Bug fixes

• Removed unnecessary attributes from the default value of the Kubernetes > Pod > osquery > Configuration > Columns policy, which previously caused churn by unnecessarily triggering the Kubernetes > Pod > CMDB control.

Bug fixes

• Server
  • Removed stray debug logs.

Requirements

• TEF: 1.65.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• Server
  • Improved error handling for Runnable Monitor and Event Monitor to catch uncaught exceptions.

Requirements

• TEF: 1.65.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• Control Types:
  • Adjusted the sequence of operations for Turbot > Workspace > Background Tasks to ensure a more reliable and consistent execution flow.

Requirements

• TE: 5.35.4

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
• Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
• Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
• Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Improved the logic in the Table and Configuration Item controls to avoid querying credentials unnecessarily when those controls are skipped.
• Improved the GraphQL input query for the Configuration Item > Record policy to retrieve only the essential details required for the policy's functionality. This enhancement enables Guardrails to evaluate policies more efficiently, improving performance and reducing processing load.

Bug fixes

• CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.

Bug fixes

• The Azure > Storage > Storage Account > Tags control previously failed to update tags for storage accounts of type StandardV2_LRS. This issue has been resolved, and the control now correctly updates tags for this storage account type.
• The Azure > Storage > Queue > Discovery control previously entered an error state for storage accounts of kind FileStorage. This issue has been resolved, and the control will now be skipped for such storage accounts.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• You can now configure and manage rotation for secrets. To get started, set the AWS > Secrets Manager > Secret > Rotation > * policies.

Control Types

• AWS > Secrets Manager > Secret > Rotation

Policy Types

• AWS > Secrets Manager > Secret > Rotation
• AWS > Secrets Manager > Secret > Rotation > Schedule Expression

Action Types

• AWS > Secrets Manager > Secret > Set Rotation

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

Bug fixes

• Server

  • Reduced the time taken to collect and process data in Account > Statistics, resulting in noticeably faster and a smoother experience.
  • Enhanced the reliability of Turbot > Mod > Runnable Monitor and Turbot > Mod Event Monitor by improving how they handle temporary lock conflicts, ensuring more consistent operation.
  • Fixed an issue where moving a resource between parents could create an incorrect path.
  • Policy packs can now only be attached to resources where it is feasible to attach.

• UI

  • Resolved a layout issue where long resource names could break the detail headers on the Control, Process, and Policy pages.

Requirements

• TEF: 1.65.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

Bug fixes

• Guardrails previously upserted DB parameter groups into the CMDB with incorrect casing when they were created using uppercase letters in AWS. This occasionally caused the AWS > RDS > DB Parameter Group > CMDB control to enter an error state due to duplicate AKAs. We have improved the handling of create and copy real-time events for parameter groups to ensure they are now upserted correctly and more reliably.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

Bug fixes

• The AWS > VPC > Transit Gateway Attachment > CMDB control would sometimes go into an error state when ResourceOwnerId for the resource was not available in the CMDB data. This is fixed and the control will now work correctly, as expected.

Bug fixes

• Guardrails stack controls that created or claimed IAM roles would sometimes run unnecessarily due to a mismatch in the default value for force_detach_policies in the Terraform mapping for the resource type. We have now removed the conflicting default to prevent such unnecessary executions. You now need to explicitly define force_detach_policies to override the existing Terraform default value (if required by your use case).

What's new?

• You can now configure retention period for log groups. To get started, set the AWS > Logs > Log Group > Retention > * policies.

Control Types

• AWS > Logs > Log Group > Retention

Policy Types

• AWS > Logs > Log Group > Retention
• AWS > Logs > Log Group > Retention > Period

Action Types

• AWS > Logs > Log Group > Update Retention

What's new?

• UI
  • Added support for multiple input queries (with ability to use Nunjucks template functionality) in the calculated policy editor allowing teams to create complex calculated policies involving a pipeline of GraphQL queries.

Bug fixes

• Server

  • Turbot/ReadOnly permission is now sufficient to create, delete, and update favorites.
  • Resolved an issue that was blocking users from running quick actions due to incorrect permission checks.
  • Tightened permissions for smart folder attachments and detachments to prevent unauthorized access.
  • Account/ReadOnly users can now successfully manage favorites, including creation, deletion, and updates.

• UI

  • Policy settings can now be created by users with Account/Admin permission, as intended, instead of incorrectly requiring Account/Owner.
  • Quick action runs no longer fail for users with a single grant due to a UI permission check issue.

Requirements

• TEF: 1.65.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• AWS > CloudFront > Distribution > Stack [Native]

Policy Types

• AWS > CloudFront > Distribution > Stack [Native]
• AWS > CloudFront > Distribution > Stack [Native] > Drift Detection
• AWS > CloudFront > Distribution > Stack [Native] > Drift Detection > Interval
• AWS > CloudFront > Distribution > Stack [Native] > Modifier
• AWS > CloudFront > Distribution > Stack [Native] > Secret Variables
• AWS > CloudFront > Distribution > Stack [Native] > Source
• AWS > CloudFront > Distribution > Stack [Native] > Timeout
• AWS > CloudFront > Distribution > Stack [Native] > Variables
• AWS > CloudFront > Distribution > Stack [Native] > Version

Bug fixes

• The GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-iam rendered the real-time events filter for Project User resource type incorrectly, which caused the GCP > Logging > Sink > Configured control for Logging sinks created via Event Handlers to go into an error state. This issue is now fixed.
• The GCP > IAM > Project User > CMDB control entered an error state due to incorrect internal references introduced in the previous version of the mod (v5.17.0). This issue has been fixed, and the control now works as expected.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Types:
  • Turbot > Quick Actions > Permission Levels to allow account, azure and gcp as a permission type.
  • Added class: ACCOUNT to Turbot > Notifications > CC > Tag and Turbot > Notifications > CC > Tag > Name.

Bug fixes

• Control Types:
  • The Turbot > Workspace > Usage control will be skipped in GovCloud deployments.

Requirements

• TE: 5.35.4

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

Bug fixes

• The GCP > Project > Labels control failed to apply labels to projects according to the GCP > Project > Labels > Template policy. This issue has been fixed.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Internal definitions for the AWS > Organization resource type have been updated. All functionality will continue to work smoothly as before.

Bug fixes

• We've updated internal definitions for Quick Actions on the AWS > S3 > Bucket > Public Access Block control type. All functionality will continue to work smoothly as before.

What's new?

• The AWS > EC2 > Target Group > Discovery control sometimes failed to upsert target groups under gateway load balancers that were not present in the CMDB. This occurred because Guardrails was unable to discover those gateway load balancers due to an outdated list of supported regions. The list has been refreshed for the AWS > EC2 > Gateway Load Balancer resource type, enabling Guardrails to discover and manage these resources across all supported AWS regions.

Bug fixes

• Server

  • Improved how policy values are selected for the priority queue, resulting in faster and more efficient processing.

• UI

  • Pagination and title-based sorting are now supported in policy targets, making navigation smoother.
  • The Permissions modal is more stable and won’t crash if some data is missing.

Requirements

• TEF: 1.65.0
• TED: 1.9.1

Base images

Alpine: 3.17.5` Ubuntu: 22.04.3

Bug fixes

• CMDB controls for custom tables and records occasionally failed to update data in the CMDB correctly. This issue has been resolved.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

Bug fixes

• Server

  • Resolved an issue that was preventing users from logging in via SAML.

• UI

  • Action buttons now show up correctly on the process logs page, whether you’re viewing control or policy.

Requirements

• TEF: 1.65.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Added support for Contactable interface in various resource types.

Bug fixes

• We've enhanced event handling to dynamically filter cloud provider events based on the CMDB policy for each resource type. If a resource's CMDB policy is not set to Enforce: Enabled, events for that resource type will be excluded from the event handling configuration. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

What's new?

• Added support to process real-time events for ServiceNow custom tables and their records.
• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

What's new?

Resource Types

• ServiceNow > Custom
• ServiceNow > Custom > Record
• ServiceNow > Custom > Table

Control Types

• ServiceNow > Custom > Record > CMDB
• ServiceNow > Custom > Record > Discovery
• ServiceNow > Custom > Table > Business Rule
• ServiceNow > Custom > Table > CMDB
• ServiceNow > Custom > Table > Discovery

Policy Types

• ServiceNow > Custom > Record > CMDB
• ServiceNow > Custom > Record > CMDB > Query
• ServiceNow > Custom > Record > CMDB > Title
• ServiceNow > Custom > Table > Business Rule
• ServiceNow > Custom > Table > Business Rule > Name
• ServiceNow > Custom > Table > CMDB
• ServiceNow > Custom > Table > CMDB > Tables

Action Types

• ServiceNow > Custom > Record > Router

What's new?

• The AWS > Region > Discovery > Connection Region policy has been deprecated and will be removed in the next major version of the mod (v6.0.0). Two new policies, AWS > Account > Connection Region [Default] and AWS > Region > Connection Region, have been introduced. These policies streamline connection region management across all global resource types in various services. For the deprecated AWS > Region > Discovery > Connection Region policy, we recommend migrating existing settings to the AWS > Region > Connection Region policy if you intend to define a connection region for discovering Region resources. Alternatively, you may configure the AWS > Account > Connection Region [Default] policy, which serves as the default region for discovering all global resources across services in your account.

Policy Types

• AWS > Account > Connection Region [Default]
• AWS > Region > Connection Region

Renamed

• AWS > Region > Discovery > Connection Region to AWS > Region > Discovery > Connection Region [Deprecated]

What's new?

• You can now configure a connection region to allow Guardrails to fetch details for S3 accounts in CMDB. To get started, set the AWS > S3 > Connection Region policy. This policy defaults to the value of the AWS > Account > Connection Region [Default] policy, which can be used to define a default connection region for all global resources in an account.

Policy Types

• AWS > S3 > Connection Region

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

Bug fixes

• Guardrails previously processed the organizations:MoveAccount real-time event incorrectly for individually imported management accounts, inadvertently deleting them from the CMDB. We have tightened the validation checks to prevent such deletions in these cases.

Bug fixes

• Discovery controls for various SageMaker resources previously attempted to fetch a maximum of 10 resources per API call, which occasionally led to throttling when a high number of resources existed in the account. This limit has now been increased to 100 (the maximum supported by the APIs) to enable the Discovery controls to retrieve all resources without errors and upsert them into the CMDB.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

Bug fixes

• We have improved event handling configuration to filter AWS Organization events that Guardrails listens for, based on the CMDB policies for resource types. If the CMDB policy for a resource type is not set to Enforce: Enabled, the EventBridge rule for Organizations will exclude events for that resource type.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Server
  • Introducing scoped Account/* permissions to help application teams manage their own accounts.
  • Notifications routing based on permissions.

Bug fixes

• Server

  • Controls no longer crashes when there's a parsing issue in rule-based notifications. Instead, it logs the error gracefully and continues running.
  • Fixed a problem where certain operations could trigger a "callback already called" error, improving overall reliability of caching.
  • The Type Installed control now spreads events over time to reduce the likelihood of API throttling during large-scale installations or updates.
  • Guardrails now skips storing resource tags larger than 1 KB to ensure only valid tags are saved and to avoid potential issues later.
  • The osquery worker now correctly uses the TURBOT_RDS_SSL_FILE environment variable to point to the right certificate file, fixing an issue where it previously referenced the wrong path.
  • To improve reliability and performance, Guardrails prioritizes events in the order Type Installed > Policies > Scheduled Actions > Controls.
  • Resolved an issue where authenticated users without the appropriate permissions were able to access process logs.

• UI

  • Switching between self and descendant modes no longer clears existing filter configurations — your selections will now persist as expected.

Account Permissions

Introduced a new category of permissions — Account/ — designed specifically for application teams who need limited visibility and control over resources within their own accounts. These are distinct from the Turbot/ permissions used by governance teams.

• Account levels:

  • Account/Owner
  • Account/Admin
  • Account/Operator
  • Account/ReadOnly

• These levels are now explained alongside Turbot/* levels, with clear usage guidance:

  • Turbot/* — for managing the Guardrails platform
  • Account/* — for managing resources and notifications within cloud accounts

Notification Routing to Guardrails Profiles

You can now route notifications to Guardrails user profiles dynamically based on resource permissions — a major upgrade from static email/webhook targeting. This allows for context-aware delivery to users like Account Owners or Admins.

• Supported formats:
  • Specific roles like Account/Owner, Turbot/Owner
  • Wildcards like Account/*
  • Special role Account/CC for tagging-based routing
  • Use case:
    • Automatically notify account teams responsible for a resource, based on their assigned permission

Access Controls Refined for Process Logs

Access to process logs is now restricted to users with appropriate permissions, specifically those with Turbot/Metadata or higher.

Previously, any authenticated user could retrieve process logs via the API. This behavior has been corrected to align with expected permission boundaries and prevent overexposure of operational data.

Requirements

• TEF: 1.65.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• Cleaned up unnecessary help messages from AWS > VPC > Security Group Rule > CMDB control.

Bug fixes

• The GCP > IAM > Service Account > CMDB control would sometimes enter a skipped state for newly imported projects if certain required attributes were missing from the IAM service's CMDB data. The control will now go into a TBD state instead and rerun after five minutes to allow the IAM service's CMDB data to populate correctly for newly imported projects.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

Bug fixes

• Guardrails would sometimes ignore the GCP > BigQuery > Table > CMDB policy set to Enforce: Disabled and still upsert table resources via real-time events in CMDB. These resources were subsequently cleaned up by the CMDB control. This issue has been resolved, and the CMDB policy will now be correctly respected before upserting resources.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Types:
  • Turbot > Notifications > Email > CC
  • Turbot > Notifications > Email > CC > Tag
  • Turbot > Notifications > Email > CC > Tag > Name
  • Updated Turbot > Workspace > Retention > Activity Retention to 90 days
  • Updated default policy for Turbot > Notifications > Rule-Based Routing updated to use Account/* as the default recipient profile.
  • Relaxed the regex for MS teams webhook URL in Turbot > Notifications > Rule-Based Routing to allow broader URL formats.

Turbot > Workspace > Retention > Activity Retention

The default retention period for activity has been updated to 90 days (previously unlimited)

Storing too much historical activity data can slow down the system and increase storage costs. By setting a 90-day default, we ensure:

• Faster queries and improved UI performance
• A better balance between data retention and storage efficiency

Need more or less retention? You can adjust based on your needs:

For self-hosted environments, the 90-day default will apply when upgrading to @turbot/turbot version 5.51.0 or higher, unless a custom retention policy is set.

Requirements

• TE: 5.35.4

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.
• Added support for af-south-1, ap-east-1, ap-southeast-3, ap-southeast-5, ap-southeast-7, ca-west-1, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1 and me-south-1 regions in the AWS > Lambda > Regions policy.
• Corrected the region in the AWS > Lambda > Function Alias > Regions policy by updating us-west-3 to the correct region, us-west-2.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated internal dependencies and now use newer Azure SDK versions to discover and manage Security Center resources in Guardrails. This release includes breaking changes in the CMDB data for security center. We recommend updating your existing settings to refer to the updated attributes as mentioned below:

Added:

• policy.enforcementMode
• policy.nonComplianceMessages
• policy.systemData

Removed:

• policy.sku

Renamed:

• settings[*].properties.enabled to settings[*].enabled

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The CMDB control for various resource types inadvertently removed the partition value from a resource's metadata when the AWS > Account > Partition policy value was null, resulting in a malformed AKA. We have tightened checks on partition values to ensure the control no longer updates resources with incorrect partition details.

Bug fixes

• Real-time delete events for topics would sometimes result in the deletion of subscriptions under a different topic in the CMDB. This issue has been fixed, and subscriptions are now cleaned up more reliably than before.

Bug fixes

• The AWS > MySQL > Server > CMDB policy will now be set to Skip by default because the resource type has been deprecated and will be removed in the next major version. Please check Single Server retirement for more information.

Resource Types

Renamed

• Azure > MySQL > Server to Azure > MySQL > Server [Deprecated]

Control Types

Renamed

• Azure > MySQL > Server > Active to Azure > MySQL > Server [Deprecated] > Active
• Azure > MySQL > Server > Approved to Azure > MySQL > Server [Deprecated] > Approved
• Azure > MySQL > Server > CMDB to Azure > MySQL > Server [Deprecated] > CMDB
• Azure > MySQL > Server > Discovery to Azure > MySQL > Server [Deprecated] > Discovery
• Azure > MySQL > Server > Encryption in Transit to Azure > MySQL > Server [Deprecated] > Encryption in Transit
• Azure > MySQL > Server > Tags to Azure > MySQL > Server [Deprecated] > Tags

Policy Types

Renamed

• Azure > MySQL > Server > Active to Azure > MySQL > Server [Deprecated] > Active
• Azure > MySQL > Server > Active > Age to Azure > MySQL > Server [Deprecated] > Active > Age
• Azure > MySQL > Server > Active > Last Modified to Azure > MySQL > Server [Deprecated] > Active > Last Modified
• Azure > MySQL > Server > Approved to Azure > MySQL > Server [Deprecated] > Approved
• Azure > MySQL > Server > Approved > Custom to Azure > MySQL > Server [Deprecated] > Approved > Custom
• Azure > MySQL > Server > Approved > Regions to Azure > MySQL > Server [Deprecated] > Approved > Regions
• Azure > MySQL > Server > Approved > Usage to Azure > MySQL > Server [Deprecated] > Approved > Usage
• Azure > MySQL > Server > CMDB to Azure > MySQL > Server [Deprecated] > CMDB
• Azure > MySQL > Server > Encryption in Transit to Azure > MySQL > Server [Deprecated] > Encryption in Transit
• Azure > MySQL > Server > Regions to Azure > MySQL > Server [Deprecated] > Regions
• Azure > MySQL > Server > Tags to Azure > MySQL > Server [Deprecated] > Tags
• Azure > MySQL > Server > Tags > Template to Azure > MySQL > Server [Deprecated] > Tags > Template

Action Types

Removed

• Azure > MySQL > Server > Delete
• Azure > MySQL > Server > Router
• Azure > MySQL > Server > Set Tags
• Azure > MySQL > Server > Update Encryption in Transit

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• We have improved our event handling configuration to filter AWS SQS events that Guardrails listens for based on the AWS > SQS > Queue > CMDB policy. If the CMDB policy is not set to Enforce: Enabled, the EventBridge rule for SQS will not be configured, preventing events for that resource type. This enhancement significantly reduces the number of unnecessary events processed by Guardrails.

Policy Types

• AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-sqs

Removed

• AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-sqs

What's new?

• Added S3 Lifecycle rules for Hive bucket.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

Bug fixes

• The AWS > Turbot > IAM stack control occasionally encountered an error while attaching tags with special characters to Guardrails-managed users and roles. This issue is now fixed.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Added support for Contactable interface in various resource types.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.
• Updated the default permissions required to run Quick Actions to include Account-type permissions in addition to the existing Turbot-type permissions.
• Added support for Contactable interface in various resource types.

Bug fixes

• The Azure > Compute > Disk > Discovery control occasionally encountered an error while upserting attached disks under VMs that were not available in Guardrails CMDB. Now, all disks will be upserted under their respective resource groups, ensuring the Discovery control functions more smoothly and reliably than before.

What's new?

• Added a new SSM parameter to forward the DB logs to CloudWatch log group.
• Added support for postgres version 16.5, 16.6, 16.7 and 16.8.
• Updated defaults for database and cache instances
  • Database instance type: Default updated to db.m6g.large.
  • Allocated database storage: Default increased to 400 GB.
  • Storage throughput: Default set to 500 MB/s.
  • Database engine parameter group family: Now defaults to postgres16.
  • Database engine version: Updated to 16.4.
  • Cache node type: Default updated to cache.r6g.large.
  • Allocated IOPS: Default increased to 12,000.
  • DB parameter group: Now defaults to HiveParamGroup16.
  • Shared buffer: Default set to {DBInstanceClassMemory/20480} for optimized performance.
  • Maximum statement duration: Default updated to 600,000 ms (10 minutes) to improve query execution limits.

What's new?

• Added parameter to manage ALB timeout, allowing better control over request handling.
• Added parameter to customize API Gateway domain name. For backward compatibility, the default value remains gateway.
• Added parameter to control message rate in the queue, enabling better queue message management.
• S3 Lifecycle Rules now automatically enable ‘Expired Object Delete Markers’ for cleanup and remove incomplete multipart uploads after 7 days to prevent storage waste.
• HOP limit increased to 2 for improved request forwarding.
• Route53 Record for API Gateway now includes the GatewayPrefix to enhance routing accuracy.

Bug fixes

• Guardrails would fail to process real-time delete events for subscriptions. This is now fixed.
• Fixed pagination for Azure > Turbot > Event Poller control.
• Real-time Microsoft.Resources tagging events will now be processed only for subscriptions and resource groups, and will be ignored for other resource types. This will avoid unnecessary triggers for subscription & resource group router actions.

What's new?

• Server
  • Added multi region KMS encryption for Tenant Master Key.
  • Guardrails now provides an override parameter at the TE level to configure API and Event container memory reservations, improving ECS task scaling and resource flexibility.

Multi Region KMS Key

Starting from TEF v1.65.0 and TE v5.49.0, a new multi-region KMS key is created at the TEF level.

When workspaces are upgraded to TE v5.49.0, Guardrails use this new key to re-encrypt the existing Tenant Master Key within the workspaces. The Tenant Master Key itself remains unchanged-only its encryption is updated. The previous version, encrypted with a regional KMS key, remains available.

If a workspace is downgraded to TE v5.48.0, the multi-region encryption persists. Upon re-upgrading to TE v5.49.0, re-encryption does not occur again.

This process works seamlessly unless TEF is downgraded to a version earlier than v1.65.0.

Requirements

• TEF: 1.65.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Added contactable interface.
• New policy type classes GUARDRAIL, SETTING, and ACCOUNT have been introduced to define the scope of policies.

Requirements

• TE: 5.35.4

What's new?

• UI
  • Update controls trend graph to use the latest counts.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• You can now filter ServiceNow records using encoded query strings and discover them in Guardrails. To get started, set the CMDB > Query policy for various resource types. For more details, refer to the ServiceNow documentation on encoded query strings.

Policy Types

• ServiceNow > Application > CMDB > Query
• ServiceNow > Cost Center > CMDB > Query
• ServiceNow > User > CMDB > Query

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

Bug fixes

• Filter policies for real-time events will now evaluate correctly if CMDB policies for resource types are set to Skip or Enforce: Disabled.

Bug fixes

• The GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-storage policy now respects CMDB policy settings for resource types and filters out real-time events when the policies are set to Skip or Enforce: Disabled. We recommend upgrading the gcp mod to v5.30.2 or higher in order to process real-time events correctly.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• Mute controls if you want to ignore them. The turbot_control_mute allows muting a control to help streamline operations without compromising security policies.

Bug fixes

• Fixed typo in an error message while calling Guardrails APIs.

Documentation

• Updated example for turbot_policy_pack resource.
• Fixed spacing in turbot_turbot_directory documentation.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• UI
  • Users can now select permissions (ReadOnly + Global Event Handlers or Full Remediation) to apply to the IAM role in the CFN template when importing an AWS Organization or Account.

Bug fixes

• UI
  • Fixed an issue where the terminate process call sometimes received an empty input when terminating a queued process.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
• Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• We've updated the runtime of the lambda functions to Node 22. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.

Bug fixes

• Guardrails would sometimes update resource metadata details inadvertently in CMDB due to incorrect handling of real-time update events. This issue has been fixed, and real-time update events are now processed more reliably.
• Controls and their associated actions previously retried unnecessarily when their API calls returned an error. This issue has now been fixed.

What's new?

• Server
  • Updated Workspace Manager Lambda to automatically populate the Turbot > Workspace > Guardrails Master Account policy for improved management.

Bug fixes

• UI
  • Adjusted stats limit to 30 days, ensuring a full month of data visibility.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• The AWS > VPC > Transit Gateway Attachment > Discovery [Cross-Account] control would sometimes upsert transit gateway attachments in a deleted or deleting state. This issue is now fixed.

Bug fixes

• The AWS > VPC > Transit Gateway Attachment > CMDB control previously, in some cases, inadvertently deleted cross-account transit gateway attachments from Guardrails CMDB. This issue has now been fixed.

What's new?

• You can now configure a custom tag name to start/stop DB clusters via the AWS > RDS > DB Cluster > Schedule control. To get started, set the AWS > RDS > DB Cluster > Schedule Tag > Name policy.

Policy Types

• AWS > RDS > DB Cluster > Schedule Tag > Name

What's new?

Action Types

• Azure > Subscription > Router

Bug fixes

• Guardrails would fail to process real-time tagging events for subscriptions. This is now fixed.
• The default template input in Azure > Subscription > Tags > Template policy referred to an incorrect policy for its value. This is now fixed.

Bug fixes

• Resolved a race condition in Turbot > Smart Retention to ensure smoother execution.

Requirements

• TE: 5.35.4

Bug fixes

• Fixed the naming convention for EventBridge rule for organization level events.

Bug fixes

• In version 5.35.0, we added support for importing an AWS organization into Guardrails but inadvertently introduced a bug that prevented real-time events for the aws-organizations mod from being processed correctly. This issue has now been fixed.

Policy Types

Renamed

• AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-organizations to AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws

Bug fixes

• Guardrails failed to handle real-time creation and tagging events for organizational account resources. This is now fixed.

Policy Types

• AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-organizations

Removed

• AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-organizations

Bug fixes

• Server
  • Rolled back dynamic queueing adjustments to restore previous behavior.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Version bump to align with deployment requirements.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• UI

  • Addressed an issue where resource card links on the Resources dashboard were not working as expected.

• Server

  • Prevented the runnable monitor from entering an infinite loop.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• UI
  • Policy pack descriptions are now visible in the list view and detail page header for better clarity.

Bug fixes

• UI
  • Run and Terminate buttons now appear properly on the process detail page, ensuring a smoother experience.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• The GCP > Storage > Bucket > Policy > Trusted Access control previously failed to evaluate results correctly and caused internal process timeouts when Guardrails was denied access to fetch IAM policy bindings for buckets. This issue has been resolved, ensuring that the control now evaluates results and terminates correctly as expected.

Bug fixes

• The Azure > Compute > Virtual Machine > Tags control would sometimes failed to update tags on spot instances. This is now fixed.

Bug fixes

• The AWS > S3 > Bucket > Discovery control incorrectly went into a skipped state when the AWS > S3 > Bucket > CMDB policy was set to Enforce: Enabled but ignore permission errors. This is fixed and control will now work as expected.

What's new?

• UI
  • Added 'Resource Type' column to activity ledger CSV exports.
  • Improved usability of the Resource trend graph.

Bug fixes

• Server
  • Recursive loops in Lambda are now handled seamlessly without termination.
  • Optimize message queue dispatch based on DB CPU usage, connections, and queue load.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Policy Types:
  • Turbot > Workspace > Guardrails Master Account

Requirements

• TE: 5.35.4

Bug fixes

• The Azure > SQL > Server > CMDB control sometimes failed to fetch data for the associated firewall rules. This issue has now been fixed.

Bug fixes

• The Azure > CIS v2.0 > 04 - Database Services > 4.01 SQL Server - Auditing > 4.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) control sometimes failed to evaluate the control state correctly. This issue is now fixed.

What's new?

• You can now configure a custom tag name to start/stop DB instances via the AWS > RDS > DB Instance > Schedule control. To get started, set the AWS > RDS > DB Instance > Schedule Tag > Name policy.

Policy Types

• AWS > RDS > DB Instance > Schedule Tag > Name

Bug fixes

• The AWS > CloudSearch > Domain > CMDB policy will now be set to Skip by default because the resource type has been deprecated and will be removed in the next major version. Please check end of support for more information.

Bug fixes

• Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.

Bug fixes

• Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.

Bug fixes

• Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.

Bug fixes

• Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.

Bug fixes

• Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.

Bug fixes

• Stack [Native] controls now run faster when in skipped state. We've added Precheck conditions in such controls to avoid running GraphQL input queries when skipped, resulting in faster and lighter control runs.

What's new?

• UI
  • Resources and Controls tab now features summary cards for better visibility.

Bug fixes

• UI
  • No more NaN values in summary cards; they now display correctly.
  • Mute and Run Control buttons now respect proper permission checks in the Control Detail page.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• The AWS > Account > CMDB control occasionally encountered an error state while fetching tagging details for accounts. This issue has now been fixed.

Bug fixes

• In the previous version, we introduced support for fetching AWS tags on accounts imported as part of an organization. However, this inadvertently caused a bug that removed tags added via the Guardrails API or Terraform on existing account resources. This issue has now been fixed, ensuring that tags added via Guardrails are preserved for individual accounts that are not part of any organization.
• Fixed pattern validation for AWS > Turbot > Event Handlers [Global] > Events > Target > IAM Role ARN policy.

Bug fixes

• Minor internal improvements.

Bug fixes

• UI
  • The role name was not updating correctly in the CFN template for AWS Org import and has now been fixed.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• The real-time event handlers did not process account level events if the associated organization was imported using a delegated account. This is now fixed.

What's new?

• Guardrails now supports configurable soft limits for API and Event container memory reservations in TEF, improving ECS task scaling and resource flexibility.
• Added Guardrails KMS key, a multi-region KMS key for encrypting internal Turbot Guardrails data.
• Added support for Node.js 22 in the Lambda runtime.

What's new?

• Support for IAM based authentication in Redis.

What's new?

• Added a new SSM parameter to enable GCP organization import.
• Introduced Redis-based IAM authentication support.

What's new?

• Server

  • Deprecation Notice: The SmartFolder API has been deprecated and replaced with a new Policy Pack API:
    • createSmartFolder → Use createPolicyPack instead.
    • deleteSmartFolders → Use deletePolicyPacks instead.
    • attachSmartFolders → Use attachPolicyPacks instead.
    • putSmartFolderAttachments → Use putPolicyPackAttachments instead.
    • updateSmartFolders → Use updatePolicyPacks instead.
    • detachSmartFolders → Use detachPolicyPacks instead.
  • The new Policy Pack API introduces targeted resource types, allowing policy packs to be associated only with specific resource types. This is an optional feature, providing more control over policy pack applicability.
  • Added Mute/Un-mute Controls, an alternative to policy setting exceptions. When a control is muted, it will still run in the background but will not affect compliance or trigger alerts.
  • Introduced the Daily Stats API, which tracks daily statistics for each account, helping users monitor trends and activity over time.
  • Added two new policies:
    • Policy Setting Levels: Defines where policy settings can be created.
    • Policy Pack Levels: Specifies where policy packs can be attached.

• UI

  • Added support for muting/un-muting controls directly from the interface.
  • The Import Page UI has been redesigned and now supports:
    • AWS organization import
    • GitHub organization import
    • GCP organization import using service-account-impersonation
  • Added new metrics with separate charts for resources, controls, and actions, making it easier to track compliance and trends.

Bug fixes

• Server

  • Fixed native stack (OpenTofu) and stack (Terraform) log order.

• UI

  • Fixed log message indentation issues for improved readability.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Policy Types:

  • Turbot > Workspace > Retention > Account Statistics Retention
  • Turbot > Workspace > Retention > Account Statistics Retention > Purge Limit
  • Turbot > Workspace > Policy Pack Attachment Levels
  • Turbot > Workspace > Policy Setting Levels

• Control Types:

  • Turbot > Statistics > Accounts

Requirements

• TE: 5.35.4

What's new?

• Users can now discover folders, projects and resources under your organization. To get started, import an organization in your Guardrails workspace.

Resource Types

• GCP > Organization
• GCP > Folder

Control Types

• GCP > Folder > CMDB
• GCP > Folder > Discovery
• GCP > Organization > CMDB
• GCP > Project > Discovery
• GCP > Turbot > Folder Event Poller
• GCP > Turbot > Organization Event Poller

Policy Types

• GCP > External ID Label Name
• GCP > Organization > CMDB
• GCP > Organization > CMDB > Exclude
• GCP > Folder > CMDB
• GCP > Turbot > Folder Event Poller
• GCP > Turbot > Folder Event Poller > Filter
• GCP > Turbot > Folder Event Poller > Interval
• GCP > Turbot > Folder Event Poller > Window
• GCP > Turbot > Organization Event Poller
• GCP > Turbot > Organization Event Poller > Filter
• GCP > Turbot > Organization Event Poller > Interval
• GCP > Turbot > Organization Event Poller > Window

Action Types

• GCP > Folder > Event Poller
• GCP > Folder > Folder Event Handler
• GCP > Folder > Router
• GCP > Organization > Event Poller
• GCP > Organization > Organization Event Handler
• GCP > Organization > Router

What's new?

• Users can now exclude subscriptions that they do not wish to import while importing a tenant in Guardrails. To get started, set the Azure > Tenant > CMDB > Exclude policy.

• Users can now create and manage tags for subscriptions. To get started, set the Azure > Subscription > Tags > * policies.

Control Types

• Azure > Subscription > Tags

Policy Types

• Azure > Subscription > Tags
• Azure > Subscription > Tags > Template
• Azure > Tenant > CMDB > Exclude

Action Types

• Azure > Subscription > Set Tags

What's new?

• Users can now discover OUs, accounts and resources under your organization. To get started, import an organization in your Guardrails workspace.

Resource Types

• AWS > Organization
• AWS > Organization Root
• AWS > Organizational Unit

Control Types

• AWS > Account > Discovery
• AWS > Organization > CMDB
• AWS > Organization Root > CMDB
• AWS > Organization Root > Discovery
• AWS > Organizational Unit > CMDB
• AWS > Organizational Unit > Discovery
• AWS > Turbot > Organization Event Poller

Policy Types

• AWS > Account > Turbot IAM Role > External ID [Default]
• AWS > Account > Turbot IAM Role > Name [Default]
• AWS > Organization > CMDB
• AWS > Organization > CMDB > Exclude
• AWS > Organization > Turbot IAM Role
• AWS > Organization > Turbot IAM Role > External ID
• AWS > Organization Root > CMDB
• AWS > Organizational Unit > CMDB
• AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-organizations
• AWS > Turbot > Organization Event Poller
• AWS > Turbot > Organization Event Poller > Interval
• AWS > Turbot > Organization Event Poller > Window

Action Types

• AWS > Organization > Organization Event Handler
• AWS > Organization > Organization Event Poller
• AWS > Organization Root > Router
• AWS > Organizational Unit > Router

Bug fixes

• The GitHub > Organization > Event Handlers control will now use Turbot > Workspace > GitHub > Secrets policy to set the webhook secret.

What's new?

Resource Types

• GitHub
• GitHub > Organization
• GitHub > Repository

Control Types

• GitHub > Organization > Blocked Users
• GitHub > Organization > CMDB
• GitHub > Organization > Deploy Keys
• GitHub > Organization > Deploy Keys > Enabled
• GitHub > Organization > Event Handlers
• GitHub > Organization > Member Privileges
• GitHub > Organization > Member Privileges > Base Permissions
• GitHub > Organization > Member Privileges > Pages Creation
• GitHub > Organization > Member Privileges > Repository Creation
• GitHub > Organization > Member Privileges > Repository Forking
• GitHub > Repository > CMDB
• GitHub > Repository > Code Security
• GitHub > Repository > Code Security > Push Protection
• GitHub > Repository > Code Security > Secret Scanning
• GitHub > Repository > Default Branch
• GitHub > Repository > Dependabot
• GitHub > Repository > Dependabot > Alerts
• GitHub > Repository > Dependabot > Security Updates
• GitHub > Repository > Discovery
• GitHub > Repository > Discussions
• GitHub > Repository > Discussions > Enabled
• GitHub > Repository > Forking
• GitHub > Repository > Forking > Enabled
• GitHub > Repository > Projects
• GitHub > Repository > Projects > Enabled
• GitHub > Repository > Pull Request
• GitHub > Repository > Pull Request > Delete Branch on Merge
• GitHub > Repository > Pull Request > Merge Configuration
• GitHub > Repository > Visibility
• GitHub > Repository > Wikis
• GitHub > Repository > Wikis > Enabled

Policy Types

• GitHub > Config
• GitHub > Config > Personal Access Token
• GitHub > Login Names
• GitHub > Organization > Blocked Users
• GitHub > Organization > Blocked Users > Usernames
• GitHub > Organization > CMDB
• GitHub > Organization > Deploy Keys
• GitHub > Organization > Deploy Keys > Enabled
• GitHub > Organization > Event Handlers
• GitHub > Organization > Event Handlers > Events
• GitHub > Organization > Member Privileges
• GitHub > Organization > Member Privileges > Base Permissions
• GitHub > Organization > Member Privileges > Pages Creation
• GitHub > Organization > Member Privileges > Repository Creation
• GitHub > Organization > Member Privileges > Repository Forking
• GitHub > Repository > CMDB
• GitHub > Repository > Code Security
• GitHub > Repository > Code Security > Push Protection
• GitHub > Repository > Code Security > Secret Scanning
• GitHub > Repository > Default Branch
• GitHub > Repository > Default Branch > Name
• GitHub > Repository > Dependabot
• GitHub > Repository > Dependabot > Alerts
• GitHub > Repository > Dependabot > Security Updates
• GitHub > Repository > Discussions
• GitHub > Repository > Discussions > Enabled
• GitHub > Repository > Forking
• GitHub > Repository > Forking > Enabled
• GitHub > Repository > Projects
• GitHub > Repository > Projects > Enabled
• GitHub > Repository > Pull Request
• GitHub > Repository > Pull Request > Delete Branch on Merge
• GitHub > Repository > Pull Request > Merge Configuration
• GitHub > Repository > Pull Request > Merge Configuration > Settings
• GitHub > Repository > Visibility
• GitHub > Repository > Wikis
• GitHub > Repository > Wikis > Enabled

Action Types

• GitHub > Organization > Event Handlers
• GitHub > Organization > Router
• GitHub > Organization > Update
• GitHub > Organization > Update Blocked Users
• GitHub > Repository > Router
• GitHub > Repository > Update
• GitHub > Repository > Update Dependabot

Bug fixes

• The Azure > SQL > Server > CMDB control occasionally deleted servers from Guardrails CMDB when they used the SQL authentication method. This issue has been fixed, and such resources will no longer be removed from the CMDB.

What's new?

• Added support for Drift Detection, Version and Timeout policies for the Stack [Native] controls.

Policy Types

• Azure > Network > Virtual Network > Stack [Native] > Drift Detection
• Azure > Network > Virtual Network > Stack [Native] > Drift Detection > Interval
• Azure > Network > Virtual Network > Stack [Native] > Timeout
• Azure > Network > Virtual Network > Stack [Native] > Version

What's new?

• Added support for Drift Detection, Version and Timeout policies for the Stack [Native] controls.

Policy Types

• AWS > VPC > Stack [Native] > Drift Detection
• AWS > VPC > Stack [Native] > Drift Detection > Interval
• AWS > VPC > Stack [Native] > Timeout
• AWS > VPC > Stack [Native] > Version
• AWS > VPC > VPC > Stack [Native] > Drift Detection
• AWS > VPC > VPC > Stack [Native] > Drift Detection > Interval
• AWS > VPC > VPC > Stack [Native] > Timeout
• AWS > VPC > VPC > Stack [Native] > Version

What's new?

• Added support for Drift Detection, Version and Timeout policies for the Stack [Native] controls.

Policy Types

• AWS > S3 > Bucket > Stack [Native] > Drift Detection
• AWS > S3 > Bucket > Stack [Native] > Drift Detection > Interval
• AWS > S3 > Bucket > Stack [Native] > Timeout
• AWS > S3 > Bucket > Stack [Native] > Version

What's new?

• Added support for Drift Detection, Version and Timeout policies for the Stack [Native] controls.

Policy Types

• AWS > IAM > Stack [Native] > Drift Detection
• AWS > IAM > Stack [Native] > Drift Detection > Interval
• AWS > IAM > Stack [Native] > Timeout
• AWS > IAM > Stack [Native] > Version

What's new?

• Added support for Drift Detection, Version and Timeout policies for the Stack [Native] controls.

Policy Types

• GCP > Project > Stack [Native] > Drift Detection
• GCP > Project > Stack [Native] > Drift Detection > Interval
• GCP > Project > Stack [Native] > Timeout
• GCP > Project > Stack [Native] > Version

What's new?

• Added support for Drift Detection, Version and Timeout policies for the Stack [Native] controls.

Policy Types

• Azure > Subscription > Stack [Native] > Drift Detection
• Azure > Subscription > Stack [Native] > Drift Detection > Interval
• Azure > Subscription > Stack [Native] > Timeout
• Azure > Subscription > Stack [Native] > Version

What's new?

• Added support for Drift Detection, Version and Timeout policies for the Stack [Native] controls.

Policy Types

• AWS > Account > Stack [Native] > Drift Detection
• AWS > Account > Stack [Native] > Drift Detection > Interval
• AWS > Account > Stack [Native] > Timeout
• AWS > Account > Stack [Native] > Version
• AWS > Region > Stack [Native] > Drift Detection
• AWS > Region > Stack [Native] > Drift Detection > Interval
• AWS > Region > Stack [Native] > Timeout
• AWS > Region > Stack [Native] > Version

Bug fixes

• Server
  • Added support for drift detection in OpenTofu 1.x (open-source Terraform) integration via Guardrail.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• Server
  • Added support for OpenTofu v1.8.3 (open source Terraform) container to run Stack [Native] controls.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• GCP > Project > Stack [Native]

Policy Types

• GCP > Project > Stack [Native]
• GCP > Project > Stack [Native] > Modifier
• GCP > Project > Stack [Native] > Secret Variables
• GCP > Project > Stack [Native] > Source
• GCP > Project > Stack [Native] > Variables

What's new?

• Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• Azure > Subscription > Stack [Native]

Policy Types

• Azure > Subscription > Stack [Native]
• Azure > Subscription > Stack [Native] > Modifier
• Azure > Subscription > Stack [Native] > Secret Variables
• Azure > Subscription > Stack [Native] > Source
• Azure > Subscription > Stack [Native] > Variables

What's new?

• Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• Azure > Network > Virtual Network > Stack [Native]

Policy Types

• Azure > Network > Virtual Network > Stack [Native]
• Azure > Network > Virtual Network > Stack [Native] > Modifier
• Azure > Network > Virtual Network > Stack [Native] > Secret Variables
• Azure > Network > Virtual Network > Stack [Native] > Source
• Azure > Network > Virtual Network > Stack [Native] > Variables

What's new?

• Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• AWS > VPC > Stack [Native]
• AWS > VPC > VPC > Stack [Native]

Policy Types

• AWS > VPC > Stack [Native]
• AWS > VPC > Stack [Native] > Modifier
• AWS > VPC > Stack [Native] > Secret Variables
• AWS > VPC > Stack [Native] > Source
• AWS > VPC > Stack [Native] > Variables
• AWS > VPC > VPC > Stack [Native]
• AWS > VPC > VPC > Stack [Native] > Modifier
• AWS > VPC > VPC > Stack [Native] > Secret Variables
• AWS > VPC > VPC > Stack [Native] > Source
• AWS > VPC > VPC > Stack [Native] > Variables

What's new?

• Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• AWS > Account > Stack [Native]
• AWS > Region > Stack [Native]

Policy Types

• AWS > Account > Stack [Native]
• AWS > Account > Stack [Native] > Modifier
• AWS > Account > Stack [Native] > Secret Variables
• AWS > Account > Stack [Native] > Source
• AWS > Account > Stack [Native] > Variables
• AWS > Region > Stack [Native]
• AWS > Region > Stack [Native] > Modifier
• AWS > Region > Stack [Native] > Secret Variables
• AWS > Region > Stack [Native] > Source
• AWS > Region > Stack [Native] > Variables

What's new?

• Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• AWS > S3 > Bucket > Stack [Native]

Policy Types

• AWS > S3 > Bucket [Native]
• AWS > S3 > Bucket [Native] > Modifier
• AWS > S3 > Bucket [Native] > Secret Variables
• AWS > S3 > Bucket [Native] > Source
• AWS > S3 > Bucket [Native] > Variables

What's new?

• Users can now create and manage cloud resources using OpenTofu 1.x (open source Terraform) via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• AWS > IAM > Stack [Native]

Policy Types

• AWS > IAM > Stack [Native]
• AWS > IAM > Stack [Native] > Modifier
• AWS > IAM > Stack [Native] > Secret Variables
• AWS > IAM > Stack [Native] > Source
• AWS > IAM > Stack [Native] > Variables

Bug fixes

• The real-time Event Handlers would fail to update details for Flow Logs attached to Virtual Networks. This is now fixed.

Bug fixes

• Guardrails would fail to update CMDB for virtual networks when flow logs were created or removed from such resources. This is now fixed.

Bug fixes

• The AWS > VPC > VPC > Flow Logging control previously attempted to destroy and recreate flow logs with CloudWatch log groups as the destination on successive runs due to an incorrect ARN reference to the log destination. This issue is now fixed, and the control will no longer unnecessarily destroy and recreate flow logs in such cases.

Bug fixes

• Server
  • Minor internal improvements.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.

Bug fixes

• We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.

Bug fixes

• We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.

Bug fixes

• In a previous version, we resolved an issue in the Azure > Compute > Virtual Machine Scale Set > Tags control to ensure tags were updated correctly for Scale Sets launched via the Azure Marketplace. However, the control occasionally failed to update tags for Scale Sets on certain purchase plans. This issue has now been addressed, and the control will update tags correctly and reliably for all types of Scale Sets.

Bug fixes

• We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.

Bug fixes

• We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.

Bug fixes

• We have updated internal dependencies for the Terraform Version policy across various stack controls to prevent unnecessary control reruns. You wouldn't notice any difference and things will run more smoothly and reliably than before.

Bug fixes

• UI
  • Updated the filter logic on the Reports page for more accurate results.
  • Resolved an issue where resource links in the Permissions section redirected to the profile page instead of the resource page when grouped by resources.

Requirements

• TEF: 1.59.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3