Subscribe to all changelog posts via RSS or follow #changelog on our Slack community to stay updated on everything we ship.
Bug fixes
AWS > VPC > VPC > Flow Logging control previously attempted to destroy and recreate flow logs with CloudWatch log groups as the destination on successive runs due to an incorrect ARN reference to the log destination. This issue is now fixed, and the control will no longer unnecessarily destroy and recreate flow logs in such cases.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Azure > Compute > Virtual Machine Scale Set > Tags control to ensure tags were updated correctly for Scale Sets launched via the Azure Marketplace. However, the control occasionally failed to update tags for Scale Sets on certain purchase plans. This issue has now been addressed, and the control will update tags correctly and reliably for all types of Scale Sets.Bug fixes
Bug fixes
Bug fixes
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Azure > Turbot > Event Poller. To get started, set the Azure > Turbot > Event Poller > Excluded Events policy.Policy Types
What's new?
AWS > SQS > Queue > Encryption at Rest policy to one of the following values: Check: SQS SSE, Check: SQS SSE or higher, Enforce: SQS SSE or Enforce: SQS SSE or higher.What's new?
Kubernetes > Cluster > Approved > * policies.Control Types
Policy Types
Bug fixes
Azure > App Service > Function App > HTTPS Only control would sometime fail to enable the setting in Azure. This is now fixed.Bug fixes
GCP > Compute Engine > Instance > Serial Port Access and GCP > Compute Engine > Instance > Block Project Wide SSH Keys controls would sometimes go into an error state due to incorrect references to CMDB attributes. This is fixed and the controls will now work as expected.What's new?
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved policy was set to Enforce: Delete unapproved. This is now fixed.What's new?
What's new?
Bug fixes
createTimestamp for Web Apps and Function Apps incorrectly when processing update events for these resources. We have updated the internal logic to ensure the createTimestamp is now updated correctly and more reliably than before.What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
Bug fixes
createdBy details in their metadata. The internal logic has been updated to ensure createdBy details are added more reliably for these disks.What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
What's new?
Bug fixes
GCP > IAM > Service Account Key > Active control has been updated to use validAfterTime instead of metadata.createTimestamp to accurately evaluate the age of the resource.What's new?
What's new?
AWS > RDS > DB Cluster > Approved > Encryption at Rest > * policies.Policy Types
What's new?
On Target per Budget. To get started, set the AWS > Account > Budget > Enabled policy to Check: Budget > State is On Target.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
AWS > VPC > Route > CMDB control would go into an error state due to an incorrect use of a function from an internal node package. This is now fixed.Bug fixes
createdBy details for storage accounts due to mishandled real-time update events. This issue has been fixed, and createdBy details will now be stored more reliably and consistently than before.createTimestamp details from being stored in the metadata of new storage accounts upserted in Guardrails CMDB. This issue has now been resolved, and createTimestamp details are now stored correctly and reliably.What's new?
createdBy details in Guardrails CMDB.Bug fixes
AWS > VPC > VPC > Flow Logging control would sometimes fail to update flow logs if the Max Aggregation Interval in the stack's source policy was updated. This is fixed and the stack control will now update such resources correctly, as expected.What's new?
AWS > VPC > VPC > Flow Logging control. To get started, set the AWS > VPC > VPC > Flow Logging > Cloud Watch > Maximum Aggregation Interval policy and/or AWS > VPC > VPC > Flow Logging > S3 > Maximum Aggregation Interval policy.Policy Types
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
AWS > IAM > Credential Report resource type have now been updated to target either the AWS > IAM > Root or AWS > IAM > User resource types, depending on the specific control requirements. This adjustment more accurately aligns each control with the relevant resources, enabling more precise and targeted checks.Bug fixes
Azure > Security Center > Security Center > Auto Provisioning control is now deprecated and will now move to an Invalid state if enforcements are applied. This follows the deprecation plan announcement from Azure. The control will be removed in a future mod version.Control Types
Renamed
Policy Types
Renamed
Action Types
Removed
What's new?
Control Types
Policy Types
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
Policy Types
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Azure > Security Center > Security Center > CMDB control would go into an error state if it was not able to fetch policy assignment details correctly. This issue has now been fixed.Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
Bug fixes
Bug fixes
Bug fixes
What's new?
KeyVault > Vault
Added :
enableSoftDeletepublicNetworkAccessenableRbacAuthorizationKeyVault > Key
Added :
hsmPlatformRemoved:
key.ekey.nKeyVault > Secret
Modified :
ID property does not contain the secret version.Removed:
expiresupdatedcreatedBug fixes
Azure > Key Vault > Key > CMDB control would go into an error state while fetching key rotation policy details for managed keys. The control will no longer attempt to fetch the key rotation policy details for such keys and will work as expected.What's new?
What's new?
Server
Activity Retention feature for Smart Retention control to enhance version and data management.UI
Bug fixes
Server
Notify or Ignore keywords were missing in the notification rules.UI
+ button for adding permissions now correctly applies the appropriate attributes.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Policy Types:
Control Types:
Turbot > Smart Retention control to enhance version and data management.Requirements
What's new?
Azure > MySQL > Flexible Server > Set Minimum TLS Version policy to Check: TLS 1.2 or higher.What's new?
Azure > Management Group
Modified :
type property is updated as type: Microsoft.Management/managementGroups, earlier it was /providers/Microsoft.Management/managementGroupsWhat's new?
Bug fixes
What's new?
Renamed:
transparentDataEncryption.status to transparentDataEncryption.statedatabaseThreatDetectionPolicy to databaseSecurityAlertPolicyAdded:
Azure SQL > Server
administrators blockisManagedIdentityInUse autoRotationEnabled externalGovernanceStatus minimalTlsVersionprivateEndpointConnectionspublicNetworkAccessrestrictOutboundNetworkAccessserverAzureADAdministrator.azureADOnlyAuthenticationAzure SQL > Database
availabilityZonecurrentBackupStorageRedundancydatabaseSecurityAlertPolicy. creationTimetransparentDataEncryption.locationisInfraEncryptionEnabledisLedgerOnmaintenanceConfigurationIdrequestedBackupStorageRedundancymaintenanceConfigurationIdAzure SQL > ElasticPool
maintenanceConfigurationIdModified:
serverAzureADAdministrator.name has been changed from string (activeDirectory) to string (ActiveDirectory).databaseThreatDetectionPolicy.disabledAlerts has been changed from string ("") to object ([]).databaseThreatDetectionPolicy.emailAddresses has been changed from string ("") to object ([]).databaseThreatDetectionPolicy.emailAccountAdmins has been changed from string (Disabled/Enabled) to boolean (false/true).disabledAlerts has been changed from string ("") to object ([]).Removed:
databaseThreatDetectionPolicy.useServerDefaultBug fixes
What's new?
What's new?
Network > NetworkInterface
Added :
auxiliaryModeauxiliarySkukinddisableTcpStateTrackingNetwork > PrivateDNSZone
Added :
internalIdNetwork > VirtualNetworkGateway
Added :
allowVirtualWanTrafficallowRemoteVnetTrafficModified :
activeActive property updated as activeWhat's new?
Added:
tagskindResource Types
Control Types
Policy Types
Action Types
Bug fixes
What's new?
Removed:
clientSecretUrlWhat's new?
Bug fixes
What's new?
Bug fixes
What's new?
Bug fixes
What's new?
Added:
createMode
Bug fixes
Bug fixes
AWS > Account > Budget > Budget control would enter an error state for US Gov cloud accounts because the budget APIs are not supported for these accounts. We have updated the control to avoid making these API calls and instead rely on the AWS > Account > Budget > State policy being updated periodically, allowing the control to evaluate the outcome correctly.What's new?
Control Types
Policy Types
What's new?
What's new?
GCP > Project > ServiceNow > Relationships > * policies.Control Types
Policy Types
What's new?
Azure > Subscription > ServiceNow > Relationships > * policies.Control Types
Policy Types
What's new?
AWS > Account > ServiceNow > Relationships > * policies.Control Types
Policy Types
What's new?
Removed:
tTLBug fixes
What's new?
Added:
createdByupdatedBysystemDatacreatedDateTimeBug fixes
What's new?
Added:
softDeletePolicyazureADAuthenticationAsArmPolicyWhat's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
GCP > Global Region > ServiceNow > Relationships > *, GCP > Multi-Region > ServiceNow > Relationships > *, GCP > Region > ServiceNow > Relationships > * and GCP > Zone > ServiceNow > Relationships > * policies respectively.Control Types
Policy Types
What's new?
GCP > Storage > Bucket > ServiceNow > Relationships > * and GCP > Storage > Object > ServiceNow > Relationships > * policies respectively.Control Types
Policy Types
What's new?
Azure > Resource Group > ServiceNow > Relationships > * policies.Control Types
Policy Types
What's new?
Azure > Storage > Container > ServiceNow > Relationships > *, Azure > Storage > File Share > ServiceNow > Relationships > *, Azure > Storage > Queue > ServiceNow > Relationships > * and Azure > Storage > Storage Account > ServiceNow > Relationships > * policies respectively.Control Types
Policy Types
What's new?
AWS > VPC > Elastic IP > ServiceNow > Relationships > *, AWS > VPC > Internet Gateway > ServiceNow > Relationships > * and AWS > VPC > NAT Gateway > ServiceNow > Relationships > * policies respectively.Control Types
Policy Types
Control Types
Policy Types
What's new?
AWS > EC2 > AMI > ServiceNow > Relationships > *, AWS > EC2 > Instance > ServiceNow > Relationships > *, AWS > EC2 > Key Pair > ServiceNow > Relationships > *, AWS > EC2 > Network Interface > ServiceNow > Relationships > *, AWS > EC2 > Snapshot > ServiceNow > Relationships > * and AWS > EC2 > Volume > ServiceNow > Relationships > * policies respectively.Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
AWS > VPC > Flow Log > ServiceNow > Relationships > *, AWS > VPC > Network ACL > ServiceNow > Relationships > *, AWS > VPC > Security Group > ServiceNow > Relationships > * and AWS > VPC > Security Group Rule > ServiceNow > Relationships > * policies respectively.Control Types
Policy Types
What's new?
AWS > VPC > Route Table > ServiceNow > Relationships > *, AWS > VPC > Subnet > ServiceNow > Relationships > * and AWS > VPC > VPC > ServiceNow > Relationships > * policies respectively.Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
AWS > S3 > Bucket > ServiceNow > Relationships > * policies.Control Types
Policy Types
What's new?
AWS/Billing/Admin, AWS/Billing/Metadata and AWS/Billing/Operator now also include purchase orders permissions.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
Added:
In Azure > Compute > Disk:
supportedCapabilities.diskControllerTypesdiskIopsReadWritelastOwnershipUpdateTimeIn Azure > Compute > Virtual Machine:
resourcestimeCreatedetagIn Azure > Compute > Virtual Machine Scale Set:
constrainedMaximumCapacityetagscaleInPolicytimeCreatedupgradePolicystorageProfile. diskControllerTypeIn Azure > Compute > Snapshot:
dataAccessAuthModeincrementalSnapshotFamilyIdRemoved:
In Azure > Compute > Virtual Machine:
statuses.timeBug fixes
What's new?
Added:
Azure > App Service > App Service Plan
elasticScaleEnablednumberOfWorkerszoneRedundantAzure > App Service > Function App
configuration.acrUseManagedIdentityCredsconfiguration.acrUserManagedIdentityIDconfiguration.elasticWebAppScaleLimitconfiguration.ipSecurityRestrictionsDefaultActionconfiguration.metadataconfiguration.minTlsCipherSuiteconfiguration.scmIpSecurityRestrictionsDefaultActiondnsConfigurationpublicNetworkAccessvnetBackupRestoreEnabledvnetContentShareEnabledvnetImagePullEnabledvnetRouteAllEnabledAzure > App Service > Web App
configuration.acrUseManagedIdentityCredsconfiguration.acrUserManagedIdentityIDconfiguration.elasticWebAppScaleLimitconfiguration.ipSecurityRestrictionsDefaultActionconfiguration.metadataconfiguration.minTlsCipherSuiteconfiguration.scmIpSecurityRestrictionsDefaultActiondnsConfigurationpublicNetworkAccessvnetBackupRestoreEnabledvnetContentShareEnabledvnetImagePullEnabledvnetRouteAllEnabledBug fixes
What's new?
What's new?
Renamed:
JitNetworkAccessPolicies to jitNetworkAccessPoliciesPricing to pricingLocations to locationsBug fixes
What's new?
Bug fixes
What's new?
Added:
frontdoorIdrulesEnginesextendedPropertiesbackendPoolsSettingsbackendPool.privateLinkAliasbackendPool.privateLinkLocationbackendPool.privateEndpointStatusbackendPool.privateLinkResourceIdbackendPool.privateLinkApprovalMessageroutingRule.rulesEngineroutingRule.routeConfiguration.odataTyperoutingRule.routeConfiguration.cacheConfiguration.cacheDurationroutingRule.routeConfiguration.cacheConfiguration.queryParameters routingRule.webApplicationFirewallPolicyLinkModified:
routingRule.backendPool to routingRule.routeConfiguration.backendPoolroutingRule.forwardingProtocol to routingRule.routeConfiguration.forwardingProtocolroutingRule.customForwardingPath to routingRule.routeConfiguration.customForwardingPathroutingRule.cacheConfiguration.dynamicCompression to routingRule.routeConfiguration.cacheConfiguration. dynamicCompressionroutingRule.cacheConfiguration.queryParameterStripDirective to routingRule.routeConfiguration.cacheConfiguration. queryParameterStripDirectiveBug fixes
What's new?
Bug fixes
What's new?
Added:
networkProfile.podCidrsnetworkProfile.ipFamiliesnetworkProfile.outboundTypenetworkProfile.serviceCidrsnetworkProfile.networkPolicynetworkProfile.loadBalancerProfile.backendPoolTypenetworkProfile.loadBalancerProfile.countIPv6networkProfile.loadBalancerProfile.idleTimeoutInMinutesnetworkProfile.loadBalancerProfile.allocatedOutboundPortsagentPoolProfiles.modeagentPoolProfiles.osSKUagentPoolProfiles.enableFipsagentPoolProfiles.osDiskTypeagentPoolProfiles.spotMaxPriceagentPoolProfiles.scaleDownModeagentPoolProfiles.enableUltraSSDagentPoolProfiles.kubeletDiskTypeagentPoolProfiles.upgradeSettings.maxSurgeagentPoolProfiles.nodeImageVersionagentPoolProfiles.enableEncryptionAtHostagentPoolProfiles.currentOrchestratorVersionBug fixes
What's new?
Added:
hostNamePrefixserverless. connectionTimeoutInSecondsBug fixes
What's new?
Added:
Azure > Service Bus > Namespace
disableLocalAuthstatuszoneRedundantAzure > Service Bus > Queue
maxMessageSizeInKilobytesAzure > Service Bus > Topic
maxMessageSizeInKilobytesBug fixes
What's new?
Bug fixes
What's new?
Added: Azure > Recovery Service > Vault
properties.backupStorageVersionproperties.bcdrSecurityLevelproperties.publicNetworkAccessproperties.restoreSettingsproperties.secureScoreproperties.securitySettingsBug fixes
Bug fixes
AWS > RoboMaker > Robot Application > CMDB, AWS > RoboMaker > Fleet > CMDB and AWS > RoboMaker > Robot > CMDB policies will now be set to Skip by default because the resource types have been deprecated and will be removed in the next major version. Please check end of support for more information.What's new?
AWS > ECS > Account Settings > Fargate FIPS Mode policy.Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Resource Types
Control Types
Policy Types
Action Types
What's new?
Server
UI
+ sign to grant permissions in the context of both the identity and resource.Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
resource/turbot_policy_pack_attachment: terraform apply failed to detect existing Policy Pack attachments. (#181)What's new?
Added:
flowTyperequestSourceBug fixes
What's new?
Bug fixes
Resource Types
Policy Types
What's new?
AWS/User grant should include support:* permissions. To get started, set the AWS > Account > Permissions > Support Level policy.Policy Types
Bug fixes
AWS > Turbot > IAM stack control did not correctly evaluate user memberships in custom IAM groups when the AWS > Turbot > Permissions > Custom Group Levels [Account] policy was set, and users were granted permissions for those custom IAM groups. This issue has now been fixed.Bug fixes
AWS > EC2 > Volume > CMDB control would sometimes run unnecessarily due to a bad internal GraphQL dependency. This is now fixed.Bug fixes
Kubernetes > Cluster > CMDB > Expiration policy was inadvertently added to the Kubernetes > Cluster > CMDB control. This precheck condition has now been removed.Resource Types
Control Types
Policy Types
Action Types
What's new?
Bug fixes
Enforce: Enabled for the service.What's new?
Added:
authOptionsdisableLocalAuthencryptionWithCmknetworkRuleSetprivateEndpointConnectionspublicNetworkAccesssemanticSearchsharedPrivateLinkResourcesBug fixes
What's new?
Action Types
Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.What's new?
Added: Azure > Synapse Analytics > Workspace
azureADOnlyAuthenticationcreateManagedPrivateEndpoint encryptionextraPropertiespublicNetworkAccesssettingstrustedServiceBypassEnabledworkspaceUIDAzure > Synapse Analytics > SQL Pool
storageAccountTypeBug fixes
What's new?
Action Types
What's new?
Added:
authConfig
dataEncryption
standbyAvailabilityZone
network. delegatedSubnetResourceId
network. privateDnsZoneArmResourceId
replicaCapacity
replicationRole
systemData
configurations.documentationLink
configurations.isConfigPendingRestart
configurations.isDynamicConfig
configurations.isReadOnly
configurations.unit
Modified:
firewallRules has been changed from array ([]) to object ({}).Bug fixes
What's new?
Bug fixes
Bug fixes
serviceProperties.table.clientRequestId and serviceProperties.table.requestId properties for storage accounts have now been made dynamic to avoid unnecessary notifications in the activity tab.Bug fixes
What's new?
Policy Types
Bug fixes
osquery error events.Bug fixes
osquery agent.What's new?
Policy Types
Control Types
Policy Types
What's new?
Policy Types
Control Types
Policy Types
What's new?
Policy Types
What's new?
Policy Types
Bug fixes
modifyVolume event for EBS Volume Notifications. This issue is now fixed.What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
Action Types
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
What's new?
createdBy details in Guardrails CMDB.Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
AWS > EC2 > Volume > Performance Configuration control would sometimes fail to set the expected configuration per AWS > EC2 > Volume > Performance Configuration > * policies and move to an Invalid state if the required data was not available for new volumes in the CMDB. The control will now move to TBD instead and retry after 5 minutes to fetch the required data correctly and set the performance configuration as expected.What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
What's new?
Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.Bug fixes
Enforce: Enabled for the service.What's new?
Azure > Storage> Storage Account > CMDB control will now also fetch diagnostic settings details and store them in CMDB.Resource Types
Control Types
Policy Types
Bug fixes
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.Control Types
Policy Types
Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.Bug fixes
Import Set controls will not require permissions to read the sys_db_object & sys_dictionary tables in ServiceNow.What's new?
AWS > RDS > DB Cluster > Parameter Group > * policies.Control Types
Policy Types
Action Types
Bug fixes
Bug fixes
Enforce: Enabled for the service.Bug fixes
Server
UI
Import button on the Connect page has been updated to Connect.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
You can now configure Master Authorized Networks for region and zone clusters via Guardrails. To get started, set the GCP > Kubernetes Engine > Region Cluster > Master Authorized Networks Config and GCP > Kubernetes Engine > Zone Cluster > Master Authorized Networks Config policies respectively.
Improved descriptions for various resource types to ensure they are clearer and more helpful.
Control Types
Policy Types
Action Types
What's new?
Bug fixes
Resource Types
Control Types
Policy Types
Action Types
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
Enforce: Enabled but ignore permission errors. However, the CMDB control previously ignored permission errors only on the HeadBucket operation and still entered an error state for permission errors on sub-API calls. The CMDB control will now ignore all sub-API calls if the HeadBucket operation is denied access. If the HeadBucket operation is successful, the control will attempt to make all sub-API calls and ignore access denied errors if encountered.What's new?
Resource Types
Control Types
Policy Types
Action Types
Resource Types
Control Types
Policy Types
Action Types
What's new?
Approved > Usage policy for resource types will now default to Approved instead of Approved if AWS > {service} > Enabled.Bug fixes
AWS > VPC > VPC > Stack control would sometimes go into an error state while upserting newly created flow logs in Guardrails due to incorrect mapping of its parent resource. This issue has now been fixed, and the control will upsert flow logs more consistently and reliably than before.Bug fixes
Enforce: Enabled for the service.What's new?
rds-ca-rsa4096-g1.Resource Types
Control Types
Policy Types
Action Types
What's new?
AWS > Turbot > Logging > Bucket > Default Encryption policy is now deprecated because all buckets are now encrypted by default in AWS. As a result, all buckets created and managed via the AWS > Turbot > Logging > Bucket stack control will now be encrypted by AWS SSE by default. We've also removed ACL settings for buckets and now apply bucket ownership controls instead via the stack control to align with the latest AWS recommendations. Please upgrade the @turbot/aws-s3 mod to v5.26.0 for the stack control to work reliably as before.Policy Types
Renamed
What's new?
aws_s3_bucket_ownership_controls Terraform resource for buckets.What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
AWS > Config > Configuration Recording stack control. To get started, set the AWS > Config > Configuration Recording > Terraform Version policy. We recommend using versions 0.11, 0.12, or 0.15 for this control to create and manage resources effectively and reliably.Policy Types
What's new?
GCP > Turbot > Event Handlers > Pub/Sub control. To get started, set the GCP > Turbot > Event Handlers > Pub/Sub > Topic > Labels policy.Policy Types
Bug fixes
ec2:RevokeSecurityGroupEgress and ec2:RevokeSecurityGroupIngress events. This issue is now fixed.Bug fixes
AWS > Turbot > Event Handlers control did not correctly raise the real-time CreateTags and DeleteTags events for VPC security group rules. This issue is now fixed.What's new?
GCP > Network > Subnetwork > Flow Log policy.Control Types
Policy Types
Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Resource Types
Control Types
Policy Types
Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
GCP > IAM > Service Account > Active or GCP > IAM > Service Account > Approved policy to Enforce: Disable inactive with <x> days warning or Enforce: Disable unapproved respectively.Action Types
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Bug fixes
AWS > ECR > Repository > CMDB control went into an error state for shared repositories upserted incorrectly in Guardrails CMDB. Shared repositories will now not be upserted under shared accounts or regions, but will only be upserted under their owner accounts and regions.Bug fixes
ec2:CreateReplaceRootVolumeTask for instances. This is now fixed.What's new?
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Resource Group > ServiceNow > Configuration Item control would fail to fetch instance credentials internally and did not process the data correctly in ServiceNow. This issue has now been fixed.Bug fixes
Bug fixes
Bug fixes
Control Types
Policy Types
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
What's new?
What's new?
AWS/DynamoDB/Admin, AWS/DynamoDB/Metadata and AWS/DynamoDB/Operator now include permissions for Resource Policy, Imports, Time to Live and Global Table Version.What's new?
Control Types
Policy Types
What's new?
Control Types
Policy Types
What's new?
Table logging for Storage Accounts via Azure > Storage > Storage Account > Table > Logging control. To get started, set the Azure > Storage > Storage Account > Table > Logging policy.Control Types
Policy Types
Action Types
Azure > Storage > Storage Account > Update Encryption at Rest
Azure > Storage > Storage Account > Update Storage Account Table Logging
The Storage Account CMDB data will now also include information about the account's table service properties.
We've removed the dependency on listKeys permission for Azure > Storage Account > Container > Discovery to run its course to completion. This release includes breaking changes in the CMDB data for containers. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
isImmutableStorageWithVersioningEnabled to isImmutableStorageWithVersioning.enabled
Removed:
preventEncryptionScopeOverride
Bug fixes
Azure > Storage > Storage Account > CMDB control would go into an error state while trying to fetch default Queue and Blob properties if Guardrails did not have permission to list the storage account keys. The control will now not attempt to fetch default Queue and Blob properties if Guardrails does not have the required access for listKeys, and will run its course to completion without going into an error state.Bug fixes
AWS > S3 > Bucket > CMDB control if it would go into an error state due to insufficient permissions for the headBucket operation.What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types
Policy Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
What's new?
AWS > S3 > Bucket > CMDB control would go into an error state if Guardrails did not have permissions to call the headBucket operation on a bucket. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > S3 > Bucket > CMDB policy to Enforce: Enabled but ignore permission errors.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > App Service > Web App > Client Certificate Mode control, ensuring that the Client Certificate Mode is set to Require correctly. However, we missed an edge case where the control wouldn’t enforce any mode other than the default setting of Ignore. We have now addressed all cases, and the control will work more reliably and consistently than before.What's new?
What's new?
Server
UI
Smart Folders are now called Policy Packs.Policy Packs from UI.Bug fixes
Server
UI
Policy Packs from the UI.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Enforce: Sync policy value for integrating Import Sets in ServiceNow.Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
Control Types
Policy Types
What's new?
Bug fixes
Azure > App Service > Web App > Client Certificate Mode control did not apply Enforce: Require settings correctly. This is now fixed.What's new?
google_monitoring_alert_policy and google_monitoring_notification_channel Terraform resources.Control Types
Policy Types
What's new?
google_logging_metric Terraform resource.Control Types
Policy Types
Bug fixes
Azure > Storage > Storage Account > Queue > Logging control failed to set queue logging properties correctly. This issue has been fixed, and the control will now function correctly as intended.Bug fixes
Bug fixes
What's new?
GCP > Compute > Instance > Shielded Instance Configuration > * policies.Control Types
Policy Types
Action Types
What's new?
Azure > CIS v2.0 > 5.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) control will also evaluate SQL databases for SKU Basic/Consumption.Control Types
Policy Types
Bug fixes
Azure > CIS v2.0 > 4 - Database Services > 01.03 - Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key control did not evaluate the result correctly, as expected. This is now fixed.What's new?
DOCUMENTATION:
resource/turbot_policy_pack: Added documentation for akas attribute for the resource. (#179)What's new?
GCP > SQL > Instance > Encryption In Transit policy.Control Types
Policy Types
Action Types
What's new?
Control Types
Policy Types
What's new?
Basic to Standard for Public IP Addresss via Azure > Network > Public IP Address > Standard SKU control. To get started, set the Azure > Network > Public IP Address > Standard SKU policy.Control Types
Policy Types
Action Types
What's new?
To get started configuring these rules through Guardrails, the following policies should set according to your desired firewall rules configuration:
Azure > Cosmos DB > Database Account > Firewall - Configure default access rules for the public endpoint
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved - Remove unapproved IP ranges
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required - Grant access to specific IP ranges
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved - Remove unapproved virtual network subnets
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required - Grant access to specific virtual network subnets
Please note that if the Azure > Cosmos DB > Database Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the database accounts. If these boundaries are not properly configured beforehand or an application is outside of these boundaries, it will lose access to the database accounts.
Control Types
Policy Types
Action Types
Bug fixes
Bug fixes
What's new?
Bug fixes
GCP > Project > CMDB control went into an error state while fetching Access Approval settings for the project if Access Transparency was disabled at the organization level. We have now handled such cases gracefully, and the control will fetch all available details without going into an error state.What's new?
GCP > SQL > Instance > Authorized Network > * policies.GCP > SQL > Instance > Database Flags policy.GCP > SQL > CMDB policy to Enforce: Disabled.Control Types
Policy Types
Action Types
What's new?
We've updated internal dependencies and now use the latest Azure SDK versions to discover and manage Storage resources in Guardrails. This release includes breaking changes in the CMDB data for storage accounts. We recommend updating your existing policy settings to refer to the updated attributes as mentioned below.
Renamed:
serviceProperties.blob.DeleteRetentionPolicy to serviceProperties.blob.deleteRetentionPolicyserviceProperties.blob.DeleteRetentionPolicy.Days to serviceProperties.blob.deleteRetentionPolicy.daysserviceProperties.blob.DeleteRetentionPolicy.Enabled to serviceProperties.blob.deleteRetentionPolicy.enabledserviceProperties.blob.StaticWebsite to serviceProperties.blob.staticWebsiteserviceProperties.blob.StaticWebsite.Enabled to serviceProperties.blob.staticWebsite.enabledserviceProperties.blob.logging to serviceProperties.blob.blobAnalyticsLoggingserviceProperties.queue.logging to serviceProperties.queue.queueAnalyticsLoggingAdded:
serviceProperties.blob.deleteRetentionPolicy.AllowPermanentDeleteModified:
serviceProperties.blob.cors has been changed from string ("") to array ([]).serviceProperties.queue.cors has been changed from string ("") to array ([]).Users can now enable/disable Blob logging for storage accounts. To get started, set the Azure > Storage > Storage Account > Blob > Logging > * policies.
Users can now check if storage accounts are approved for use based on Infrastructure Encryption settings. To get started, set the Azure > Storage > Storage Account > Approved > Infrastructure Encryption policy.
Control Types
Renamed
Policy Types
Renamed
Action Types
Renamed
What's new?
Azure > App Service > Web App > Client Certificate Mode policy.Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
GCP > BigQuery > Dataset > Encryption at Rest > * policies.Control Types
Policy Types
Action Types
What's new?
Control Types
Policy Types
Bug fixes
AWS > EC2 > Snapshot > CMDB policy was set to Enforce: Enabled for Snapshots not created with AWS Backup. This issue has now been fixed.What's new?
GCP > DNS > Managed Zone > DNSSEC Configuration policy.GCP > DNS > Policy > Logging policy.Control Types
Policy Types
Action Types
Bug fixes
What's new?
Azure > Compute > Virtual Machine > Trusted launch policy.Azure > Compute > Disk > Encryption at Rest > * policies.Control Types
Policy Types
Action Types
What's new?
Azure > App Service > Web App > System Assigned Identity policy.Control Types
Policy Types
Action Types
Bug fixes
Azure > App Service > Web App > FTPS State control failed to set the FTPS State correctly for web apps. This issue is now fixed.What's new?
Policy Types
What's new?
Azure > Network Watcher > Flow Log > Retention Policy > * policies.Control Types
Policy Types
Action Types
What's new?
Azure > Active Directory > Directory > CMDB control will now also fetch named locations and authorization policy details and store them in CMDB.Bug fixes
AWS > IAM > Account Password Policy > Settings control not applying custom settings correctly. This issue is fixed, and the CMDB details will now refresh correctly, allowing the corresponding Settings control to work as expected.What's new?
Azure > Security Center > Security Center > CMDB control will now also fetch security settings details and store them in CMDB.Bug fixes
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
The default value for GCP > Storage > Bucket > ServiceNow > Import Set now shows the resource_type_uri correctly.
Control Types
Added
Policy Types
Added
What's new?
ServiceNow > Turbot > Watches > GCP Archive and Delete Record action now supports archiving Import Set records.Control Types
Added
Policy Types
Added
What's new?
ServiceNow > Turbot > Watches > Azure Archive and Delete Record action now supports archiving Import Set records.Bug fixes
ServiceNow > Application > CMDB, ServiceNow > Cost Center > CMDB & ServiceNow > User > CMDB have been updated from Enforce: Enabled to Skip.Policy Types
Added
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
OUTBOUND_SECURITY_GROUP_ID environment variable in Lambda functions now defaults to using the TEF outbound security group when there is no override specified in TEF and TE.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding port prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected port prefixes instead of deleting the entire rule in such cases.Bug fixes
AWS > RDS > DB Instance > Approved control will now be skipped for instances that belong to a cluster. To check if a cluster is approved for use, please set the AWS > RDS > DB Cluster > Approved > * policies.AWS > RDS > DB Instance > Approved control did not stop an unapproved instance if the corresponding policy was set to Enforce: Stop unapproved or Enforce: Stop unapproved if new, and deletion protection for the instance was enabled. The control will now stop instances correctly in such cases.What's new?
EncryptionInTransit TopicPolicy has shifted from a custom resource to AWS CloudFormation’s AWS::SNS::TopicPolicy.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Server
UI
Depends-on tab on the controls page has been renamed to Related. It now includes the information from the Depends-on tab along with additional related controls information.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved control would sometimes fail to revoke rejected rules when the corresponding policy was set to Enforce: Delete unapproved. This has been fixed, and the control will now work more reliably and consistently than before.Bug fixes
Turbot > osquery > Event Handler action was not able to handle events for large payloads. This issue is now fixed.Bug fixes
GCP > Project > CMDB control would incorrectly delete a project from Guardrails CMDB if it was unable to fetch Access Approval settings for the project. This issue has been fixed and the control will now attempt to fetch all available details and will not delete the project from CMDB.Bug fixes
Azure > Security Center > Security Center > Auto Provisioning policy.Control Types
Policy Types
Action Types
What's new?
What's new?
Azure > Security Center > Security Center > Defender Plan control now also supports services like Cloud Posture, Containers and Cosmos DB.What's new?
Server
@azure/msal-node package.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
AWS > EC2 > Snapshot > CMDB policy to Enforce: Enabled for Snapshots not created with AWS Backup.Bug fixes
AWS > Turbot > Service Roles > Source policy went to an invalid state if all but the AWS > Turbot > Service Roles > Event Handlers [Global] policy was enabled. This issue impacted the AWS > Turbot > Service Roles stack control, preventing the role from being created correctly. This has been fixed, and the AWS > Turbot > Service Roles > Source policy will now work as expected.Bug fixes
AWS > CIS v3.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate the result correctly, as expected. This is now fixed.What's new?
Updated the existing Flags attribute to include new specific flags that control the operation of Mod Lambda functions within a Virtual Private Cloud (VPC). This update allows Lambdas to use static IP addresses, improving network stability and predictability across different cloud environments. New flags Added to Flags Attribute:
Introduced a new SSM parameter outbound_cidr_ranges to retrieve the Elastic IPs associated with the NAT gateways.
What's new?
Server
osquery/logger API to support payloads up to 10MB.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Bug fixes
AWS > CIS v2.0 > 1 - Identity and Access Management > 1.02 - Ensure security contact information is registered control did not evaluate the result correctly, as expected. This is now fixed.Bug fixes
Azure > Network > Network Security Group > Ingress Rules > Approved and Azure > Network > Network Security Group > Egress Rules > Approved controls previously deleted an entire rule if at least one of the corresponding address prefixes was rejected, even if the others were approved. These controls will now revoke only the rejected address prefix instead of deleting the entire rule in such cases.Bug fixes
GCP > Turbot > Event Handlers > Logging would go into an Invalid state because of incorrect filter patterns defined in the GCP > Turbot > Event Handlers > Logging > Sink > Compiled Filter > @turbot/gcp-bigquerydatatransfer policy. This is fixed and the control will now work as expected.Bug fixes
compute.networks.delete for default networks incorrectly, resulting in the inadvertent deletion of those networks from CMDB. This is now fixed.What's new?
Resource Types
Policy Types
What's new?
Control Types
Policy Types
Bug fixes
s3:PutBucketReplication for buckets. This is now fixed.AWS > S3 > Bucket > Access Logging control would sometimes go into an error state if the target bucket name started with a number. This is fixed and the control will now work more smoothly and consistently than before.Bug fixes
$logs) for storage accounts. This is now fixed.Bug fixes
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
osquery instead of Osquery.Bug fixes
Kubernetes > Node resources will no longer include the conditions.lastHeartbeatTime or resource_version properties to avoid unnecessary notifications in the activity tab.What's new?
Resource Types
Policy Types
What's new?
Resource Types
Policy Types
What's new?
Server
api/latest/osquery/enrollapi/latest/osquery/configapi/latest/osquery/loggerserviceNowCredential resolver specifically for Kubernetes clusters.@turbot/sdk) to version 5.15.0 and our fn toolkit (@turbot/fn) to version 5.22.0, to support FIFO queues.UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
What's new?
Resource Types
Control Types
Policy Types
Action Types
Bug fixes
GCP > IAM > Service Account Key > Active control will no longer attempt to delete a system-managed service account key deemed inactive by the control.What's new?
AWS > IAM > Access Key > Active > Latest policy.AWS > IAM > Server Certificate > Active > Expired policy.Policy Types
Bug fixes
GCP > Project > CMDB control would go into an error state if Access Approval API was disabled in GCP. This is now fixed.What's new?
/processes prefix from 1 day to 2 days./osquery prefix.What's new?
Bug fixes
Azure > Compute > Virtual Machine Scale Set > Tags control would sometimes fail to update tags correctly for Scale Sets launched via Azure marketplace. This is fixed and the control will now update tags correctly, as expected.What's new?
AWS > VPC > Network ACL > Ingress Rules > Approved > * policies.Bug fixes
What's new?
AWS > EFS > Mount Target > Approved policy to Enforce: Delete unapproved.What's new?
aws_cloudwatch_metric_alarm resources via Guardrails stacks.Control Types
Policy Types
Bug fixes
aws_securityhub_account Terraform resource.What's new?
createdBy details in Turbot CMDB.What's new?
Control Types
Policy Types
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
Control Types
Policy Types
Bug fixes
What's new?
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved control did not render correctly on mod inspect. This is now fixed.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Azure > Storage > Storage Account > Data Protection control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.What's new?
Azure > PostgreSQL > Server > Firewall > IP Ranges > Approved > * and Azure > PostgreSQL > Flexible Server > Firewall > IP Ranges > Approved > * policies respectively.Azure > PostgreSQL > Flexible Server > Approved policy to Enforce: Stop unapproved or Enforce: Stop unapproved if new.Control Types
Policy Types
Action Types
Bug fixes
What's new?
Control Types
User consent for applications is set to Do not allow user consentEnable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabledPolicy Types
User consent for applications is set to Do not allow user consentUser consent for applications is set to Do not allow user consent > AttestationEnable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabledWhat's new?
worker_factory in the CloudWatch Dashboard widgets "Events Queue Activity" and "Events Queue Backlog"._worker_factory queue._worker queue.Bug fixes
Server
UI
template_input property of the policy setting in the Terraform plan to YAML format, improving clarity and manageability.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Turbot > Process Monitor control to operate within the priority queue, ensuring more timely and efficient processing of critical tasks.Turbot > Workspace > Background Tasks control to modify the next_tick_timestamp for any policy values that previously had incorrect defaults.Bug fixes
What's new?
Azure > Storage > Storage Account > Access Keys > Rotation Reminder > * and Azure > Storage > Storage Account > Data Protection > Soft Delete > * policies respectively.Control Types
Policy Types
Action Types
What's new?
Azure > SQL > Server > Firewall > IP Ranges > Approved > * policies.Control Types
Policy Types
Action Types
Bug fixes
rotationPeriod and nextRotationTime attributes for Crypto Keys did not update correctly in CMDB when the rotation policy for such keys was removed. This is now fixed.What's new?
Azure > MySQL > Flexible Server > Encryption in Transit > * policies.createdBy details in Turbot CMDB.Control Types
Policy Types
Action Types
What's new?
createdBy details in Turbot CMDB.Policy Types
Bug fixes
AWS > VPC > Flow Log > Configured control would sometimes go into an error state for flow logs created via the AWS console, even though they were correctly claimed by a Guardrails stack. This is now fixed.What's new?
Azure > PostgreSQL > Flexible Server > Audit Logging > * policies.Control Types
Policy Types
Action Types
What's new?
Azure > Key Vault > Key > Expiration > * and Azure > Key Vault > Secret > Expiration > * policies respectively.Control Types
Policy Types
Action Types
What's new?
What's new?
Bug fixes
Azure > Storage > Storage Account > Queue > Logging control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.What's new?
Azure > Network > Public IP Address > Approved policy to Enforce: Delete unapproved.What's new?
Azure > PostgresSql > Flexible Server > Encryption in Transit > * policies.Control Types
Policy Types
Action Types
What's new?
Azure > Active Directory > User > Approved policy to Enforce: Delete unapproved.Policy Types
What's new?
Azure > MySQL > Flexible Server > Minimum TLS Version > * policies.What's new?
What's new?
What's new?
Control Types
Policy Types
Bug fixes
What's new?
AWS > EC2 > Account Attributes > Instance Metadata Service Defaults > * policies.Bug fixes
AWS > EC2 > Instance > Approved control would sometimes fail to stop instances that were discovered in Guardrails via real-time events if the AWS > EC2 > Instance > Approved policy was set to Enforce: Stop unapproved if new. This is now fixed.What's new?
What's new?
connection_throttling parameter for PostgreSQL servers. To get started, set the Azure > PostgreSQL > Server > Audit Logging > Connection Throttling policy.What's new?
What's new?
AWS > KMS > Key > Approved policy to Enforce: Disable unapproved.Bug fixes
Enforce: Enabled but ignore permission errors for the AWS > SNS > Subscription > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug, resulting in the removal of real-time events for Subscription from the SNS EventBridge rule created by the Event Handlers. This issue has now been fixed.Bug fixes
Enforce: Enabled but ignore permission errors for the AWS > KMS > Key > CMDB policy, allowing the corresponding CMDB control to ignore permission errors, if any, and proceed to completion. However, configuring the CMDB policy to Enforce: Enabled but ignore permission errors inadvertently introduced a bug, resulting in the removal of the EventBridge Rule for KMS by the Event Handlers. This issue has now been fixed.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
Action Types:
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Enforce: Disabled. This is now fixed.Bug fixes
AWS > VPC > VPC > Stack control failed to claim security group rules correctly if the protocol for such rules was set to All or TCP in the stack's source policy. This issue has been fixed, and the control will now claim such rules correctly.Bug fixes
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
AWS > SageMaker > Code Repository > Regions policy, which led to the AWS > SageMaker > Code Repository > Discovery control being in an error state for those regions. We've now removed the unsupported US Gov cloud regions from the Regions policy.What's new?
Bug fixes
Enforce: Disabled. This is now fixed.Bug fixes
Enforce: Disabled. This is now fixed.AWS > VPC > VPC > Stack control that prevented it from recognizing security group rules with the port range set to 0 correctly. However, the control still failed to claim existing security group rules available in Guardrails CMDB, due to an inadvertent bug introduced in v5.9.2. This issue has now been fixed, and the control will correctly claim existing security group rules.Bug fixes
Enforce: Disabled. This is now fixed.Bug fixes
lists events for various storage resources. We've now improved our events filter to ignore these lists events, thereby reducing unnecessary processing.Bug fixes
Enforce: Disabled. This is now fixed.Bug fixes
Enforce: Disabled. This is now fixed.Bug fixes
Enforce: Disabled. This is now fixed.AWS > EC2 > Snapshot > Active and AWS > EC2 > Snapshot > Approved controls will now not attempt to delete a snapshot if it has one or more AMIs attached to it.ec2-reports:* permissions are now removed from the mod.Bug fixes
CreateDefaultVpc events. However, we overlooked an edge case in the fix. We have now addressed this issue, ensuring that Internet Gateways will be reliably discovered and upserted into the Guardrails CMDB. We recommend updating the aws-vpc-core mod to version 5.17.1 or higher to enable Guardrails to correctly process real-time CreateDefaultVpc events for Internet Gateways.Enforce: Disabled. This is now fixed.Bug fixes
AWS > VPC > VPC > Stack control would sometimes go into an error state after creating security group rules with port range set to 0. This occurred because the control failed to recognize the existing rule in Guardrails CMDB and attempted to create a new rule instead. This issue has been fixed, and the stack control will now work correctly as expected.AWS > VPC > Security Group > CMDB control would sometimes go into an error state for security groups shared from other AWS accounts. We will now exclude shared security groups and only upsert security groups that belong to the owner account.What's new?
You can now also manage the IAM Permissions model for Guardrails Users via the AWS > Turbot > IAM > Managed control. The AWS > Turbot > IAM > Managed control is faster and more efficient than the existing AWS > Turbot > IAM control because it utilizes Native AWS APIs rather than Terraform to manage IAM resources. Please note that this feature will work as intended only on TE v5.42.19 or higher and turbot-iam mod v5.11.0 or higher.
Control Types
Policy Types
Policy Types Renamed
Action Types
Bug fixes
The AWS > IAM > Group > CMDB, AWS > IAM > Role > CMDB, and AWS > IAM > User > CMDB controls previously failed to fetch all attachments for groups, roles, and users, respectively, due to the lack of pagination support. This issue has been fixed, and the controls will now correctly fetch all respective attachments.
Bug fixes
Server
/tenant/${workspaceFullId} to Advanced.resolvedSchema if not available in the schema.UI
AWS > Turbot > IAM > Managed control.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Turbot > IAM > Permissions > Compiled > Levels > Turbot policy will now be evaluated correctly and consistently.Bug fixes
What's new?
The AWS > S3 > Bucket CMDB data will now also include information about Bucket Intelligent Tiering Configuration.
A few policy values in the AWS > S3 > Bucket > Encyprion at Rest policy have now been deprecated and will be removed in the next major mod version (v6.0.0) because they are no longer supported by AWS.
| Deprecated Values
|-
| Check: None
| Check: None or higher
| Enforce: None
| Enforce: None or higher
Bug fixes
CreateDefaultVpc events. This issue has been fixed, and Internet Gateways will now be more reliably upserted into the Guardrails CMDB.
We recommend updating the aws-vpc-core mod to v5.17.1 or higher to allow Guardrails to process the CreateDefaultVpc event for Internet Gateways correctly.Bug fixes
CreateDefaultVpc events. This issue has been fixed, and DHCP Options will now be more reliably upserted into the Guardrails CMDB.Bug fixes
lists events for various Dataproc resources. We've now improved our events filter to ignore these lists events, thereby reducing unnecessary processing.Bug fixes
GCP > Turbot > Event Handlers > Pub/Sub stack control previously attempted to create a topic and its IAM member incorrectly when the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity policy was set to Enforce: Unique Identity, but the project number for the project was not available. This is fixed and the control will transition to an Invalid state until Guardrails can correctly fetch the project number.What's new?
Control Types:
Policy Types:
Action Types
Bug fixes
AWS > S3 > Bucket > Encryption in Transit and AWS > S3 > Bucket > Encryption at Rest control to wait for a few minutes before applying the respective policies to new buckets created via Cloudformation Stacks. We've now extended this feature to all buckets regardless of how they were created, to ensure that IaC changes can be correctly applied to buckets without interference from immediate policy enforcements.What's new?
What's new?
Note
To use the latest RDS certificate in commercial cloud, please upgrade TE to 5.42.3 or higher and update the RDS CA Certificate for Commercial Cloud parameter.
Bug fixes
Server
UI
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
Control Types:
Policy Types:
What's new?
AWS > Secrets Manager > Secret > CMDB control would go into an error state if Guardrails did not have permissions to describe a secret. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > Secrets Manager > Secret > CMDB policy to Enforce: Enabled but ignore permission errors.What's new?
You can now attach custom IAM Groups to Guardrails users if the AWS > Turbot > Permissions policy is set to Enforce: User Mode. To get started, set the AWS > Turbot > Permissions > Custom Group Levels [Account] policy and then attach the custom group to a user via the Grant Permission button on the Permissions page. Please note that this feature will work as intended only on TE v5.42.18 or higher and turbot-iam mod v5.11.0 or higher.
Policy Types:
Policy Types renamed:
What's new?
Control Types:
Policy Types:
Bug fixes
AWS > VPC > VPC > Stack control would sometimes fail to claim existing Flow Logs in Guardrails CMDB. This is now fixed.What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
AWS > SNS > Subscription > CMDB control would go into an error state if Guardrails did not have permissions to describe a subscription. Users can now ignore such permission errors and allow the CMDB control to run its course to completion. To get started, set the AWS > SNS > Subscription > CMDB policy to Enforce: Enabled but ignore permission errors.What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
GCP > Compute Engine > Instance Template > CMDB control would sometimes go into an error state due to a bad internal build. This is fixed and the control will now work as expected.Bug fixes
Azure > Subscription, importing subscriptions encountered schema validation problems. This issue has been resolved, and you can now successfully import subscriptions as before.Bug fixes
What's new?
ap-northeast-3 in the AWS > Account > Regions policy.What's new?
af-south-1, ap-northeast-3, ap-south-2, ap-southeast-3, ap-southeast-4, ca-west-1, eu-central-2, eu-south-1, eu-south-2, il-central-1 and me-central-1 regions in the AWS > Logs > Regions policy.What's new?
You can now configure Block Public Access for Snapshots. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for Snapshots policy.
You can now also disable Block Public Access for AMIs. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for AMIs policy.
AWS/EC2/Admin, AWS/EC2/Metadata and AWS/EC2/Operator now includes permissions for Verified Access Endpoints, Verified Access Groups and Verified Access Trust Providers.
Control Types:
Policy Types:
Action Types:
Bug fixes
What's new?
Deny: * for HTTP in SNS Policy.What's new?
Bug fixes
Deny:* policy for HTTP traffic back to the turbot-policy-parameter custom lambda code.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
createdBy details in Turbot CMDB.What's new?
createdBy details in Turbot CMDB.What's new?
createdBy details in Turbot CMDB.v1.10.1 of the Terraform Provider for Guardrails is now available.
Bug fixes
resource/turbot_file: terraform apply failed to update content of an existing File in Guardrails. This is now fixed.What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
What's new?
createdBy details in Turbot CMDB.What's new?
What's new?
What's new?
createdBy details in Turbot CMDB.Bug fixes
The AWS > EC2 > Key Pair > Discovery control would sometimes go into an error state if a Key Pair alias included escape characters. This is now fixed.
Control Types renamed:
AWS > EC2 > Volume > Configuration to AWS > EC2 > Volume > Performance ConfigurationPolicy Types renamed:
AWS > EC2 > Volume > Configuration to AWS > EC2 > Volume > Performance ConfigurationAWS > EC2 > Volume > Configuration > IOPS Capacity to AWS > EC2 > Volume > Performance Configuration > IOPS CapacityAWS > EC2 > Volume > Configuration > Throughput to AWS > EC2 > Volume > Performance Configuration > ThroughputAWS > EC2 > Volume > Configuration > Type to AWS > EC2 > Volume > Performance Configuration > TypeAction Types renamed:
AWS > EC2 > Volume > Update Configuration to AWS > EC2 > Volume > Update Performance ConfigurationBug fixes
Turbot > Policy Setting Expiration control will now run every 12 hours to manage policy setting expirations more consistently than before.What's new?
What's new?
What's new?
createdBy details in Turbot CMDB.What's new?
createdBy details in Turbot CMDB.What's new?
What's new?
What's new?
createdBy details in Turbot CMDB.What's new?
createdBy details in Turbot CMDB.What's new?
What's new?
createdBy details in Turbot CMDB.Bug fixes
What's new?
What's new?
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
What's new?
createdBy details in Turbot CMDB.What's new?
createdBy details in Turbot CMDB.What's new?
What's new?
What's new?
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Action Types:
What's new?
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
GCP > Turbot > Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the GCP > Turbot > Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.Bug fixes
Azure > Turbot > Event Poller and Azure > Turbot > Management Group Event Poller controls now include a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Event Poller and Azure > Turbot > Management Group Event Poller policies are set to Disabled respectively. You won’t notice any difference and the controls should run lighter and quicker than before.Bug fixes
Azure > Turbot > Directory Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the Azure > Turbot > Directory Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.Bug fixes
AWS > Turbot > Event Poller control now includes a precheck condition to avoid running GraphQL input queries when the AWS > Turbot > Event Poller policy is set to Disabled. You won’t notice any difference and the control should run lighter and quicker than before.What's new?
Resource Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
aws_network_interface_sg_attachment Terraform resource for AWS > EC2 > Network Interface.Bug fixes
AWS > EC2 > Instance > CMDB control would sometimes trigger multiple times if EnclaveOptions was not set as part of the AWS > EC2 > Instance > CMDB > Attributes policy. This would result in unnecessary Lambda runs for the control. The EnclaveOptions attribute is now available in the CMDB data by default and the EnclaveOptions policy value in AWS > EC2 > Instance > CMDB > Attributes policy has now been deprecated, and will be removed in the next major version.What's new?
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Server
Require Signed Assertion Response.UI:
Require Signed Assertion Response for enhanced security in SAML authentication.Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Enhanced Security and Compatibility Guide for SAML Authentication
Description:
The recent update to @node-saml/passport-saml mandates the signing of the assertion response. To ensure backward compatibility, we have introduced a new configuration option in the UI:
By default, this option is set to Disabled to maintain compatibility with existing setups.
Recommendations: We recommend enabling this option as it adds an additional layer of security. However, please be aware that enabling this setting might impact the SAML login functionality.
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
What's new?
Control Types:
Policy Types:
Bug fixes
AWS > RDS > DB Instance > Discovery control would sometimes upsert DocumentDB Instances as RDS Instances in Guardrails CMDB. This is fixed and the control will now filter out DocumentDB Instances while upserting resources in CMDB.What's new?
What's new?
Control Types:
Policy Types:
Action Types:
Bug fixes
AWS > IAM > Account Password Policy > CMDB control would incorrectly go into an Alarm state when Guardrails was denied access to fetch the Account Password Policy data. This is fixed and the control will now move to an Error state instead for such cases.Bug fixes
What's new?
AWS/CloudFront/Admin and AWS/CloudFront/Metadata will now also include permissions for CloudFront KeyValueStore.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
What's new?
Policy Types:
Control Types:
Action Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
Action Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
Bug fixes
ServiceNow > Turbot > Watches > AWS control would fail to delete/archive records in ServiceNow. This is now fixed.Bug fixes
Requirements
Base images
Alpine: 3.17.5 Ubuntu: 22.04.3
Bug fixes
cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
cmdb_ci* Table. This is fixed and users will now be able to extend the resource's Table off of any Table in ServiceNow.Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
Bug fixes
AWS > Turbot > Event Poller policy will now be automatically set to Disabled if any of the AWS > Turbot > Event Handlers or AWS > Turbot > Event Handlers [Global] policies is set to Enforce: Configured.Bug fixes
Bug fixes
What's new?
Resource Types:
Policy Types:
Control Types:
Action Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
Action Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Policy Types:
Control Types:
What's new?
Server
UI:
What's new?
What's new?
Resource Types:
Policy Types:
What's new?
What's new?
What's new?
You can now Enable/Disable Firebase Management API via Guardrails. To get started, set the GCP > Firebase > API Enabled policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
Policy Types:
Action Types:
What's new?
Added support for newer US, Europe, India and US Government regions in the Azure > Synapse Analytics > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
What's new?
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
createdBy details in Turbot CMDB.What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
createdBy details in Turbot CMDB.What's new?
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Server
passport-saml to @node-saml/passport-saml: 4.0.4Require Signed Authentication Response and Strict Audience Validation.UI:
Require Signed Authentication Response and Strict Audience Validation for enhanced security in SAML authentication.Enhanced Security and Compatibility Guide for SAML Authentication
Description
The recent package change for @node-saml/passport-saml has made it mandatory to sign the audience response and perform audience validation. To maintain backward compatibility, we have introduced two new options in the UI:
To make it backward compatible, both of these options are initially set to Disabled by default.
Important Note: This change ensures that the audience response is signed and audience validation is enforced. These checks were not available in earlier versions of the package.
Recommendations
We recommend customers enable both of these properties as they add an additional layer of security. However, it's important to be aware that enabling these properties might potentially break SAML login functionality. Therefore, certain steps need to be taken before enabling them.
Here are specific recommendations for popular Identity Providers (IDPs):
Okta
OneLogin
Azure Entra ID (Previously Known as Azure AD)
Signing option to be "SIGN SAML response and assertion". The Signing option is available on the Signing Certificate page of Entra IDPlease follow these recommendations carefully to make sure you're able to transition smoothly to the updated SAML package.
What's new?
createdBy details in Turbot CMDB.What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
Action Types:
What's new?
Resource Types:
Policy Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
createdBy details in Turbot CMDB.Bug fixes
AWS > ElastiCache > Snapshot > CMDB control would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
GCP > Turbot > Event Handlers stack. To get started, set the GCP > Turbot > Event Handlers > Logging > Unique Writer Identity policy.Bug fixes
Bug fixes
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
createdBy details in Turbot CMDB.What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
createdBy details in Turbot CMDB.What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
Bug fixes
AWS > EC2 > Account Attributes > CMDB control would go into an error state due to a bad internal build. This is fixed and the control will now work correctly as expected.What's new?
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
Bug fixes
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Added support for ap-northeast-3 and us-gov-east-1 regions in the AWS > SageMaker > Regions policy.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for ap-south-1, af-south-1, cn-north-1 and us-gov-east-1 regions in the AWS > WorkSpaces > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for cn-north-1, cn-northwest-1, us-gov-east-1 and us-gov-west-1 regions in the AWS > MQ > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for cn-north-1, cn-northwest-1, us-gov-east-1 and us-gov-west-1 regions in the AWS > FSx > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
Added support for ca-central-1, eu-west-2, sa-east-1, us-east-2 and us-gov-east-1 regions in the AWS > AppStream > Regions policy.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Bug fixes
AWS > EC2 > Volume > Discovery control would go into an error state because of an unintended GraphQL query bug. This is fixed and the control will now work correctly as expected.What's new?
What's new?
What's new?
Server:
UI:
Bug fixes
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
You can now configure Block Public Access for AMIs. To get started, set the AWS > EC2 > Account Attributes > Block Public Access for AMIs policy to Enforce: Enable Block Public Access for AMIs.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Action Types:
What's new?
AWS/Amplify/Admin and AWS/Amplify/Metadata now also include permissions for Deployment, WebHook and Artifacts.
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
Users can now perform quick actions on resources to remediate cloud configuration issues or skip Turbot alarms for issues that they want to come back to later. To get started, click on the Actions button, which will reveal a dropdown menu with available actions, and select one. See Quick Actions for more information.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Policy Types:
Action Types:
What's new?
What's new?
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Control Types:
Policy Types:
Action Types:
What's new?
AWS/MSK/Admin, AWS/MSK/Metadata and AWS/MSK/Operator now also include permissions for Cluster V2, Scram Secrets and Kafka VPC Connections.
We've updated the runtime of the lambda functions to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Resource's metadata will now also include createdBy details in Turbot CMDB.
Rebranded to a Turbot Guardrails Mod. To maintain compatibility, none of the existing resource types, control types or policy types have changed, your existing configurations and settings will continue to work as before.
Policy Types:
Action Types:
Bug fixes
What's new?
Control Types:
Policy Types:
Action Types:
What's new?
Added support for Global Event Handlers. This release contains new Guardrails policies and controls to support deployment of Global Event Handlers for AWS.
Control Types:
Policy Types:
What's new?
AWS/RDS/Admin, AWS/RDS/Metadata and AWS/RDS/Operator now include permissions for Performance Insights.What's new?
Added support for new multi-regions NAM8, NAM9, NAM10, NAM11, NAM12, NAM13, NAM14, NAM15, NAM-EUR-ASIA1, NAM-EUR-ASIA3, IN, EUR5, EUR6, EUROPE and EMEA in the GCP > Project > Regions policy.
Policy Types Removed:
Bug fixes
AWS > VPC > Security Group > CMDB control would sometimes go into an error state if the TE version installed on the workspace was 5.42.1 or lower. This is fixed and the control will now work as expected.What's new?
Bug fixes
Requirements
What's new?
europe-west10 region in the GCP > Project > Regions policy.What's new?
asia-northeast3, asia-south2, asia-southeast2, australia-southeast2, europe-central2, europe-southwest1, europe-west10, europe-west12, europe-west8, europe-west9, me-central1, me-west1, northamerica-northeast2, southamerica-west1, us-east5, us-south1, us-west3 and us-west4 regions in the GCP > Compute Engine > Regions policy.Bug fixes
Bug fixes
What's new?
Bug fixes
AWS > EC2 > Instance > Schedule control would try and perform the same start/stop action again if the state of the instance was changed outside of the control within 1 hour of the successful start/stop run. This is fixed and the control will now not trigger a start/stop action again for a minimum of 1 hour of the previous successful run.What's new?
What's new?
Bug fixes
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
Users can now delete Login Profiles for IAM Users.
Control Types:
Policy Types:
Action Types:
What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
Bug fixes
Bug fixes
AWS > Turbot > Event Handlers now support real-time events for AWS S3 Multi-Region Access Point.What's new?
Resource Types:
Control Types:
Policy Types:
Action Types:
What's new?
AWS/S3/Admin and AWS/S3/Metadata now include permissions for Multi-Region Access Point Routes.What's new?
What's new?
We've updated the runtime for lambda functions in the aws-config mod to Node 18. You wouldn't notice any difference and things will continue to work smoothly and consistently as before.
Policy Types:
Action Types
What's new?
What's new?
Resource Types:
Policy Types:
What's new?
What's new?
GCP/OAuth/Admin and GCP/OAuth/Metadata now also include oauthconfig:* permissions. Click here for more details.What's new?
What's new?
Bug fixes
Requirements
What's new?
What's new?
Bug fixes
What's new?
What's new?
What's new?
Server:
UI
Note
IAM change in this release:
What's new?
guardrails.turbot.com, guardrails.turbot-stg.com or guardrails.turbot-dev.com to publish a guardrails mod. To maintain compatibility, none of the existing commands have changed, your existing configuration and commands will continue to work as before.What's new?
Policy Types:
Resource Types:
Smart Folders are now called Policy Packs.Requirements
v1.10.0 of the Terraform Provider for Guardrails is now available.
Documentation
Rebrand to Turbot Guardrails provider. Resource and data source names in this provider have not changed to maintain compatibility. Existing templates will continue to work as-is without need to change anything.
What's new?
Resources Deleted by Turbot report.Requires
Container Info
22.04, jammy-202304253.17.3Bug fixes
slackWebhookUrl in Turbot > Notifications > Rule-Based Routing policy.Requirements
What's new?
Requires
Container Info
22.04, jammy-202304253.17.3What's new?
Requires
Container Info
22.04, jammy-202304253.17.3What's new?
What's new?
Requirements
What's new?
Enterprise
Requires
Container Info
22.04, jammy-202304253.17.3Enterprise
Requires
Container Info
22.04, jammy-202304253.17.3What's new?
Enterprise
Requires
Container Info
22.04, jammy-202304253.18.0What's new?
Requires
What's new?
v5.10.0 of the Turbot IAM mod.Requires
What's new?
What's new?
What's new?
SameSite configuration to strict.Enterprise
Requires
What's new?
What's new?
3.75.0 when
Turbot > Stack Terraform Version [Default] is set to 0.15.*Bug fixes
Action fails due to cloud provider throttling, Turbot will
now reschedule the control that triggered the action, those actions should now
be more consistently applied under heavy loads.Note AWS IAM permissions change in this release:
Turbot > Cache > Health Check control.What's new?
What's new?
Turbot > Type Installed > Background Tasks is now removedRequirements
What's new?
v5.40.0. db_pair security group now includes Elasticache rules, when Elasticache is enabled.Deprecation
db_pair security group, the Elasticache cache_pair security group is no longer required. It will be removed in a future release.Bug fixes
Enterprise
Requires
What's new?
Enterprise
Requires TEF: v1.46.0 TED: v1.9.1
What's new?
Bug fixes
2.10.7.Enterprise
Requires TEF: v1.45.0 TED: v1.9.1
What's new?
launch templates to launch configurations.gp3.What's new?
alternatePersona in the actor field if
available.Bug fixes
Enterprise
vm2 package to 3.9.11 in the ECS containers.What's new?
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
Bug fixes
Bug fixes
Activity sub-tab on the resource page.Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
Bug fixes
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
Enterprise
inline.Requires TEF: v1.42.1 TED: v1.9.1
What's new?
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
What's new?
Bug fixes
Enterprise
Requires TEF: v1.42.1 TED: v1.9.1
Bug fixes
unidentified if
persona and identity are not available.Unidentified, now they will carry the identity of the launcher,
most of the time this will be the Turbot identity unless the action is
launched by a user from Turbot UI.Enterprise
Enterprise
UI
Enterprise
What's new?
Quick Actions Quick Actions is a new feature that allows Turbot users to initaite specific (one time) control enforcements on their cloud environment via the Turbot UI. Cloud operations teams can use Quick Actions to remediate cloud configuration issues (e.g. enable encryption on a resource) or snooze Turbot alarms for issues that we want to come back to later. More details in the documentation. Quick actions will be rolling out across all supported cloud services in the coming months (based on your feedback); this initial release covers resources in the following AWS mods:
Disabling the Quick Actions feature
Quick Actions use the permissions granted to the Turbot service user or cross-account role used to import your cloud service account into Turbot. Execution of quick actions will fail if the underlying role prevents those actions from occuring.
The Quick Actions feature is disabled by default, but can easily be enabled
via the Turbot > Quick Actions > Enabled policy. If you would like to
prevent lower level Turbot administrators from enabling Quick Actions for
their cloud service accounts, then make sure you set
Turbot > Quick Actions > Enabled to Disabled at the Turbot level using the
Required option.
The policy Turbot > Quick Actions > Permission Levels offers fine-grained
control over which Turbot permission levels are required to execute specific
quick actions. These permission limits can be set globally and specific
exceptions can be managed down to the individual cloud service account level.
Enterprise
Bug fixes
turbot completion command was displayed twice on running turbot help.Bug fixes
What's new?
Bug fixes
What's new?
What's new?
TEF KMS Key parameter name changed to TEF KMS Key Arn.What's new?
What's new?
What's new?
What's new?
db_pair security group from TEF 1.47.0.Deprecation
db_pair security group, the Elasticache
cache_pair security group is no longer required. It will be removed in a
future release.Requirements
What's new?
What's new?
Warning
What's new?
What's new?
What's new?
gp3.
More info on using gp3What's new?
What's new?
What's new?
What's new?
What's new?
Warning
turbot_policy_parameter.Bug fixes
What's new?
Requirements
Warning
turbot_policy_parameter.What's new?
turbot_parameters and turbot_policy_parameter lambda functions now include VPC config.turbot_policy_parameter IAM Role now includes EC2 network interfaces policy. What's new?
Requirements
What's new?
Requirements
What's new?
Requirements
Bug fixes
turbot template build to
fail.Bug fixes
template build was loading the lock-file from the base branch to determine
the current template version. When using a work-in-progress (wip) branch, this
could lead to identifying an incorrect current version, leading to rebasing
errors. Fix by loading the lock file from the wip branch.What's new?
What's new?
Bug fixes
Requirements
Bug fixes
Requirements
What's new?
What's new?
Bug fixes
Requirements
Bug fixes
Bug fixes
turbot template build now cleans up branches after a rebase failure.Warning
Bug fixes
Bug fixes
Requirements
Warning
Bug fixes
Warning
Bug fixes
Bug fixes
Requirements
Warning
What's new?
What's new?
Bug fixes
Requirements
What's new?
turbot template build --rebase command now cleans up the work in progress
branch if the template render fails.Bug fixes
turbot template build --rebase command was failing to re-apply manual
changes.turbot template build --fleet-mode would stop building all branches if a
single one failed.Bug fixes
What's new?
Bug fixes
What's new?
Requirements
Warning
What's new?
turbot_transient KMS key specifically used for encryption of transient data (e.g. SNS, SQS).Bug fixes
What's new?
turbot compose (used by all CLI commands that compose mods) now omits the
releaseNotes field from turbot.head.json. It is still included in
turbot.dist.json.turbot template has a new --unchanged-issue <issue_id> argument. When a
template build operation commits changes to git, if no files have actually
changed then the commit message will use this issue instead of the normal
--issue <issue_id> field. The commit message will also specify "no changes".What's new?
turbot publish has a new --timeout <secs> argument to customize the
publish timeout. The default has been increased to 2 minutes.turbot template build --issue 1234 --close-issue will set the commit
message to close the issue.Bug fixes
turbot test should not fail with the the error
TypeError: tmod.parse is not a function.Warning
What's new?
Bug fixes
Development
Mode. It was harmless, but not necessary unless ElastiCache is enabled in
TED.Bug fixes
Requirements
Bug fixes
turbot template build --patch --push-instance-root command failed to push
changes to the wip branch.What's new?
Bug fixes
Requirements
What's new?
ECSDesiredInstanceCount parameter, which now defaults to
using ECSMinInstanceCount instead. This frees up a precious parameter slot
for other options.DevelopmentMode parameter for internal use, which groups options
like using the latest container image (instead of cached).What's new?
ExperimentalFeatures flag, allowing gradual introduction of new
capabilities. The first one is installation of ElastiCache preparing for
future use in TE.Requirements
Bug fixes
turbot pack and turbot publish were failing to run pre-pack script when
--dir arg is used.Bug fixes
turbot inspect should give a clear error message for invalid templates.Bug fixes
turbot inspect --format changelog should properly escape CSV fields with
commas.Bug fixes
Bug fixes
Bug fixes
Bug fixes
What's new?
Requirements
What's new?
Requirements
What's new?
turbot install - checks if a compatible version of each dependency is
already installed. If so, it is does not install from the registry unless
there is a newer version available.turbot template build --rebase rebuilds templates while using rebase to
better merge and preserve custom changes to the rendered files since the last
build.What's new?
Warning
Bug fixes
What's new?
Bug fixes
turbot configure fails when no command line credentials arguments are given
but they set in environmentturbot workspace list should ignore TURBOT_PROFILE env var and only filter
profiles if one is given in command line.turbot download should fall back to use the production registry if the user
is not logged in.Bug fixes
turbot pack were not caught and
reported correctly.What's new?
turbot pack, turbot up and turbot publish
for faster troubleshooting.Bug fixes
turbot graphql queries for control, policy-value, etc were not properly
handling the --resource-id and --resource-aka arguments.Bug fixes
turbot configure was failing for some Windows users when used in interactive
mode.What's new?
Bug fixes
turbot configure was always failing validation when using interactive mode
to enter credentials.Bug fixes
turbot install [mod] was not working. You can now install specific mods as
expected.What's new?
turbot install [mod[@version]] to
install a specific mod as a local dependency.turbot workspace configure are now validated before
saving, so you can be confident they are good to go.What's new?
turbot workspace list to see a list of your currently configured
workspaces.turbot workspace configure added, with the same behavior as
turbot configure.Bug fixes
turbot test was failing for some GCP controls due to an update in the GCP
auth library package. This has been fixed.See v1.18.1
Bug fixes
What's new?
Requirements
What's new?
t3.medium.What's new?
ALB Log Prefix and ALB Idle Timeout.What's new?
Requirements
What's new?
169.254.170.2 to the default NO_PROXY parameter. This is required for stack containers to execute in some proxy environments.Bug fixes
turbot install was attempting to install the latest version, which would
fail if that version was not available or recommended. It will now install the
latest recommended version, or if none are recommended, the latest available
version.Bug fixes
Bug fixes
preinstall and preinstallation
which felt messy. This patch release brought to you by our clean up crew.Requirements
What's new?
What's new?
Requirements
What's new?
Flags parameter now has validation rules and defaults to NONE (CloudFormation does not like empty string defaults for SSM parameters).What's new?
Flags parameter will allow features to be enabled or disabled at the
installation level giving us more flexibility to innovate and gradually
deploy features.Warning
TrackFunctions in v1.7.0 was pl. Consider changing this to
none (the new, more common, default in v1.8.0) if you don't require that
tracking.What's new?
m5.8xlarge.Bug fixes
What's new?
http:// proxy for
all traffic - no need for endpoints or similar in any case. (We do not yet
support custom certificates and https:// proxies.)Bug fixes
Bug fixes
force-recommended as this causes
issues when using the yargs conflicts parameter.What's new?
RECOMMENDED in the
registry, telling users it's the best choice. Use
turbot publish --force-recommended and turbot modify --force-recommended
to mark this version as RECOMMENDED and set all currently recommended
versions to AVAILABLE.Bug fixes
turbot test was showing incorrect test data validation errors, due to a
graphql schema change that had not been handled by the CLI.What's new?
Allow Self-Signed Certificate parameter, instructing Turbot to ignore
certificate errors when connecting to external services - for example -
enterprise environments with an outbound internet proxy.What's new?
${ResourceNamePrefix}_connectivity_checker manually to test.What's new?
turbot inspect now enforces valid semantic versions in mod version numbers.
We admire your creativity, but encourage you to express it elsewhere.Bug fixes
turbot up --zip, which broke during a dependency update.What's new?
Bug fixes
turbot login was failing if the ~/.config folder did not exist.turbot template build was always expecting a wip-* instance branch to
exist. It's now correctly limited to runs where --use-instance-root-branch
is passed.What's new?
HTTPS_PROXY environment variable. Login, install mods
and publish to our registry all via your favorite proxy. (Provided it's a
http:// proxy, we don't support https:// yet.)What's new?
What's new?
rds.force_admin_logging_level and track_functions,What's new?
turbot registry modify --mod "@turbot/aws" --mod-version "5.0.0" --status RECOMMENDED --description "updated description".turbot publish using the
--status RECOMMENDED flag.turbot template build now supports instance root branch names with a random
suffix, following the naming convention: wip/<instance root name>/*. We've
found scheme much more effective at scale.RELEASE_NOTES.md as well as CHANGELOG.md when
building a mod. Release notes are intended for users while a changelog is
intended for developers or others obsessed over details.turbot test validates input query, but only works for a single query (not
for the more advanced array of queries syntax). Previously the test would
always fail for an array of queries, so we're now skipping the test in these
cases until it can be fully supported.Bug fixes
turbot publish --dir <mod folder> did not work if run outside the mod
folder - the function zips were not correctly created.What's new?_
turbot login (and similar) now requires both
--username and --password or neither. They just can't live without each
other.Bug fixes
turbot template build --patch command was failing without running the git
command.Bug fixes
What's new?
_ consistently in names (instead of mixing _ and
- together).What's new?
Self
Signed Certificate In ALB parameter to ignore these certificate errors.Bug fixes
Warning
What's new?
What's new?
Bug fixes
What's new?
What's new?
What's new?
turbot compose the +schema directive can now map from openApi format
schema to valid JSON schema.Bug fixes
turbot template build fleet operations were failing due to an error
displaying the summary. This has been fixed.What's new?
Warning
What's new?
Bug fixes
What's new?
turbot test to check GraphQL mutations (e.g. updatePolicySetting) are
called as expected from controls.turbot compose no longer errors when a glob matches no source files.Warning
Security access from the load balancer to ECS has changed from requiring port 8443 to requiring the full high port range of 32768-65535. This allows us to run ECS in bridge mode and efficiently reuse IP addresses across Turbot core containers.
The outbound security group now allows port 80 outbound by default. This makes cloud-init in the ECS optimized image run much faster than only providing port 443 outbound.
If you are upgrading from a previous TEF version, you will need to make the modifications listed below:
Add ports 32768-65535 to the Load Balancer Security Group OUTBOUND to the API Security Group
Add ports 32768-65535 to the API Security Group INBOUND from the Load Balancer Security Group
Add port 80 to the Outbound Internet Security Group OUTBOUND to 0.0.0.0/0
What's new?
What's new?
What's new?
turbot test to check GraphQL mutations (e.g. updatePolicySetting) are
called as expected from controls.turbot compose no longer errors when a glob matches no source files.What's new?
+schema has been added for turbot compose. This allows
you to include a specific item from a schema file, including all definitions
which are referenced.turbot template build will now run even if there are changes on the local
branch, if neither the --use-fleet-branch or --use-instance-root-branch
arguments are set. This is useful when running building templates for the
first time with local config updated but not committed.What's new?
turbot inspect --format changelog now includes the uri of each control,
policy, resource and action item.Bug fixes
turbot up was broken in 1.7.0. This has been fixed.turbot pack and turbot publish had to be run out of the target mod
directory. They can now be run out of any directory by passing the --dir
flagWhat's new?
turbot aws credentials now supports --aws-profile <aws_profile>,
--profile <turbot_profile> and
--access-key <turbot_access_key> --secret-key <turbot_secret_key>
combinations.Bug fixes
turbot test was doing type coercion of input data before validation. It now
expects correct types to be passed, matching the behavior of the Turbot
server.Bug fixes
What's new?
--no-color to simplify the output of any command. Sometimes less is
more.turbot template build --git --branch <branch-name> allows you to specify the
branch the build operations will be committed onto.turbot template build no longer supports the --config flag. Use
template.yml files instead.Bug fixes
turbot install was not downloading files. Now it does.turbot template build was creating template.yml files for every template
instance. This is noisy and defeats the value of template inheritence, so has
been stopped.Bug fixes
turbot template build --git should checkout the original git branch at the
end of the build. Broken in v1.5.0.What's new?
turbot template build --git now skips instances without a template-lock
file, which cannot be resolved anyway.Bug fixes
turbot up and turbot publish were stalling for large mods.Bug fixes
turbot template build --git should checkout the original git branch at the
end of the build. Broken in v1.4.0.What’s new?
turbot template build.turbot template build --fleet-mode now defaults to update, which is almost
always the right choice.turbot template build --git it is no longer necessary to
specify a base git branch, it sensibly assumes you want to use the current
branch.turbot pack --zip-file awesome.zip to output mods with any name you
prefer.Bug fixes
turbot template outdated fixed to work with specific template definition
directories.turbot template build --git. Previously we were polluting that goodness with
failures as well.template-lock.yml to data that is absolutely necessary, removing noise
from change logs.turbot template update. Please use turbot template build instead,
as you probably already were.What's new?
turbot inspect --output-format will now accept either a file path to the
template or the template string directly.turbot template build.turbot template build will
now merge successful changes onto a single branch and write failed patches to
the filesystem for easier review.What's new?
max_connections, deadlock_timeout,
idle_in_transaction_session_timeout and statement_timeout.What's new?
What's new?
Bug fixes
turbot template build has a special case "provider" field in the render
context. Long term it will be removed. Short term, it should not break for
vendor level mods like @turbot/aws or @turbot/linux.What's new?
Instance Type for Replica DB will now default to Same as Primary DB, which
is a lot easier than having to set and maintain it manually when most of the
time they are the same anyway.What's new?
turbot template build actions before they happen. (Add
--yes to keep the previous behavior.)turbot template build across
many instances.Bug fixes
turbot download will now give up gracefully on failed downloads, relieving
it of an eternity of failed retries.What's new?
Requirements
What's new?
Warning
Instance Type for Replica DB is new and must be set during
upgrade. (Note: Fixed in v1.3.0 to use Same as Primary DB by default.)What's new?
Bug fixes
turbot template build crash added by v1.1.0.What’s new?
turbot aws credentials --account 123456789012 --profile my-account to
generate and save temporary AWS credentials into your local AWS profile.
Easily work across many AWS accounts using your single Turbot profile.turbot template build to target all instances of a specific template,
which is great when you are in the process of converting code to use the
template (some code in template management, some still custom).Bug fixes
turbot test was broken in v1.0.4 due to a missing dependency. Life is better
with friends.Bug fixes
Bug fixes
What's new?
Bug fixes
arn:aws-us-gov:.Warning
What's new?
Bug fixes
turbot template should allow rendering of the filename as well as folder
names, e.g. src/{{instance}}/resource/types/{{instance}}.yml.Bug fixes
test.options are useful, but not required, so turbot test should not crash
if they are not set for a test.Bug fixes
turbot test has a test.awsProfile field to set the AWS profile to use when
running tests locally. This has been moved into the generic, customizable
test.options.awsProile location since it's relevant to AWS mods specifically
rather than a core feature of Turbot.What's new?
Bug fixes
What's new?
What's new?