)
  • Added ip_configuration, linked_public_ip_address, nat_gateway and service_public_ip_address columns to the azure_public_ip table. (#836)
  • Added 20 new columns to the azure_postgresql_flexible_server table. (#824)

Bug fixes

  • Fixed the ip_configurations column of the azure_subnet table to correctly return data instead of null. (#822)
  • Fixed the web_application_firewall_configuration column of azure_application_gateway table to correctly return data instead of null. (#835)

Dependencies

  • Recompiled plugin with Go version 1.22. (#832)
  • Recompiled plugin with steampipe-plugin-sdk v5.10.4 that fixes logging in the plugin export tool.
  • Updated the azure_mysql_flexible_server and azure_postgresql_flexible_server tables to use the new Azure ARM Go package. (#820)

What's new?

Enhancements

  • Updated the aws_ec2_ami table to correctly return disabled AMIs on passing the disabled value to the state optional qual (where state = 'disabled'). (#2277)
  • Added 100+ new columns across all tables per AWS Go SDK v2 1.27.0. (#2139)

Dependencies

Bug fixes

  • The source attribute in a function step is now evaluated relative to its own mod directory rather than the root mod directory. (#895)

What's new?

  • Added Australian Cyber Security Center (ACSC) Essential Eight benchmark (powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight). (#823)

What's new?

Policy Types

  • GCP > Storage > Bucket > ServiceNow > Import Set > Insert Mode
  • GCP > Storage > Object > ServiceNow > Import Set > Insert Mode

Control Types

  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set

Policy Types

  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Archive Columns
  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Insert Mode
  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Record
  • GCP > Kubernetes Engine > Region Cluster > ServiceNow > Import Set > Table Name
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Archive Columns
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Insert Mode
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Record
  • GCP > Kubernetes Engine > Region Node Pool > ServiceNow > Import Set > Table Name
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Archive Columns
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Insert Mode
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Record
  • GCP > Kubernetes Engine > Zone Cluster > ServiceNow > Import Set > Table Name
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Archive Columns
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Insert Mode
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Record
  • GCP > Kubernetes Engine > Zone Node Pool > ServiceNow > Import Set > Table Name

What's new?

Policy Types

  • GCP > Global Region > ServiceNow > Import Set > Insert Mode
  • GCP > Multi-Region > ServiceNow > Import Set > Insert Mode
  • GCP > Project > ServiceNow > Import Set > Insert Mode
  • GCP > Region > ServiceNow > Import Set > Insert Mode
  • GCP > Zone > ServiceNow > Import Set > Insert Mode

Control Types

  • Azure > AKS > Managed Cluster > ServiceNow > Import Set

Policy Types

  • Azure > AKS > Managed Cluster > ServiceNow > Import Set
  • Azure > AKS > Managed Cluster > ServiceNow > Import Set > Archive Columns
  • Azure > AKS > Managed Cluster > ServiceNow > Import Set > Insert Mode
  • Azure > AKS > Managed Cluster > ServiceNow > Import Set > Record
  • Azure > AKS > Managed Cluster > ServiceNow > Import Set > Table Name

What's new?

Policy Types

  • Azure > Subscription > ServiceNow > Import Set > Insert Mode

What's new?

Policy Types

  • ServiceNow > Import Set > Insert Mode [Default]

Bug fixes

  • Guardrails did not correctly raise the real-time modifyVolume event for EBS Volume Notifications. This issue is now fixed.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

Action Types

  • AWS > SWF > Domain > Delete from AWS

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

Bug fixes

  • Fixed incorrect references to various Quick Actions.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • Volume's metadata will now also include createdBy details in Guardrails CMDB.
  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • The AWS > EC2 > Volume > Performance Configuration control would sometimes fail to set the expected configuration per AWS > EC2 > Volume > Performance Configuration > * policies and move to an Invalid state if the required data was not available for new volumes in the CMDB. The control will now move to TBD instead and retry after 5 minutes to fetch the required data correctly and set the performance configuration as expected.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed incorrect references to various Quick Actions.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Enhancements

  • The VPC Security Group detail page now includes information on the following associated services: (#352) (Thanks @maxcorbin for the contribution!)
    • Amazon MQ broker
    • ECS service
    • ECS task

GCP integrations now make use of temporary credentials via service account impersonation using the Service Account Token Creator role.

For more information, check out the docs.

What's new?

  • The trigger list command now includes triggers from the root mod's immediate dependencies. (#892)

Bug fixes

  • Function steps will no longer randomly fail on slower host machines. (#888)
  • Mod variable definitions now match Powerpipe's definition. (#889)

What's new?

  • The Azure > Storage > Storage Account > CMDB control will now also fetch diagnostic settings details and store them in CMDB.
  • Track and manage storage account access keys in Guardrails CMDB.

Resource Types

  • Azure > Storage > Access Key

Control Types

  • Azure > Storage > Access Key > CMDB
  • Azure > Storage > Access Key > Discovery

Policy Types

  • Azure > Storage > Access Key > CMDB

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.
  • Fixed the AKA format for rule group v2 global and regional resource types.

What's new?

  • Added SOC2 2017 benchmark (powerpipe benchmark run gcp_compliance.benchmark.soc_2_2017). (#181)

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Control Types

  • GCP > Global Region > ServiceNow
  • GCP > Global Region > ServiceNow > Configuration Item
  • GCP > Global Region > ServiceNow > Import Set
  • GCP > Global Region > ServiceNow > Table
  • GCP > Multi-Region > ServiceNow
  • GCP > Multi-Region > ServiceNow > Configuration Item
  • GCP > Multi-Region > ServiceNow > Import Set
  • GCP > Multi-Region > ServiceNow > Table
  • GCP > Region > ServiceNow
  • GCP > Region > ServiceNow > Configuration Item
  • GCP > Region > ServiceNow > Import Set
  • GCP > Region > ServiceNow > Table
  • GCP > Zone > ServiceNow
  • GCP > Zone > ServiceNow > Configuration Item
  • GCP > Zone > ServiceNow > Import Set
  • GCP > Zone > ServiceNow > Table

Policy Types

  • GCP > Global Region > ServiceNow
  • GCP > Global Region > ServiceNow > Configuration Item
  • GCP > Global Region > ServiceNow > Configuration Item > Record
  • GCP > Global Region > ServiceNow > Configuration Item > Table Definition
  • GCP > Global Region > ServiceNow > Import Set
  • GCP > Global Region > ServiceNow > Import Set > Archive Columns
  • GCP > Global Region > ServiceNow > Import Set > Record
  • GCP > Global Region > ServiceNow > Import Set > Table Name
  • GCP > Global Region > ServiceNow > Table
  • GCP > Global Region > ServiceNow > Table > Definition
  • GCP > Multi-Region > ServiceNow
  • GCP > Multi-Region > ServiceNow > Configuration Item
  • GCP > Multi-Region > ServiceNow > Configuration Item > Record
  • GCP > Multi-Region > ServiceNow > Configuration Item > Table Definition
  • GCP > Multi-Region > ServiceNow > Import Set
  • GCP > Multi-Region > ServiceNow > Import Set > Archive Columns
  • GCP > Multi-Region > ServiceNow > Import Set > Record
  • GCP > Multi-Region > ServiceNow > Import Set > Table Name
  • GCP > Multi-Region > ServiceNow > Table
  • GCP > Multi-Region > ServiceNow > Table > Definition
  • GCP > Region > ServiceNow
  • GCP > Region > ServiceNow > Configuration Item
  • GCP > Region > ServiceNow > Configuration Item > Record
  • GCP > Region > ServiceNow > Configuration Item > Table Definition
  • GCP > Region > ServiceNow > Import Set
  • GCP > Region > ServiceNow > Import Set > Archive Columns
  • GCP > Region > ServiceNow > Import Set > Record
  • GCP > Region > ServiceNow > Import Set > Table Name
  • GCP > Region > ServiceNow > Table
  • GCP > Region > ServiceNow > Table > Definition
  • GCP > Zone > ServiceNow
  • GCP > Zone > ServiceNow > Configuration Item
  • GCP > Zone > ServiceNow > Configuration Item > Record
  • GCP > Zone > ServiceNow > Configuration Item > Table Definition
  • GCP > Zone > ServiceNow > Import Set
  • GCP > Zone > ServiceNow > Import Set > Archive Columns
  • GCP > Zone > ServiceNow > Import Set > Record
  • GCP > Zone > ServiceNow > Import Set > Table Name
  • GCP > Zone > ServiceNow > Table
  • GCP > Zone > ServiceNow > Table > Definition

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

Bug fixes

  • The Import Set controls will no longer require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.

What's new?

  • You can now configure parameter groups for DB clusters. To get started, set the AWS > RDS > DB Cluster > Parameter Group > * policies.

Control Types

  • AWS > RDS > DB Cluster > Parameter Group

Policy Types

  • AWS > RDS > DB Cluster > Parameter Group
  • AWS > RDS > DB Cluster > Parameter Group > Name

Action Types

  • AWS > RDS > DB Cluster > Update Parameter Group

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • Added JSON extension support for DuckDB backends. (#467)

Bug fixes

  • Fixed the incorrect mod reference in the output of powerpipe help command. (#471)

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • Added detect_and_correct_sql_database_instances_with_incorrect_labels pipeline for SQL Database Instance. (#6)

Enhancements

  • Added a default value for the base_label_rules variable. (#7)

Enhancements

  • Added a default value for the base_tag_rules variable. (#18)

Enhancements

  • Added a default value for the base_tag_rules variable. (#28)

Bug fixes

  • Fixed an issue where Steampipe failed to create a new connection if it was outside the defined search path. (#4353)

Bug fixes

  • Server

    • Resolved an issue where policy values were not being terminated due to a race condition.
    • The ServiceNow credentials resolver will now display a clear message when the instance is in a hibernated or unavailable state.
  • UI

    • Fixed an issue where filters on the Resource Explorer page were not functioning correctly.
    • The Import button on the Connect page has been updated to Connect.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

What's new?

  • We have updated various policies set during project imports to allow for a smoother import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • You can now configure Master Authorized Networks for region and zone clusters via Guardrails. To get started, set the GCP > Kubernetes Engine > Region Cluster > Master Authorized Networks Config and GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config policies respectively.

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Control Types

  • GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config

Policy Types

  • GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config

Action Types

  • GCP > Kubernetes Engine > Region Cluster > Set Desired Master Authorized Network Config
  • GCP > Kubernetes Engine > Zone Cluster > Set Desired Master Authorized Network Config

What's new?

  • We have updated various policies set during subscription imports to allow for a smoother import experience. We recommend upgrading your TE to v5.42.21 or higher to enable these changes to take effect.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Resource Types

  • Azure > Network > Private Link Service

Control Types

  • Azure > Network > Private Link Service > Active
  • Azure > Network > Private Link Service > Approved
  • Azure > Network > Private Link Service > CMDB
  • Azure > Network > Private Link Service > Discovery
  • Azure > Network > Private Link Service > Tags

Policy Types

  • Azure > Network > Private Link Service > Active
  • Azure > Network > Private Link Service > Active > Age
  • Azure > Network > Private Link Service > Active > Last Modified
  • Azure > Network > Private Link Service > Approved
  • Azure > Network > Private Link Service > Approved > Custom
  • Azure > Network > Private Link Service > Approved > Regions
  • Azure > Network > Private Link Service > Approved > Usage
  • Azure > Network > Private Link Service > CMDB
  • Azure > Network > Private Link Service > Regions
  • Azure > Network > Private Link Service > Tags
  • Azure > Network > Private Link Service > Tags > Template

Action Types

  • Azure > Network > Private Link Service > Delete
  • Azure > Network > Private Link Service > Router
  • Azure > Network > Private Link Service > Set Tags

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.

Bug fixes

  • In version 5.25.0, we added support to ignore permission errors on a bucket via the CMDB policy Enforce: Enabled but ignore permission errors. However, the CMDB control previously ignored permission errors only on the HeadBucket operation and still entered an error state for permission errors on sub-API calls. The CMDB control will now ignore all sub-API calls if the HeadBucket operation is denied access. If the HeadBucket operation is successful, the control will attempt to make all sub-API calls and ignore access denied errors if encountered.

Bug fixes

  • Complex nested map data type in pipeline param no longer fails with a mismatched types error. (#879).

What's new?

  • On-demand trigger execution. (#864).
  • Param support for triggers. (#840).

Bug fixes

  • Complex data type in pipeline param no longer fails with a mismatched types error. (#879).
  • Pipeline param default value is not nested in a map data type. (#880).

What's new?

  • Recompiled CLI with Go v1.22. (#448)

Bug fixes

  • Fixed issue where CLI notifications interfered with the Powerpipe JSON outputs resulting in invalid JSON outputs. (#452)
  • Fixed an issue where Powerpipe crashed when running a benchmark with the --dry-run flag set. (#455)

What's new?

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Resource Types

  • Azure > Provider > Container Registry

Control Types

  • Azure > Provider > Container Registry > CMDB
  • Azure > Provider > Container Registry > Discovery
  • Azure > Provider > Container Registry > Registered

Policy Types

  • Azure > Provider > Container Registry > CMDB
  • Azure > Provider > Container Registry > Registered

Action Types

  • Azure > Provider > Container Registry > Set Registered

Resource Types

  • Azure > Container Registry
  • Azure > Container Registry > Registry

Control Types

  • Azure > Container Registry > Registry > Active
  • Azure > Container Registry > Registry > Approved
  • Azure > Container Registry > Registry > CMDB
  • Azure > Container Registry > Registry > Discovery
  • Azure > Container Registry > Registry > Tags

Policy Types

  • Azure > Container Registry > Approved Regions [Default]
  • Azure > Container Registry > Enabled
  • Azure > Container Registry > Permissions
  • Azure > Container Registry > Permissions > Levels
  • Azure > Container Registry > Permissions > Levels > Modifiers
  • Azure > Container Registry > Regions
  • Azure > Container Registry > Registry > Active
  • Azure > Container Registry > Registry > Active > Age
  • Azure > Container Registry > Registry > Active > Last Modified
  • Azure > Container Registry > Registry > Approved
  • Azure > Container Registry > Registry > Approved > Custom
  • Azure > Container Registry > Registry > Approved > Regions
  • Azure > Container Registry > Registry > Approved > Usage
  • Azure > Container Registry > Registry > CMDB
  • Azure > Container Registry > Registry > Regions
  • Azure > Container Registry > Registry > Tags
  • Azure > Container Registry > Registry > Tags > Template
  • Azure > Container Registry > Tags Template [Default]
  • Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-containerregistry
  • Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-containerregistry

Action Types

  • Azure > Container Registry > Registry > Delete
  • Azure > Container Registry > Registry > Router
  • Azure > Container Registry > Registry > Set Tags

What's new?

  • The Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • The AWS > VPC > VPC > Stack control would sometimes go into an error state while upserting newly created flow logs in Guardrails due to incorrect mapping of its parent resource. This issue has now been fixed, and the control will upsert flow logs more consistently and reliably than before.

Bug fixes

  • The CMDB control for the service resource type will no longer depend on the API Enabled policy being set to Enforce: Enabled for the service.

What's new?

  • Added support for Postgres versions 13.14, 13.15, 13.16, 14.11, 14.12, 14.13 and 15.8.
  • Updated the default value for the RDS certificate to rds-ca-rsa4096-g1.

5.0.0 (2024-08-13)

Resource Types

  • Azure > Managed Identity
  • Azure > Managed Identity > User Assigned Identity

Control Types

  • Azure > Managed Identity > User Assigned Identity > Active
  • Azure > Managed Identity > User Assigned Identity > Approved
  • Azure > Managed Identity > User Assigned Identity > CMDB
  • Azure > Managed Identity > User Assigned Identity > Discovery
  • Azure > Managed Identity > User Assigned Identity > Tags

Policy Types

  • Azure > Managed Identity > Approved Regions [Default]
  • Azure > Managed Identity > Enabled
  • Azure > Managed Identity > Permissions
  • Azure > Managed Identity > Permissions > Levels
  • Azure > Managed Identity > Permissions > Levels > Modifiers
  • Azure > Managed Identity > Regions
  • Azure > Managed Identity > Tags Template [Default]
  • Azure > Managed Identity > User Assigned Identity > Active
  • Azure > Managed Identity > User Assigned Identity > Active > Age
  • Azure > Managed Identity > User Assigned Identity > Active > Last Modified
  • Azure > Managed Identity > User Assigned Identity > Approved
  • Azure > Managed Identity > User Assigned Identity > Approved > Custom
  • Azure > Managed Identity > User Assigned Identity > Approved > Regions
  • Azure > Managed Identity > User Assigned Identity > Approved > Usage
  • Azure > Managed Identity > User Assigned Identity > CMDB
  • Azure > Managed Identity > User Assigned Identity > Regions
  • Azure > Managed Identity > User Assigned Identity > Tags
  • Azure > Managed Identity > User Assigned Identity > Tags > Template
  • Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-managedidentity
  • Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-managedidentity

Action Types

  • Azure > Managed Identity > User Assigned Identity > Delete
  • Azure > Managed Identity > User Assigned Identity > Router
  • Azure > Managed Identity > User Assigned Identity > Set Tags

What's new?

  • Recompiled CLI with Go v1.22. (#4340)

Bug fixes

  • Fixed query error message to not include internal function names. (#4335)

What's new?

  • Added CIS AWS Compute Services v1.0.0 benchmark (powerpipe benchmark run aws_compliance.benchmark.cis_compute_service_v100). (#814)

Bug fixes

  • Fixed iam_root_user_hardware_mfa_enabled query to correctly return ok when hardware MFA is enabled for the root user. (#815)

What's new?

  • The AWS > Turbot > Logging > Bucket > Default Encryption policy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via the AWS > Turbot > Logging > Bucket stack control will now be encrypted by AWS SSE by default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the @turbot/aws-s3 mod to v5.26.0 for the stack control to work reliably as before.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Policy Types

Renamed

  • AWS > Turbot > Logging > Bucket > Default Encryption to AWS > Turbot > Logging > Bucket > Default Encryption [Deprecated]

What's new?

  • Added support for aws_s3_bucket_ownership_controls Terraform resource for buckets.
  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.

  • Resource metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • Users can now configure the Terraform version for the AWS > Config > Configuration Recording stack control. To get started, set the AWS > Config > Configuration Recording > Terraform Version policy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably.

Policy Types

  • AWS > Config > Configuration Recording > Terraform Version

What's new?

Enhancements

  • The euuid column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Linode accounts. (#56)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#60)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

What's new?

  • Users can now create and manage labels on Pub/Sub topics created via the GCP > Turbot > Event Handlers > Pub/Sub control. To get started, set the GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels policy.

Policy Types

  • GCP > Turbot > Event Handlers > Pub/Sub > Subscription > Labels > Ignore Changes
  • GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels
  • GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels > Ignore Changes

Bug fixes

  • Guardrails failed to clean up deleted security group rules via the real-time ec2:RevokeSecurityGroupEgress and ec2:RevokeSecurityGroupIngress events. This issue is now fixed.

Bug fixes

  • The AWS > Turbot > Event Handlers control did not correctly raise the real-time CreateTags and DeleteTags events for VPC security group rules. This issue is now fixed.

Bug fixes

  • Fixed the okta_factor table to correctly return data instead of a nil pointer dereference error. (#137)
  • Fixed the caching issue in the standalone plugin FDW extensions. (#480)

Enhancements

  • Added the GetConfig in the github_repository_content table. (#445)

Bug fixes

  • Fixed the caching issue in the standalone plugin FDW extensions. (#480)

Enhancements

  • Added Reader and Data Access role assignment information to the docs/index.md file. (#811)

Bug fixes

  • Fixed the azure_compute_virtual_machine table to correctly populate the guest_configuration_assignments column across all Azure environments. (#816)
  • Fixed the azure_role_assignment table to correctly return the result while using any mode of plugin authentication. (#809)
  • Fixed the paging issue in the azure_monitor_activity_log_event table. (#810)
  • Fixed the caching issue in the standalone plugin FDW extensions. (#480)

Enhancements

  • Added location_type column as an optional qual to the aws_ec2_instance_availability table and 6 new columns to the aws_ec2_instance_type table. (#2078)
  • Updated docs for aws_appautoscaling_policy and aws_appautoscaling_target tables to add information on required quals. (#2247)
  • Added the type column as an optional qual to the aws_auditmanager_control table. (#2254)

Bug fixes

  • Fixed the GetConfig definition of the aws_auditmanager_control table to correctly return data instead of an error. (#2254)
  • Fixed the aws_kms_key_rotation table to correctly return nil whenever an AccessDeniedException error is returned by the API. (#2253)
  • Fixed the caching issue in the standalone plugin FDW extensions. (#480)

What's new?

  • Users can now configure flow logging for subnetworks. To get started, set the GCP > Network > Subnetwork > Flow Log policy.

Control Types

  • GCP > Network > Subnetwork > Flow Log

Policy Types

  • GCP > Network > Subnetwork > Flow Log

Action Types

  • GCP > Network > Subnetwork > Set Flow Log

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.

  • Resource metadata will now also include createdBy details in Turbot CMDB.

Resource Types

  • Azure > Provider > Elastic
  • Azure > Provider > Managed Identity

Control Types

  • Azure > Provider > Elastic > CMDB
  • Azure > Provider > Elastic > Discovery
  • Azure > Provider > Elastic > Registered
  • Azure > Provider > Managed Identity > CMDB
  • Azure > Provider > Managed Identity > Discovery
  • Azure > Provider > Managed Identity > Registered

Policy Types

  • Azure > Provider > Elastic > CMDB
  • Azure > Provider > Elastic > Registered
  • Azure > Provider > Managed Identity > CMDB
  • Azure > Provider > Managed Identity > Registered

Action Types

  • Azure > Provider > Elastic > Set Registered
  • Azure > Provider > Managed Identity > Set Registered

Bug fixes

  • The variable command no longer fails if the .flowpipe directory in the user's home directory is not created yet. (#872).

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.

  • Resource metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • You can now disable inactive or unapproved service accounts via Guardrails. To get started, set the GCP > IAM > Service Account > Active or GCP > IAM > Service Account > Approved policy to Enforce: Disable inactive with <x> days warning or Enforce: Disable unapproved respectively.

Action Types

  • GCP > IAM > Service Account > Disable

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.

  • Resource metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.

  • Resource metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.

  • Resource metadata will now also include createdBy details in Turbot CMDB.

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.

  • Resource metadata will now also include createdBy details in Turbot CMDB.

Bug fixes

  • The AWS > ECR > Repository > CMDB control went into an error state for shared repositories upserted incorrectly in Guardrails CMDB. Shared repositories will now not be upserted under shared accounts or regions, but will only be upserted under their owner accounts and regions.

Bug fixes

  • Guardrails failed to process the real-time event ec2:CreateReplaceRootVolumeTask for instances. This is now fixed.

Enhancements

  • Added the following controls to the All Controls benchmark: (#176)
    • alloydb_instance_log_error_verbosity_database_flag_default_or_stricter
    • alloydb_instance_log_min_error_statement_database_flag_configured
    • alloydb_instance_log_min_messages_database_flag_error

Enhancements

  • Added the following controls to the All Controls benchmark: (#274)
    • application_gateway_waf_uses_specified_mode
    • application_insights_block_log_ingestion_and_querying_from_public
    • log_analytics_workspace_block_log_ingestion_and_querying_from_public
    • log_analytics_workspace_block_non_azure_ingestion

Bug fixes

  • Fixed the storage_account_block_public_access query to correctly check whether the public_network_access column of the azure_storage_account table is set to disabled, as per the CIS documentation. (#277)

What's new?

  • Added NIST 800-172 benchmark (powerpipe benchmark run aws_compliance.benchmark.nist_800_172). (#807)

Bug fixes

  • Fixed sqs_queue_encrypted_at_rest query to ensure queues using SQS-SSE encryption at rest remain in an ok state instead of alarm. (#805) (Thanks @duncward for the contribution!)

v0.14.0 of the Terraform Provider for Pipes is now available.

Breaking Changes

  • The resources/pipes_workspace_connection resource now manages connections at the workspace level. Previously, it managed the attachment to the workspace of connections defined at the respective identity level. Please follow the migration guide to migrate your existing configuration to the new model.
  • The resources/pipes_connection resource does not support managing user-level connections, in line with changes in Pipes.

What's new?

  • Resource pipes_organization_connection
  • Resource pipes_organization_connection_folder
  • Resource pipes_organization_connection_folder_permission
  • Resource pipes_organization_connection_permission
  • Resource pipes_organization_integration
  • Resource pipes_tenant_connection
  • Resource pipes_tenant_connection_folder
  • Resource pipes_tenant_connection_folder_permission
  • Resource pipes_tenant_connection_permission
  • Resource pipes_tenant_integration
  • Resource pipes_user_integration
  • Resource pipes_workspace_connection_folder
  • Resource pipes_workspace_schema

Enhancements

  • The resources/pipes_workspace_mod resource now supports storing the state_reason attribute.

v0.10.0 of the Pipes SDK Go is now available.

What's new?

  • Integration Management APIs for Tenants, Users, Organizations, UserWorkspaces and OrgWorkspaces.
  • Tenant Connection Management APIs.
  • Tenant Connection Folder Management APIs.
  • User Connection Folder Management APIs.
  • Organization Connection Management APIs.
  • Organization Connection Folder Management APIs.
  • Workspace Connection Management APIs.
  • Workspace Connection Folder Management APIs.
  • Permission Management APIs for Connections and ConnectionFolders.

Enhancements

  • Added support for installing mods that are associated with integrations.
  • Added support for setting the search path prefix for a workspace.

What's new?

  • Server

    • Made notifications faster by improving the query, which enhances the performance of the resource activity tab.
  • UI

    • Fixed a bug where policy pack creation would fail if the AKA was not provided from the user interface.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

  • Alpine: 3.17.5
  • Ubuntu: 22.04.3

Bug fixes

  • The Azure > Resource Group > ServiceNow > Configuration Item control would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Control Types

  • GCP > Project > ServiceNow > Import Set

Policy Types

  • GCP > Project > ServiceNow > Import Set
  • GCP > Project > ServiceNow > Import Set > Archive Columns
  • GCP > Project > ServiceNow > Import Set > Record
  • GCP > Project > ServiceNow > Import Set > Table Name

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

Bug fixes

  • The Import Set control for various resources would push JSON objects to ServiceNow without converting them to strings. This would result in ServiceNow reading those JSON objects in an incorrect format. The Import Set control will now convert such JSON objects to strings so that they are stored reliably and consistently in ServiceNow.

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to poll events from Azure Monitor and process them in Guardrails. You won't notice any difference, and things will continue to work smoothly as before.

What's new?

  • AWS/DynamoDB/Admin, AWS/DynamoDB/Metadata and AWS/DynamoDB/Operator now include permissions for Resource Policy, Imports, Time to Live and Global Table Version.

Breaking changes

  • Removed the following columns in gcp_cloudfunctions_function table to align with the new API response structure: (#612)
    • environment_variables
    • source_upload_url
    • version_id

What's new?

  • Added the impersonate_access_token config argument to support plugin authentication by using a pre-generated temporary access token. (#621)

Enhancements

  • Added 17 new columns to the gcp_cloudfunctions_function table. (#612)

Bug fixes

  • Fixed the cache key issue in the SecretManager service client creation. (#624)

What's new?

Control Types

  • Azure > Network > Network Security Group > ServiceNow > Import Set

Policy Types

  • Azure > Network > Network Security Group > ServiceNow > Import Set
  • Azure > Network > Network Security Group > ServiceNow > Import Set > Archive Columns
  • Azure > Network > Network Security Group > ServiceNow > Import Set > Record
  • Azure > Network > Network Security Group > ServiceNow > Import Set > Table Name

What's new?

Control Types

  • Azure > Subscription > ServiceNow > Import Set

Policy Types

  • Azure > Subscription > ServiceNow > Import Set
  • Azure > Subscription > ServiceNow > Import Set > Archive Columns
  • Azure > Subscription > ServiceNow > Import Set > Record
  • Azure > Subscription > ServiceNow > Import Set > Table Name

What's new?

  • Users can now enable/disable Table logging for Storage Accounts via Azure > Storage > Storage Account > Table > Logging control. To get started, set the Azure > Storage > Storage Account > Table > Logging policy.

Control Types

  • Azure > Storage > Storage Account > Encryption at Rest
  • Azure > Storage > Storage Account > Table
  • Azure > Storage > Storage Account > Table > Logging

Policy Types

  • Azure > Storage > Storage Account > Encryption at Rest
  • Azure > Storage > Storage Account > Encryption at Rest > Customer Managed Key
  • Azure > Storage > Storage Account > Table
  • Azure > Storage > Storage Account > Table > Logging
  • Azure > Storage > Storage Account > Table > Logging > Properties
  • Azure > Storage > Storage Account > Table > Logging > Retention Days

Action Types

  • Azure > Storage > Storage Account > Update Encryption at Rest

  • Azure > Storage > Storage Account > Update Storage Account Table Logging

  • The Storage Account CMDB data will now also include information about the account's table service properties.

  • The Azure > Storage Account > Container > Discovery control no longer depends on the listKeys permission to run to completion. This release includes breaking changes in the CMDB data for containers; update any existing policy settings that refer to the renamed or removed attributes below.

Renamed: isImmutableStorageWithVersioningEnabled to isImmutableStorageWithVersioning.enabled

Removed: preventEncryptionScopeOverride

Bug fixes

  • The Azure > Storage > Storage Account > CMDB control would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access for listKeys, and will run its course to completion without going into an error state.

Bug fixes

  • Improved error message for the AWS > S3 > Bucket > CMDB control if it would go into an error state due to insufficient permissions for the headBucket operation.

What's new?

  • Server
    • Migrated from Node.js 18 to Node.js 20 for improved performance and security.
    • Updated the Mod Lambda architecture to ARM64 for better efficiency.
    • Added support for Node.js 20 in the Lambda runtime.

Bug fixes

  • Server
    • Resolved an issue where the next tick timestamp was not being set for large commands

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • UI
    • Fixed an issue where Policy Packs could not be deleted from the UI with the latest Turbot mod (5.45.0) and TE 5.45.0.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Fixed the issue where the --arg flag was not working for control and query runs. (#439)
  • Fixed data inconsistency issue in snapshot output when the same control was included in multiple benchmarks. (#436)

Import a tree of folders and projects as Pipes connections, control permissions for workspaces, and auto-create aggregators.

For more information, see the launch post or check out the docs.

You can now create connections at the custom tenant, organization or workspace level in Pipes, along with grouping of these within folders to allow easier sharing of related connections.

This is coupled with a fine-grained permissions model, allowing you to share connections & folders broadly across a custom tenant, or restrict access to specific organizations and/or their workspaces.

For more information, check out the docs.

Import a tree of management groups and subscriptions as Pipes connections, control permissions for workspaces, and auto-create aggregators.

For more information, see the launch post or check out the docs.

Import a tree of OUs and accounts as Pipes connections, control permissions for workspaces, and auto-create aggregators.

For more information, see the launch post or check out the docs.

What's new?

Control Types

  • Kubernetes > CronJob > ServiceNow
  • Kubernetes > CronJob > ServiceNow > Configuration Item
  • Kubernetes > CronJob > ServiceNow > Table
  • Kubernetes > DaemonSet > ServiceNow
  • Kubernetes > DaemonSet > ServiceNow > Configuration Item
  • Kubernetes > DaemonSet > ServiceNow > Table
  • Kubernetes > Ingress > ServiceNow
  • Kubernetes > Ingress > ServiceNow > Configuration Item
  • Kubernetes > Ingress > ServiceNow > Table
  • Kubernetes > Job > ServiceNow
  • Kubernetes > Job > ServiceNow > Configuration Item
  • Kubernetes > Job > ServiceNow > Table
  • Kubernetes > Persistent Volume > ServiceNow
  • Kubernetes > Persistent Volume > ServiceNow > Configuration Item
  • Kubernetes > Persistent Volume > ServiceNow > Table
  • Kubernetes > ReplicationController > ServiceNow
  • Kubernetes > ReplicationController > ServiceNow > Configuration Item
  • Kubernetes > ReplicationController > ServiceNow > Table
  • Kubernetes > StatefulSet > ServiceNow
  • Kubernetes > StatefulSet > ServiceNow > Configuration Item
  • Kubernetes > StatefulSet > ServiceNow > Table

Policy Types

  • Kubernetes > CronJob > ServiceNow
  • Kubernetes > CronJob > ServiceNow > Configuration Item
  • Kubernetes > CronJob > ServiceNow > Configuration Item > Record
  • Kubernetes > CronJob > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > CronJob > ServiceNow > Table
  • Kubernetes > CronJob > ServiceNow > Table > Definition
  • Kubernetes > DaemonSet > ServiceNow
  • Kubernetes > DaemonSet > ServiceNow > Configuration Item
  • Kubernetes > DaemonSet > ServiceNow > Configuration Item > Record
  • Kubernetes > DaemonSet > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > DaemonSet > ServiceNow > Table
  • Kubernetes > DaemonSet > ServiceNow > Table > Definition
  • Kubernetes > Ingress > ServiceNow
  • Kubernetes > Ingress > ServiceNow > Configuration Item
  • Kubernetes > Ingress > ServiceNow > Configuration Item > Record
  • Kubernetes > Ingress > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Ingress > ServiceNow > Table
  • Kubernetes > Ingress > ServiceNow > Table > Definition
  • Kubernetes > Job > ServiceNow
  • Kubernetes > Job > ServiceNow > Configuration Item
  • Kubernetes > Job > ServiceNow > Configuration Item > Record
  • Kubernetes > Job > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Job > ServiceNow > Table
  • Kubernetes > Job > ServiceNow > Table > Definition
  • Kubernetes > Persistent Volume > ServiceNow
  • Kubernetes > Persistent Volume > ServiceNow > Configuration Item
  • Kubernetes > Persistent Volume > ServiceNow > Configuration Item > Record
  • Kubernetes > Persistent Volume > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Persistent Volume > ServiceNow > Table
  • Kubernetes > Persistent Volume > ServiceNow > Table > Definition
  • Kubernetes > ReplicationController > ServiceNow
  • Kubernetes > ReplicationController > ServiceNow > Configuration Item
  • Kubernetes > ReplicationController > ServiceNow > Configuration Item > Record
  • Kubernetes > ReplicationController > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > ReplicationController > ServiceNow > Table
  • Kubernetes > ReplicationController > ServiceNow > Table > Definition
  • Kubernetes > StatefulSet > ServiceNow
  • Kubernetes > StatefulSet > ServiceNow > Configuration Item
  • Kubernetes > StatefulSet > ServiceNow > Configuration Item > Record
  • Kubernetes > StatefulSet > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > StatefulSet > ServiceNow > Table
  • Kubernetes > StatefulSet > ServiceNow > Table > Definition

What's new?

Resource Types

  • Kubernetes > CronJob
  • Kubernetes > DaemonSet
  • Kubernetes > Ingress
  • Kubernetes > Job
  • Kubernetes > Persistent Volume
  • Kubernetes > ReplicationController
  • Kubernetes > StatefulSet

Control Types

  • Kubernetes > ConfigMap > Active
  • Kubernetes > CronJob > Active
  • Kubernetes > CronJob > Annotations
  • Kubernetes > CronJob > Approved
  • Kubernetes > CronJob > CMDB
  • Kubernetes > CronJob > Labels
  • Kubernetes > CronJob > Query
  • Kubernetes > DaemonSet > Active
  • Kubernetes > DaemonSet > Annotations
  • Kubernetes > DaemonSet > Approved
  • Kubernetes > DaemonSet > CMDB
  • Kubernetes > DaemonSet > Labels
  • Kubernetes > DaemonSet > Query
  • Kubernetes > Deployment > Active
  • Kubernetes > Ingress > Active
  • Kubernetes > Ingress > Annotations
  • Kubernetes > Ingress > Approved
  • Kubernetes > Ingress > CMDB
  • Kubernetes > Ingress > Labels
  • Kubernetes > Ingress > Query
  • Kubernetes > Job > Active
  • Kubernetes > Job > Annotations
  • Kubernetes > Job > Approved
  • Kubernetes > Job > CMDB
  • Kubernetes > Job > Labels
  • Kubernetes > Job > Query
  • Kubernetes > Namespace > Active
  • Kubernetes > Node > Active
  • Kubernetes > Persistent Volume > Active
  • Kubernetes > Persistent Volume > Annotations
  • Kubernetes > Persistent Volume > Approved
  • Kubernetes > Persistent Volume > CMDB
  • Kubernetes > Persistent Volume > Labels
  • Kubernetes > Persistent Volume > Query
  • Kubernetes > Pod > Active
  • Kubernetes > ReplicaSet > Active
  • Kubernetes > ReplicationController > Active
  • Kubernetes > ReplicationController > Annotations
  • Kubernetes > ReplicationController > Approved
  • Kubernetes > ReplicationController > CMDB
  • Kubernetes > ReplicationController > Labels
  • Kubernetes > ReplicationController > Query
  • Kubernetes > Service > Active
  • Kubernetes > StatefulSet > Active
  • Kubernetes > StatefulSet > Annotations
  • Kubernetes > StatefulSet > Approved
  • Kubernetes > StatefulSet > CMDB
  • Kubernetes > StatefulSet > Labels
  • Kubernetes > StatefulSet > Query

Policy Types

  • Kubernetes > Cluster > CMDB > Expiration
  • Kubernetes > Cluster > CMDB > Expiration > Expiration Days
  • Kubernetes > Cluster > osquery
  • Kubernetes > Cluster > osquery > Configuration
  • Kubernetes > ConfigMap > Active
  • Kubernetes > ConfigMap > Active > Age
  • Kubernetes > ConfigMap > Active > Last Modified
  • Kubernetes > CronJob > Active
  • Kubernetes > CronJob > Active > Age
  • Kubernetes > CronJob > Active > Last Modified
  • Kubernetes > CronJob > Annotations
  • Kubernetes > CronJob > Annotations > Template
  • Kubernetes > CronJob > Approved
  • Kubernetes > CronJob > Approved > Custom
  • Kubernetes > CronJob > CMDB
  • Kubernetes > CronJob > Labels
  • Kubernetes > CronJob > Labels > Template
  • Kubernetes > CronJob > osquery
  • Kubernetes > CronJob > osquery > Configuration
  • Kubernetes > CronJob > osquery > Configuration > Columns
  • Kubernetes > CronJob > osquery > Configuration > Interval
  • Kubernetes > CronJob > osquery > Configuration > Name
  • Kubernetes > DaemonSet > Active
  • Kubernetes > DaemonSet > Active > Age
  • Kubernetes > DaemonSet > Active > Last Modified
  • Kubernetes > DaemonSet > Annotations
  • Kubernetes > DaemonSet > Annotations > Template
  • Kubernetes > DaemonSet > Approved
  • Kubernetes > DaemonSet > Approved > Custom
  • Kubernetes > DaemonSet > CMDB
  • Kubernetes > DaemonSet > Labels
  • Kubernetes > DaemonSet > Labels > Template
  • Kubernetes > DaemonSet > osquery
  • Kubernetes > DaemonSet > osquery > Configuration
  • Kubernetes > DaemonSet > osquery > Configuration > Columns
  • Kubernetes > DaemonSet > osquery > Configuration > Interval
  • Kubernetes > DaemonSet > osquery > Configuration > Name
  • Kubernetes > Deployment > Active
  • Kubernetes > Deployment > Active > Age
  • Kubernetes > Deployment > Active > Last Modified
  • Kubernetes > Ingress > Active
  • Kubernetes > Ingress > Active > Age
  • Kubernetes > Ingress > Active > Last Modified
  • Kubernetes > Ingress > Annotations
  • Kubernetes > Ingress > Annotations > Template
  • Kubernetes > Ingress > Approved
  • Kubernetes > Ingress > Approved > Custom
  • Kubernetes > Ingress > CMDB
  • Kubernetes > Ingress > Labels
  • Kubernetes > Ingress > Labels > Template
  • Kubernetes > Ingress > osquery
  • Kubernetes > Ingress > osquery > Configuration
  • Kubernetes > Ingress > osquery > Configuration > Columns
  • Kubernetes > Ingress > osquery > Configuration > Interval
  • Kubernetes > Ingress > osquery > Configuration > Name
  • Kubernetes > Job > Active
  • Kubernetes > Job > Active > Age
  • Kubernetes > Job > Active > Last Modified
  • Kubernetes > Job > Annotations
  • Kubernetes > Job > Annotations > Template
  • Kubernetes > Job > Approved
  • Kubernetes > Job > Approved > Custom
  • Kubernetes > Job > CMDB
  • Kubernetes > Job > Labels
  • Kubernetes > Job > Labels > Template
  • Kubernetes > Job > osquery
  • Kubernetes > Job > osquery > Configuration
  • Kubernetes > Job > osquery > Configuration > Columns
  • Kubernetes > Job > osquery > Configuration > Interval
  • Kubernetes > Job > osquery > Configuration > Name
  • Kubernetes > Namespace > Active
  • Kubernetes > Namespace > Active > Age
  • Kubernetes > Namespace > Active > Last Modified
  • Kubernetes > Node > Active
  • Kubernetes > Node > Active > Age
  • Kubernetes > Node > Active > Last Modified
  • Kubernetes > Persistent Volume > Active
  • Kubernetes > Persistent Volume > Active > Age
  • Kubernetes > Persistent Volume > Active > Last Modified
  • Kubernetes > Persistent Volume > Annotations
  • Kubernetes > Persistent Volume > Annotations > Template
  • Kubernetes > Persistent Volume > Approved
  • Kubernetes > Persistent Volume > Approved > Custom
  • Kubernetes > Persistent Volume > CMDB
  • Kubernetes > Persistent Volume > Labels
  • Kubernetes > Persistent Volume > Labels > Template
  • Kubernetes > Persistent Volume > osquery
  • Kubernetes > Persistent Volume > osquery > Configuration
  • Kubernetes > Persistent Volume > osquery > Configuration > Columns
  • Kubernetes > Persistent Volume > osquery > Configuration > Interval
  • Kubernetes > Persistent Volume > osquery > Configuration > Name
  • Kubernetes > Pod > Active
  • Kubernetes > Pod > Active > Age
  • Kubernetes > Pod > Active > Last Modified
  • Kubernetes > ReplicaSet > Active
  • Kubernetes > ReplicaSet > Active > Age
  • Kubernetes > ReplicaSet > Active > Last Modified
  • Kubernetes > ReplicationController > Active
  • Kubernetes > ReplicationController > Active > Age
  • Kubernetes > ReplicationController > Active > Last Modified
  • Kubernetes > ReplicationController > Annotations
  • Kubernetes > ReplicationController > Annotations > Template
  • Kubernetes > ReplicationController > Approved
  • Kubernetes > ReplicationController > Approved > Custom
  • Kubernetes > ReplicationController > CMDB
  • Kubernetes > ReplicationController > Labels
  • Kubernetes > ReplicationController > Labels > Template
  • Kubernetes > ReplicationController > osquery
  • Kubernetes > ReplicationController > osquery > Configuration
  • Kubernetes > ReplicationController > osquery > Configuration > Columns
  • Kubernetes > ReplicationController > osquery > Configuration > Interval
  • Kubernetes > ReplicationController > osquery > Configuration > Name
  • Kubernetes > Service > Active
  • Kubernetes > Service > Active > Age
  • Kubernetes > Service > Active > Last Modified
  • Kubernetes > StatefulSet > Active
  • Kubernetes > StatefulSet > Active > Age
  • Kubernetes > StatefulSet > Active > Last Modified
  • Kubernetes > StatefulSet > Annotations
  • Kubernetes > StatefulSet > Annotations > Template
  • Kubernetes > StatefulSet > Approved
  • Kubernetes > StatefulSet > Approved > Custom
  • Kubernetes > StatefulSet > CMDB
  • Kubernetes > StatefulSet > Labels
  • Kubernetes > StatefulSet > Labels > Template
  • Kubernetes > StatefulSet > osquery
  • Kubernetes > StatefulSet > osquery > Configuration
  • Kubernetes > StatefulSet > osquery > Configuration > Columns
  • Kubernetes > StatefulSet > osquery > Configuration > Interval
  • Kubernetes > StatefulSet > osquery > Configuration > Name

Action Types

  • Kubernetes > Cluster > Router
  • Kubernetes > CronJob > Router
  • Kubernetes > DaemonSet > Router
  • Kubernetes > Ingress > Router
  • Kubernetes > Job > Router
  • Kubernetes > Persistent Volume > Router
  • Kubernetes > ReplicationController > Router
  • Kubernetes > StatefulSet > Router

Bug fixes

  • CMDB controls for various resources sometimes failed to process a large number of updates that occurred in quick succession via Cluster events. We’ve improved our GraphQL queries to handle such a load, and the controls will now be able to process such events more smoothly and reliably than before.

What's new?

  • The AWS > S3 > Bucket > CMDB control would go into an error state if Guardrails did not have permissions to call the headBucket operation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > S3 > Bucket > CMDB policy to Enforce: Enabled but ignore permission errors.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • In the previous version, we fixed an issue with the Azure > App Service > Web App > Client Certificate Mode control, ensuring that the Client Certificate Mode is set to Require correctly. However, we missed an edge case where the control wouldn’t enforce any mode other than the default setting of Ignore. We have now addressed all cases, and the control will work more reliably and consistently than before.

What's new?

  • Interactive workflows in the terminal via console integration. Blog.
  • Simplified progress output for flowpipe pipeline run command when running in Client mode and not using the --verbose arg.
  • --data-dir parameter to specify the location of the event store database. (#852).
  • --execution-id parameter to specify custom execution id for pipeline run. (#856).
  • Update Go version to v1.22.4.

Bug fixes

  • Return a non-zero exit code if there's a failure. (#855).
  • The loop block now respects the if step attribute. (#858).

What's new?

  • Added 22 detect and correct pipelines to identify unused and underutilized GCP resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see GCP Thrifty Mod.

What's new?

  • Detect and correct misconfigured labels across 8 GCP resource types.
  • Automatically add mandatory labels (e.g. env, owner).
  • Clean up prohibited labels (e.g. secret, key).
  • Reconcile shorthand or misspelled label keys to standardized keys (e.g. cc to cost_center).
  • Update label values to conform to expected standards, ensuring consistency (e.g. Prod to prod).

For detailed usage information and a full list of pipelines, please see GCP Labels Mod.

What's new?

  • Added 24 detect and correct pipelines to identify unused and underutilized Azure resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see Azure Thrifty Mod.

What's new?

  • Detect and correct misconfigured tags across 55+ Azure resource types.
  • Automatically add mandatory tags (e.g. env, owner).
  • Clean up prohibited tags (e.g. secret, key).
  • Reconcile shorthand or misspelled tag keys to standardized keys (e.g. cc to cost_center).
  • Update tag values to conform to expected standards, ensuring consistency (e.g. Prod to prod).

For detailed usage information and a full list of pipelines, please see Azure Tags Mod.

What's new?

  • The mod has been updated to run in the Wizard mode by default.

What's new?

  • Detect and correct misconfigured tags across 65+ AWS resource types.
  • Automatically add mandatory tags (e.g. env, owner).
  • Clean up prohibited tags (e.g. secret, key).
  • Reconcile shorthand or misspelled tag keys to standardized keys (e.g. cc to cost_center).
  • Update tag values to conform to expected standards, ensuring consistency (e.g. Prod to prod).

For detailed usage information and a full list of pipelines, please see AWS Tags Mod.

What's new?

  • Updated AWS Lambda function architecture to ARM64 for improved performance and cost efficiency.

What's new?

  • Server

    • Improved memory optimization for Redis.
    • Updated all AWS Lambda functions in the TE environment to use ARM64 architecture for improved performance and cost efficiency.
    • Notification rules now accept Nunjucks templates for the email address.
    • Updated several node packages to newer versions for improved functionality and security.
  • UI

    • Smart Folders are now called Policy Packs.
    • You can now add an AKA when creating Policy Packs from the UI.

Bug fixes

  • Server

    • Fixed an issue where controls remained in TBD state for accounts imported without an External ID.
  • UI

    • Removed the unsupported feature for rearranging Policy Packs from the UI.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Import Set policies for various Kubernetes resources will no longer include the Enforce: Sync policy value for integrating Import Sets in ServiceNow.

Control Types

  • GCP > Storage > Object > ServiceNow > Import Set

Policy Types

  • GCP > Storage > Object > ServiceNow > Import Set
  • GCP > Storage > Object > ServiceNow > Import Set > Archive Columns
  • GCP > Storage > Object > ServiceNow > Import Set > Record
  • GCP > Storage > Object > ServiceNow > Import Set > Table Name

Control Types

  • GCP > Compute Engine > Disk > ServiceNow > Import Set
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Image > ServiceNow > Import Set
  • GCP > Compute Engine > Instance > ServiceNow > Import Set
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set
  • GCP > Compute Engine > Node template > ServiceNow > Import Set
  • GCP > Compute Engine > Project > ServiceNow > Import Set
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set

Policy Types

  • GCP > Compute Engine > Disk > ServiceNow > Import Set
  • GCP > Compute Engine > Disk > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Disk > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Disk > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Record
  • GCP > Compute Engine > HTTP Health Check > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Record
  • GCP > Compute Engine > HTTPS Health Check > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Health Check > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Image > ServiceNow > Import Set
  • GCP > Compute Engine > Image > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Image > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Image > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Instance > ServiceNow > Import Set
  • GCP > Compute Engine > Instance > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Instance > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Instance > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Instance Template > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Node Group > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Node template > ServiceNow > Import Set
  • GCP > Compute Engine > Node template > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Node template > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Node template > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Project > ServiceNow > Import Set
  • GCP > Compute Engine > Project > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Project > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Project > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Region Disk > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Region Health Check > ServiceNow > Import Set > Table Name
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Archive Columns
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Record
  • GCP > Compute Engine > Snapshot > ServiceNow > Import Set > Table Name

Control Types

  • Azure > Storage > Container > ServiceNow > Import Set
  • Azure > Storage > FileShare > ServiceNow > Import Set
  • Azure > Storage > Queue > ServiceNow > Import Set

Policy Types

  • Azure > Storage > Container > ServiceNow > Import Set
  • Azure > Storage > Container > ServiceNow > Import Set > Archive Columns
  • Azure > Storage > Container > ServiceNow > Import Set > Record
  • Azure > Storage > Container > ServiceNow > Import Set > Table Name
  • Azure > Storage > FileShare > ServiceNow > Import Set
  • Azure > Storage > FileShare > ServiceNow > Import Set > Archive Columns
  • Azure > Storage > FileShare > ServiceNow > Import Set > Record
  • Azure > Storage > FileShare > ServiceNow > Import Set > Table Name
  • Azure > Storage > Queue > ServiceNow > Import Set
  • Azure > Storage > Queue > ServiceNow > Import Set > Archive Columns
  • Azure > Storage > Queue > ServiceNow > Import Set > Record
  • Azure > Storage > Queue > ServiceNow > Import Set > Table Name

Control Types

  • Azure > Compute > Availability Set > ServiceNow > Import Set
  • Azure > Compute > Disk > ServiceNow > Import Set
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set
  • Azure > Compute > Image > ServiceNow > Import Set
  • Azure > Compute > Snapshot > ServiceNow > Import Set
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set

Policy Types

  • Azure > Compute > Availability Set > ServiceNow > Import Set
  • Azure > Compute > Availability Set > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Availability Set > ServiceNow > Import Set > Record
  • Azure > Compute > Availability Set > ServiceNow > Import Set > Table Name
  • Azure > Compute > Disk > ServiceNow > Import Set
  • Azure > Compute > Disk > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Disk > ServiceNow > Import Set > Record
  • Azure > Compute > Disk > ServiceNow > Import Set > Table Name
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Record
  • Azure > Compute > Disk Encryption Set > ServiceNow > Import Set > Table Name
  • Azure > Compute > Image > ServiceNow > Import Set
  • Azure > Compute > Image > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Image > ServiceNow > Import Set > Record
  • Azure > Compute > Image > ServiceNow > Import Set > Table Name
  • Azure > Compute > Snapshot > ServiceNow > Import Set
  • Azure > Compute > Snapshot > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Snapshot > ServiceNow > Import Set > Record
  • Azure > Compute > Snapshot > ServiceNow > Import Set > Table Name
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Record
  • Azure > Compute > Ssh Public Key > ServiceNow > Import Set > Table Name
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set > Record
  • Azure > Compute > Virtual Machine > ServiceNow > Import Set > Table Name
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Archive Columns
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Record
  • Azure > Compute > Virtual Machine Scale Set > ServiceNow > Import Set > Table Name

Control Types

  • AWS > S3 > Bucket > ServiceNow > Import Set

Policy Types

  • AWS > S3 > Bucket > ServiceNow > Import Set
  • AWS > S3 > Bucket > ServiceNow > Import Set > Archive Columns
  • AWS > S3 > Bucket > ServiceNow > Import Set > Record
  • AWS > S3 > Bucket > ServiceNow > Import Set > Table Name

What's new?

  • Added support to archive Import Sets in ServiceNow.

Enhancements

  • Added column create_time to gcp_sql_database_instance table. (#615)

Bug fixes

  • Fixed the gcp_alloydb_cluster and gcp_alloydb_instance tables to correctly return values for project column instead of null. (#617)

What's new?

Bug fixes

  • Fixed the power_state column of the azure_compute_virtual_machine table to correctly return data instead of a nil pointer dereference error. (#804)

Bug fixes

  • The Azure > App Service > Web App > Client Certificate Mode control did not apply Enforce: Require settings correctly. This is now fixed.

What's new?

  • Added support for google_monitoring_alert_policy and google_monitoring_notification_channel Terraform resources.

Control Types

  • GCP > Monitoring > Alert Policy > Configured
  • GCP > Monitoring > Notification Channel > Configured

Policy Types

  • GCP > Monitoring > Alert Policy > Configured
  • GCP > Monitoring > Alert Policy > Configured > Claim Precedence
  • GCP > Monitoring > Alert Policy > Configured > Source
  • GCP > Monitoring > Notification Channel > Configured
  • GCP > Monitoring > Notification Channel > Configured > Claim Precedence
  • GCP > Monitoring > Notification Channel > Configured > Source

What's new?

  • Added support for google_logging_metric Terraform resource.

Control Types

  • GCP > Logging > Metric > Configured

Policy Types

  • GCP > Logging > Metric > Configured
  • GCP > Logging > Metric > Configured > Claim Precedence
  • GCP > Logging > Metric > Configured > Source

Bug fixes

  • The Azure > Storage > Storage Account > Queue > Logging control failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • Improved descriptions for various resource types to ensure they are clearer and more helpful.

Bug fixes

  • Fixed plugin loading issues by eliminating the need for manual caching, ensuring smoother and more reliable plugin installations. (#50)

What's new?

  • Added the insecure_skip_verify connection config argument to support bypassing the SSL/TLS certificate verification while querying the tables. (#48)

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package.

Dependencies

Bug fixes

  • Fixed issue where local Docker config for the credential store was used when installing plugins from GHCR, enabling installation from GHCR to work even if docker-credential-desktop is not in PATH. (#4323)
  • Fixed issue where Steampipe returned a 0 exit code even if it failed to export a snapshot. (#4276)
  • Fixed issue where the query command did not support the legacy 'true' and 'false' values for the --timing flag. (#4282)
  • Fixed issue where SPS output was not working. (#4297)
  • Fixed issue where loading connection plugins did not return successfully created connections if some connections failed due to the configuration not being available. (#474)
  • Fixed issue where scan info in query JSON output was shown even when the timing configuration was not set to verbose. (#4292)

What's new?

  • Users can now configure Shielded Instance Configuration for instances. To get started, set GCP > Compute > Instance > Shielded Instance Configuration > * policies.

Control Types

  • GCP > Compute Engine > Instance > Shielded Instance Configuration

Policy Types

  • GCP > Compute Engine > Instance > Shielded Instance Configuration
  • GCP > Compute Engine > Instance > Shielded Instance Configuration > Integrity Monitoring
  • GCP > Compute Engine > Instance > Shielded Instance Configuration > Secure Boot
  • GCP > Compute Engine > Instance > Shielded Instance Configuration > vTPM

Action Types

  • GCP > Compute Engine > Instance > Set Shielded Instance Configuration

What's new?

  • The Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) control will also evaluate SQL databases for SKU Basic/Consumption.

Control Types

  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics

Policy Types

  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.06 - Ensure that Network Security Group flow logs are captured and sent to Log Analytics

Bug fixes

  • The Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key control did not evaluate the result correctly. This is now fixed.

What's new?

DOCUMENTATION:

  • resource/turbot_policy_pack: Added documentation for akas attribute for the resource. (#179)

What's new?

  • Users can now configure Encryption In Transit for instances. To get started, set the GCP > SQL > Instance > Encryption In Transit policy.

Control Types

  • GCP > SQL > Instance > Encryption In Transit

Policy Types

  • GCP > SQL > Instance > Encryption In Transit

Action Types

  • GCP > SQL > Instance > Update Encryption in Transit

What's new?

Control Types

  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days

Policy Types

  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure API Keys Only Exist for Active Services
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure API Keys Are Restricted To Use by Only Specified Hosts and Apps
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure API Keys Are Restricted to Only APIs That Application Needs Access
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure API Keys Are Rotated Every 90 Days

What's new?

  • Users can now upgrade the SKU from Basic to Standard for Public IP Addresses via the Azure > Network > Public IP Address > Standard SKU control. To get started, set the Azure > Network > Public IP Address > Standard SKU policy.

Control Types

  • Azure > Network > Public IP Address > Standard SKU

Policy Types

  • Azure > Network > Public IP Address > Standard SKU
  • Azure > Network > Public IP Address > Standard SKU > SKU Tier

Action Types

  • Azure > Network > Public IP Address > Update SKU to Standard

What's new?

  • We've added guardrails to help secure access to your database accounts' public endpoints. All database accounts have public endpoints that are accessible through the internet by default. This access can be limited to specific IP ranges, virtual network subnets, and trusted Microsoft services by defining firewall and virtual network rules.

To get started configuring these rules through Guardrails, set the following policies according to your desired firewall rules configuration:

  • Azure > Cosmos DB > Database Account > Firewall - Configure default access rules for the public endpoint
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved - Remove unapproved IP ranges
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required - Grant access to specific IP ranges
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved - Remove unapproved virtual network subnets
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required - Grant access to specific virtual network subnets

Please note that if the Azure > Cosmos DB > Database Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand, or an application is outside of these boundaries, it will lose access to the database accounts.

Control Types

  • Azure > Cosmos DB > Database Account > Firewall
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required

Policy Types

  • Azure > Cosmos DB > Database Account > Firewall
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > CIDR Ranges
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Rules
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Compiled Items
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Exceptions
  • Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Items
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Compiled Rules
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Rules
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Subnets
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
  • Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required > Items

Action Types

  • Azure > Cosmos DB > Database Account > Update Firewall Default Access Rule
  • Azure > Cosmos DB > Database Account > Update Firewall IP Ranges
  • Azure > Cosmos DB > Database Account > Update Firewall Virtual Networks

Bug fixes

  • Various Discovery and CMDB controls entered an error state because they used outdated APIs that no longer functioned as expected. We have updated internal package dependencies, and those controls now operate smoothly as intended.

Bug fixes

  • Resolved an issue where an empty outbound_cidr_ranges SSM parameter caused a validation error. Now, if the outbound_cidr_ranges parameter is empty, it will be set to None.

What's new?

  • Added M7i and M7i-flex instance types.
  • Updated the HealthCheckProxy Lambda function to use Python 3.10.

Bug fixes

  • The GCP > Project > CMDB control went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.

What's new?

  • Users can now configure authorized networks for instances in Guardrails. To get started, set the GCP > SQL > Instance > Authorized Network > * policies.
  • Users can now configure Database Flags for instances in Guardrails. To get started, set the GCP > SQL > Instance > Database Flags policy.
  • Users can now clean up and stop tracking SQL resources in Guardrails. To get started, set the GCP > SQL > CMDB policy to Enforce: Disabled.

Control Types

  • GCP > SQL > Instance > Authorized Network
  • GCP > SQL > Instance > Authorized Network > Approved
  • GCP > SQL > Instance > Database Flags

Policy Types

  • GCP > SQL > Instance > Authorized Network
  • GCP > SQL > Instance > Authorized Network > Approved
  • GCP > SQL > Instance > Authorized Network > Approved > CIDR Ranges
  • GCP > SQL > Instance > Database Flags
  • GCP > SQL > Instance > Database Flags > MySQL
  • GCP > SQL > Instance > Database Flags > MySQL > Template
  • GCP > SQL > Instance > Database Flags > PostgreSQL
  • GCP > SQL > Instance > Database Flags > PostgreSQL > Template
  • GCP > SQL > Instance > Database Flags > SQL Server
  • GCP > SQL > Instance > Database Flags > SQL Server > Template

Action Types

  • GCP > SQL > Instance > Update Authorized Network
  • GCP > SQL > Instance > Update Database Flags

What's new?

  • We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes breaking changes in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.

    Renamed:

    • serviceProperties.blob.DeleteRetentionPolicy to serviceProperties.blob.deleteRetentionPolicy
    • serviceProperties.blob.DeleteRetentionPolicy.Days to serviceProperties.blob.deleteRetentionPolicy.days
    • serviceProperties.blob.DeleteRetentionPolicy.Enabled to serviceProperties.blob.deleteRetentionPolicy.enabled
    • serviceProperties.blob.StaticWebsite to serviceProperties.blob.staticWebsite
    • serviceProperties.blob.StaticWebsite.Enabled to serviceProperties.blob.staticWebsite.enabled
    • serviceProperties.blob.logging to serviceProperties.blob.blobAnalyticsLogging
    • serviceProperties.queue.logging to serviceProperties.queue.queueAnalyticsLogging

    Added:

    • serviceProperties.blob.deleteRetentionPolicy.AllowPermanentDelete

    Modified:

    • The data type of the attribute serviceProperties.blob.cors has been changed from string ("") to array ([]).
    • The data type of the attribute serviceProperties.queue.cors has been changed from string ("") to array ([]).
  • Users can now enable/disable Blob logging for storage accounts. To get started, set the Azure > Storage > Storage Account > Blob > Logging > * policies.

  • Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the Azure > Storage > Storage Account > Approved > Infrastructure Encryption policy.

Control Types

  • Azure > Storage > Storage Account > Blob
  • Azure > Storage > Storage Account > Blob > Logging

Renamed

  • Azure > Storage > Storage Account > Public Access to Azure > Storage > Storage Account > Blob Public Access

Policy Types

  • Azure > Storage > Storage Account > Approved > Infrastructure Encryption
  • Azure > Storage > Storage Account > Blob
  • Azure > Storage > Storage Account > Blob > Logging
  • Azure > Storage > Storage Account > Blob > Logging > Properties
  • Azure > Storage > Storage Account > Blob > Logging > Retention Days

Renamed

  • Azure > Storage > Storage Account > Public Access to Azure > Storage > Storage Account > Blob Public Access

Action Types

  • Azure > Storage > Storage Account > Update Storage Account Blob Logging

Renamed

  • Azure > Storage > Storage Account > Set Public Access to Azure > Storage > Storage Account > Set Blob Public Access

What's new?

  • Users can now configure Client Certificate Mode for web apps. To get started, set the Azure > App Service > Web App > Client Certificate Mode policy.

Control Types

  • Azure > App Service > Web App > Client Certificate Mode

Policy Types

  • Azure > App Service > Web App > Client Certificate Mode

Action Types

  • Azure > App Service > Web App > Set Client Certificate Mode

What's new?

Enhancements

  • The domain column has now been assigned as a connection key column across all the tables, which facilitates more precise and efficient querying across multiple Okta organizations. (#120)
  • Added support to specify the time period in .spc file for max retries, request timeout, and max backoff time as required. (#112)
  • Added profile column to the okta_factor table. (#130)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#120)

Enhancements

  • The organization_id column has now been assigned as a connection key column across all the tables, which facilitates more precise and efficient querying across multiple Linear accounts. (#34)

Bug fixes

  • Fixed the plugin to correctly check for a valid Personal Access token. (#33)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#34)

Enhancements

  • Added column power_state to the azure_compute_virtual_machine_scale_set_vm table. (#800) (Thanks @pdepdecatcat for the contribution!)

Bug fixes

  • Fixed the azure_log_alert table to correctly return values for actions, condition, description, enabled, and scopes columns instead of null. (#796)

What's new?

FEATURES:

  • New Resource: turbot_policy_pack (#171)
  • New Resource: turbot_policy_pack_attachment (#173)

ENHANCEMENTS:

  • resource/turbot_smart_folder: The parent argument is now optional and defaults to tmod:@turbot/turbot#/. (#177)

What's new?

Resource Types

  • GCP > IAM > API Key

Control Types

  • GCP > IAM > API Key > Active
  • GCP > IAM > API Key > Approved
  • GCP > IAM > API Key > CMDB
  • GCP > IAM > API Key > Discovery
  • GCP > IAM > API Key > Usage

Policy Types

  • GCP > IAM > API Key > Active
  • GCP > IAM > API Key > Active > Age
  • GCP > IAM > API Key > Active > Last Modified
  • GCP > IAM > API Key > Approved
  • GCP > IAM > API Key > Approved > Custom
  • GCP > IAM > API Key > Approved > Usage
  • GCP > IAM > API Key > CMDB
  • GCP > IAM > API Key > Usage
  • GCP > IAM > API Key > Usage > Limit

Action Types

  • GCP > IAM > API Key > Delete
  • GCP > IAM > API Key > Router

What's new?

  • You can now configure Encryption at Rest for datasets. To get started, set the GCP > BigQuery > Dataset > Encryption at Rest > * policies.

Control Types

  • GCP > BigQuery > Dataset > Encryption at Rest

Policy Types

  • GCP > BigQuery > Dataset > Encryption at Rest
  • GCP > BigQuery > Dataset > Encryption at Rest > Customer Managed Key

Action Types

  • GCP > BigQuery > Dataset > Update Encryption At Rest

What's new?

Control Types

  • Kubernetes > Cluster > ServiceNow > Import Set
  • Kubernetes > ConfigMap > ServiceNow > Import Set
  • Kubernetes > Deployment > ServiceNow > Import Set
  • Kubernetes > Namespace > ServiceNow > Import Set
  • Kubernetes > Node > ServiceNow > Import Set
  • Kubernetes > Pod > ServiceNow > Import Set
  • Kubernetes > ReplicaSet > ServiceNow > Import Set
  • Kubernetes > Service > ServiceNow > Import Set

Policy Types

  • Kubernetes > Cluster > ServiceNow > Import Set
  • Kubernetes > Cluster > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Cluster > ServiceNow > Import Set > Record
  • Kubernetes > Cluster > ServiceNow > Import Set > Table Name
  • Kubernetes > ConfigMap > ServiceNow > Import Set
  • Kubernetes > ConfigMap > ServiceNow > Import Set > Archive Columns
  • Kubernetes > ConfigMap > ServiceNow > Import Set > Record
  • Kubernetes > ConfigMap > ServiceNow > Import Set > Table Name
  • Kubernetes > Deployment > ServiceNow > Import Set
  • Kubernetes > Deployment > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Deployment > ServiceNow > Import Set > Record
  • Kubernetes > Deployment > ServiceNow > Import Set > Table Name
  • Kubernetes > Namespace > ServiceNow > Import Set
  • Kubernetes > Namespace > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Namespace > ServiceNow > Import Set > Record
  • Kubernetes > Namespace > ServiceNow > Import Set > Table Name
  • Kubernetes > Node > ServiceNow > Import Set
  • Kubernetes > Node > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Node > ServiceNow > Import Set > Record
  • Kubernetes > Node > ServiceNow > Import Set > Table Name
  • Kubernetes > Pod > ServiceNow > Import Set
  • Kubernetes > Pod > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Pod > ServiceNow > Import Set > Record
  • Kubernetes > Pod > ServiceNow > Import Set > Table Name
  • Kubernetes > ReplicaSet > ServiceNow > Import Set
  • Kubernetes > ReplicaSet > ServiceNow > Import Set > Archive Columns
  • Kubernetes > ReplicaSet > ServiceNow > Import Set > Record
  • Kubernetes > ReplicaSet > ServiceNow > Import Set > Table Name
  • Kubernetes > Service > ServiceNow > Import Set
  • Kubernetes > Service > ServiceNow > Import Set > Archive Columns
  • Kubernetes > Service > ServiceNow > Import Set > Record
  • Kubernetes > Service > ServiceNow > Import Set > Table Name

Bug fixes

  • Guardrails failed to process real-time snapshot events if the AWS > EC2 > Snapshot > CMDB policy was set to Enforce: Enabled for Snapshots not created with AWS Backup. This issue has now been fixed.

What's new?

  • Users can now configure DNSSEC for managed zones via Guardrails. To get started, set the GCP > DNS > Managed Zone > DNSSEC Configuration policy.
  • Users can now configure logging for DNS policies. To get started, set the GCP > DNS > Policy > Logging policy.

Control Types

  • GCP > DNS > Managed Zone > DNSSEC Configuration
  • GCP > DNS > Policy > Logging

Policy Types

  • GCP > DNS > Managed Zone > DNSSEC Configuration
  • GCP > DNS > Policy > Logging

Action Types

  • GCP > DNS > Managed Zone > Update DNSSEC Configuration
  • GCP > DNS > Policy > Update Logging

Bug fixes

  • Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.

What's new?

  • Users can now enable/disable Trusted Launch for all second generation virtual machines. To get started, set the Azure > Compute > Virtual Machine > Trusted launch policy.
  • You can now configure Encryption at Rest for Disks. To get started, set the Azure > Compute > Disk > Encryption at Rest > * policies.

Control Types

  • Azure > Compute > Disk > Encryption at Rest
  • Azure > Compute > Virtual Machine > Trusted Launch

Policy Types

  • Azure > Compute > Disk > Encryption at Rest
  • Azure > Compute > Disk > Encryption at Rest > Disk Encryption Set
  • Azure > Compute > Virtual Machine > Trusted launch

Action Types

  • Azure > Compute > Disk > Update Encryption at Rest
  • Azure > Compute > Virtual Machine > Update Trusted Launch

What's new?

  • Users can now register web apps with Entra ID to connect to other Azure services securely without the need for usernames and passwords. To get started, set the Azure > App Service > Web App > System Assigned Identity policy.
  • Diagnostic Settings details will now also be available for Web Apps in Guardrails CMDB.

Control Types

  • Azure > App Service > Web App > System Assigned Identity

Policy Types

  • Azure > App Service > Web App > System Assigned Identity

Action Types

  • Azure > App Service > Web App > Set System Assigned Identity

Bug fixes

  • The Azure > App Service > Web App > FTPS State control failed to set the FTPS State correctly for web apps. This issue is now fixed.

What's new?

Policy Types

  • GCP > BigQuery > Dataset > Approved > Custom

What's new?

  • Users can now configure retention policy for flow logs. To get started, set the Azure > Network Watcher > Flow Log > Retention Policy > * policies.

Control Types

  • Azure > Network Watcher > Flow Log > Retention Policy

Policy Types

  • Azure > Network Watcher > Flow Log > Retention Policy
  • Azure > Network Watcher > Flow Log > Retention Policy > Days

Action Types

  • Azure > Network Watcher > Flow Log > Update Retention Policy

What's new?

  • The Azure > Active Directory > Directory > CMDB control will now also fetch named locations and authorization policy details and store them in CMDB.

Bug fixes

  • Account Password Policy details did not refresh correctly in Guardrails CMDB if those settings were reset to defaults in AWS. This resulted in the AWS > IAM > Account Password Policy > Settings control not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.

What's new?

Bug fixes

  • Fixed the caching issue in aws_organizations_account table. (#2236)
  • Fixed typo (missing comma) in an example query of aws_health_affected_entity table document. (#2237) (Thanks @tieum for the contribution!)

What's new?

  • The Azure > Security Center > Security Center > CMDB control will now also fetch security settings details and store them in CMDB.

Bug fixes

  • Discovery controls for various resource types would go into an error state without discovering resources and upserting them in Guardrails CMDB due to a bad internal build. This issue has been fixed, and those controls will now work correctly as expected.

Bug fixes

  • Fixed the export tool of the plugin to return a non-zero error code instead of 0 whenever an error occurred. (#79)

Enhancements

  • Added column public_network_access to the azure_storage_account table. (#794)

Bug fixes

  • Fixed the export tool of the plugin to return a non-zero error code instead of 0 whenever an error occurred. (#79)

Enhancements

  • Added 16 new columns to the aws_lambda_version table. (#2229)

Bug fixes

  • Fixed the export tool of the plugin to return a non-zero error code instead of 0 whenever an error occurred. (#79)

Bug fixes

  • Server
    • Resolved an issue that caused control targeting to accounts to fail when AWS Gov accounts were imported in a commercial environment.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The default value for GCP > Storage > Bucket > ServiceNow > Import Set now shows the resource_type_uri correctly.

Control Types

Added

  • GCP > Storage > Bucket > ServiceNow > Import Set

Policy Types

Added

  • GCP > Storage > Bucket > ServiceNow > Import Set
  • GCP > Storage > Bucket > ServiceNow > Import Set > Archive Columns
  • GCP > Storage > Bucket > ServiceNow > Import Set > Record
  • GCP > Storage > Bucket > ServiceNow > Import Set > Table Name

What's new?

  • ServiceNow > Turbot > Watches > GCP Archive and Delete Record action now supports archiving Import Set records.

Control Types

Added

  • Azure > Storage > Storage Account > ServiceNow > Import Set

Policy Types

Added

  • Azure > Storage > Storage Account > ServiceNow > Import Set
  • Azure > Storage > Storage Account > ServiceNow > Import Set > Archive Columns
  • Azure > Storage > Storage Account > ServiceNow > Import Set > Record
  • Azure > Storage > Storage Account > ServiceNow > Import Set > Table Name

What's new?

  • ServiceNow > Turbot > Watches > Azure Archive and Delete Record action now supports archiving Import Set records.

Bug fixes

  • Default policy values for ServiceNow > Application > CMDB, ServiceNow > Cost Center > CMDB & ServiceNow > User > CMDB have been updated from Enforce: Enabled to Skip.

Policy Types

Added

  • ServiceNow > Import Set
  • ServiceNow > Import Set > Table Name [Default]

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Server
    • The OUTBOUND_SECURITY_GROUP_ID environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.

Bug fixes

  • Reverted the export CLI behavior to return <nil> for null values instead of "". (#77)

Bug fixes

  • Reverted the export CLI behavior to return <nil> for null values instead of "". (#77)

Bug fixes

  • Reverted the export CLI behavior to return <nil> for null values instead of "". (#77)

Bug fixes

  • The AWS > RDS > DB Instance > Approved control will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set the AWS > RDS > DB Cluster > Approved > * policies.
  • The AWS > RDS > DB Instance > Approved control did not stop an unapproved instance if the corresponding policy was set to Enforce: Stop unapproved or Enforce: Stop unapproved if new, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.

What's new?

Enhancements

  • Added 9 new columns to the aws_elasticache_cluster table. (#2224)

Bug fixes

  • Fixed the aws_s3_object table not returning any rows due to panic error. (#2221)
  • Fixed no rows being returned from the `` table if an unqualified query is run before one with `parent_id` specified.
  • Fixed data type for configuration_endpoint column in aws_elasticache_cluster table to be json. (#2214)

What's new?

  • Server
    • The creation of the EncryptionInTransit TopicPolicy has shifted from a custom resource to AWS CloudFormation’s AWS::SNS::TopicPolicy.

Bug fixes

  • Server
    • Changes to notifications introduced in version 5.44.2 have been rolled back due to issues with specific queries. This action restores previous functionality and ensures stability across the platform.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Enhancements

  • Optimized log_group_metric_* queries to minimize API usage, achieving faster performance. (#802)

What's new?

  • Server
    • Made notifications faster by improving the query, which enhances the performance of the activity tab.
  • UI
    • The Depends-on tab on the controls page has been renamed to Related. It now includes the information from the Depends-on tab along with additional related controls information.

Bug fixes

  • Server
    • Fixed an issue where sometimes an older mod version was used instead of the latest one after a mod upgrade. Now, the cache is properly updated to always use the latest version.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Azure > Network > Network Security Group > Ingress Rules > Approved control would sometimes fail to revoke rejected rules when the corresponding policy was set to Enforce: Delete unapproved. This has been fixed, and the control will now work more reliably and consistently than before.

What's new?

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#101)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the arguments column of terraform_resource table to correctly return the type field. (#99) (#92)

Dependencies

What's new?

Bug fixes

  • Improved the error messaging for file parsing in the github_workflow table. (#438)

Dependencies

  • Recompiled plugin with github.com/cloudflare/circl v1.3.7. (#418)

Bug fixes

  • Turbot > osquery > Event Handler action was not able to handle events for large payloads. This issue is now fixed.

Bug fixes

  • The GCP > Project > CMDB control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.

All Pipes workspaces are now running Steampipe v0.23.2.

For more information on this Steampipe release, see the release notes.

All Pipes workspaces are now running Powerpipe v0.4.0.

For more information on this Powerpipe release, see the release notes.

What's new?

  • Users can now configure Auto Provisioning for Azure Security Center in Guardrails. To get started, set the Azure > Security Center > Security Center > Auto Provisioning policy.

Control Types

  • Azure > Security Center > Security Center > Auto Provisioning

Policy Types

  • Azure > Security Center > Security Center > Auto Provisioning

Action Types

  • Azure > Security Center > Security Center > Update Auto Provisioning

Bug fixes

  • Fixed the issue of missing and inconsistent columns in Kubernetes CRD tables. (#229) (Thanks @dongho-jung for the contribution!!)

What's new?

Enhancements

  • Updated aws_s3_bucket, aws_s3_bucket_intelligent_tiering_configuration, aws_s3_object and aws_s3_object_version tables to use HeadBucket API instead of GetBucketLocation to fetch the region that the bucket resides in. (#2082) (Thanks @pdecat for the contribution!)
  • Added column create_time to aws_ec2_key_pair table. (#2196) (Thanks @kasadaamos for the contribution!)
  • Added instance_type column as an optional qual to the aws_ec2_instance_type table. (#2200)

Bug fixes

  • Fixed the akas column in aws_health_affected_entity table to correctly return data instead of an error by handling events that do not have any ARN. (#2189)
  • Fixed cname and endpoint_url columns of aws_elastic_beanstalk_environment table to correctly return data instead of null. (#2201)
  • Fixed the aws_api_gatewayv2_* tables to correctly return data instead of an error by excluding support for the new unsupported il-central-1 region. (#2190)

Enhancements

  • The login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Jira connections. (#119)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#128)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed pagination in the jira_board table to correctly return all the data instead of partial results. (#127)

Dependencies

What's new?

Bug fixes

  • Fixed the public_network_access_for_ingestion and the public_network_access_for_query columns of the azure_application_insight table to be of String data type instead of JSON. (#769)
  • Fixed the azure_role_assignment table to correctly return values for principal_id and principal_type columns instead of null. (#763)
  • Fixed the web_application_firewall_configuration column of the azure_application_gateway table to correctly return data instead of null. (#770)

What's new?

  • Added support for the profile connection config argument. (#409)

Bug fixes

  • Fixed the alicloud_cs_kubernetes_cluster table to ensure it correctly returns data when querying clusters without tags. (#426)

What's new?

  • Added FedRAMP High benchmark (powerpipe benchmark run azure_compliance.benchmark.fedramp_high). (#270)

What's new?

  • Subscription CMDB data will now also include tagging details for the subscription.

What's new?

  • The Azure > Security Center > Security Center > Defender Plan control now also supports services like Cloud Posture, Containers and Cosmos DB.

What's new?

  • Server

    • Added support for a newer authentication mechanism that fetches temporary Azure credentials via the @azure/msal-node package.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Users can now skip upserting snapshots in Guardrails CMDB if they are created via the AWS Backup service. To get started, set the AWS > EC2 > Snapshot > CMDB policy to Enforce: Enabled for Snapshots not created with AWS Backup.

Bug fixes

  • The AWS > Turbot > Service Roles > Source policy went into an invalid state if all policies except the AWS > Turbot > Service Roles > Event Handlers [Global] policy were enabled. This broke the AWS > Turbot > Service Roles stack control, so the role was not created correctly. This has been fixed, and the AWS > Turbot > Service Roles > Source policy now works as expected.

Bug fixes

  • The AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate its result correctly. This is now fixed.

What's new?

  • Updated JSON and snapshot output to handle duplicate column names - append a unique suffix to duplicate column names. (#375)

Bug fixes

  • Fixed a bug where, when generating a snapshot from a benchmark run, the row data was empty if any of the rows were in error. (#366)
  • Updated mod install to only install or update mods that are command targets (and their dependencies). The default pull mode for install is now latest when a target is given and minimal when no target is given. (#381)
  • Fixed incorrect help message for output in powerpipe benchmark/control run. (#367)
  • Fixed issue where POWERPIPE_PORT env var was not being honoured. (#362)
  • Updated timing metadata output to rename duration field to duration_ms for consistency with steampipe. (#368)
  • Dashboard graph should not crash if an invalid edge category color is provided. (#364)
  • Dashboard flow/hierarchy components should show panel controls. (#363)

Updated output formats

The rows property in the JSON and snapshot output will now have unique column names where a query produces duplicate column names. Each renamed entry in the columns property carries the original column name as original_name. For example, for the query:

powerpipe query run " select arn as title, account_id as title, title as title from aws_account" --output json

Here is the updated JSON output (the same query run with --output pps produces the snapshot shown further below):

{
  "columns": [
    {
      "name": "title",
      "data_type": "text"
    },
    {
      "name": "title_t5zj1",
      "data_type": "text",
      "original_name": "title"
    },
    {
      "name": "title_t5zj2",
      "data_type": "text",
      "original_name": "title"
    }
  ],
  "rows": [
    {
      "title": "arn:aws:::882789663776",
      "title_t5zj1": "882789663776",
      "title_t5zj2": "882789663776"
    }
  ],
  "metadata": {
    "rows_returned": 3,
    "duration_ms": "202ms"
  }
}

Here is the updated snapshot output (the same query run with --output pps):

{
  "schema_version": "20240130",
  "panels": {
    "custom.dashboard.sql_e5br7b82": {
      "dashboard": "custom.dashboard.sql_e5br7b82",
      "name": "custom.dashboard.sql_e5br7b82",
      "panel_type": "dashboard",
      "source_definition": "",
      "status": "complete",
      "title": "Custom query [e5br7b82]"
    },
    "custom.table.results": {
      "dashboard": "custom.dashboard.sql_e5br7b82",
      "name": "custom.table.results",
      "panel_type": "table",
      "source_definition": "",
      "status": "complete",
      "sql": " select arn as title, account_id as title, title as title from aws_account",
      "properties": {
        "name": "results"
      },
      "data": {
        "columns": [
          {
            "name": "title",
            "data_type": "TEXT"
          },
          {
            "name": "title_t5zj1",
            "data_type": "TEXT",
            "original_name": "title"
          },
          {
            "name": "title_t5zj2",
            "data_type": "TEXT",
            "original_name": "title"
          }
        ],
        "rows": [
          {
            "title": "arn:aws:::876515858155",
            "title_t5zj1": "876515858155",
            "title_t5zj2": "morales-aaa"
          },
          {
            "title": "arn:aws:::882789663776",
            "title_t5zj1": "882789663776",
            "title_t5zj2": "882789663776"
          },
          {
            "title": "arn:aws:::097350876455",
            "title_t5zj1": "097350876455",
            "title_t5zj2": "turbot-silverwater"
          }
        ]
      }
    }
  },
  "inputs": {},
  "variables": {},
  "search_path": null,
  "start_time": "2024-06-06T14:50:16.906739+01:00",
  "end_time": "2024-06-06T14:50:16.991955+01:00",
  "layout": {
    "name": "custom.dashboard.sql_e5br7b82",
    "children": [
      {
        "name": "custom.table.results",
        "panel_type": "table"
      }
    ],
    "panel_type": "dashboard"
  }
}
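The renaming behaviour described above, as an added Python example that is not Powerpipe's own code: it shows why an output built by keying each row on the raw column name silently loses every duplicate but the last, and how assigning a unique suffix and recording original_name keeps all three values. The suffix scheme (a short token followed by an ordinal) is an assumption modelled on the sample output; the token is fixed to "t5zj" in the demo so the result is reproducible.

```python
import json
import secrets


def naive_rows(columns, rows):
    """Pre-fix behaviour: keying a row dict by the raw column name makes
    duplicate names collide, so only the last value for "title" survives."""
    return [{c["name"]: v for c, v in zip(columns, row)} for row in rows]


def dedupe_columns(columns, token=None):
    """Give every repeated column name a unique suffix.

    The first occurrence keeps its name; each later occurrence becomes
    <name>_<token><n> and records the original name as original_name.
    The token format is an assumption (4 random hex chars unless given).
    """
    token = token or secrets.token_hex(2)
    seen = {}
    out = []
    for col in columns:
        name = col["name"]
        n = seen.get(name, 0)
        seen[name] = n + 1
        if n == 0:
            out.append({"name": name, "data_type": col["data_type"]})
        else:
            out.append({"name": f"{name}_{token}{n}",
                        "data_type": col["data_type"],
                        "original_name": name})
    return out


def to_json_output(columns, rows, duration_ms, token=None):
    """Build the columns/rows/metadata document from positionally aligned
    result rows (lists, not dicts), so no value is lost to a key collision."""
    cols = dedupe_columns(columns, token)
    return {
        "columns": cols,
        "rows": [{c["name"]: v for c, v in zip(cols, row)} for row in rows],
        "metadata": {"rows_returned": len(rows), "duration_ms": duration_ms},
    }


# Constructed sample: the three-way "title" query from the release note.
SAMPLE_COLUMNS = [{"name": "title", "data_type": "text"} for _ in range(3)]
SAMPLE_ROWS = [["arn:aws:::882789663776", "882789663776", "882789663776"]]

if __name__ == "__main__":
    print(json.dumps(naive_rows(SAMPLE_COLUMNS, SAMPLE_ROWS)))
    print(json.dumps(to_json_output(SAMPLE_COLUMNS, SAMPLE_ROWS, "202ms", token="t5zj"), indent=2))
```

Run it and compare the two printed documents: the naive form collapses the row to a single "title" key, while the suffixed form carries all three values and lets a consumer map each one back through original_name.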

What's new?

  • Updated the existing Flags attribute with new flags that control whether Mod Lambda functions run inside a Virtual Private Cloud (VPC). Running in a VPC lets the Lambdas egress from static IP addresses, improving network stability and predictability across cloud environments. New flags added to the Flags attribute:

    • LAMBDA_IN_VPC_AWS
    • LAMBDA_IN_VPC_AZURE
    • LAMBDA_IN_VPC_GCP
    • LAMBDA_IN_VPC_SERVICENOW
  • Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.

What's new?

  • Server

    • You can now configure Mod Lambda functions to run within a VPC across various providers including AWS, Azure, ServiceNow, and GCP. This update ensures Lambdas operate with static CIDR ranges.
    • Enhanced osquery/logger API to support payloads up to 10MB.

Requirements

  • TEF: 1.59.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • Minor fixes and improvements.

Bug fixes

  • The AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate its result correctly. This is now fixed.

What's new?

  • Added NIST Cybersecurity Framework (CSF) v1.0 benchmark (powerpipe benchmark run gcp_compliance.benchmark.nist_csf_v10). (#168)
  • Added NIST 800-53 Revision 5 benchmark (powerpipe benchmark run gcp_compliance.benchmark.nist_800_53_rev_5). (#168)

Bug fixes

  • Fixed the kms_key_users_limited_to_3 query to correctly return data by removing the hardcoded GCP connection name. (#170)
  • Fixed the logging_bucket_retention_policy_enabled query to correctly return data by adding the missing project column to the query. (#173)

What's new?

  • Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run aws_compliance.benchmark.rbi_itf_nbfc). (#798)

Bug fixes

  • The Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.
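The old and new remediation logic side by side, as an added Python example that is not Guardrails' own code. It assumes a rule shaped like the Azure NSG API (a source_address_prefixes list), that an approved list may contain CIDRs or Azure service tags, that a CIDR is approved when it is contained in an approved CIDR, and that a rule whose prefixes are all rejected is still deleted (the page does not describe that case).

```python
import ipaddress


def _is_approved(prefix, approved):
    """A prefix is approved if it matches an approved entry exactly (this
    covers service tags such as "VirtualNetwork") or is a CIDR contained in
    an approved CIDR. Anything unparsable fails closed (rejected)."""
    if prefix in approved:
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    for entry in approved:
        try:
            if net.subnet_of(ipaddress.ip_network(entry, strict=False)):
                return True
        except (ValueError, TypeError):  # service tag, or IPv4/IPv6 mismatch
            continue
    return False


def plan_remediation(rule, approved, legacy=False):
    """Decide what an Enforce: Delete unapproved control should do.

    legacy=True reproduces the pre-fix behaviour: one rejected prefix
    deletes the whole rule, taking approved sources down with it.
    The default removes only the rejected prefixes and keeps the rest;
    if no approved prefix remains the rule is deleted (assumption).
    """
    prefixes = rule["source_address_prefixes"]
    rejected = [p for p in prefixes if not _is_approved(p, approved)]
    if not rejected:
        return {"action": "keep", "rule": rule, "revoked": []}
    if legacy or len(rejected) == len(prefixes):
        return {"action": "delete", "rule": rule, "revoked": rejected}
    kept = [p for p in prefixes if p not in rejected]
    return {"action": "update",
            "rule": {**rule, "source_address_prefixes": kept},
            "revoked": rejected}


# Constructed sample: one ingress rule mixing approved and unapproved
# sources. In practice the NSG would be read from the Azure API.
APPROVED = ["10.0.0.0/8", "VirtualNetwork"]
RULE = {
    "name": "allow-ssh",
    "direction": "Inbound",
    "destination_port_range": "22",
    "source_address_prefixes": ["10.20.0.0/16", "0.0.0.0/0", "VirtualNetwork"],
}

if __name__ == "__main__":
    print(plan_remediation(RULE, APPROVED, legacy=True)["action"])
    print(plan_remediation(RULE, APPROVED))
```

The difference matters for availability as much as for security: with the legacy plan the rule is deleted outright and the legitimate 10.20.0.0/16 and VirtualNetwork sources lose access, while the new plan revokes only 0.0.0.0/0 and leaves the approved sources untouched.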

What's new?

  • Add support for installing mods from a branch or from the local file system. (#849).

    To install from a branch:

    flowpipe mod install github.com/turbot/flowpipe-mod-aws-thrifty#main

    To reference a mod in the local file system:

    flowpipe mod install ../mods/local_mod_folder
  • Add --pull flag to mod command to control the mod update strategy. (#849). Possible update strategies are:

    • full - check branch and tags for both latest and accuracy
    • latest - update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)
    • development - update branches and broken constraints to latest, leave satisfied constraints unchanged
    • minimal - only update broken constraints, do not check branches for new commits
  • Variable list and show commands. (#373)

Bug fixes

  • Pipeline references declared in subsequent files are correctly identified and processed.
  • Preserves pipeline params ordering as specified in the pipeline definition. (#408)

What's new?

  • Added HIPAA benchmark (powerpipe benchmark run gcp_compliance.benchmark.hipaa). (#165)
  • Added PCI DSS v3.2.1 benchmark (powerpipe benchmark run gcp_compliance.benchmark.pci_dss_v321). (#163)

Enhancements

  • Optimized several queries to minimize API usage, achieving faster performance. (#162)

What's new?

  • Added Reserve Bank of India - IT Framework for NBFC Regulatory Compliance benchmark (powerpipe benchmark run azure_compliance.benchmark.rbi_itf_nbfc_v2017). (#267)

Bug fixes

  • The GCP > Turbot > Event Handlers > Logging would go into an Invalid state because of incorrect filter patterns defined in the GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer policy. This is fixed and the control will now work as expected.

Bug fixes

  • Guardrails would sometimes process the real-time event compute.networks.delete for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.

What's new?

Resource Types

  • AWS > AppFabric

Policy Types

  • AWS > AppFabric > API Enabled
  • AWS > AppFabric > Approved Regions [Default]
  • AWS > AppFabric > Enabled
  • AWS > AppFabric > Permissions
  • AWS > AppFabric > Permissions > Levels
  • AWS > AppFabric > Permissions > Levels > Modifiers
  • AWS > AppFabric > Permissions > Lockdown
  • AWS > AppFabric > Permissions > Lockdown > API Boundary
  • AWS > AppFabric > Regions
  • AWS > AppFabric > Tags Template [Default]
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-appfabric
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-appfabric
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-appfabric

What's new?

Control Types

  • GCP > IAM > Project User > Approved

Policy Types

  • GCP > IAM > Project User > Approved
  • GCP > IAM > Project User > Approved > Custom
  • GCP > IAM > Project User > Approved > Usage

Bug fixes

  • Respect the app version defined in the powerpipe block of the mod's require block. (#405)
  • Dashboard UI should handle graph categories containing resource_name rather than name. (#360)

Bug fixes

  • Guardrails failed to process the real-time event s3:PutBucketReplication for buckets. This is now fixed.
  • The AWS > S3 > Bucket > Access Logging control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.

Enhancements

  • The user_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Pipes connections. (#27)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#32)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the plugin to correctly authenticate against a custom tenant in Pipes instead of returning a 401 error. (#30)

Dependencies

What's new?

  • Added Detect and Correct pipeline for DynamoDB tables with stale data. (#34)

What's new?

  • Added the following new pipeline:
    • delete_dynamodb_table

Enhancements

  • Added runtime variable support for control lambda_function_use_latest_runtime. (#791)

Bug fixes

  • Fixed the ecr_repository_image_scan_on_push_enabled query to use the correct common dimensions. (#793)

What's new?

Enhancements

  • The login_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Github connections. (#422)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#219)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the plugin's support for GitHub OAuth access tokens so that authentication works correctly. (#432)

Dependencies

Bug fixes

  • Updated Postgres FDW to v1.11.2 to remove unnecessary NOTICE level log messages. (#469)

What's new?

  • Added NIST SP 800-171 Revision 2 benchmark (powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2). (#264)

Integrate your developer, team or custom tenant with GitHub, enabling you to install custom Powerpipe mods from public or private repositories. Push changes for instant deploys and live updates.

For more information, see the launch post or check out the docs.

Bug fixes

  • Guardrails failed to discover system storage containers (e.g. $logs) for storage accounts. This is now fixed.

Bug fixes

  • Added support to process enable and disable real-time events for BigQuery Data Transfer API via Service Usage APIs.

5.0.0 (2024-05-15)

What's new?

Resource Types

  • GCP > BigQuery Data Transfer
  • GCP > BigQuery Data Transfer > Transfer Config

Control Types

  • GCP > BigQuery Data Transfer > API Enabled
  • GCP > BigQuery Data Transfer > CMDB
  • GCP > BigQuery Data Transfer > Discovery
  • GCP > BigQuery Data Transfer > Transfer Config > Active
  • GCP > BigQuery Data Transfer > Transfer Config > Approved
  • GCP > BigQuery Data Transfer > Transfer Config > CMDB
  • GCP > BigQuery Data Transfer > Transfer Config > Discovery
  • GCP > BigQuery Data Transfer > Transfer Config > Usage

Policy Types

  • GCP > BigQuery Data Transfer > API Enabled
  • GCP > BigQuery Data Transfer > Approved Regions [Default]
  • GCP > BigQuery Data Transfer > CMDB
  • GCP > BigQuery Data Transfer > Enabled
  • GCP > BigQuery Data Transfer > Permissions
  • GCP > BigQuery Data Transfer > Permissions > Levels
  • GCP > BigQuery Data Transfer > Permissions > Levels > Modifiers
  • GCP > BigQuery Data Transfer > Regions
  • GCP > BigQuery Data Transfer > Transfer Config > Active
  • GCP > BigQuery Data Transfer > Transfer Config > Active > Age
  • GCP > BigQuery Data Transfer > Transfer Config > Active > Last Modified
  • GCP > BigQuery Data Transfer > Transfer Config > Approved
  • GCP > BigQuery Data Transfer > Transfer Config > Approved > Custom
  • GCP > BigQuery Data Transfer > Transfer Config > Approved > Usage
  • GCP > BigQuery Data Transfer > Transfer Config > CMDB
  • GCP > BigQuery Data Transfer > Transfer Config > Regions
  • GCP > BigQuery Data Transfer > Transfer Config > Usage
  • GCP > BigQuery Data Transfer > Transfer Config > Usage > Limit
  • GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer
  • GCP > Turbot > Permissions > Compiled > Levels > @turbot/gcp-bigquerydatatransfer
  • GCP > Turbot > Permissions > Compiled > Service Permissions > @turbot/gcp-bigquerydatatransfer

Action Types

  • GCP > BigQuery Data Transfer > Set API Enabled
  • GCP > BigQuery Data Transfer > Transfer Config > Delete
  • GCP > BigQuery Data Transfer > Transfer Config > Router

Bug fixes

  • Load locals in order of dependency. (#399).

What's new?

  • Added support for installing mods from a branch or from the local file system. (#285)

    To install from a branch:

    powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected#main

    To reference a mod in the local file system:

    powerpipe mod install ../mods/local_mod_folder
  • Added --pull flag to mod, dashboard and benchmark commands to control the mod update strategy. (#352). Possible update strategies are:

    • full - check branch and tags for both latest and accuracy
    • latest - update everything to latest, but only branches - not tags - are commit checked (which is the same as latest)
    • development - update branches and broken constraints to latest, leave satisfied constraints unchanged
    • minimal - only update broken constraints, do not check branches for new commits

Bug fixes

  • Fixed control category titles to use osquery instead of Osquery.

Bug fixes

  • Kubernetes > Node resources will no longer include the conditions.lastHeartbeatTime or resource_version properties to avoid unnecessary notifications in the activity tab.
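The noise-reduction idea behind that fix, as an added Python example that is not Guardrails' code: strip the fields a kubelet rewrites on every heartbeat before fingerprinting a Node, so that only material changes (such as a condition flipping to NotReady) register as a change. It uses the Kubernetes API field names metadata.resourceVersion and status.conditions[].lastHeartbeatTime; how Guardrails maps these onto its CMDB properties is not described on this page.

```python
import copy
import hashlib
import json


def normalize_node(node):
    """Return a copy of a Kubernetes Node object with the fields that change
    on every heartbeat removed. The input is never mutated."""
    n = copy.deepcopy(node)
    n.get("metadata", {}).pop("resourceVersion", None)
    for cond in n.get("status", {}).get("conditions", []):
        cond.pop("lastHeartbeatTime", None)
    return n


def fingerprint(node):
    """Stable digest of the normalized object: sorted keys and no
    insignificant whitespace, so equal content always hashes the same."""
    canonical = json.dumps(normalize_node(node), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def has_material_change(old, new):
    """True only when something other than heartbeat bookkeeping changed."""
    return fingerprint(old) != fingerprint(new)


# Constructed sample: three reads of the same node. T1 differs from T0 only
# by heartbeat bookkeeping; T2 additionally reports the node as NotReady.
NODE_T0 = {
    "metadata": {"name": "worker-1", "resourceVersion": "100123"},
    "status": {"conditions": [
        {"type": "Ready", "status": "True", "lastHeartbeatTime": "2024-06-06T14:50:00Z"},
        {"type": "MemoryPressure", "status": "False", "lastHeartbeatTime": "2024-06-06T14:50:00Z"},
    ]},
}
NODE_T1 = copy.deepcopy(NODE_T0)
NODE_T1["metadata"]["resourceVersion"] = "100987"
for _cond in NODE_T1["status"]["conditions"]:
    _cond["lastHeartbeatTime"] = "2024-06-06T14:50:10Z"

NODE_T2 = copy.deepcopy(NODE_T1)
NODE_T2["status"]["conditions"][0]["status"] = "False"

if __name__ == "__main__":
    print("T0 -> T1 material change:", has_material_change(NODE_T0, NODE_T1))
    print("T1 -> T2 material change:", has_material_change(NODE_T1, NODE_T2))
```

The same pattern applies to any inventory or CMDB feed: decide up front which fields are bookkeeping, canonicalize, then hash, so that alerting and activity history reflect real state changes rather than polling cadence.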

What's new?

Resource Types

  • AWS > EventBridge Scheduler

Policy Types

  • AWS > EventBridge Scheduler > API Enabled
  • AWS > EventBridge Scheduler > Approved Regions [Default]
  • AWS > EventBridge Scheduler > Enabled
  • AWS > EventBridge Scheduler > Permissions
  • AWS > EventBridge Scheduler > Permissions > Levels
  • AWS > EventBridge Scheduler > Permissions > Levels > Modifiers
  • AWS > EventBridge Scheduler > Permissions > Lockdown
  • AWS > EventBridge Scheduler > Permissions > Lockdown > API Boundary
  • AWS > EventBridge Scheduler > Regions
  • AWS > EventBridge Scheduler > Tags Template [Default]
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgescheduler
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgescheduler
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgescheduler

What's new?

Resource Types

  • AWS > EventBridge Pipes

Policy Types

  • AWS > EventBridge Pipes > API Enabled
  • AWS > EventBridge Pipes > Approved Regions [Default]
  • AWS > EventBridge Pipes > Enabled
  • AWS > EventBridge Pipes > Permissions
  • AWS > EventBridge Pipes > Permissions > Levels
  • AWS > EventBridge Pipes > Permissions > Levels > Modifiers
  • AWS > EventBridge Pipes > Permissions > Lockdown
  • AWS > EventBridge Pipes > Permissions > Lockdown > API Boundary
  • AWS > EventBridge Pipes > Regions
  • AWS > EventBridge Pipes > Tags Template [Default]
  • AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-eventbridgepipes
  • AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-eventbridgepipes
  • AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-eventbridgepipes

Enhancements

  • The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Microsoft 365 subscriptions. (#50)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#55)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#50)

Enhancements

  • The tenant_id column has now been assigned as a connection key column across all the tables which facilitates more precise and efficient querying across multiple Azure subscriptions. (#175)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#180)
  • Added support for China cloud endpoint and scope based on the environment. (#174)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

  • Recompiled plugin with steampipe-plugin-sdk v5.10.1 which ensures that QueryData passed to ConnectionKeyColumns value callback is populated with ConnectionManager. (#175)

What's new?

  • Added 30 new 'detect and correct' pipelines to identify unused and underutilized AWS resources, as well as deprecated resource configurations. These pipelines also suggest potential remediation actions to optimize costs. For usage information and a full list of pipelines, please see AWS Thrifty Mod.

What's new?

  • Server

    • Added a new GraphQL resolver for osquery to generate an enrollSecret.
    • Added new REST APIs for osquery management, which includes:
      • api/latest/osquery/enroll
      • api/latest/osquery/config
      • api/latest/osquery/logger
    • Introduced a dedicated worker, along with an SQS FIFO queue and an SNS FIFO topic, to run osquery operations.
    • Implemented a new serviceNowCredential resolver specifically for Kubernetes clusters.
    • Upgraded our SDK (@turbot/sdk) to version 5.15.0 and our fn toolkit (@turbot/fn) to version 5.22.0, to support FIFO queues.
  • UI

    • Added support for connecting to Kubernetes, facilitating easier integration and management.
    • Added report for AWS CIS v2.0.
    • Added report for AWS CIS v3.0.
    • Added report for Azure CIS v2.0.
    • Added report for GCP CIS v2.0.

Requirements

  • TEF: 1.58.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

Control Types

  • Kubernetes > Cluster > ServiceNow
  • Kubernetes > Cluster > ServiceNow > Configuration Item
  • Kubernetes > Cluster > ServiceNow > Table
  • Kubernetes > ConfigMap > ServiceNow
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item
  • Kubernetes > ConfigMap > ServiceNow > Table
  • Kubernetes > Deployment > ServiceNow
  • Kubernetes > Deployment > ServiceNow > Configuration Item
  • Kubernetes > Deployment > ServiceNow > Table
  • Kubernetes > Namespace > ServiceNow
  • Kubernetes > Namespace > ServiceNow > Configuration Item
  • Kubernetes > Namespace > ServiceNow > Table
  • Kubernetes > Node > ServiceNow
  • Kubernetes > Node > ServiceNow > Configuration Item
  • Kubernetes > Node > ServiceNow > Table
  • Kubernetes > Pod > ServiceNow
  • Kubernetes > Pod > ServiceNow > Configuration Item
  • Kubernetes > Pod > ServiceNow > Table
  • Kubernetes > ReplicaSet > ServiceNow
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item
  • Kubernetes > ReplicaSet > ServiceNow > Table
  • Kubernetes > Service > ServiceNow
  • Kubernetes > Service > ServiceNow > Configuration Item
  • Kubernetes > Service > ServiceNow > Table
  • ServiceNow > Turbot > Watches > Kubernetes

Policy Types

  • Kubernetes > Cluster > ServiceNow
  • Kubernetes > Cluster > ServiceNow > Configuration Item
  • Kubernetes > Cluster > ServiceNow > Configuration Item > Record
  • Kubernetes > Cluster > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Cluster > ServiceNow > Table
  • Kubernetes > Cluster > ServiceNow > Table > Definition
  • Kubernetes > ConfigMap > ServiceNow
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item > Record
  • Kubernetes > ConfigMap > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > ConfigMap > ServiceNow > Table
  • Kubernetes > ConfigMap > ServiceNow > Table > Definition
  • Kubernetes > Deployment > ServiceNow
  • Kubernetes > Deployment > ServiceNow > Configuration Item
  • Kubernetes > Deployment > ServiceNow > Configuration Item > Record
  • Kubernetes > Deployment > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Deployment > ServiceNow > Table
  • Kubernetes > Deployment > ServiceNow > Table > Definition
  • Kubernetes > Namespace > ServiceNow
  • Kubernetes > Namespace > ServiceNow > Configuration Item
  • Kubernetes > Namespace > ServiceNow > Configuration Item > Record
  • Kubernetes > Namespace > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Namespace > ServiceNow > Table
  • Kubernetes > Namespace > ServiceNow > Table > Definition
  • Kubernetes > Node > ServiceNow
  • Kubernetes > Node > ServiceNow > Configuration Item
  • Kubernetes > Node > ServiceNow > Configuration Item > Record
  • Kubernetes > Node > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Node > ServiceNow > Table
  • Kubernetes > Node > ServiceNow > Table > Definition
  • Kubernetes > Pod > ServiceNow
  • Kubernetes > Pod > ServiceNow > Configuration Item
  • Kubernetes > Pod > ServiceNow > Configuration Item > Record
  • Kubernetes > Pod > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Pod > ServiceNow > Table
  • Kubernetes > Pod > ServiceNow > Table > Definition
  • Kubernetes > ReplicaSet > ServiceNow
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Record
  • Kubernetes > ReplicaSet > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > ReplicaSet > ServiceNow > Table
  • Kubernetes > ReplicaSet > ServiceNow > Table > Definition
  • Kubernetes > Service > ServiceNow
  • Kubernetes > Service > ServiceNow > Configuration Item
  • Kubernetes > Service > ServiceNow > Configuration Item > Record
  • Kubernetes > Service > ServiceNow > Configuration Item > Table Definition
  • Kubernetes > Service > ServiceNow > Table
  • Kubernetes > Service > ServiceNow > Table > Definition
  • ServiceNow > Turbot > Watches > Kubernetes

Action Types

  • ServiceNow > Turbot > Watches > Kubernetes Archive And Delete Record

What's new?

Resource Types

  • osquery

Control Types

  • Turbot > Workspace > osquery
  • Turbot > Workspace > osquery > Secret Rotation

Policy Types

  • Turbot > Workspace > osquery
  • Turbot > Workspace > osquery > Enroll Secret Expiration
  • Turbot > Workspace > osquery > Secrets
  • Turbot > Workspace > osquery > Secrets > Expiration Period
  • Turbot > Workspace > osquery > Secrets > Rotation
  • osquery > Configuration

Action Types

  • Turbot > Rotate osquery Secret
  • osquery > Event Handler

What's new?

Resource Types

  • Kubernetes
  • Kubernetes > Cluster
  • Kubernetes > ConfigMap
  • Kubernetes > Deployment
  • Kubernetes > Namespace
  • Kubernetes > Node
  • Kubernetes > Pod
  • Kubernetes > ReplicaSet
  • Kubernetes > Service

Control Types

  • Kubernetes > Cluster > CMDB
  • Kubernetes > ConfigMap > Annotations
  • Kubernetes > ConfigMap > Approved
  • Kubernetes > ConfigMap > CMDB
  • Kubernetes > ConfigMap > Labels
  • Kubernetes > ConfigMap > Query
  • Kubernetes > Deployment > Annotations
  • Kubernetes > Deployment > Approved
  • Kubernetes > Deployment > CMDB
  • Kubernetes > Deployment > Labels
  • Kubernetes > Deployment > Query
  • Kubernetes > Namespace > Annotations
  • Kubernetes > Namespace > Approved
  • Kubernetes > Namespace > CMDB
  • Kubernetes > Namespace > Labels
  • Kubernetes > Namespace > Query
  • Kubernetes > Node > Annotations
  • Kubernetes > Node > Approved
  • Kubernetes > Node > CMDB
  • Kubernetes > Node > Labels
  • Kubernetes > Node > Query
  • Kubernetes > Pod > Annotations
  • Kubernetes > Pod > Approved
  • Kubernetes > Pod > CMDB
  • Kubernetes > Pod > Labels
  • Kubernetes > Pod > Query
  • Kubernetes > ReplicaSet > Annotations
  • Kubernetes > ReplicaSet > Approved
  • Kubernetes > ReplicaSet > CMDB
  • Kubernetes > ReplicaSet > Labels
  • Kubernetes > ReplicaSet > Query
  • Kubernetes > Service > Annotations
  • Kubernetes > Service > Approved
  • Kubernetes > Service > CMDB
  • Kubernetes > Service > Labels
  • Kubernetes > Service > Query

Policy Types

  • Kubernetes > Cluster > CMDB
  • Kubernetes > ConfigMap > Annotations
  • Kubernetes > ConfigMap > Annotations > Template
  • Kubernetes > ConfigMap > Approved
  • Kubernetes > ConfigMap > Approved > Custom
  • Kubernetes > ConfigMap > CMDB
  • Kubernetes > ConfigMap > Labels
  • Kubernetes > ConfigMap > Labels > Template
  • Kubernetes > ConfigMap > osquery
  • Kubernetes > ConfigMap > osquery > Configuration
  • Kubernetes > ConfigMap > osquery > Configuration > Columns
  • Kubernetes > ConfigMap > osquery > Configuration > Interval
  • Kubernetes > ConfigMap > osquery > Configuration > Name
  • Kubernetes > Deployment > Annotations
  • Kubernetes > Deployment > Annotations > Template
  • Kubernetes > Deployment > Approved
  • Kubernetes > Deployment > Approved > Custom
  • Kubernetes > Deployment > CMDB
  • Kubernetes > Deployment > Labels
  • Kubernetes > Deployment > Labels > Template
  • Kubernetes > Deployment > osquery
  • Kubernetes > Deployment > osquery > Configuration
  • Kubernetes > Deployment > osquery > Configuration > Columns
  • Kubernetes > Deployment > osquery > Configuration > Interval
  • Kubernetes > Deployment > osquery > Configuration > Name
  • Kubernetes > Namespace > Annotations
  • Kubernetes > Namespace > Annotations > Template
  • Kubernetes > Namespace > Approved
  • Kubernetes > Namespace > Approved > Custom
  • Kubernetes > Namespace > CMDB
  • Kubernetes > Namespace > Labels
  • Kubernetes > Namespace > Labels > Template
  • Kubernetes > Namespace > osquery
  • Kubernetes > Namespace > osquery > Configuration
  • Kubernetes > Namespace > osquery > Configuration > Columns
  • Kubernetes > Namespace > osquery > Configuration > Interval
  • Kubernetes > Namespace > osquery > Configuration > Name
  • Kubernetes > Node > Annotations
  • Kubernetes > Node > Annotations > Template
  • Kubernetes > Node > Approved
  • Kubernetes > Node > Approved > Custom
  • Kubernetes > Node > CMDB
  • Kubernetes > Node > Labels
  • Kubernetes > Node > Labels > Template
  • Kubernetes > Node > osquery
  • Kubernetes > Node > osquery > Configuration
  • Kubernetes > Node > osquery > Configuration > Columns
  • Kubernetes > Node > osquery > Configuration > Interval
  • Kubernetes > Node > osquery > Configuration > Name
  • Kubernetes > Pod > Annotations
  • Kubernetes > Pod > Annotations > Template
  • Kubernetes > Pod > Approved
  • Kubernetes > Pod > Approved > Custom
  • Kubernetes > Pod > CMDB
  • Kubernetes > Pod > Labels
  • Kubernetes > Pod > Labels > Template
  • Kubernetes > Pod > osquery
  • Kubernetes > Pod > osquery > Configuration
  • Kubernetes > Pod > osquery > Configuration > Columns
  • Kubernetes > Pod > osquery > Configuration > Interval
  • Kubernetes > Pod > osquery > Configuration > Name
  • Kubernetes > ReplicaSet > Annotations
  • Kubernetes > ReplicaSet > Annotations > Template
  • Kubernetes > ReplicaSet > Approved
  • Kubernetes > ReplicaSet > Approved > Custom
  • Kubernetes > ReplicaSet > CMDB
  • Kubernetes > ReplicaSet > Labels
  • Kubernetes > ReplicaSet > Labels > Template
  • Kubernetes > ReplicaSet > osquery
  • Kubernetes > ReplicaSet > osquery > Configuration
  • Kubernetes > ReplicaSet > osquery > Configuration > Columns
  • Kubernetes > ReplicaSet > osquery > Configuration > Interval
  • Kubernetes > ReplicaSet > osquery > Configuration > Name
  • Kubernetes > Service > Annotations
  • Kubernetes > Service > Annotations > Template
  • Kubernetes > Service > Approved
  • Kubernetes > Service > Approved > Custom
  • Kubernetes > Service > CMDB
  • Kubernetes > Service > Labels
  • Kubernetes > Service > Labels > Template
  • Kubernetes > Service > osquery
  • Kubernetes > Service > osquery > Configuration
  • Kubernetes > Service > osquery > Configuration > Columns
  • Kubernetes > Service > osquery > Configuration > Interval
  • Kubernetes > Service > osquery > Configuration > Name
  • Kubernetes > osquery
  • Kubernetes > osquery > Decorators

Action Types

  • Kubernetes > ConfigMap > Router
  • Kubernetes > Deployment > Router
  • Kubernetes > Namespace > Router
  • Kubernetes > Node > Router
  • Kubernetes > Pod > Router
  • Kubernetes > ReplicaSet > Router
  • Kubernetes > Service > Router

Bug fixes

  • The GCP > IAM > Service Account Key > Active control will no longer attempt to delete a system-managed service account key deemed inactive by the control.

What's new?

  • You can now determine whether an IAM access key is the latest one for its user, and deactivate or delete any keys that are not, using Guardrails. To get started, set the AWS > IAM > Access Key > Active > Latest policy.
  • You can now determine whether an IAM server certificate is active based on its expiration date. To get started, set the AWS > IAM > Server Certificate > Active > Expired policy.
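The two checks above are straightforward to reproduce outside Guardrails, for instance when triaging an account before turning on enforcement. The following is an added example, not Guardrails code: it works over constructed records shaped like the output of IAM ListAccessKeys and ListServerCertificates (the key IDs are placeholders, not real credentials), and it assumes that "latest" means the most recently created key for a user, whatever that key's status, so an older Active key is still flagged when a newer Inactive key exists. The reference time NOW is a fixed constructed date so the result is reproducible.

```python
from datetime import datetime, timezone

# Constructed reference time for the certificate check (an assumption for this example).
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed sample data: shaped like IAM ListAccessKeys output, placeholder key IDs.
ACCESS_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active",
     "CreateDate": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000002", "Status": "Active",
     "CreateDate": datetime(2024, 4, 2, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000003", "Status": "Active",
     "CreateDate": datetime(2023, 11, 5, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000004", "Status": "Inactive",
     "CreateDate": datetime(2024, 3, 1, tzinfo=timezone.utc)},
]

# Constructed sample data: shaped like IAM ListServerCertificates output.
SERVER_CERTIFICATES = [
    {"ServerCertificateName": "web-2023",
     "Expiration": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"ServerCertificateName": "web-2024",
     "Expiration": datetime(2025, 6, 30, tzinfo=timezone.utc)},
]


def latest_key_per_user(keys):
    """Map each user to the AccessKeyId of their most recently created key.

    Status is deliberately ignored here: a newer key, even if Inactive, still
    makes every older key for that user 'not latest'.
    """
    latest = {}
    for key in keys:
        current = latest.get(key["UserName"])
        if current is None or key["CreateDate"] > current["CreateDate"]:
            latest[key["UserName"]] = key
    return {user: key["AccessKeyId"] for user, key in latest.items()}


def non_latest_active_keys(keys):
    """Active keys that are not their user's latest: the deactivate/delete candidates."""
    latest = latest_key_per_user(keys)
    return sorted(
        key["AccessKeyId"]
        for key in keys
        if key["Status"] == "Active" and latest[key["UserName"]] != key["AccessKeyId"]
    )


def expired_server_certificates(certs, now=NOW):
    """Names of server certificates whose Expiration is at or before `now`."""
    return sorted(c["ServerCertificateName"] for c in certs if c["Expiration"] <= now)


if __name__ == "__main__":
    print("Active keys that are not the user's latest:", non_latest_active_keys(ACCESS_KEYS))
    print("Expired server certificates:", expired_server_certificates(SERVER_CERTIFICATES))
```

With this data, alice's older key and bob's only Active key (superseded by a newer Inactive one) are both reported, which is the point of comparing against the newest key rather than the newest Active key; whether that is the semantics you want is exactly what to confirm before moving the policy from Check to Enforce.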

Policy Types

  • AWS > IAM > Access Key > Active > Latest
  • AWS > IAM > Server Certificate > Active > Expired

Enhancements

  • The tenant_id column is now a connection key column across all tables, which enables more precise and efficient querying across multiple OCI tenants. (#606)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#614)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

Enhancements

  • The project column is now a connection key column across all tables, which enables more precise and efficient querying across multiple GCP projects. (#564)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#580)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the table gcp_cloudfunctions_function to list gen2 cloud functions. (#568) (Thanks @ashutoshmore658 for the contribution!)

Dependencies

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#756)

Bug fixes

  • Fixed the server_properties column in the azure_postgresql_flexible_server table to correctly return data instead of nil. (#754)

Dependencies

Enhancements

  • The account_id column is now a connection key column across all tables, which enables more precise and efficient querying across multiple Alibaba Cloud accounts. (#406)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#419)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

Bug fixes

  • Updated FDW to 1.11.1 to fix bad Linux Arm build. (#4271)
  • Updated the hydrate count in timing verbose mode to use integer formatting (e.g. 119,138). (#4270)

Bug fixes

  • Pipeline execution no longer stalls when a concurrency limit is applied and the if clause returns false. (#836)
  • A trigger's common attributes (title, description, tags, documentation) now allow functions and expressions. (#394)

Bug fixes

  • The GCP > Project > CMDB control would go into an error state if Access Approval API was disabled in GCP. This is now fixed.

Enhancements

  • The context_name column is now a connection key column across all tables, which enables more precise and efficient querying across multiple Kubernetes connections. (#217)
  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package. (#219)
  • Added the version flag to the plugin's Export tool. (#65)

Dependencies

v0.138.0 [2024-05-09]

Enhancements

  • The Plugin and the Steampipe Anywhere binaries are now built with the netgo package for both Linux and Darwin. (#219) (#2180)

Bug fixes

  • Fixed the aws_ebs_snapshot table to correctly return data instead of an empty row. (#2185)

Dependencies

What's new?

  • Added support for connection key columns: (#768)

    A connection key column is a column whose value maps one-to-one to a Steampipe connection, so it can be used to filter connections when executing an aggregator query. These columns are treated as optional KeyColumns, which means they are taken into account in query planning.

  • Added support for verbose timing information. (#4244)

  • Added support for pushing down sort order. (#447)

  • Updated limit pushdown logic to push down the limit if all sort clauses are pushed down. (#458)

  • Added support for WHERE column=val1 OR column=val2 OR column=val3...

  • Migrated the plugin registry from GCP to GHCR. (#4232)

Bug fixes

  • Fixed hang when timing is disabled. (#4237)
  • Added a signal handler for signal 16 to avoid FDW crash. (#457)

Bug fixes

  • Ensured QueryData passed to connection key column value callback is populated with ConnectionManager. (#797)

What's new?

  • Implemented SNS topic to handle critical alarms notifications.
  • Added Product, Vendor Tags to the IAM Role resources created by the TEF stack.
  • Introduced a new SSM parameter to manage the reserved concurrency settings for the osquery worker lambda function.
  • Updated Log Bucket Lifecycle Policies:
    • Increased Retention Period: Extended the retention period of the lifecycle policy for logs in the log bucket with the /processes prefix from 1 day to 2 days.
    • New Policy Addition: Implemented a new lifecycle policy for managing log retention in the log bucket for logs with the /osquery prefix.

What's new?

  • Implemented critical alarms for RDS DB CPU utilization, DB Max Connections and Redis ElastiCache Memory utilization.
  • Added Product, Vendor Tags to the IAM Role resources created by the TED stack.

Bug fixes

  • The Azure > Compute > Virtual Machine Scale Set > Tags control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.

What's new?

  • Revoke ingress rules that are unapproved for use in Network ACLs. To get started, set the AWS > VPC > Network ACL > Ingress Rules > Approved > * policies.

Bug fixes

  • Minor fixes and improvements.

What's new?

  • You can now delete existing Mount Targets which are unapproved for use in the account. To get started, set the AWS > EFS > Mount Target > Approved policy to Enforce: Delete unapproved.

What's new?

  • Create and manage aws_cloudwatch_metric_alarm resources via Guardrails stacks.

Control Types

  • AWS > CloudWatch > Alarm > Configured

Policy Types

  • AWS > CloudWatch > Alarm > Configured
  • AWS > CloudWatch > Alarm > Configured > Claim Precedence
  • AWS > CloudWatch > Alarm > Configured > Source

Bug fixes

  • Added support for aws_securityhub_account Terraform resource.

What's new?

  • Resource metadata will now also include createdBy details in the Turbot CMDB.

What's new?

Control Types

  • AWS > CIS v3.0
  • AWS > CIS v3.0 > 1 - Identity and Access Management
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v3.0 > 2 - Storage
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v3.0 > 3 - Logging
  • AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v3.0 > 4 - Monitoring
  • AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v3.0 > 5 - Networking
  • AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2

Policy Types

  • AWS > CIS v3.0
  • AWS > CIS v3.0 > 1 - Identity and Access Management
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v3.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
  • AWS > CIS v3.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • AWS > CIS v3.0 > 2 - Storage
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
  • AWS > CIS v3.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v3.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v3.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v3.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v3.0 > 2 - Storage > Maximum Attestation Duration
  • AWS > CIS v3.0 > 3 - Logging
  • AWS > CIS v3.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.03 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v3.0 > 3 - Logging > 3.04 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.05 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v3.0 > 3 - Logging > 3.06 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v3.0 > 3 - Logging > 3.07 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v3.0 > 3 - Logging > Maximum Attestation Duration
  • AWS > CIS v3.0 > 4 - Monitoring
  • AWS > CIS v3.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v3.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v3.0 > 4 - Monitoring > Maximum Attestation Duration
  • AWS > CIS v3.0 > 5 - Networking
  • AWS > CIS v3.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v3.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation
  • AWS > CIS v3.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
  • AWS > CIS v3.0 > 5 - Networking > Maximum Attestation Duration
  • AWS > CIS v3.0 > Maximum Attestation Duration

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Resource Types:

    • GCP > DNS > Policy
  • Control Types:

    • GCP > DNS > Policy > Active
    • GCP > DNS > Policy > Approved
    • GCP > DNS > Policy > CMDB
    • GCP > DNS > Policy > Discovery
    • GCP > DNS > Policy > Usage
  • Policy Types:

    • GCP > DNS > Policy > Active
    • GCP > DNS > Policy > Active > Age
    • GCP > DNS > Policy > Active > Last Modified
    • GCP > DNS > Policy > Approved
    • GCP > DNS > Policy > Approved > Custom
    • GCP > DNS > Policy > Approved > Usage
    • GCP > DNS > Policy > CMDB
    • GCP > DNS > Policy > Usage
    • GCP > DNS > Policy > Usage > Limit
  • Action Types:

    • GCP > DNS > Policy > Delete
    • GCP > DNS > Policy > Router

What's new?

Control Types

  • GCP > CIS v2.0
  • GCP > CIS v2.0 > 1 - Identity and Access Management
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
  • GCP > CIS v2.0 > 2 - Logging and Monitoring
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
  • GCP > CIS v2.0 > 3 - Networking
  • GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
  • GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
  • GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
  • GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
  • GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
  • GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
  • GCP > CIS v2.0 > 4 - Virtual Machines
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
  • GCP > CIS v2.0 > 5 - Storage
  • GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
  • GCP > CIS v2.0 > 7 - BigQuery
  • GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
  • GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets

Policy Types

  • GCP > CIS v2.0
  • GCP > CIS v2.0 > 1 - Identity and Access Management
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Ensure that Corporate Login Credentials are Used > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure that Security Key Enforcement is Enabled for All Admin Accounts > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure That Service Account Has No Admin Privileges
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure Essential Contacts is Configured for Organization > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
  • GCP > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager > Attestation
  • GCP > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • GCP > CIS v2.0 > 2 - Logging and Monitoring
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled' > Attestation
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
  • GCP > CIS v2.0 > 2 - Logging and Monitoring > Maximum Attestation Duration
  • GCP > CIS v2.0 > 3 - Networking
  • GCP > CIS v2.0 > 3 - Networking > 3.01 - Ensure That the Default Network Does Not Exist in a Project
  • GCP > CIS v2.0 > 3 - Networking > 3.02 - Ensure Legacy Networks Do Not Exist for Older Projects
  • GCP > CIS v2.0 > 3 - Networking > 3.03 - Ensure That DNSSEC Is Enabled for Cloud DNS
  • GCP > CIS v2.0 > 3 - Networking > 3.04 - Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.05 - Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC
  • GCP > CIS v2.0 > 3 - Networking > 3.06 - Ensure That SSH Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.07 - Ensure That RDP Access Is Restricted From the Internet
  • GCP > CIS v2.0 > 3 - Networking > 3.08 - Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network
  • GCP > CIS v2.0 > 3 - Networking > 3.09 - Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
  • GCP > CIS v2.0 > 3 - Networking > 3.10 - Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'
  • GCP > CIS v2.0 > 4 - Virtual Machines
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.01 - Ensure That Instances Are Not Configured To Use the Default Service Account
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.02 - Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.03 - Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.04 - Ensure Oslogin Is Enabled for a Project
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.05 - Ensure 'Enable Connecting to Serial Ports' Is Not Enabled for VM Instance
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.06 - Ensure That IP Forwarding Is Not Enabled on Instances
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.07 - Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK)
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.08 - Ensure Compute Instances Are Launched With Shielded VM Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.09 - Ensure That Compute Instances Do Not Have Public IP Addresses
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.10 - Ensure That App Engine Applications Enforce HTTPS Connections > Attestation
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.11 - Ensure That Compute Instances Have Confidential Computing Enabled
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
  • GCP > CIS v2.0 > 4 - Virtual Machines > 4.12 - Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects > Attestation
  • GCP > CIS v2.0 > 4 - Virtual Machines > Maximum Attestation Duration
  • GCP > CIS v2.0 > 5 - Storage
  • GCP > CIS v2.0 > 5 - Storage > 5.01 - Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 5 - Storage > 5.02 - Ensure That Cloud Storage Buckets Have Uniform Bucket-Level Access Enabled
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.01 - Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges > Attestation
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.02 - Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.01 - MySQL Database > 6.01.03 - Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.01 - Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.02 - Ensure 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.03 - Ensure 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.04 - Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.05 - Ensure 'Log_min_messages' Database Flag for Cloud SQL PostgreSQL Instance is set at minimum to 'Warning'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.06 - Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.07 - Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.08 - Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.02 - PostgreSQL Database > 6.02.09 - Ensure Instance IP assignment is set to private
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.01 - Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.02 - Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.03 - Ensure 'user Connections' Database Flag for Cloud Sql Sql Server Instance Is Set to a Non-limiting Value
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.04 - Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.05 - Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.06 - Ensure '3625 (trace flag)' database flag for all Cloud SQL Server instances is set to 'on'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.03 - SQL Server > 6.03.07 - Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.04 - Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.05 - Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.06 - Ensure That Cloud SQL Database Instances Do Not Have Public IPs
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > 6.07 - Ensure That Cloud SQL Database Instances Are Configured With Automated Backups
  • GCP > CIS v2.0 > 6 - Cloud SQL Database Services > Maximum Attestation Duration
  • GCP > CIS v2.0 > 7 - BigQuery
  • GCP > CIS v2.0 > 7 - BigQuery > 7.01 - Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible
  • GCP > CIS v2.0 > 7 - BigQuery > 7.02 - Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)
  • GCP > CIS v2.0 > 7 - BigQuery > 7.03 - Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets
  • GCP > CIS v2.0 > Maximum Attestation Duration

Bug fixes

  • Minor fixes and improvements.

What's new?

  • Access approval setting details for projects are now available in the Project CMDB.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

Enhancements

  • The subscription_id column is now a connection key column across all tables, which enables more precise and efficient querying across multiple Azure subscriptions. (#740)
  • Added the version flag to the plugin's Export tool. (#65)

Bug fixes

  • Fixed the plugin's Postgres FDW Extension crash issue.

Dependencies

Bug fixes

  • Action Type for Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved control did not render correctly on mod inspect. This is now fixed.

What's new?

  • It is now possible to set a timeout for benchmark and dashboard execution. These can be set:
    • In the workspace using properties: dashboard_timeout and benchmark_timeout
    • Using the --dashboard-timeout flag for the dashboard run and server commands
    • Using the --benchmark-timeout flag for the benchmark run commands.
    • Using the environment variables POWERPIPE_DASHBOARD_TIMEOUT and POWERPIPE_BENCHMARK_TIMEOUT respectively. (#336)
  • Support installing private mods using a GitHub app token. (#381)
  • Improve the layout of filter and grouping components for control tags and dimensions. (#263)
  • Remove the dashboard input list and dashboard input show commands.
  • Add thousands separator to numeric values in dashboard tables. (#315)
  • Only show benchmark cards for statuses that are contained in the current filter and add status to filter on card click. (#322)

Bug fixes

  • When calling mod update, respect the argument (if any) and only update specified mods. (#331)
  • Fix mod update display of updates to transitive dependencies. (#288)

All new Pipes workspaces will be running Powerpipe v0.2.0 and existing workspaces will be upgraded by Monday 29th April 2024.

For more information on this Powerpipe release, see the release notes.

Bug fixes

  • Server
    • Minor internal improvements.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

  • The Azure > Storage > Storage Account > Data Protection control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.

What's new?

  • You can now remove unapproved firewall IP ranges on PostgreSQL servers and flexible servers. To get started, set the Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > * and Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > * policies respectively.
  • You can now stop unapproved flexible servers. To get started, set the Azure > PostgreSQL > Flexible Server > Approved policy to Enforce: Stop unapproved or Enforce: Stop unapproved if new.

Control Types

  • Azure > PostgreSQL > Flexible Server > Firewall
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Server > Firewall
  • Azure > PostgreSQL > Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved

Policy Types

  • Azure > PostgreSQL > Flexible Server > Firewall
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > Rules
  • Azure > PostgreSQL > Server > Firewall
  • Azure > PostgreSQL > Server > Firewall > IP Ranges
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > Rules

Action Types

  • Azure > PostgreSQL > Flexible Server > Stop
  • Azure > PostgreSQL > Server > Update Firewall IP Ranges

Bug fixes

  • Fixed control category names for v7.2.10, v7.7.10 and v7.14.1.

What's new?

Control Types

  • Azure > CIS v2.0
  • Azure > CIS v2.0 > 01 - Identity and Access Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
  • Azure > CIS v2.0 > 02 - Microsoft Defender
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
  • Azure > CIS v2.0 > 03 - Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
  • Azure > CIS v2.0 > 04 - Database Services
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • Azure > CIS v2.0 > 06 - Networking
  • Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
  • Azure > CIS v2.0 > 07 - Virtual Machines
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted
  • Azure > CIS v2.0 > 08 - Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
  • Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v2.0 > 09 - Application Services
  • Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
  • Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
  • Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v2.0 > 10 - Miscellaneous
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources

Policy Types

  • Azure > CIS v2.0
  • Azure > CIS v2.0 > 01 - Identity and Access Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.01 - Ensure Security Defaults is enabled on Azure Active Directory > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.02 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.03 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.01 - Security Defaults > 1.01.04 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.01 - Ensure Trusted Locations Are Defined
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.03 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.04 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.05 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.02 - Conditional Access > 1.02.06 - Ensure Multi-factor Authentication is Required for Azure Management > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.03 - Ensure that 'Users can create Azure AD Tenants' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.04 - Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.05 - Ensure Guest Users Are Reviewed on a Regular Basis
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.06 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.07 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.08 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.09 Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.11 - Ensure User consent for applications is set to Do not allow user consent > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users"
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.16 Ensure that 'Guest invite restrictions' is set to "Only users assigned to specific admin roles can invite guest users" > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
  • Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' > Attestation
  • Azure > CIS v2.0 > 01 - Identity and Access Management > Maximum Attestation Duration
  • Azure > CIS v2.0 > 02 - Microsoft Defender
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.02 - Ensure That Microsoft Defender for App Services Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.03 - Ensure That Microsoft Defender for Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.04 - Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.05 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.06 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.07 - Ensure That Microsoft Defender for Storage Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.08 - Ensure That Microsoft Defender for Containers Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.09 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.10 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.11 - Ensure That Microsoft Defender for DNS Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.12 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.13 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.14 - Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.15 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.16 - Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.17 - Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.18 - Ensure That 'All users with the following roles' is set to 'Owner'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.19 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.20 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.21 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.01 - Microsoft Defender for Cloud > 2.01.22 - Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.02 - Microsoft Defender for IoT > 2.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On' > Attestation
  • Azure > CIS v2.0 > 02 - Microsoft Defender > 2.03 - Microsoft Defender for External Attack Surface Monitoring
  • Azure > CIS v2.0 > 02 - Microsoft Defender > Maximum Attestation Duration
  • Azure > CIS v2.0 > 03 - Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.05 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.06 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.08 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.09 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.10 - Ensure Private Endpoints are used to access Storage Accounts
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.11 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.12 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
  • Azure > CIS v2.0 > 03 - Storage Accounts > 3.15 - Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
  • Azure > CIS v2.0 > 03 - Storage Accounts > Maximum Attestation Duration
  • Azure > CIS v2.0 > 04 - Database Services
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.01 - Ensure that 'Auditing' is set to 'On'
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.04 - Ensure that Azure Active Directory Admin is Configured for SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.01 - Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.02 - Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.03 - Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.04 - Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
  • Azure > CIS v2.0 > 04 - Database Services > 4.02 SQL Server - Microsoft Defender for SQL > 4.02.05 - Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.01 - Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.02 - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.03 - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.04 - Ensure Server Parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.05 - Ensure Server Parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.06 - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.07 - Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
  • Azure > CIS v2.0 > 04 - Database Services > 4.03 PostgreSQL Database Server > 4.03.08 - Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.01 - Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.02 - Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.04 - MySQL Database > 4.04.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.02 - Ensure That Private Endpoints Are Used Where Possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
  • Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible > Attestation
  • Azure > CIS v2.0 > 04 - Database Services > Maximum Attestation Duration
  • Azure > CIS v2.0 > 05 - Logging and Monitoring
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.03 - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.04 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.07 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > Maximum Attestation Duration
  • Azure > CIS v2.0 > 06 - Networking
  • Azure > CIS v2.0 > 06 - Networking > 6.01 - Ensure that RDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.02 - Ensure that SSH access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.03 - Ensure that UDP access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
  • Azure > CIS v2.0 > 06 - Networking > 6.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
  • Azure > CIS v2.0 > 06 - Networking > 6.06 - Ensure that Network Watcher is 'Enabled'
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis
  • Azure > CIS v2.0 > 06 - Networking > 6.07 - Ensure that Public IP addresses are Evaluated on a Periodic Basis > Attestation
  • Azure > CIS v2.0 > 06 - Networking > Maximum Attestation Duration
  • Azure > CIS v2.0 > 07 - Virtual Machines
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.02 - Ensure Virtual Machines are utilizing Managed Disks
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.05 - Ensure that Only Approved Extensions Are Installed > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.06 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted
  • Azure > CIS v2.0 > 07 - Virtual Machines > 7.07 - [Legacy] Ensure that VHDs are Encrypted > Attestation
  • Azure > CIS v2.0 > 07 - Virtual Machines > Maximum Attestation Duration
  • Azure > CIS v2.0 > 08 - Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
  • Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation
  • Azure > CIS v2.0 > 08 - Key Vault > Maximum Attestation Duration
  • Azure > CIS v2.0 > 09 - Application Services
  • Azure > CIS v2.0 > 09 - Application Services > 9.01 - Ensure App Service Authentication is set up for apps in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.02 - Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.03 - Ensure Web App is using the latest version of TLS encryption
  • Azure > CIS v2.0 > 09 - Application Services > 9.04 - Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
  • Azure > CIS v2.0 > 09 - Application Services > 9.05 - Ensure that Register with Azure Active Directory is enabled on App Service
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.06 - Ensure That 'PHP version' is the Latest, If Used to Run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.07 - Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.08 - Ensure that 'Java version' is the latest, if used to run the Web App > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > 9.09 - Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
  • Azure > CIS v2.0 > 09 - Application Services > 9.10 - Ensure FTP deployments are Disabled
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation
  • Azure > CIS v2.0 > 09 - Application Services > Maximum Attestation Duration
  • Azure > CIS v2.0 > 10 - Miscellaneous
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
  • Azure > CIS v2.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
  • Azure > CIS v2.0 > 10 - Miscellaneous > Maximum Attestation Duration
  • Azure > CIS v2.0 > Maximum Attestation Duration

Bug fixes

  • Param can be used in query step's args attribute. (#830).
  • File watcher now correctly detects changes in the loop block. (#808).
  • Duplicate step names are now detected and reported as an error. (#820).
  • Better error message for invalid notifier reference. (#826).

What's new?

  • Server
    • Implemented monitoring for worker_factory in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog".
    • Established a CloudWatch Alarm for the _worker_factory queue.
    • Added Product and Vendor tags to the IAM Role resources created by the TE stack.
    • Adjusted the threshold for the CloudWatch Alarm monitoring the _worker queue.

Bug fixes

  • Server

    • Users with only Turbot/User access will no longer see grants or active grants belonging to other users, so you only view grants that are relevant to your permissions.
    • Control will move to error if it fails to determine the state at precheck.
    • System resilience has been enhanced through extended TTL settings and refined management of suspended processes, aiming to improve stability and reduce backlog issues.
    • Refined management of various processes to improve stability and reduce backlog issues.
  • UI

    • Converted the template_input property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.

Requirements

  • TEF: 1.57.0
  • TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

  • Moved the Turbot > Process Monitor control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks.
  • Updated the Turbot > Workspace > Background Tasks control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.

Bug fixes

  • Minor fixes and improvements.

What's new?

  • You can now configure rotation reminders for access keys and soft delete for blobs and containers in storage accounts. To get started, set the Azure > Storage > Storage Account > Access Keys > Rotation Reminder > * and Azure > Storage > Storage Account > Data Protection > Soft Delete > * policies respectively.

Control Types

  • Azure > Storage > Storage Account > Access Keys
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder
  • Azure > Storage > Storage Account > Data Protection
  • Azure > Storage > Storage Account > Data Protection > Soft Delete

Policy Types

  • Azure > Storage > Storage Account > Access Keys
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder
  • Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
  • Azure > Storage > Storage Account > Data Protection
  • Azure > Storage > Storage Account > Data Protection > Soft Delete
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
  • Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days

Action Types

  • Azure > Storage > Storage Account > Set Data Protection Soft Delete
  • Azure > Storage > Storage Account > Update Rotation Reminder

What's new?

  • You can now remove unapproved Firewall IP Ranges on SQL servers. To get started, set the Azure > SQL > Server > Firewall > IP Ranges > Approved > * policies.

Control Types

  • Azure > SQL > Server > Firewall
  • Azure > SQL > Server > Firewall > IP Ranges
  • Azure > SQL > Server > Firewall > IP Ranges > Approved

Policy Types

  • Azure > SQL > Server > Firewall
  • Azure > SQL > Server > Firewall > IP Ranges
  • Azure > SQL > Server > Firewall > IP Ranges > Approved
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > IP Addresses
  • Azure > SQL > Server > Firewall > IP Ranges > Approved > Rules

Action Types

  • Azure > SQL > Server > Update Firewall IP Ranges

Enhancements

  • Updated the workspace_dashboard dashboard to include information on the accounts, resources, and active controls across different workspaces. (#31)
  • Updated the workspace_account_report dashboard to display resources, policy settings, alerts, and active controls across workspaces instead of the TE version. (#31)

Enhancements

  • Optimized several queries to minimize API usage, achieving faster performance. (#786)

Bug fixes

  • The rotationPeriod and nextRotationTime attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.

What's new?

  • You can now configure Encryption in Transit for Flexible Servers. To get started, set the Azure > MySQL > Flexible Server > Encryption in Transit > * policies.
  • We've updated the runtime of the lambda functions to Node 18. You should not notice any difference; things will continue to work as before.
  • Resource metadata will now also include createdBy details in the Turbot CMDB.

Control Types

  • Azure > MySQL > Flexible Server > Encryption in Transit

Policy Types

  • Azure > MySQL > Flexible Server > Encryption in Transit

Action Types

  • Azure > MySQL > Flexible Server > Update Encryption in Transit

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You should not notice any difference; things will continue to work as before.
  • Resource metadata will now also include createdBy details in the Turbot CMDB.

Policy Types

  • Azure > App Service > App Service Plan > Approved > Custom
  • Azure > App Service > Function App > Approved > Custom
  • Azure > App Service > Web App > Approved > Custom

Bug fixes

  • The AWS > VPC > Flow Log > Configured control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.

What's new?

Enhancements

  • The account_id column has now been assigned as a connection key column across all tables, which facilitates more precise and efficient querying across multiple AWS accounts. (#2133)

Bug fixes

  • Fixed the getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for the unsupported ADConnector services instead of an error. (#2170)

What's new?

  • You can now configure log checkpoints for Flexible Servers. To get started, set the Azure > PostgreSQL > Flexible Server > Audit Logging > * policies.
  • We've updated the runtime of the lambda functions to Node 18. You should not notice any difference; things will continue to work as before.

Control Types

  • Azure > PostgreSQL > Flexible Server > Audit Logging

Policy Types

  • Azure > PostgreSQL > Flexible Server > Audit Logging
  • Azure > PostgreSQL > Flexible Server > Audit Logging > Log Checkpoints

Action Types

  • Azure > PostgreSQL > Flexible Server > Update Audit Logging

What's new?

  • You can now configure expiration for Key Vault Keys and Secrets. To get started, set the Azure > Key Vault > Key > Expiration > * and Azure > Key Vault > Secret > Expiration > * policies respectively.

Control Types

  • Azure > Key Vault > Key > Expiration
  • Azure > Key Vault > Secret > Expiration

Policy Types

  • Azure > Key Vault > Key > Expiration
  • Azure > Key Vault > Key > Expiration > Days [Default]
  • Azure > Key Vault > Secret > Expiration
  • Azure > Key Vault > Secret > Expiration > Days [Default]

Action Types

  • Azure > Key Vault > Key > Set Expiration
  • Azure > Key Vault > Secret > Set Expiration

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You should not notice any difference; things will continue to work as before.

What's new?

  • Added CIS v3.0.0 benchmark (powerpipe benchmark run gcp_compliance.benchmark.cis_v300). (#158)

What's new?

  • We've updated the runtime of the lambda functions to Node 18. You should not notice any difference; things will continue to work as before.

Bug fixes

  • The Azure > Storage > Storage Account > Queue > Logging control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.

v0.40.0 [2024-04-12]

What's new?

Bug fixes

  • Fixed the github_workflow table to correctly return data for dynamic workflows instead of an error. (#412)
  • Fixed the plugin's Postgres FDW Extension crash issue.

What's new?

Enhancements

  • Added snapshot_block_public_access_state column to aws_ec2_regional_settings table. (#2077)

Bug fixes

  • Fixed the getDirectoryServiceSnapshotLimit and getDirectoryServiceEventTopics hydrate calls in the aws_directory_service_directory table to correctly return nil for unsupported SharedMicrosoftAD services instead of an error. (#2156)

What's new?

  • You can now delete existing Public IP Addresses which are unapproved for use in the Subscription. To get started, set the Azure > Network > Public IP Address > Approved policy to Enforce: Delete unapproved.

What's new?

  • Added support for connection key columns. (#768)
  • Added sp_ctx and sp_connection_name columns to all tables. (#769)

What's new?

  • You can now configure Encryption in Transit for Flexible Servers. To get started, set the Azure > PostgreSQL > Flexible Server > Encryption in Transit > * policies.

Control Types

  • Azure > PostgreSQL > Flexible Server > Encryption in Transit

Policy Types

  • Azure > PostgreSQL > Flexible Server > Encryption in Transit

Action Types

  • Azure > PostgreSQL > Flexible Server > Update Encryption in Transit

Bug fixes

  • Updated the foundational_security_lambda_2 control to check for the latest Lambda runtimes as per the AWS FSBP document. (#778) (Thanks @sbldevnet for the contribution!)
  • Fixed the title of secretsmanager_secret_unused_90_day control. (#783)

What's new?

  • You can now delete existing Entra ID users that are not approved for use in the Tenant. To get started, set the Azure > Active Directory > User > Approved policy to Enforce: Delete unapproved.

Policy Types

  • Azure > Active Directory > User > Approved > Custom

What's new?

  • You can now configure the TLS version for Flexible Servers. To get started, set the Azure > MySQL > Flexible Server > Minimum TLS Version > * policies.

Enhancements

  • Added the following controls to the All Controls benchmark: (#253)
    • cosmosdb_account_uses_aad_and_rbac
    • iam_user_not_allowed_to_create_tenants
    • securitycenter_image_scan_enabled

Bug fixes

  • Updated the postgres_db_server_allow_access_to_azure_services_disabled query to check if the endIpAddress column is set to 0.0.0.0 instead of 255.255.255.255 as per the CIS documentation. (#253)

What's new?

  • Account CMDB data will now also include alternate security contact details.

What's new?

Control Types

  • AWS > CIS v2.0
  • AWS > CIS v2.0 > 1 - Identity and Access Management
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v2.0 > 2 - Storage
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v2.0 > 3 - Logging
  • AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  • AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs
  • AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v2.0 > 4 - Monitoring
  • AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v2.0 > 5 - Networking
  • AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2

Policy Types

  • AWS > CIS v2.0
  • AWS > CIS v2.0 > 1 - Identity and Access Management
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.01 - Maintain current contact details > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.03 - Ensure security questions are registered in the AWS account > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.04 - Ensure no 'root' user account access key exists
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.05 - Ensure MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.06 - Ensure hardware MFA is enabled for the 'root' user account
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.07 - Eliminate use of the 'root' user for administrative and daily tasks
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.08 - Ensure IAM password policy requires minimum length of 14 or greater
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure IAM password policy prevents password reuse
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.11 - Do not setup access keys during initial user setup for all IAM users that have a console password
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.12 - Ensure credentials unused for 45 days or greater are disabled
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.13 - Ensure there is only one active access key available for any single IAM user
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.14 - Ensure access keys are rotated every 90 days or less
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.15 - Ensure IAM Users Receive Permissions Only Through Groups
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.16 - Ensure IAM policies that allow full "*:*" administrative privileges are not attached
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.17 - Ensure a support role has been created to manage incidents with AWS Support
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.18 - Ensure IAM instance roles are used for AWS resource access from instances
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.19 - Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.20 - Ensure that IAM Access analyzer is enabled for all regions
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.21 - Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted
  • AWS > CIS v2.0 > 1 - Identity and Access Management > 1.22 - Ensure access to AWSCloudShellFullAccess is restricted > Attestation
  • AWS > CIS v2.0 > 1 - Identity and Access Management > Maximum Attestation Duration
  • AWS > CIS v2.0 > 2 - Storage
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3)
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.01 - Ensure S3 Bucket Policy is set to deny HTTP requests
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.02 - Ensure MFA Delete is enabled on S3 buckets
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.03 - Ensure all data in Amazon S3 has been discovered, classified and secured when required > Attestation
  • AWS > CIS v2.0 > 2 - Storage > 2.01 - Simple Storage Service (S3) > 2.01.04 - Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2)
  • AWS > CIS v2.0 > 2 - Storage > 2.02 - Elastic Compute Cloud (EC2) > 2.02.01 - Ensure EBS Volume Encryption is Enabled in all Regions
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS)
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.01 - Ensure that encryption-at-rest is enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.02 - Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
  • AWS > CIS v2.0 > 2 - Storage > 2.03 - Relational Database Service (RDS) > 2.03.03 - Ensure that public access is not given to RDS Instance
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS)
  • AWS > CIS v2.0 > 2 - Storage > 2.04 - Elastic File System (EFS) > 2.04.01 - Ensure that encryption is enabled for EFS file systems
  • AWS > CIS v2.0 > 2 - Storage > Maximum Attestation Duration
  • AWS > CIS v2.0 > 3 - Logging
  • AWS > CIS v2.0 > 3 - Logging > 3.01 - Ensure CloudTrail is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.02 - Ensure CloudTrail log file validation is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.03 - Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
  • AWS > CIS v2.0 > 3 - Logging > 3.04 - Ensure CloudTrail trails are integrated with CloudWatch Logs
  • AWS > CIS v2.0 > 3 - Logging > 3.05 - Ensure AWS Config is enabled in all regions
  • AWS > CIS v2.0 > 3 - Logging > 3.06 - Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.07 - Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • AWS > CIS v2.0 > 3 - Logging > 3.08 - Ensure rotation for customer created symmetric CMKs is enabled
  • AWS > CIS v2.0 > 3 - Logging > 3.09 - Ensure VPC flow logging is enabled in all VPCs
  • AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket
  • AWS > CIS v2.0 > 3 - Logging > Maximum Attestation Duration
  • AWS > CIS v2.0 > 4 - Monitoring
  • AWS > CIS v2.0 > 4 - Monitoring > 4.01 - Ensure unauthorized API calls are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.02 - Ensure management console sign-in without MFA is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.03 - Ensure usage of 'root' account is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.04 - Ensure IAM policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.05 - Ensure CloudTrail configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.06 - Ensure AWS Management Console authentication failures are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.07 - Ensure disabling or scheduled deletion of customer created CMKs is monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.08 - Ensure S3 bucket policy changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.09 - Ensure AWS Config configuration changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.10 - Ensure security group changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.11 - Ensure Network Access Control Lists (NACL) changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.12 - Ensure changes to network gateways are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.13 - Ensure route table changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.14 - Ensure VPC changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.15 - Ensure AWS Organizations changes are monitored
  • AWS > CIS v2.0 > 4 - Monitoring > 4.16 - Ensure AWS Security Hub is enabled
  • AWS > CIS v2.0 > 4 - Monitoring > Maximum Attestation Duration
  • AWS > CIS v2.0 > 5 - Networking
  • AWS > CIS v2.0 > 5 - Networking > 5.01 - Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access'
  • AWS > CIS v2.0 > 5 - Networking > 5.05 - Ensure routing tables for VPC peering are 'least access' > Attestation
  • AWS > CIS v2.0 > 5 - Networking > 5.06 - Ensure that EC2 Metadata Service only allows IMDSv2
  • AWS > CIS v2.0 > 5 - Networking > Maximum Attestation Duration
  • AWS > CIS v2.0 > Maximum Attestation Duration