Bug fixes

• Server
  • Resolved a problem where notifications weren’t being delivered due to incorrectly handled rule settings.
  • Improved cleanup of failed DB transactions.

Requirements

• Upgrade to 5.54.3 requires your workspace to be on 5.53.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.56.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• Server
  • Resolved a problem where notifications weren’t being delivered due to incorrectly handled rule settings.

Requirements

• Upgrade to 5.53.7 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.55.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug Fixes

• The graphql notifications subcommand, which was inadvertently removed in a previous version, has been restored.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

• servicenow v5.6.0

• servicenow-aws v5.6.0

• servicenow-aws-cloudtrail v5.3.0

• servicenow-aws-cloudwatch v5.3.0

• servicenow-aws-ec2 v5.4.0

• servicenow-aws-iam v5.3.0

• servicenow-aws-kms v5.3.0

• servicenow-aws-rds v5.3.0

• servicenow-aws-s3 v5.5.0

• servicenow-aws-vpc-connect v5.3.0

• servicenow-aws-vpc-core v5.4.0

• servicenow-aws-vpc-internet v5.4.0

• servicenow-aws-vpc-security v5.3.0

• servicenow-azure v5.9.0

• servicenow-azure-activedirectory v5.3.0

• servicenow-azure-aks v5.4.0

• servicenow-azure-apimanagement v5.3.0

• servicenow-azure-applicationgateway v5.3.0

• servicenow-azure-applicationinsights v5.3.0

• servicenow-azure-appservice v5.3.0

• servicenow-azure-automation v5.3.0

• servicenow-azure-compute v5.5.0

• servicenow-azure-cosmosdb v5.3.0

• servicenow-azure-databricks v5.3.0

• servicenow-azure-datafactory v5.3.0

• servicenow-azure-dns v5.3.0

• servicenow-azure-firewall v5.3.0

• servicenow-azure-frontdoorservice v5.3.0

• servicenow-azure-iam v5.3.0

• servicenow-azure-keyvault v5.3.0

• servicenow-azure-loadbalancer v5.3.0

• servicenow-azure-loganalytics v5.3.0

• servicenow-azure-monitor v5.3.0

• servicenow-azure-mysql v5.4.0

• servicenow-azure-network v5.7.0

• servicenow-azure-networkwatcher v5.3.0

• servicenow-azure-postgresql v5.4.0

• servicenow-azure-recoveryservice v5.3.0

• servicenow-azure-relay v5.3.0

• servicenow-azure-searchmanagement v5.2.0

• servicenow-azure-securitycenter v5.3.0

• servicenow-azure-servicebus v5.3.0

• servicenow-azure-signalr v5.3.0

• servicenow-azure-sql v5.4.0

• servicenow-azure-sqlvirtualmachine v5.3.0

• servicenow-azure-storage v5.7.0

• servicenow-azure-synapseanalytics v5.3.0

• servicenow-gcp v5.10.0

• servicenow-gcp-appengine v5.3.0

• servicenow-gcp-bigquery v5.3.0

• servicenow-gcp-bigtable v5.3.0

• servicenow-gcp-composer v5.3.0

• servicenow-gcp-computeengine v5.5.0

• servicenow-gcp-dataflow v5.3.0

• servicenow-gcp-datapipeline v5.3.0

• servicenow-gcp-dataplex v5.3.0

• servicenow-gcp-dataproc v5.3.0

• servicenow-gcp-dns v5.3.0

• servicenow-gcp-functions v5.3.0

• servicenow-gcp-iam v5.3.0

• servicenow-gcp-kms v5.3.0

• servicenow-gcp-kubernetesengine v5.4.0

• servicenow-gcp-logging v5.3.0

• servicenow-gcp-memorystore v5.3.0

• servicenow-gcp-monitoring v5.3.0

• servicenow-gcp-network v5.3.0

• servicenow-gcp-pubsub v5.3.0

• servicenow-gcp-run v5.3.0

• servicenow-gcp-scheduler v5.3.0

• servicenow-gcp-secretmanager v5.3.0

• servicenow-gcp-spanner v5.3.0

• servicenow-gcp-sql v5.4.0

• servicenow-gcp-storage v5.8.0

• servicenow-gcp-vertexai v5.3.0

• servicenow-custom v5.2.0

• servicenow-kubernetes v5.8.0

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

What's new?

Resource Types

• Azure > Virtual Desktop
• Azure > Virtual Desktop > Host Pool
• Azure > Virtual Desktop > Workspace

Control Types

• Azure > Virtual Desktop > Host Pool > Active
• Azure > Virtual Desktop > Host Pool > Allowed
• Azure > Virtual Desktop > Host Pool > Allowed > Custom
• Azure > Virtual Desktop > Host Pool > Allowed > Region
• Azure > Virtual Desktop > Host Pool > CMDB
• Azure > Virtual Desktop > Host Pool > Discovery
• Azure > Virtual Desktop > Host Pool > Tags
• Azure > Virtual Desktop > Workspace > Active
• Azure > Virtual Desktop > Workspace > Allowed
• Azure > Virtual Desktop > Workspace > Allowed > Custom
• Azure > Virtual Desktop > Workspace > Allowed > Region
• Azure > Virtual Desktop > Workspace > CMDB
• Azure > Virtual Desktop > Workspace > Discovery
• Azure > Virtual Desktop > Workspace > Tags

Policy Types

• Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-virtualdesktop
• Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-virtualdesktop
• Azure > Virtual Desktop > Allowed Regions [Default]
• Azure > Virtual Desktop > Approved Regions [Default]
• Azure > Virtual Desktop > Enabled
• Azure > Virtual Desktop > Host Pool > Active
• Azure > Virtual Desktop > Host Pool > Active > Age
• Azure > Virtual Desktop > Host Pool > Active > Last Modified
• Azure > Virtual Desktop > Host Pool > Allowed
• Azure > Virtual Desktop > Host Pool > Allowed > Custom
• Azure > Virtual Desktop > Host Pool > Allowed > Custom > Rules
• Azure > Virtual Desktop > Host Pool > Allowed > Region
• Azure > Virtual Desktop > Host Pool > Allowed > Region > Regions
• Azure > Virtual Desktop > Host Pool > CMDB
• Azure > Virtual Desktop > Host Pool > Regions
• Azure > Virtual Desktop > Host Pool > Tags
• Azure > Virtual Desktop > Host Pool > Tags > Template
• Azure > Virtual Desktop > Permissions
• Azure > Virtual Desktop > Permissions > Levels
• Azure > Virtual Desktop > Permissions > Levels > Modifiers
• Azure > Virtual Desktop > Regions
• Azure > Virtual Desktop > Tags Template [Default]
• Azure > Virtual Desktop > Workspace > Active
• Azure > Virtual Desktop > Workspace > Active > Age
• Azure > Virtual Desktop > Workspace > Active > Last Modified
• Azure > Virtual Desktop > Workspace > Allowed
• Azure > Virtual Desktop > Workspace > Allowed > Custom
• Azure > Virtual Desktop > Workspace > Allowed > Custom > Rules
• Azure > Virtual Desktop > Workspace > Allowed > Region
• Azure > Virtual Desktop > Workspace > Allowed > Region > Regions
• Azure > Virtual Desktop > Workspace > CMDB
• Azure > Virtual Desktop > Workspace > Regions
• Azure > Virtual Desktop > Workspace > Tags
• Azure > Virtual Desktop > Workspace > Tags > Template

Action Types

• Azure > Virtual Desktop > Host Pool > Delete
• Azure > Virtual Desktop > Host Pool > Router
• Azure > Virtual Desktop > Host Pool > Set Tags
• Azure > Virtual Desktop > Workspace > Delete
• Azure > Virtual Desktop > Workspace > Router
• Azure > Virtual Desktop > Workspace > Set Tags

Note: We recommend updating the @turbot/azure-provider mod to v5.19.1 for proper functionality.

What's new?

Resource Types

• Azure > Provider > Cognitive Services

Control Types

• Azure > Provider > Cognitive Services > CMDB
• Azure > Provider > Cognitive Services > Discovery
• Azure > Provider > Cognitive Services > Registered

Policy Types

• Azure > Provider > Cognitive Services > CMDB
• Azure > Provider > Cognitive Services > Registered

Action Types

• Azure > Provider > Cognitive Services > Set Registered

Bug fixes

• Guardrails would fail to process real-time register and unregister events for Virtual Desktop provider. This is now fixed.

What's new?

• You can now configure public network access for database accounts. To get started, set the Azure > Cosmos DB > Database Account > Public Network Access policy.

Control Types

• Azure > Cosmos DB > Database Account > Public Network Access

Policy Types

• Azure > Cosmos DB > Database Account > Public Network Access

Action Types

• Azure > Cosmos DB > Database Account > Set Public Network Access

Bug fixes

• Fixed policy mappings in various control types.

What's new?

• You can now configure advanced data security for workspaces. To get started, set the Azure > Synapse Analytics > Workspace > Advanced Data Security > * policies.

Control Types

• Azure > Synapse Analytics > Workspace > Advanced Data Security

Policy Types

• Azure > Synapse Analytics > Workspace > Advanced Data Security
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Notify Admins
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Types
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Threat Protection > Types > Email Addresses
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Email Addresses
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Notify Admins
• Azure > Synapse Analytics > Workspace > Advanced Data Security > Vulnerability Assessment > Storage Account

Action Types

• Azure > Synapse Analytics > Workspace > Update Advanced Data Security

What's new?

• You can now configure public network access for automation accounts. To get started, set the Azure > Automation > Automation Account > Public Network Access policy.

Control Types

• Azure > Automation > Automation Account > Public Network Access

Policy Types

• Azure > Automation > Automation Account > Public Network Access

Action Types

• Azure > Automation > Automation Account > Set Public Network Access

Bug fixes

• Added support to process enable and disable real-time events for Vertex AI API via Service Usage APIs.

Bug fixes

• Unsupported regions were inadvertently included in the AWS > Bedrock > Custom Model > Regions policy, which led to the AWS > Bedrock > Custom Model > Discovery control being in an error state for those regions. We've now removed the unsupported regions from the Regions policy.

What's new?

• Policy Type, Control Type, and Action Type definitions now also include their mapping details to establish clear relationships between them.

What's new?

Resource Types

• Azure > Provider > Virtual Desktop

Control Types

• Azure > Provider > Virtual Desktop > CMDB
• Azure > Provider > Virtual Desktop > Discovery
• Azure > Provider > Virtual Desktop > Registered

Policy Types

• Azure > Provider > Virtual Desktop > CMDB
• Azure > Provider > Virtual Desktop > Registered

Action Types

• Azure > Provider > Virtual Desktop > Set Registered

What's new?

Resource Types

• AWS > Cognito > Identity Pool

Control Types

• AWS > Cognito > Identity Pool > Active
• AWS > Cognito > Identity Pool > Allowed
• AWS > Cognito > Identity Pool > Allowed > Custom
• AWS > Cognito > Identity Pool > Allowed > Region
• AWS > Cognito > Identity Pool > CMDB
• AWS > Cognito > Identity Pool > Classic Authentication Flow
• AWS > Cognito > Identity Pool > Discovery
• AWS > Cognito > Identity Pool > Guest Access
• AWS > Cognito > Identity Pool > Tags

Policy Types

• AWS > Cognito > Allowed Regions [Default]
• AWS > Cognito > Identity Pool > Active
• AWS > Cognito > Identity Pool > Active > Age
• AWS > Cognito > Identity Pool > Active > Last Modified
• AWS > Cognito > Identity Pool > Allowed
• AWS > Cognito > Identity Pool > Allowed > Custom
• AWS > Cognito > Identity Pool > Allowed > Custom > Rules
• AWS > Cognito > Identity Pool > Allowed > Region
• AWS > Cognito > Identity Pool > Allowed > Region > Regions
• AWS > Cognito > Identity Pool > CMDB
• AWS > Cognito > Identity Pool > Classic Authentication Flow
• AWS > Cognito > Identity Pool > Guest Access
• AWS > Cognito > Identity Pool > Regions
• AWS > Cognito > Identity Pool > Tags
• AWS > Cognito > Identity Pool > Tags > Template
• AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-cognito

Action Types

• AWS > Cognito > Identity Pool > Delete
• AWS > Cognito > Identity Pool > Router
• AWS > Cognito > Identity Pool > Update Classic Authentication Flow
• AWS > Cognito > Identity Pool > Update Guest Access
• AWS > Cognito > Identity Pool > Update Tags

Note: We recommend updating the @turbot/aws mod to v5.40.0 for proper functionality.

What's new?

• AWS > EC2 > AMI > * Lambda functions have been migrated to use AWS SDK v3, reducing the mod package size and improving deployment efficiency. You will not notice any differences, and things will continue to work smoothly as before.

What's new?

Policy Types

• Azure > Subscription > Allowed Regions [Default]

Bug fixes

• The real-time Event Handlers would fail to process tagging events for AWS > Secrets Manager > Secret resources. This is now fixed.

What's new?

• Virtual network rules details will now be available in CMDB for servers.

Bug fixes

• The AWS > Lambda > Function > URL Auth Type control previously entered an invalid state when a Function URL was not configured. This issue has now been resolved and the control will correctly transition to a skipped state in such cases.

Bug fixes

• The AWS > DynamoDB > Table > Encryption at Rest control previously remained incorrectly in an alarm state when encryption was enforced on Global Table replicas. This issue has been resolved; the control now transitions to an invalid state for replicas, as AWS Global Tables require a single, coordinated cross-region encryption update rather than per-replica changes.

What's new?

Resource Types

• AWS > Neptune > DB Cluster Snapshot

Control Types

• AWS > Neptune > DB Cluster Snapshot > Active
• AWS > Neptune > DB Cluster Snapshot > Allowed
• AWS > Neptune > DB Cluster Snapshot > Allowed > Custom
• AWS > Neptune > DB Cluster Snapshot > Allowed > Region
• AWS > Neptune > DB Cluster Snapshot > CMDB
• AWS > Neptune > DB Cluster Snapshot > Discovery
• AWS > Neptune > DB Cluster Snapshot > Tags
• AWS > Neptune > DB Cluster Snapshot > Usage

Policy Types

• AWS > Neptune > Allowed Regions [Default]
• AWS > Neptune > DB Cluster Snapshot > Active
• AWS > Neptune > DB Cluster Snapshot > Active > Age
• AWS > Neptune > DB Cluster Snapshot > Active > Last Modified
• AWS > Neptune > DB Cluster Snapshot > Allowed
• AWS > Neptune > DB Cluster Snapshot > Allowed > Custom
• AWS > Neptune > DB Cluster Snapshot > Allowed > Custom > Rules
• AWS > Neptune > DB Cluster Snapshot > Allowed > Region
• AWS > Neptune > DB Cluster Snapshot > Allowed > Region > Regions
• AWS > Neptune > DB Cluster Snapshot > CMDB
• AWS > Neptune > DB Cluster Snapshot > Regions
• AWS > Neptune > DB Cluster Snapshot > Tags
• AWS > Neptune > DB Cluster Snapshot > Tags > Template
• AWS > Neptune > DB Cluster Snapshot > Usage
• AWS > Neptune > DB Cluster Snapshot > Usage > Limit

Action Types

• AWS > Neptune > DB Cluster Snapshot > Delete
• AWS > Neptune > DB Cluster Snapshot > Delete from AWS
• AWS > Neptune > DB Cluster Snapshot > Router
• AWS > Neptune > DB Cluster Snapshot > Set Tags
• AWS > Neptune > DB Cluster Snapshot > Skip alarm for Active control
• AWS > Neptune > DB Cluster Snapshot > Skip alarm for Active control [90 days]
• AWS > Neptune > DB Cluster Snapshot > Skip alarm for Tags control
• AWS > Neptune > DB Cluster Snapshot > Skip alarm for Tags control [90 days]
• AWS > Neptune > DB Cluster Snapshot > Update Tags

Note: We recommend updating the @turbot/aws-rds mod to v5.32.2 and the @turbot/aws mod to v5.40.0 for proper functionality.

Bug fixes

• Server:
  • Materialization now handles invalid policy type mappings gracefully by skipping them instead of failing.

Requirements

• Upgrade to 5.54.2 requires your workspace to be on 5.53.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.56.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• UI
  • Added Terraform import block generation to policy pack developer tab alongside existing import commands.

Bug fixes

• UI
  • Control page policy lists now show complete trunk names without cutting them off.
  • Resource page alert counts now accurately reflect the actual number of alerts

Requirements

• Upgrade to 5.53.6 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.55.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• Updated permissions to support real-time event processing for DB cluster snapshot resources used by Neptune and DocDB services.

What's new?

Resource Types

• AWS > Doc DB > DB Cluster Snapshot

Control Types

• AWS > Doc DB > DB Cluster Snapshot > Active
• AWS > Doc DB > DB Cluster Snapshot > Allowed
• AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom
• AWS > Doc DB > DB Cluster Snapshot > Allowed > Region
• AWS > Doc DB > DB Cluster Snapshot > CMDB
• AWS > Doc DB > DB Cluster Snapshot > Discovery
• AWS > Doc DB > DB Cluster Snapshot > Tags
• AWS > Doc DB > DB Cluster Snapshot > Usage

Policy Types

• AWS > Doc DB > Allowed Regions [Default]
• AWS > Doc DB > DB Cluster Snapshot > Active
• AWS > Doc DB > DB Cluster Snapshot > Active > Age
• AWS > Doc DB > DB Cluster Snapshot > Active > Budget
• AWS > Doc DB > DB Cluster Snapshot > Active > Last Modified
• AWS > Doc DB > DB Cluster Snapshot > Allowed
• AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom
• AWS > Doc DB > DB Cluster Snapshot > Allowed > Custom > Rules
• AWS > Doc DB > DB Cluster Snapshot > Allowed > Region
• AWS > Doc DB > DB Cluster Snapshot > Allowed > Region > Regions
• AWS > Doc DB > DB Cluster Snapshot > CMDB
• AWS > Doc DB > DB Cluster Snapshot > Regions
• AWS > Doc DB > DB Cluster Snapshot > Tags
• AWS > Doc DB > DB Cluster Snapshot > Tags > Template
• AWS > Doc DB > DB Cluster Snapshot > Usage
• AWS > Doc DB > DB Cluster Snapshot > Usage > Limit

Action Types

• AWS > Doc DB > DB Cluster Snapshot > Delete
• AWS > Doc DB > DB Cluster Snapshot > Delete from AWS
• AWS > Doc DB > DB Cluster Snapshot > Router
• AWS > Doc DB > DB Cluster Snapshot > Set Tags
• AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Active control
• AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Active control [90 days]
• AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Tags control
• AWS > Doc DB > DB Cluster Snapshot > Skip alarm for Tags control [90 days]
• AWS > Doc DB > DB Cluster Snapshot > Update Tags

Note: We recommend updating the @turbot/aws-rds mod to v5.32.2 and the @turbot/aws mod to v5.40.0 for proper functionality.

What's new?

• Firewall rules details will now be available in CMDB for workspaces.
• Security alert policy and vulnerability assessments details will now be available in CMDB for workspaces.

What's new?

• Firewall rules details will now be available in CMDB for redis cache.

What's new?

• Firewall rules details will now be available in CMDB for flexible servers.

What's new?

• Server
  • Turbot > Notifications > Rule-Based Routing now supports using Turbot > File resources as notification templates — update the @turbot/turbot mod to v5.56.1 or later to enable this feature.

Requirements

• Upgrade to 5.53.5 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.55.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• Server
  • Redis/Valkey connection management now tracks connection creation times for improved visibility and connection lifecycle tracking.
  • Maintenance container logic refined to avoid errors when attempting to drop unique index constraints.

Requirements

• Upgrade to 5.53.4 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.55.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Users can now manage trusted access for layers. To get started, set the AWS > Lambda > Function > Layer Trusted Access > * policies.

Control Types

• AWS > Lambda > Function > Layer Trusted Access

Policy Types

• AWS > Lambda > Function > Layer Trusted Access
• AWS > Lambda > Function > Layer Trusted Access > Accounts

Action Types

• AWS > Lambda > Function > Set Layer Trusted Access

What's new?

Policy Types

• AWS > Account > Allowed Regions [Default]

What's new?

• You can now remove unallowed access keys from the CMDB. To get started, set the AWS > IAM > Access Key > Allowed > * policies.

Control Types

• AWS > IAM > Access Key > Allowed
• AWS > IAM > Access Key > Allowed > Custom

Policy Types

• AWS > IAM > Access Key > Allowed
• AWS > IAM > Access Key > Allowed > Custom
• AWS > IAM > Access Key > Allowed > Custom > Rules

What's new?

Resource Types

• Azure > Redis
• Azure > Redis > Redis Cache

Control Types

• Azure > Redis > Redis Cache > Active
• Azure > Redis > Redis Cache > CMDB
• Azure > Redis > Redis Cache > Discovery
• Azure > Redis > Redis Cache > Tags

Policy Types

• Azure > Redis > Approved Regions [Default]
• Azure > Redis > Enabled
• Azure > Redis > Permissions
• Azure > Redis > Permissions > Levels
• Azure > Redis > Permissions > Levels > Modifiers
• Azure > Redis > Redis Cache > Active
• Azure > Redis > Redis Cache > Active > Age
• Azure > Redis > Redis Cache > Active > Last Modified
• Azure > Redis > Redis Cache > CMDB
• Azure > Redis > Redis Cache > Regions
• Azure > Redis > Redis Cache > Tags
• Azure > Redis > Redis Cache > Tags > Template
• Azure > Redis > Regions
• Azure > Redis > Tags Template [Default]
• Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-redis
• Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-redis

Action Types

• Azure > Redis > Redis Cache > Delete
• Azure > Redis > Redis Cache > Router
• Azure > Redis > Redis Cache > Set Tags

What's new?

Resource Types

• Azure > Provider > Redis

Control Types

• Azure > Provider > Redis > CMDB
• Azure > Provider > Redis > Discovery
• Azure > Provider > Redis > Registered

Policy Types

• Azure > Provider > Redis > CMDB
• Azure > Provider > Redis > Registered

Action Types

• Azure > Provider > Redis > Set Registered

What's new?

• You can now configure anonymous pull access for registries. To get started, set the Azure > Container Registry > Registry > Anonymous Pull Access policy.

Control Types

• Azure > Container Registry > Registry > Anonymous Pull Access

Policy Types

• Azure > Container Registry > Registry > Anonymous Pull Access

Action Types

• Azure > Container Registry > Registry > Set Anonymous Pull Access

Bug fixes

• Controls for Lambda functions now use updated CMDB references in internal GraphQL queries. You will not notice any differences, and things will continue to work smoothly as before.

What's new?

• You can now configure anonymous auth for domains. To get started, set the AWS > OpenSearch > Domain > Anonymous Auth policy.

Control Types

• AWS > OpenSearch > Domain > Anonymous Auth

Policy Types

• AWS > OpenSearch > Domain > Anonymous Auth

Action Types

• AWS > OpenSearch > Domain > Disable Anonymous Auth

What's new?

• You can now configure URL auth type for functions. To get started, set the AWS > Lambda > Function > URL Auth Type policy.

Bug fixes

• Fixed action and control mappings in various control types and policy types.

• We've removed the redundant Configuration details for functions from the CMDB. We recommend updating your existing policy settings to reference the top-level attributes from the CMDB data instead.

  Removed: In AWS > Lambda > Function:

  • Configuration

Control Types

• AWS > Lambda > Function > URL Auth Type

Policy Types

• AWS > Lambda > Function > URL Auth Type

Action Types

• AWS > Lambda > Function > Update URL Auth Type

Bug fixes

• Controls for Lambda functions now use updated CMDB references in internal GraphQL queries. You will not notice any differences, and things will continue to work smoothly as before.

Bug fixes

• Guardrails would sometimes fail to process the real-time ec2:DisableSnapshotBlockPublicAccess event for EC2 Account Attributes correctly. This is now fixed.

Bug fixes

• Server

  • Resolved an issue where creating policy values could hang when related policies had no targets.

• UI

  • Policy value cards are now better aligned, improving readability and visual consistency.
  • Smoothed out the header experience on the resources page by removing flicker.

Requirements

• Upgrade to 5.54.1 requires your workspace to be on 5.53.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.56.0

Base images

• Alpine: 3.17.5
• Ubuntu: 22.04.3

What's new?

• Server
  • Increased type installation limit from 600 to 1500.

Bug fixes

• UI
  • Policy value cards are now better aligned, improving readability and visual consistency.
  • Smoothed out the header experience on the resources page by removing flicker.

Requirements

• Upgrade to 5.53.3 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.55.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

You now have more control over when Guardrails creates controls and policy values based on policy settings. Previously, Guardrails would evaluate all possible controls for every resource by default. With this release, Guardrails can be configured to only create controls impacted by policy settings, improving both user experience and backend performance.

The Turbot > Materialization policy supports two modes:

• Always (Default) — Create controls and policy values for all applicable resources, even if no setting exists. This matches legacy behavior.
• Automatic — Create controls and policy values only if a setting is explicitly defined for the primary policy. This can significantly reduce noise and improve performance.

Note that some types, such as those used to discover resources and configure accounts, are always created regardless of the materialization mode.

To get started, we recommend setting the Turbot > Materialization policy to Automatic and updating any cloud mods currently installed, like aws, aws-s3, azure, to their latest versions.

In the upcoming TE version, the default for the Turbot > Materialization policy will change from Always to Automatic. To retain the existing behavior, set the Turbot > Materialization policy to Always before upgrading to the next TE version.

Requirements

• Upgrade to 5.54.0 requires your workspace to be on 5.53.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.56.0

Base images

• Alpine: 3.17.5
• Ubuntu: 22.04.3

What's new?

• Added the Turbot > Materialization policy to control when Guardrails creates controls and policy values, with modes for Always (legacy behavior) and Automatic (create only when explicitly set), reducing noise and improving performance.

Control Types

• Turbot > Policy Pack > Materialize
• Turbot > Guardrail > Materialize
• Turbot > Materialize

Policy Types

• Turbot > Materialization

• Renamed

  • Turbot > Notifications > Email > CC > Tag > Name to Turbot > Notifications > Email > CC > Tag Name.

• Deprecated

  • Turbot > Notifications > Email > CC > Tag

Requirements

• TE: 5.35.4

What's new?

• You can now configure key based metadata write access for database accounts. To get started, set the Azure > Cosmos DB > Database Account > Key Based Metadata Write Access policy.

Control Types

• Azure > Cosmos DB > Database Account > Key Based Metadata Write Access

Policy Types

• Azure > Cosmos DB > Database Account > Key Based Metadata Write Access

Action Types

• Azure > Cosmos DB > Database Account > Set Key Based Metadata Write Access

Bug fixes

• All Lambda functions have been migrated to use AWS SDK v3, reducing the mod package size and improving deployment efficiency. You will not notice any differences, and things will continue to work smoothly as before.

What's new?

• Server

  • GitHub integration now supports importing GitHub Enterprise organizations, expanding coverage for enterprise users.

• UI

  • The main dashboard’s resource list is now split into favorites and accounts for easier navigation and prioritization.
  • The GitHub import page now includes support for GitHub Enterprise.

Bug fixes

• Server

  • Resolved an issue that could prevent confirmation of SNS subscriptions during event handler setup for accounts.
  • Resolved issues with incorrect index mapping definitions in the maintenance container.

• UI

  • Improved UI consistency and usability across policy value cards, control actions, and resource control lists.

Requirements

• Upgrade to 5.53.2 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.55.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Track and manage domain resources in Guardrails.

Resource Types

• AWS > OpenSearch > Domain

Control Types

• AWS > OpenSearch > Domain > Active
• AWS > OpenSearch > Domain > Approved
• AWS > OpenSearch > Domain > CMDB
• AWS > OpenSearch > Domain > Discovery
• AWS > OpenSearch > Domain > Tags

Policy Types

• AWS > OpenSearch > Domain > Active
• AWS > OpenSearch > Domain > Active > Age
• AWS > OpenSearch > Domain > Active > Last Modified
• AWS > OpenSearch > Domain > Approved
• AWS > OpenSearch > Domain > Approved > Custom
• AWS > OpenSearch > Domain > Approved > Regions
• AWS > OpenSearch > Domain > Approved > Usage
• AWS > OpenSearch > Domain > CMDB
• AWS > OpenSearch > Domain > Regions
• AWS > OpenSearch > Domain > Tags
• AWS > OpenSearch > Domain > Tags > Template
• AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-opensearch

Action Types

• AWS > OpenSearch > Domain > Delete
• AWS > OpenSearch > Domain > Delete from AWS
• AWS > OpenSearch > Domain > Router
• AWS > OpenSearch > Domain > Set Tags
• AWS > OpenSearch > Domain > Skip alarm for Active control
• AWS > OpenSearch > Domain > Skip alarm for Active control [90 days]
• AWS > OpenSearch > Domain > Skip alarm for Approved control
• AWS > OpenSearch > Domain > Skip alarm for Approved control [90 days]
• AWS > OpenSearch > Domain > Skip alarm for Tags control
• AWS > OpenSearch > Domain > Skip alarm for Tags control [90 days]
• AWS > OpenSearch > Domain > Update Tags

What's new?

• Intelligent Assessment controls now also support OpenAI GPT-5 and Anthropic Claude Opus 4.1 models.
• All policy types across AWS, Azure, GCP, GitHub, Kubernetes, and ServiceNow mods now have an associated class. You will not notice any differences, and everything will continue to function smoothly as before.

Bug fixes

• Support for the contactable interface has been removed from all resource types except AWS Account, Azure Subscription, and GCP Project. As a result, the Turbot > Notifications > Email > CC > Tag Name policy can no longer be explicitly set for the affected resource types.

What's new?

• You can now configure public network access for registries. To get started, set the Azure > Container Registry > Registry > Public Network Access policy.

Control Types

• Azure > Container Registry > Registry > Public Network Access

Policy Types

• Azure > Container Registry > Registry > Public Network Access

Action Types

• Azure > Container Registry > Registry > Set Public Network Access

Bug fixes

• Various controls sometimes failed to evaluate their dependent policies correctly, which led to the controls failing without explicitly throwing errors. This issue has been fixed, and such controls will now work as expected.

What's new?

• You can now configure public network access for API management services. To get started, set the Azure > API Management > API Management Service > Public Network Access policy.

Control Types

• Azure > API Management > API Management Service > Public Network Access

Policy Types

• Azure > API Management > API Management Service > Public Network Access

Action Types

• Azure > API Management > API Management Service > Set Public Network Access

What's new?

• You can now import GitHub Enterprise organizations in Guardrails. To get started, select GitHub Enterprise Organization from the Connect screen and configure details. We recommend upgrading TE to v5.53.2 for this change to take effect.
• Added support for class attribute for various policy types.

Policy Types

• GitHub > Config > Base URL

Resource Types

• AWS > IAM > Service Specific Credential

Control Types

• AWS > IAM > Service Specific Credential > Active
• AWS > IAM > Service Specific Credential > Approved
• AWS > IAM > Service Specific Credential > CMDB
• AWS > IAM > Service Specific Credential > Discovery

Policy Types

• AWS > IAM > Service Specific Credential > Active
• AWS > IAM > Service Specific Credential > Active > Age
• AWS > IAM > Service Specific Credential > Active > Last Modified
• AWS > IAM > Service Specific Credential > Approved
• AWS > IAM > Service Specific Credential > Approved > Custom
• AWS > IAM > Service Specific Credential > Approved > Usage
• AWS > IAM > Service Specific Credential > CMDB

Action Types

• AWS > IAM > Service Specific Credential > Delete
• AWS > IAM > Service Specific Credential > Delete from AWS
• AWS > IAM > Service Specific Credential > Router
• AWS > IAM > Service Specific Credential > Skip alarm for Active control
• AWS > IAM > Service Specific Credential > Skip alarm for Active control [90 days]
• AWS > IAM > Service Specific Credential > Skip alarm for Approved control
• AWS > IAM > Service Specific Credential > Skip alarm for Approved control [90 days]

What's new?

• You can now configure Encryption at Rest for agents. To get started, set the AWS > Bedrock > Agent > Encryption at Rest > * policies.

Bug fixes

• The promptOverrideConfiguration.promptConfigurations attribute for agents has now been made dynamic to avoid unnecessary notifications in the activity tab.

Control Types

• AWS > Bedrock > Agent > Encryption at Rest

Policy Types

• AWS > Bedrock > Agent > Encryption at Rest
• AWS > Bedrock > Agent > Encryption at Rest > Customer Managed Key

Action Types

• AWS > Bedrock > Agent > Update Encryption at Rest

What's new?

• Server
  • Added support for the class property in policy types.

Requirements

• Upgrade to 5.53.1 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.55.0

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• Fixed service title to CodeArtifact.

Resource Types

Renamed

• AWS > Code Artifact to AWS > CodeArtifact

Policy Types

Renamed

• AWS > Code Artifact > API Enabled to AWS > CodeArtifact > API Enabled
• AWS > Code Artifact > Enabled to AWS > CodeArtifact > Enabled
• AWS > Code Artifact > Permissions to AWS > CodeArtifact > Permissions
• AWS > Code Artifact > Permissions > Levels to AWS > CodeArtifact > Permissions > Levels
• AWS > Code Artifact > Permissions > Levels > Modifiers to AWS > CodeArtifact > Permissions > Levels > Modifiers
• AWS > Code Artifact > Permissions > Lockdown to AWS > CodeArtifact > Permissions > Lockdown
• AWS > Code Artifact > Permissions > Lockdown > API Boundary to AWS > CodeArtifact > Permissions > Lockdown > API Boundary

Bug fixes

• Removed the unnecessary AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifact policy.

Policy Types

Removed

• AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifact

What's new?

Resource Types

• AWS > Code Artifact

Policy Types

• AWS > Code Artifact > API Enabled
• AWS > Code Artifact > Enabled
• AWS > Code Artifact > Permissions
• AWS > Code Artifact > Permissions > Levels
• AWS > Code Artifact > Permissions > Levels > Modifiers
• AWS > Code Artifact > Permissions > Lockdown
• AWS > Code Artifact > Permissions > Lockdown > API Boundary
• AWS > Turbot > Event Handlers > Events > Rules > Event Sources > @turbot/aws-codeartifact
• AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-codeartifact
• AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-codeartifact
• AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-codeartifact

What's new?

• Server
  • Added support for the Storage token audience in the Azure credential resolver.

Bug fixes

• Server
  • Creating a new workspace now correctly adds the missing policy pack (aka) for Smart Folder resource types.
  • Numeric values in wildcard tag filters are now processed correctly.

Requirements

• Upgrade to 5.52.5 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• The Azure > Storage > Storage Account > CMDB no longer requires the listkeys permission on storage accounts to fetch details for Blob, Queue, and File Share services. We recommend upgrading TE to v5.52.5 for this change to take effect.

Bug fixes

• The AWS > S3 > Bucket > Encryption In Transit control previously required an Encryption in Transit policy statement with the Sid MustBeEncryptedInTransit and the condition "aws:SecureTransport": "false". This sometimes caused the control to incorrectly enter an alarm state when the bucket had the correct condition but a different Sid. The control has been updated to check only for the relevant Encryption in Transit condition, without explicitly requiring the Sid MustBeEncryptedInTransit.

Bug fixes

• The Azure > Storage > Storage Account > Data Protection > Soft Delete control will no longer attempt to apply soft delete settings if Guardrails does not have the required permissions to read or write soft delete data. Instead, it will transition to an invalid state.

What's new?

• Users can now manage trusted access for datasets. To get started, set the GCP > BigQuery > Dataset > Policy > Trusted Access > * policies.

Control Types

• GCP > BigQuery > Dataset > Policy
• GCP > BigQuery > Dataset > Policy > Trusted Access

Policy Types

• GCP > BigQuery > Dataset > Policy
• GCP > BigQuery > Dataset > Policy > Trusted Access
• GCP > BigQuery > Dataset > Policy > Trusted Access > Domains
• GCP > BigQuery > Dataset > Policy > Trusted Access > Groups
• GCP > BigQuery > Dataset > Policy > Trusted Access > Service Accounts
• GCP > BigQuery > Dataset > Policy > Trusted Access > Users

Action Types

• GCP > BigQuery > Dataset > Set Trusted Access

Bug fixes

• The Azure > PostgreSQL > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

What's new?

• Server
  • The Turbot > Notifications > CC > Tag policy is no longer checked; resource tags previously specified in Turbot > Notifications > CC > Tag > Name are now associated with the Account/CC policy instead of being evaluated independently.

Bug fixes

• Server
  • Policy settings now return results correctly for policies inside Policy Packs when you have valid access.

Requirements

• Upgrade to 5.52.4 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• You can now configure and manage project role bindings for service accounts. To get started, set the GCP > IAM > Service Account > Project Role Bindings > * policies.

Control Types

• GCP > IAM > Service Account > Project Role Bindings
• GCP > IAM > Service Account > Project Role Bindings > Approved

Policy Types

• GCP > IAM > Service Account > Project Role Bindings
• GCP > IAM > Service Account > Project Role Bindings > Approved
• GCP > IAM > Service Account > Project Role Bindings > Approved > Rules

Action Types

• GCP > IAM > Service Account > Update Project Role Bindings

Bug fixes

• The Azure > Azure > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > MySQL > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Monitor > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Data Factory > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Cosmos DB > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Automation > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.

Bug fixes

• CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.

What's new?

• Server
  • Controls now wait for dependent policy values to finish processing, preventing redundant runs and duplicate execution attempts.

Bug fixes

• Server
  • Restrict smart folder and policy pack to create exception if there is a top level setting available.

Requirements

• Upgrade to 5.53.0 requires your workspace to be on 5.51.x
• TEF: 1.66.0
• TED: 1.9.1
• Mods:
  • @turbot/turbot: 5.55.0

Base images

• Alpine: 3.17.5
• Ubuntu: 22.04.3

What's new?

• You can now configure boot diagnostics for virtual machines. To get started, set the Azure > Compute > Virtual Machine > Update Boot Diagnostics policy.

Control Types

• Azure > Compute > Virtual Machine > Boot Diagnostics

Policy Types

• Azure > Compute > Virtual Machine > Boot Diagnostics
• Azure > Compute > Virtual Machine > Boot Diagnostics > Custom Storage Account

Action Types

• Azure > Compute > Virtual Machine > Update Boot Diagnostics

Bug fixes

• Web App and Function App metadata will now also include createdBy details in Guardrails CMDB.

Bug fixes

• Optimized the Azure > Active Directory > Directory > Discovery control to run more efficiently and prevent unnecessary resource updates, thereby reducing CMDB churn.

What's new?

• You can now configure organization restrictions for AWS Lambda function policies. To get started, configure the AWS > Lambda > Function > Policy > Trusted Access > Organization Restrictions policy accordingly.

Policy Types

• AWS > Lambda > Function > Policy > Trusted Access > Organization Restrictions
• AWS > Lambda > Trusted Organizations [Default]

Preview

All of the following resource types, policy types, and control types are currently in preview and may change in future releases.

• Resource Types:

  • Turbot > Rollout
  • Turbot > Guardrail

• Policy Types:

  • Turbot > Notifications > Email > Rollout > Check Template
  • Turbot > Notifications > Email > Rollout > Check Template > Warning Body
  • Turbot > Notifications > Email > Rollout > Check Template > Warning Subject
  • Turbot > Notifications > Email > Rollout > Check Template > Welcome Body
  • Turbot > Notifications > Email > Rollout > Check Template > Welcome Subject
  • Turbot > Notifications > Email > Rollout > Detach Template
  • Turbot > Notifications > Email > Rollout > Detach Template > Warning Body
  • Turbot > Notifications > Email > Rollout > Detach Template > Warning Subject
  • Turbot > Notifications > Email > Rollout > Enforce Template
  • Turbot > Notifications > Email > Rollout > Enforce Template > Warning Body
  • Turbot > Notifications > Email > Rollout > Enforce Template > Warning Subject
  • Turbot > Notifications > Email > Rollout > Enforce Template > Welcome Body
  • Turbot > Notifications > Email > Rollout > Enforce Template > Welcome Subject
  • Turbot > Notifications > Email > Rollout > Preview Template
  • Turbot > Notifications > Email > Rollout > Preview Template > Warning Body
  • Turbot > Notifications > Email > Rollout > Preview Template > Warning Subject
  • Turbot > Notifications > Email > Rollout > Preview Template > Welcome Subject
  • Turbot > Notifications > Email > Rollout > Preview Template > Welcome Body

• Control types

  • Turbot > Rollout > Events

Bug fixes

• The AWS > EC2 > Target Group > Discovery control could previously enter an error state when upserting a target group whose parent load balancer was not available in CMDB. We have improved this process so that all target groups are now upserted under a region, ensuring better consistency and reliability. Existing target groups under load balancers will also be moved under their respective regions automatically.

What's new?

• You can now configure soft delete for file shares in storage accounts. To get started, configure the Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares > * policies accordingly.
• Delete retention policy details for file share will now be available in CMDB for Storage Accounts.

Policy Types

• Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares
• Azure > Storage > Storage Account > Data Protection > Soft Delete > File Shares > Retention Days

Bug fixes

• The Azure > Relay > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Recovery Service > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Key Vault > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > DNS > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Databricks > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Synapse Analytics > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > SQL Virtual Machine Service > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > SignalR Service > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Service Bus > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The Azure > Network > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.
• The Azure > Network > Bastion Host > Discovery control previously could inadvertently upsert bastion hosts under incorrect resource groups. This issue has been resolved, and the control now upserts bastion hosts more reliably and consistently.

Bug fixes

• The Azure > Log Analytics > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• The AWS > Backup > Recovery Point > CMDB control previously ran every minute if a recovery point’s CalculatedLifecycle.DeleteAt timestamp was already in the past. It now deletes expired recovery points and no longer re-runs automatically when the next tick is also in the past.

What's new?

• Added support for tags attribute in the turbot_policy_pack resource. This will allow users to manage tags on policy packs.

Minimum version requirements:

TE v5.52.3

What's new?

• Server
  • Added support for tags in policy packs, making it easier to organize and filter them.

Note

Upgrade to 5.52.3 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• The GCP > Turbot > Event Handlers > Pub/Sub > Source policy could previously evaluate incorrectly immediately after a GCP Project import if the Project CMDB data was not up to date. The policy now checks the GCP > Project > CMDB control and evaluates only when that control has run successfully and is in an OK state, preventing incorrect results and improving clarity.
• Event Poller controls now display improved help messages when the API used to fetch events returns an error, instead of only logging the errors under Activities.

Action Types Removed

• GCP > Folder > Event Poller
• GCP > Organization > Event Poller
• GCP > Project > Event Poller

Bug fixes

• The Azure > Compute > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

Bug fixes

• We have updated the internal GraphQL queries for the AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed control to improve performance when evaluating the control’s outcome. There are no visible changes, but things will run smoother and faster than before.

Note: We recommend updating the @turbot/aws-ec2 mod to v5.46.2 for proper functionality.

Policy Types

• AWS > PCI v3.2.1 > EC2
• AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed

Bug fixes

• Added additional metadata for associated security groups to the CMDB data for network interfaces for internal performance improvements.

What's new?

• Track and manage delivery, delivery destination, delivery source, and destination resources in Guardrails.

Resource Types

• AWS > Logs > Delivery
• AWS > Logs > Delivery Destination
• AWS > Logs > Delivery Source
• AWS > Logs > Destination

Control Types

• AWS > Logs > Delivery > Active
• AWS > Logs > Delivery > CMDB
• AWS > Logs > Delivery > Discovery
• AWS > Logs > Delivery > Tags
• AWS > Logs > Delivery Destination > Active
• AWS > Logs > Delivery Destination > CMDB
• AWS > Logs > Delivery Destination > Discovery
• AWS > Logs > Delivery Destination > Tags
• AWS > Logs > Delivery Source > Active
• AWS > Logs > Delivery Source > CMDB
• AWS > Logs > Delivery Source > Discovery
• AWS > Logs > Delivery Source > Tags
• AWS > Logs > Destination > Active
• AWS > Logs > Destination > CMDB
• AWS > Logs > Destination > Discovery

Policy Types

• AWS > Logs > Delivery > Active
• AWS > Logs > Delivery > Active > Age
• AWS > Logs > Delivery > Active > Budget
• AWS > Logs > Delivery > Active > Last Modified
• AWS > Logs > Delivery > CMDB
• AWS > Logs > Delivery > Regions
• AWS > Logs > Delivery > Tags
• AWS > Logs > Delivery > Tags > Template
• AWS > Logs > Delivery Destination > Active
• AWS > Logs > Delivery Destination > Active > Age
• AWS > Logs > Delivery Destination > Active > Budget
• AWS > Logs > Delivery Destination > Active > Last Modified
• AWS > Logs > Delivery Destination > CMDB
• AWS > Logs > Delivery Destination > Regions
• AWS > Logs > Delivery Destination > Tags
• AWS > Logs > Delivery Destination > Tags > Template
• AWS > Logs > Delivery Source > Active
• AWS > Logs > Delivery Source > Active > Age
• AWS > Logs > Delivery Source > Active > Budget
• AWS > Logs > Delivery Source > Active > Last Modified
• AWS > Logs > Delivery Source > CMDB
• AWS > Logs > Delivery Source > Regions
• AWS > Logs > Delivery Source > Tags
• AWS > Logs > Delivery Source > Tags > Template
• AWS > Logs > Destination > Active
• AWS > Logs > Destination > Active > Age
• AWS > Logs > Destination > Active > Budget
• AWS > Logs > Destination > Active > Last Modified
• AWS > Logs > Destination > CMDB
• AWS > Logs > Destination > Regions

Action Types

• AWS > Logs > Delivery > Delete
• AWS > Logs > Delivery > Router
• AWS > Logs > Delivery > Update Tags
• AWS > Logs > Delivery Destination > Delete
• AWS > Logs > Delivery Destination > Router
• AWS > Logs > Delivery Destination > Update Tags
• AWS > Logs > Delivery Source > Delete
• AWS > Logs > Delivery Source > Router
• AWS > Logs > Delivery Source > Update Tags
• AWS > Logs > Destination > Delete
• AWS > Logs > Destination > Router

Bug fixes

• Guardrails stack controls would fail to claim any existing OpenID Connect provider if the OpenID Connect provider was available in Guardrails CMDB and the stack's Source policy included the Terraform plan for the OpenID Connect provider. This is fixed and stack control will now be able to claim existing OpenID Connect providers correctly.

What's new?

• Server
  • Added retry mechanism for Mod expired URL errors.

Bug Fixes

• Server

  • Turbot > Workspace > Background Tasks now ignore deleted resources.
  • Resolved an issue where the worker could crash while processing errors.
  • Addressed a cleanup script bug that was incorrectly removing active Lambda version aliases and associated topics. The script now deletes only unused resources.

• UI

  • Saving in the calculated policy editor is now prevented if there is an error.
  • Alignment of Note in the policy tab is now consistent across all entries.
  • Multi-step queries in the calculated policy editor are now displayed correctly as separate steps.
  • Policy packs no longer show a blank page when the description is missing.
  • Policy Pack details screen should not show summary when AI summary is disabled.

Note

Upgrade to 5.52.2 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• The Azure > Storage > Storage Account > CMDB control previously encountered errors with Premium storage accounts when attempting to access unsupported Table services. This has now been resolved.

What's new?

• Turbot > Workspace > Background Tasks will no longer go into an error state if the resource does not exist.

Requirements

• TE: 5.35.4

What's new?

• Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Bug fixes

• The Azure > Storage > Storage Account > CMDB control now stores details of API calls that fail due to insufficient permissions granted to Guardrails' service principal. This enables Guardrails to mark controls that depend on the respective data as invalid, rather than enforcing settings unnecessarily.

Control Types

• Azure > Storage > Storage Account > Stack [Native]

Policy Types

• Azure > Storage > Storage Account > Stack [Native]
• Azure > Storage > Storage Account > Stack [Native] > Drift Detection
• Azure > Storage > Storage Account > Stack [Native] > Drift Detection > Interval
• Azure > Storage > Storage Account > Stack [Native] > Modifier
• Azure > Storage > Storage Account > Stack [Native] > Secret Variables
• Azure > Storage > Storage Account > Stack [Native] > Source
• Azure > Storage > Storage Account > Stack [Native] > Timeout
• Azure > Storage > Storage Account > Stack [Native] > Variables
• Azure > Storage > Storage Account > Stack [Native] > Version

What's new?

• Users can now create and manage cloud resources using Terraform 1.x via Guardrails, fully leveraging all features available in this version. To get started, set the Stack [Native] > * policies.

Control Types

• Azure > Key Vault > Vault > Stack [Native]

Policy Types

• Azure > Key Vault > Vault > Stack [Native]
• Azure > Key Vault > Vault > Stack [Native] > Drift Detection
• Azure > Key Vault > Vault > Stack [Native] > Drift Detection > Interval
• Azure > Key Vault > Vault > Stack [Native] > Modifier
• Azure > Key Vault > Vault > Stack [Native] > Secret Variables
• Azure > Key Vault > Vault > Stack [Native] > Source
• Azure > Key Vault > Vault > Stack [Native] > Timeout
• Azure > Key Vault > Vault > Stack [Native] > Variables
• Azure > Key Vault > Vault > Stack [Native] > Version

Bug fixes

• Fixed invalid CMDB references for the Zone, Region, Multi-Region, and Global Region resource types that caused the Relationships and Import Set controls to enter an error state. The controls now run reliably without errors.

Bug fixes

• The AWS > Account > Budget > Budget control previously reran unnecessarily in workspaces with Turbot > Notifications enabled. This issue has been resolved, and the control now runs as expected.

Bug fixes

• Fixed an issue in the turbot_file resource where removed keys in the content field were incorrectly sent as "key": null in the update payload. The provider now sends the content exactly as specified in the Terraform configuration, ensuring that only the intended keys appear in the Turbot console.

What's new?

• Added CPU and memory settings for the PgBouncer task, giving you more control over resource allocation.

What's new?

• You can now configure cross-tenant replication for storage accounts. To get started, set the Azure > Storage > Storage Account > Cross-Tenant Replication policy.

Control Types

• Azure > Storage > Storage Account > Cross-Tenant Replication

Policy Types

• Azure > Storage > Storage Account > Cross-Tenant Replication

Action Types

• Azure > Storage > Storage Account > Set Cross-Tenant Replication

Bug fixes

• Guardrails previously failed to delete Azure > SQL > * resources due to limitations in the internal Node SDK package version. This issue has now been resolved, and the resources will be deleted as expected.
• The Azure > SQL > * tags controls will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

What's new?

• You can now manage role bindings for service accounts. To get started, set the GCP > IAM > Service Account > Role Bindings > * policies.

Control Types

• GCP > IAM > Service Account > Role Bindings
• GCP > IAM > Service Account > Role Bindings > Approved

Policy Types

• GCP > IAM > Service Account > Role Bindings
• GCP > IAM > Service Account > Role Bindings > Approved
• GCP > IAM > Service Account > Role Bindings > Approved > Rules

Action Types

• GCP > IAM > Service Account > Update Role Bindings

Bug fixes

• In the previous version, an issue was introduced in the CMDB control for Azure > Storage > Storage Account that prevented the retrieval of diagnostic settings. This has now been resolved, and the control successfully processes diagnostic settings for all storage services, including Blob, Table, Queue, and the primary account.

What's new?

• You can now manage role bindings for project users. To get started, set the GCP > IAM > Project User > Role Bindings > * policies.

Control Types

• GCP > IAM > Project User > Role Bindings
• GCP > IAM > Project User > Role Bindings > Approved

Policy Types

• GCP > IAM > Project User > Role Bindings
• GCP > IAM > Project User > Role Bindings > Approved
• GCP > IAM > Project User > Role Bindings > Approved > Rules

Action Types

• GCP > IAM > Project User > Update Role Bindings

What's new?

• Network rule set details will now be available in CMDB for namespaces.

What's new?

Control Types

• Azure > CIS v3.0
• Azure > CIS v3.0 > 02 - Identity
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA)
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
• Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
• Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
• Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
• Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
• Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
• Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
• Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent
• Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
• Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
• Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
• Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
• Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
• Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
• Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
• Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
• Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
• Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
• Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
• Azure > CIS v3.0 > 03 - Security
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Storage Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan - App Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
• Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• Azure > CIS v3.0 > 04 - Storage Accounts
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
• Azure > CIS v3.0 > 05 - Database Services
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.06 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
• Azure > CIS v3.0 > 06 - Logging & Monitoring
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK)
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
• Azure > CIS v3.0 > 07 - Networking
• Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
• Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
• Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
• Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
• Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
• Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
• Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
• Azure > CIS v3.0 > 08 - Virtual Machines
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure an Azure Bastion Host Exists
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines
• Azure > CIS v3.0 > 09 - Application Services
• Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to On
• Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service
• Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
• Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption
• Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service
• Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
• Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
• Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
• Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
• Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use)
• Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
• Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off'
• Azure > CIS v3.0 > 10 - Miscellaneous
• Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources

Policy Types

• Azure > CIS v3.0
• Azure > CIS v3.0 > 02 - Identity
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA)
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.01 - Ensure Security Defaults is enabled on Microsoft Entra ID > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.02 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.03 - Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled
• Azure > CIS v3.0 > 02 - Identity > 02.01 - Security Defaults (Per-User MFA) > 02.01.04 - Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.01 - Ensure Trusted Locations Are Defined
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.02 - Ensure that an exclusionary Geographic Access Policy is considered > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.03 - Ensure that an exclusionary Device code flow policy is considered > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.04 - Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.05 - Ensure that A Multi-factor Authentication Policy Exists for All Users > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.06 - Ensure Multi-factor Authentication is Required for Risky Sign-ins > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.07 - Ensure Multi-factor Authentication is Required for Windows Azure Service Management API
• Azure > CIS v3.0 > 02 - Identity > 02.02 - Conditional Access > 02.02.08 - Ensure Multi-factor Authentication is Required to access Microsoft Admin Portals
• Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.03 - Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.04 - Ensure Guest Users Are Reviewed on a Regular Basis
• Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2'
• Azure > CIS v3.0 > 02 - Identity > 02.05 - Ensure That 'Number of methods required to reset' is set to '2' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10'
• Azure > CIS v3.0 > 02 - Identity > 02.06 - Ensure that account 'Lockout Threshold' is less than or equal to '10' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
• Azure > CIS v3.0 > 02 - Identity > 02.07 - Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
• Azure > CIS v3.0 > 02 - Identity > 02.08 - Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'
• Azure > CIS v3.0 > 02 - Identity > 02.09 - Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.10 - Ensure that 'Notify users on password resets?' is set to 'Yes' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.11 - Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent
• Azure > CIS v3.0 > 02 - Identity > 02.12 - Ensure User consent for applications is set to Do not allow user consent > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'
• Azure > CIS v3.0 > 02 - Identity > 02.13 - Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.14 - Ensure That 'Users Can Register Applications' Is Set to 'No'
• Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
• Azure > CIS v3.0 > 02 - Identity > 02.15 - Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
• Azure > CIS v3.0 > 02 - Identity > 02.16 - Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.17 - Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.18 - Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.19 - Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'
• Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
• Azure > CIS v3.0 > 02 - Identity > 02.20 - Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
• Azure > CIS v3.0 > 02 - Identity > 02.21 - Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes'
• Azure > CIS v3.0 > 02 - Identity > 02.22 - Ensure that 'Require Multifactor Authentication to register or join devices with Microsoft Entra' is set to 'Yes' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.23 - Ensure That No Custom Subscription Administrator Roles Exist
• Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks
• Azure > CIS v3.0 > 02 - Identity > 02.24 - Ensure a Custom Role is Assigned Permissions for Administering Resource Locks > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
• Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one' > Attestation
• Azure > CIS v3.0 > 02 - Identity > 02.26 - Ensure fewer than 5 users have global administrator assignment
• Azure > CIS v3.0 > 02 - Identity > Maximum Attestation Duration
• Azure > CIS v3.0 > 03 - Security
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM)
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.01 - Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.01 - Microsoft Cloud Security Posture Management (CSPM) > 03.01.01.02 - Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.02 - Defender Plan APIs
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.01 - Ensure That Microsoft Defender for Servers Is Set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.02 - Ensure that 'Vulnerability assessment for machines' component status is set to 'On' > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.03 - Ensure that 'Endpoint protection' component status is set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.04 - Ensure that 'Agentless scanning for machines' component status is set to 'On' > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.03 - Defender Plan Servers > 03.01.03.05 - Ensure that 'File Integrity Monitoring' component status is set to 'On' > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.02 - Ensure that 'Agentless discovery for Kubernetes' component status 'On' > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.04 - Defender Plan Containers > 03.01.04.03 - Ensure that 'Agentless container vulnerability assessment' component status is 'On' > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.05 - Defender Plan - Storage > 03.01.05.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.06 - Defender Plan App - Service > 03.01.06.01 - Ensure That Microsoft Defender for App Services Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.01 - Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.02 - Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.03 - Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.07 - Defender Plan - Databases > 03.01.07.04 - Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.08 - Defender Plan - Key Vault > 03.01.08.01 - Ensure That Microsoft Defender for Key Vault Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.09 - Defender Plan - Resource Manager > 03.01.09.01 - Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.10 - Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.11 - Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled' > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.12 - Ensure That 'All users with the following roles' is set to 'Owner'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.13 - Ensure 'Additional email addresses' is Configured with a Security Contact Email
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.14 - Ensure That 'Notify about alerts with the following severity' is Set to 'High'
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.15 - Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT
• Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > 03.02.01 - Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
• Azure > CIS v3.0 > 03 - Security > 03.02 - Microsoft Defender for IoT > Attestation
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services > Attestation
• Azure > CIS v3.0 > 03 - Security > Maximum Attestation Duration
• Azure > CIS v3.0 > 04 - Storage Accounts
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.01 - Ensure that 'Secure transfer required' is set to 'Enabled'
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.02 - Ensure that Enable Infrastructure Encryption for Each Storage Account in Azure Storage is Set to enabled
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.03 - Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.04 - Ensure that Storage Account Access Keys are Periodically Regenerated > Attestation
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.05 - Ensure that Shared Access Signature Tokens Expire Within an Hour > Attestation
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.06 - Ensure that 'Public Network Access' is 'Disabled' for storage accounts
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.07 - Ensure Default Network Access Rule for Storage Accounts is Set to Deny
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.08 - Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.09 - Ensure Private Endpoints are used to access Storage Accounts
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.10 - Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.11 - Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.12 - Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.13 - Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.14 - Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.15 - Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.16 - Ensure 'Cross Tenant Replication' is not enabled
• Azure > CIS v3.0 > 04 - Storage Accounts > 04.17 - Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'
• Azure > CIS v3.0 > 04 - Storage Accounts > Maximum Attestation Duration
• Azure > CIS v3.0 > 05 - Database Services
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.01 - Ensure that 'Auditing' is set to 'On'
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.02 - Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.03 - Ensure SQL Server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.04 - Ensure that Microsoft Entra authentication is Configured for SQL Servers
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.05 - Ensure that 'Data encryption' is set to 'On' on a SQL Database
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.06 - Ensure that 'Auditing' Retention is 'greater than 90 days'
• Azure > CIS v3.0 > 05 - Database Services > 05.01 - Azure SQL Database > 05.01.07 - Ensure Public Network Access is Disabled
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.02 - Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.03 - Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.04 - Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.05 - Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.07 - [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 05.02.08 - [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'
• Azure > CIS v3.0 > 05 - Database Services > 05.02 - Azure Database for PostgreSQL > 5.2.6 - [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.01 - Ensure server parameter 'require_secure_transport' is set to 'ON' for MySQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.02 - Ensure server parameter 'tls_version' is set to 'TLSv1.2' (or higher) for MySQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.03 - Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.03 - Azure Database for MySQL > 05.03.04 - Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL flexible server
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.01 - Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.02 - Ensure That Private Endpoints Are Used Where Possible
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
• Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible > Attestation
• Azure > CIS v3.0 > 05 - Database Services > Maximum Attestation Duration
• Azure > CIS v3.0 > 06 - Logging & Monitoring
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs > Attestation
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.03 - Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.05 - Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.06 - Ensure that logging for Azure AppService 'HTTP logs' is enabled
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it > Attestation
• Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.05 - Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
• Azure > CIS v3.0 > 06 - Logging & Monitoring > Maximum Attestation Duration
• Azure > CIS v3.0 > 07 - Networking
• Azure > CIS v3.0 > 07 - Networking > 07.01 - Ensure that RDP access from the Internet is evaluated and restricted
• Azure > CIS v3.0 > 07 - Networking > 07.02 - Ensure that SSH access from the Internet is evaluated and restricted
• Azure > CIS v3.0 > 07 - Networking > 07.03 - Ensure that UDP access from the Internet is evaluated and restricted
• Azure > CIS v3.0 > 07 - Networking > 07.04 - Ensure that HTTP(S) access from the Internet is evaluated and restricted
• Azure > CIS v3.0 > 07 - Networking > 07.05 - Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
• Azure > CIS v3.0 > 07 - Networking > 07.06 - Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
• Azure > CIS v3.0 > 07 - Networking > 07.07 - Ensure that Public IP addresses are evaluated on a periodic basis
• Azure > CIS v3.0 > 07 - Networking > Maximum Attestation Duration
• Azure > CIS v3.0 > 08 - Virtual Machines
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure Virtual Machines are utilizing Managed Disks
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.02 - Ensure Virtual Machines are utilizing Managed Disks
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.03 - Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.04 - Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.05 - Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.06 - Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.07 - Ensure that Only Approved Extensions Are Installed > Attestation
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.08 - Ensure that Endpoint Protection for all Virtual Machines is installed > Attestation
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.09 - [Legacy] Ensure that VHDs are Encrypted > Attestation
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.10 - Ensure only MFA enabled identities can access privileged Virtual Machine > Attestation
• Azure > CIS v3.0 > 08 - Virtual Machines > 08.11 - Ensure Trusted Launch is enabled on Virtual Machines
• Azure > CIS v3.0 > 08 - Virtual Machines > Maximum Attestation Duration
• Azure > CIS v3.0 > 09 - Application Services
• Azure > CIS v3.0 > 09 - Application Services > 09.01 - Ensure 'HTTPS Only' is set to On
• Azure > CIS v3.0 > 09 - Application Services > 09.02 - Ensure App Service Authentication is set up for apps in Azure App Service
• Azure > CIS v3.0 > 09 - Application Services > 09.03 - Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
• Azure > CIS v3.0 > 09 - Application Services > 09.04 - Ensure Web App is using the latest version of TLS encryption
• Azure > CIS v3.0 > 09 - Application Services > 09.05 - Ensure that Register with Entra ID is enabled on App Service
• Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled'
• Azure > CIS v3.0 > 09 - Application Services > 09.06 - Ensure that 'Basic Authentication' is 'Disabled' > Attestation
• Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use)
• Azure > CIS v3.0 > 09 - Application Services > 09.07 - Ensure that 'PHP version' is currently supported (if in use) > Attestation
• Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use)
• Azure > CIS v3.0 > 09 - Application Services > 09.08 - Ensure that 'Python version' is currently supported (if in use) > Attestation
• Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use)
• Azure > CIS v3.0 > 09 - Application Services > 09.09 - Ensure that 'Java version' is currently supported (if in use) > Attestation
• Azure > CIS v3.0 > 09 - Application Services > 09.10 - Ensure that 'HTTP20enabled' is set to 'true' (if in use)
• Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
• Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets > Attestation
• Azure > CIS v3.0 > 09 - Application Services > 09.12 - Ensure that 'Remote debugging' is set to 'Off'
• Azure > CIS v3.0 > 09 - Application Services > Maximum Attestation Duration
• Azure > CIS v3.0 > 10 - Miscellaneous
• Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
• Azure > CIS v3.0 > 10 - Miscellaneous > 10.01 - Ensure that Resource Locks are set for Mission-Critical Azure Resources > Attestation
• Azure > CIS v3.0 > 10 - Miscellaneous > Maximum Attestation Duration
• Azure > CIS v3.0 > Maximum Attestation Duration

Note

To ensure compatibility and proper functioning of the Guardrails Azure CIS v3 mod, we recommend updating all dependent mods to their latest versions.

What's new?

• Added proxy support for GitHub API requests.

Bug fixes

• Guardrails previously failed to fetch all diagnosticSettings details for storage accounts control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.

Renamed:

• diagnosticSettings.value to diagnosticSettings

Bug fixes

• Guardrails previously failed to fetch all diagnosticSettings details for vaults control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.

Bug fixes

• Guardrails previously failed to fetch all diagnosticSettings details for web apps control due to limitations in the internal Node SDK package version. This has now been resolved, and the CMDB control will successfully fetch all details as expected.

What's new?

• Diagnostic Settings for blob, queue, and table will now be available in CMDB for storage accounts.
• Users can now update access tier to cold for storage accounts. To get started, set the Azure > Storage > Storage Account > Access Tier policy to Enforce: Cold.

Bug fixes

• The Azure > Storage > Storage Account > Tags control will no longer pass unnecessary arguments as parameter to the API call while updating tags for the resource.

What's new?

• You can now configure guest configuration extension for virtual machines. To get started, set the Azure > Compute > Virtual Machine > Extensions > Guest Configuration policy.

Control Types

• Azure > Compute > Virtual Machine > Extensions
• Azure > Compute > Virtual Machine > Extensions > Guest Configuration

Policy Types

• Azure > Compute > Virtual Machine > Extensions
• Azure > Compute > Virtual Machine > Extensions > Guest Configuration

Action Types

• Azure > Compute > Virtual Machine > Update Guest Configuration

What's new?

• Added controls for sections 5.01.01, 5.01.02 and 7.01.

Control Types

• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.02 - Ensure Diagnostic Setting captures appropriate categories
• Azure > CIS v2.0 > 07 - Virtual Machines > 7.01 - Ensure an Azure Bastion Host Exists

Policy Types

• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists > Attestation
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.02 - Ensure Diagnostic Setting captures appropriate categories
• Azure > CIS v2.0 > 07 - Virtual Machines > 7.01 - Ensure an Azure Bastion Host Exists

Bug fixes

• CIS controls previously entered an invalid or TBD state when the CMDB controls for associated resources were in a skipped or TBD state, even if the corresponding CIS policies were set to Skip. This issue has been resolved; such controls will now correctly transition to a skipped state.

Bug fixes

• The CMDB data for buckets did not refresh automatically when intelligent tiering configurations were removed from the buckets. This issue has now been fixed.

What's new?

• Added support for PostgreSQL version 15.9, 15.10, 15.11, 15.12 and 15.13.

Bug fixes

• Resolved a bug where destroying a policy pack via Terraform did not delete the policy pack if it was still attached to resources. The terraform destroy command now provides a clear and meaningful error message when such attachments exist.

  Minimum version requirements:

  • TE v5.52.1

What's new?

• Diagnostic Settings details will now be available in CMDB for Subscriptions.

What's new?

• Server
  • Introduced LAMBDA_IN_VPC_GITHUB flag to enable deployment of GitHub mod lambdas inside a VPC.

Bug Fixes

• Server
  • Optimized mod type installation to distribute event execution more evenly over time, minimizing the risk of throttling.
  • Fixed an issue where controls or actions could get stuck if their notification templates were empty or failed to render correctly.
  • The Delete Policy Pack API now throws a clear error when attempting to delete a policy pack that still has attached resources.
  • The maintenance container now ensures the index_list table is populated with any missing indexes, improving database reliability.
  • Unused Lambda functions are now correctly deleted when no aliases remain.

Note

Upgrade to 5.52.1 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Resource Types:

  • Azure > Network > Bastion Host

• Control Types:

  • Azure > Network > Bastion Host > Active
  • Azure > Network > Bastion Host > CMDB
  • Azure > Network > Bastion Host > Discovery
  • Azure > Network > Bastion Host > Tags

• Policy Types:

  • Azure > Network > Bastion Host > Active
  • Azure > Network > Bastion Host > Active > Age
  • Azure > Network > Bastion Host > Active > Last Modified
  • Azure > Network > Bastion Host > CMDB
  • Azure > Network > Bastion Host > Regions
  • Azure > Network > Bastion Host > Tags
  • Azure > Network > Bastion Host > Tags > Template

• Action Types:

  • Azure > Network > Bastion Host > Delete
  • Azure > Network > Bastion Host > Router
  • Azure > Network > Bastion Host > Set Tags

What's new?

• HyperVGeneration details will now be available in the CMDB for Virtual Machines.

What's new?

• Conditional Access Policy and Directory Role details will now be available in CMDB for Directories.

Action Types

• Azure > Active Directory > Directory > Router

What's new?

• Resource Types:

  • AWS > Bedrock > Agent
  • AWS > Bedrock > Custom Model
  • AWS > Bedrock > Foundation Model
  • AWS > Bedrock > Imported Model
  • AWS > Bedrock > Knowledge Base
  • AWS > Bedrock > Settings

• Control Types:

  • AWS > Bedrock > Agent > Active
  • AWS > Bedrock > Agent > CMDB
  • AWS > Bedrock > Agent > Discovery
  • AWS > Bedrock > Agent > Tags
  • AWS > Bedrock > Custom Model > Active
  • AWS > Bedrock > Custom Model > CMDB
  • AWS > Bedrock > Custom Model > Discovery
  • AWS > Bedrock > Custom Model > Tags
  • AWS > Bedrock > Foundation Model > CMDB
  • AWS > Bedrock > Foundation Model > Discovery
  • AWS > Bedrock > Imported Model > Active
  • AWS > Bedrock > Imported Model > CMDB
  • AWS > Bedrock > Imported Model > Discovery
  • AWS > Bedrock > Imported Model > Tags
  • AWS > Bedrock > Knowledge Base > Active
  • AWS > Bedrock > Knowledge Base > CMDB
  • AWS > Bedrock > Knowledge Base > Discovery
  • AWS > Bedrock > Knowledge Base > Tags
  • AWS > Bedrock > Settings > CMDB
  • AWS > Bedrock > Settings > Discovery
  • AWS > Bedrock > Settings > Model Invocation Logging Configuration

• Policy Types:

  • AWS > Bedrock > Agent > Active
  • AWS > Bedrock > Agent > Active > Age
  • AWS > Bedrock > Agent > Active > Last Modified
  • AWS > Bedrock > Agent > CMDB
  • AWS > Bedrock > Agent > Regions
  • AWS > Bedrock > Agent > Tags
  • AWS > Bedrock > Agent > Tags > Template
  • AWS > Bedrock > Custom Model > Active
  • AWS > Bedrock > Custom Model > Active > Age
  • AWS > Bedrock > Custom Model > Active > Last Modified
  • AWS > Bedrock > Custom Model > CMDB
  • AWS > Bedrock > Custom Model > Regions
  • AWS > Bedrock > Custom Model > Tags
  • AWS > Bedrock > Custom Model > Tags > Template
  • AWS > Bedrock > Foundation Model > CMDB
  • AWS > Bedrock > Foundation Model > Regions
  • AWS > Bedrock > Imported Model > Active
  • AWS > Bedrock > Imported Model > Active > Age
  • AWS > Bedrock > Imported Model > Active > Last Modified
  • AWS > Bedrock > Imported Model > CMDB
  • AWS > Bedrock > Imported Model > Regions
  • AWS > Bedrock > Imported Model > Tags
  • AWS > Bedrock > Imported Model > Tags > Template
  • AWS > Bedrock > Knowledge Base > Active
  • AWS > Bedrock > Knowledge Base > Active > Age
  • AWS > Bedrock > Knowledge Base > Active > Last Modified
  • AWS > Bedrock > Knowledge Base > CMDB
  • AWS > Bedrock > Knowledge Base > Regions
  • AWS > Bedrock > Knowledge Base > Tags
  • AWS > Bedrock > Knowledge Base > Tags > Template
  • AWS > Bedrock > Settings > CMDB
  • AWS > Bedrock > Settings > Model Invocation Logging Configuration
  • AWS > Bedrock > Settings > Model Invocation Logging Configuration > Data Delivery
  • AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination
  • AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > CloudWatch Log Group Name
  • AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > S3 Location
  • AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > S3 Location for Large Data Delivery
  • AWS > Bedrock > Settings > Model Invocation Logging Configuration > Logging Destination > Service Role ARN
  • AWS > Bedrock > Settings > Regions
  • AWS > Bedrock > Tags Template [Default]
  • AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-bedrock

• Action Types:

  • AWS > Bedrock > Agent > Delete
  • AWS > Bedrock > Agent > Router
  • AWS > Bedrock > Agent > Update Tags
  • AWS > Bedrock > Custom Model > Delete
  • AWS > Bedrock > Custom Model > Router
  • AWS > Bedrock > Custom Model > Update Tags
  • AWS > Bedrock > Imported Model > Delete
  • AWS > Bedrock > Imported Model > Router
  • AWS > Bedrock > Imported Model > Update Tags
  • AWS > Bedrock > Knowledge Base > Delete
  • AWS > Bedrock > Knowledge Base > Router
  • AWS > Bedrock > Knowledge Base > Update Tags
  • AWS > Bedrock > Settings > Router
  • AWS > Bedrock > Settings > Update Model Invocation Logging Configuration

Bug fixes

• In previous versions, apigateway:CreateDeployment events were processed without validating the required stageName parameter, which could result in invalid stage resources in the CMDB. This issue is now fixed.

Bug fixes

• Resolved an issue with real-time event handling for AWS > API Gateway > Stage resources. Specifically, Guardrails was previously not receiving events when a Web ACL was attached to an API Gateway stage. This has now been fixed, and events for such actions are processed as expected.

What's new?

• Users can now configure the private google access settings for subnetworks. To get started, set the GCP > Network > Subnetwork > Private Google Access policy.

Control Types

• GCP > Network > Subnetwork > Private Google Access

Policy Types

• GCP > Network > Subnetwork > Private Google Access

Action Types

• GCP > Network > Subnetwork > Set Private Google Access

Bug fixes

• Previously, GCP > DNS > Managed Zone > Labels control would fail when attempting to update labels on private DNS zones that were linked to a Service Directory namespace. This was caused by the control attempting to modify the serviceDirectoryConfig field, which is not allowed by the Google Cloud DNS API and resulted in an error. This issue has now been resolved.

What's new?

• Users can now manage trusted access for tables. To get started, set the AWS > DynamoDB > Table > Policy > Trusted Access > * policies.
• Resource policy details will now be available in CMDB for tables.

Control Types

• AWS > DynamoDB > Table > Policy
• AWS > DynamoDB > Table > Policy > Trusted Access

Policy Types

• AWS > DynamoDB > Table > Policy
• AWS > DynamoDB > Table > Policy > Trusted Access
• AWS > DynamoDB > Table > Policy > Trusted Access > Accounts
• AWS > DynamoDB > Table > Policy > Trusted Access > CloudFront Origin Access Identities
• AWS > DynamoDB > Table > Policy > Trusted Access > Organization Restrictions
• AWS > DynamoDB > Trusted Accounts [Default]
• AWS > DynamoDB > Trusted Organizations [Default]

Action Types

• AWS > DynamoDB > Table > Set Policy Trusted Access

What's new?

• Added support to process real-time events for GCP > Compute Engine > Region Disk.

Action Types

• GCP > Compute Engine > Region Disk > Router

Bug fixes

• The AWS > Turbot > Event Handlers > Events > Rules > Custom Event Patterns > @turbot/aws-ec2 policy previously depended on the Turbot > Workspace > Workspace Version policy, causing Event Handlers to run after a TE update. This dependency has been safely removed, improving the overall efficiency of the workspace.

What's new?

• You can now use the Intelligent Assessment control, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > PostgreSQL > Flexible Server > Intelligent Assessment

Policy Types

• Azure > PostgreSQL > Flexible Server > Intelligent Assessment
• Azure > PostgreSQL > Flexible Server > Intelligent Assessment > Context
• Azure > PostgreSQL > Flexible Server > Intelligent Assessment > User Prompt

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• GCP > Folder > Intelligent Assessment
• GCP > Organization > Intelligent Assessment
• GCP > Project > Intelligent Assessment

Policy Types

• GCP > Folder > Intelligent Assessment
• GCP > Folder > Intelligent Assessment > Context
• GCP > Folder > Intelligent Assessment > User Prompt
• GCP > Organization > Intelligent Assessment
• GCP > Organization > Intelligent Assessment > Context
• GCP > Organization > Intelligent Assessment > User Prompt
• GCP > Project > Intelligent Assessment
• GCP > Project > Intelligent Assessment > Context
• GCP > Project > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• GCP > Pub/Sub > Snapshot > Intelligent Assessment
• GCP > Pub/Sub > Subscription > Intelligent Assessment
• GCP > Pub/Sub > Topic > Intelligent Assessment

Policy Types

• GCP > Pub/Sub > Snapshot > Intelligent Assessment
• GCP > Pub/Sub > Snapshot > Intelligent Assessment > Context
• GCP > Pub/Sub > Snapshot > Intelligent Assessment > User Prompt
• GCP > Pub/Sub > Subscription > Intelligent Assessment
• GCP > Pub/Sub > Subscription > Intelligent Assessment > Context
• GCP > Pub/Sub > Subscription > Intelligent Assessment > User Prompt
• GCP > Pub/Sub > Topic > Intelligent Assessment
• GCP > Pub/Sub > Topic > Intelligent Assessment > Context
• GCP > Pub/Sub > Topic > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• GCP > Logging > Exclusion > Intelligent Assessment
• GCP > Logging > Metric > Intelligent Assessment
• GCP > Logging > Sink > Intelligent Assessment

Policy Types

• GCP > Logging > Exclusion > Intelligent Assessment
• GCP > Logging > Exclusion > Intelligent Assessment > Context
• GCP > Logging > Exclusion > Intelligent Assessment > User Prompt
• GCP > Logging > Metric > Intelligent Assessment
• GCP > Logging > Metric > Intelligent Assessment > Context
• GCP > Logging > Metric > Intelligent Assessment > User Prompt
• GCP > Logging > Sink > Intelligent Assessment
• GCP > Logging > Sink > Intelligent Assessment > Context
• GCP > Logging > Sink > Intelligent Assessment > User Prompt

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment control.

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• GCP > App Engine > Application > Intelligent Assessment
• GCP > App Engine > Firewall Rule > Intelligent Assessment
• GCP > App Engine > Instance > Intelligent Assessment
• GCP > App Engine > Service > Intelligent Assessment
• GCP > App Engine > Version > Intelligent Assessment

Policy Types

• GCP > App Engine > Application > Intelligent Assessment
• GCP > App Engine > Application > Intelligent Assessment > Context
• GCP > App Engine > Application > Intelligent Assessment > User Prompt
• GCP > App Engine > Firewall Rule > Intelligent Assessment
• GCP > App Engine > Firewall Rule > Intelligent Assessment > Context
• GCP > App Engine > Firewall Rule > Intelligent Assessment > User Prompt
• GCP > App Engine > Instance > Intelligent Assessment
• GCP > App Engine > Instance > Intelligent Assessment > Context
• GCP > App Engine > Instance > Intelligent Assessment > User Prompt
• GCP > App Engine > Service > Intelligent Assessment
• GCP > App Engine > Service > Intelligent Assessment > Context
• GCP > App Engine > Service > Intelligent Assessment > User Prompt
• GCP > App Engine > Version > Intelligent Assessment
• GCP > App Engine > Version > Intelligent Assessment > Context
• GCP > App Engine > Version > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > SQL > Database > Intelligent Assessment
• Azure > SQL > Elastic Pool > Intelligent Assessment
• Azure > SQL > Managed Instance > Intelligent Assessment
• Azure > SQL > Server > Intelligent Assessment

Policy Types

• Azure > SQL > Database > Intelligent Assessment
• Azure > SQL > Database > Intelligent Assessment > Context
• Azure > SQL > Database > Intelligent Assessment > User Prompt
• Azure > SQL > Elastic Pool > Intelligent Assessment
• Azure > SQL > Elastic Pool > Intelligent Assessment > Context
• Azure > SQL > Elastic Pool > Intelligent Assessment > User Prompt
• Azure > SQL > Managed Instance > Intelligent Assessment
• Azure > SQL > Managed Instance > Intelligent Assessment > Context
• Azure > SQL > Managed Instance > Intelligent Assessment > User Prompt
• Azure > SQL > Server > Intelligent Assessment
• Azure > SQL > Server > Intelligent Assessment > Context
• Azure > SQL > Server > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > Network > Application Security Group > Intelligent Assessment
• Azure > Network > Express Route Circuits > Intelligent Assessment
• Azure > Network > Network Interface > Intelligent Assessment
• Azure > Network > Network Security Group > Intelligent Assessment
• Azure > Network > Private DNS Zones > Intelligent Assessment
• Azure > Network > Private Endpoints > Intelligent Assessment
• Azure > Network > Private Link Service > Intelligent Assessment
• Azure > Network > Public IP Address > Intelligent Assessment
• Azure > Network > Route Table > Intelligent Assessment
• Azure > Network > Subnet > Intelligent Assessment
• Azure > Network > Virtual Network > Intelligent Assessment
• Azure > Network > Virtual Network Gateway > Intelligent Assessment

Policy Types

• Azure > Network > Application Security Group > Intelligent Assessment
• Azure > Network > Application Security Group > Intelligent Assessment > Context
• Azure > Network > Application Security Group > Intelligent Assessment > User Prompt
• Azure > Network > Express Route Circuits > Intelligent Assessment
• Azure > Network > Express Route Circuits > Intelligent Assessment > Context
• Azure > Network > Express Route Circuits > Intelligent Assessment > User Prompt
• Azure > Network > Network Interface > Intelligent Assessment
• Azure > Network > Network Interface > Intelligent Assessment > Context
• Azure > Network > Network Interface > Intelligent Assessment > User Prompt
• Azure > Network > Network Security Group > Intelligent Assessment
• Azure > Network > Network Security Group > Intelligent Assessment > Context
• Azure > Network > Network Security Group > Intelligent Assessment > User Prompt
• Azure > Network > Private DNS Zones > Intelligent Assessment
• Azure > Network > Private DNS Zones > Intelligent Assessment > Context
• Azure > Network > Private DNS Zones > Intelligent Assessment > User Prompt
• Azure > Network > Private Endpoints > Intelligent Assessment
• Azure > Network > Private Endpoints > Intelligent Assessment > Context
• Azure > Network > Private Endpoints > Intelligent Assessment > User Prompt
• Azure > Network > Private Link Service > Intelligent Assessment
• Azure > Network > Private Link Service > Intelligent Assessment > Context
• Azure > Network > Private Link Service > Intelligent Assessment > User Prompt
• Azure > Network > Public IP Address > Intelligent Assessment
• Azure > Network > Public IP Address > Intelligent Assessment > Context
• Azure > Network > Public IP Address > Intelligent Assessment > User Prompt
• Azure > Network > Route Table > Intelligent Assessment
• Azure > Network > Route Table > Intelligent Assessment > Context
• Azure > Network > Route Table > Intelligent Assessment > User Prompt
• Azure > Network > Subnet > Intelligent Assessment
• Azure > Network > Subnet > Intelligent Assessment > Context
• Azure > Network > Subnet > Intelligent Assessment > User Prompt
• Azure > Network > Virtual Network > Intelligent Assessment
• Azure > Network > Virtual Network > Intelligent Assessment > Context
• Azure > Network > Virtual Network > Intelligent Assessment > User Prompt
• Azure > Network > Virtual Network Gateway > Intelligent Assessment
• Azure > Network > Virtual Network Gateway > Intelligent Assessment > Context
• Azure > Network > Virtual Network Gateway > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment control, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > MySQL > Flexible Server > Intelligent Assessment

Policy Types

• Azure > MySQL > Flexible Server > Intelligent Assessment
• Azure > MySQL > Flexible Server > Intelligent Assessment > Context
• Azure > MySQL > Flexible Server > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > Monitor > Action Group > Intelligent Assessment
• Azure > Monitor > Alerts > Intelligent Assessment
• Azure > Monitor > Log Profile > Intelligent Assessment
• Azure > Monitor > Metric Alert > Intelligent Assessment

Policy Types

• Azure > Monitor > Action Group > Intelligent Assessment
• Azure > Monitor > Action Group > Intelligent Assessment > Context
• Azure > Monitor > Action Group > Intelligent Assessment > User Prompt
• Azure > Monitor > Alerts > Intelligent Assessment
• Azure > Monitor > Alerts > Intelligent Assessment > Context
• Azure > Monitor > Alerts > Intelligent Assessment > User Prompt
• Azure > Monitor > Log Profile > Intelligent Assessment
• Azure > Monitor > Log Profile > Intelligent Assessment > Context
• Azure > Monitor > Log Profile > Intelligent Assessment > User Prompt
• Azure > Monitor > Metric Alert > Intelligent Assessment
• Azure > Monitor > Metric Alert > Intelligent Assessment > Context
• Azure > Monitor > Metric Alert > Intelligent Assessment > User Prompt

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > Redshift > Cluster > Intelligent Assessment
• AWS > Redshift > Cluster Parameter Group > Intelligent Assessment
• AWS > Redshift > Cluster Subnet Group > Intelligent Assessment
• AWS > Redshift > Manual Cluster Snapshot > Intelligent Assessment

Policy Types

• AWS > Redshift > Cluster > Intelligent Assessment
• AWS > Redshift > Cluster > Intelligent Assessment > Context
• AWS > Redshift > Cluster > Intelligent Assessment > User Prompt
• AWS > Redshift > Cluster Parameter Group > Intelligent Assessment
• AWS > Redshift > Cluster Parameter Group > Intelligent Assessment > Context
• AWS > Redshift > Cluster Parameter Group > Intelligent Assessment > User Prompt
• AWS > Redshift > Cluster Subnet Group > Intelligent Assessment
• AWS > Redshift > Cluster Subnet Group > Intelligent Assessment > Context
• AWS > Redshift > Cluster Subnet Group > Intelligent Assessment > User Prompt
• AWS > Redshift > Manual Cluster Snapshot > Intelligent Assessment
• AWS > Redshift > Manual Cluster Snapshot > Intelligent Assessment > Context
• AWS > Redshift > Manual Cluster Snapshot > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > RDS > DB Cluster > Intelligent Assessment
• AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment
• AWS > RDS > DB Cluster Snapshot [Manual] > Intelligent Assessment
• AWS > RDS > DB Instance > Intelligent Assessment
• AWS > RDS > DB Parameter Group > Intelligent Assessment
• AWS > RDS > DB Snapshot [Manual] > Intelligent Assessment
• AWS > RDS > Global Cluster > Intelligent Assessment
• AWS > RDS > Option Group > Intelligent Assessment
• AWS > RDS > Subnet Group > Intelligent Assessment

Policy Types

• AWS > RDS > DB Cluster > Intelligent Assessment
• AWS > RDS > DB Cluster > Intelligent Assessment > Context
• AWS > RDS > DB Cluster > Intelligent Assessment > User Prompt
• AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment
• AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment > Context
• AWS > RDS > DB Cluster Parameter Group > Intelligent Assessment > User Prompt
• AWS > RDS > DB Cluster Snapshot [Manual] > Intelligent Assessment
• AWS > RDS > DB Cluster Snapshot [Manual] > Intelligent Assessment > Context
• AWS > RDS > DB Cluster Snapshot [Manual] > Intelligent Assessment > User Prompt
• AWS > RDS > DB Instance > Intelligent Assessment
• AWS > RDS > DB Instance > Intelligent Assessment > Context
• AWS > RDS > DB Instance > Intelligent Assessment > User Prompt
• AWS > RDS > DB Parameter Group > Intelligent Assessment
• AWS > RDS > DB Parameter Group > Intelligent Assessment > Context
• AWS > RDS > DB Parameter Group > Intelligent Assessment > User Prompt
• AWS > RDS > DB Snapshot [Manual] > Intelligent Assessment
• AWS > RDS > DB Snapshot [Manual] > Intelligent Assessment > Context
• AWS > RDS > DB Snapshot [Manual] > Intelligent Assessment > User Prompt
• AWS > RDS > Global Cluster > Intelligent Assessment
• AWS > RDS > Global Cluster > Intelligent Assessment > Context
• AWS > RDS > Global Cluster > Intelligent Assessment > User Prompt
• AWS > RDS > Option Group > Intelligent Assessment
• AWS > RDS > Option Group > Intelligent Assessment > Context
• AWS > RDS > Option Group > Intelligent Assessment > User Prompt
• AWS > RDS > Subnet Group > Intelligent Assessment
• AWS > RDS > Subnet Group > Intelligent Assessment > Context
• AWS > RDS > Subnet Group > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > Organizations > Organization > Intelligent Assessment
• AWS > Organizations > Organization Root > Intelligent Assessment
• AWS > Organizations > Organizational Account > Intelligent Assessment
• AWS > Organizations > Organizational Unit > Intelligent Assessment

Policy Types

• AWS > Organizations > Organization > Intelligent Assessment
• AWS > Organizations > Organization > Intelligent Assessment > Context
• AWS > Organizations > Organization > Intelligent Assessment > User Prompt
• AWS > Organizations > Organization Root > Intelligent Assessment
• AWS > Organizations > Organization Root > Intelligent Assessment > Context
• AWS > Organizations > Organization Root > Intelligent Assessment > User Prompt
• AWS > Organizations > Organizational Account > Intelligent Assessment
• AWS > Organizations > Organizational Account > Intelligent Assessment > Context
• AWS > Organizations > Organizational Account > Intelligent Assessment > User Prompt
• AWS > Organizations > Organizational Unit > Intelligent Assessment
• AWS > Organizations > Organizational Unit > Intelligent Assessment > Context
• AWS > Organizations > Organizational Unit > Intelligent Assessment > User Prompt

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment control.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > IAM > Access Analyzer > Intelligent Assessment
• AWS > IAM > Access Key > Intelligent Assessment
• AWS > IAM > Account Password Policy > Intelligent Assessment
• AWS > IAM > Account Summary > Intelligent Assessment
• AWS > IAM > Credential Report > Intelligent Assessment
• AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment
• AWS > IAM > Group > Inline Policy > Intelligent Assessment
• AWS > IAM > Group > Intelligent Assessment
• AWS > IAM > Instance Profile > Intelligent Assessment
• AWS > IAM > MFA Virtual > Intelligent Assessment
• AWS > IAM > OpenID Connect > Intelligent Assessment
• AWS > IAM > Policy > Intelligent Assessment
• AWS > IAM > Role > Inline Policy > Intelligent Assessment
• AWS > IAM > Role > Intelligent Assessment
• AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment
• AWS > IAM > Root > Intelligent Assessment
• AWS > IAM > Server Certificate > Intelligent Assessment
• AWS > IAM > User > Group Memberships > Intelligent Assessment
• AWS > IAM > User > Inline Policy > Intelligent Assessment
• AWS > IAM > User > Intelligent Assessment
• AWS > IAM > User > User Policy Attachments > Intelligent Assessment

Policy Types

• AWS > IAM > Access Analyzer > Intelligent Assessment
• AWS > IAM > Access Analyzer > Intelligent Assessment > Context
• AWS > IAM > Access Analyzer > Intelligent Assessment > User Prompt
• AWS > IAM > Access Key > Intelligent Assessment
• AWS > IAM > Access Key > Intelligent Assessment > Context
• AWS > IAM > Access Key > Intelligent Assessment > User Prompt
• AWS > IAM > Account Password Policy > Intelligent Assessment
• AWS > IAM > Account Password Policy > Intelligent Assessment > Context
• AWS > IAM > Account Password Policy > Intelligent Assessment > User Prompt
• AWS > IAM > Account Summary > Intelligent Assessment
• AWS > IAM > Account Summary > Intelligent Assessment > Context
• AWS > IAM > Account Summary > Intelligent Assessment > User Prompt
• AWS > IAM > Credential Report > Intelligent Assessment
• AWS > IAM > Credential Report > Intelligent Assessment > Context
• AWS > IAM > Credential Report > Intelligent Assessment > User Prompt
• AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment
• AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment > Context
• AWS > IAM > Group > Group Policy Attachments > Intelligent Assessment > User Prompt
• AWS > IAM > Group > Inline Policy > Intelligent Assessment
• AWS > IAM > Group > Inline Policy > Intelligent Assessment > Context
• AWS > IAM > Group > Inline Policy > Intelligent Assessment > User Prompt
• AWS > IAM > Group > Intelligent Assessment
• AWS > IAM > Group > Intelligent Assessment > Context
• AWS > IAM > Group > Intelligent Assessment > User Prompt
• AWS > IAM > Instance Profile > Intelligent Assessment
• AWS > IAM > Instance Profile > Intelligent Assessment > Context
• AWS > IAM > Instance Profile > Intelligent Assessment > User Prompt
• AWS > IAM > MFA Virtual > Intelligent Assessment
• AWS > IAM > MFA Virtual > Intelligent Assessment > Context
• AWS > IAM > MFA Virtual > Intelligent Assessment > User Prompt
• AWS > IAM > OpenID Connect > Intelligent Assessment
• AWS > IAM > OpenID Connect > Intelligent Assessment > Context
• AWS > IAM > OpenID Connect > Intelligent Assessment > User Prompt
• AWS > IAM > Policy > Intelligent Assessment
• AWS > IAM > Policy > Intelligent Assessment > Context
• AWS > IAM > Policy > Intelligent Assessment > User Prompt
• AWS > IAM > Role > Inline Policy > Intelligent Assessment
• AWS > IAM > Role > Inline Policy > Intelligent Assessment > Context
• AWS > IAM > Role > Inline Policy > Intelligent Assessment > User Prompt
• AWS > IAM > Role > Intelligent Assessment
• AWS > IAM > Role > Intelligent Assessment > Context
• AWS > IAM > Role > Intelligent Assessment > User Prompt
• AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment
• AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment > Context
• AWS > IAM > Role > Role Policy Attachments > Intelligent Assessment > User Prompt
• AWS > IAM > Root > Intelligent Assessment
• AWS > IAM > Root > Intelligent Assessment > Context
• AWS > IAM > Root > Intelligent Assessment > User Prompt
• AWS > IAM > Server Certificate > Intelligent Assessment
• AWS > IAM > Server Certificate > Intelligent Assessment > Context
• AWS > IAM > Server Certificate > Intelligent Assessment > User Prompt
• AWS > IAM > User > Group Memberships > Intelligent Assessment
• AWS > IAM > User > Group Memberships > Intelligent Assessment > Context
• AWS > IAM > User > Group Memberships > Intelligent Assessment > User Prompt
• AWS > IAM > User > Inline Policy > Intelligent Assessment
• AWS > IAM > User > Inline Policy > Intelligent Assessment > Context
• AWS > IAM > User > Inline Policy > Intelligent Assessment > User Prompt
• AWS > IAM > User > Intelligent Assessment
• AWS > IAM > User > Intelligent Assessment > Context
• AWS > IAM > User > Intelligent Assessment > User Prompt
• AWS > IAM > User > User Policy Attachments > Intelligent Assessment
• AWS > IAM > User > User Policy Attachments > Intelligent Assessment > Context
• AWS > IAM > User > User Policy Attachments > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > Glue > Crawler > Intelligent Assessment
• AWS > Glue > Data Catalog > Intelligent Assessment
• AWS > Glue > Database > Intelligent Assessment
• AWS > Glue > Job > Intelligent Assessment
• AWS > Glue > ML Transform > Intelligent Assessment
• AWS > Glue > Security Configuration > Intelligent Assessment
• AWS > Glue > Table > Intelligent Assessment
• AWS > Glue > Trigger > Intelligent Assessment
• AWS > Glue > Workflow > Intelligent Assessment

Policy Types

• AWS > Glue > Crawler > Intelligent Assessment
• AWS > Glue > Crawler > Intelligent Assessment > Context
• AWS > Glue > Crawler > Intelligent Assessment > User Prompt
• AWS > Glue > Data Catalog > Intelligent Assessment
• AWS > Glue > Data Catalog > Intelligent Assessment > Context
• AWS > Glue > Data Catalog > Intelligent Assessment > User Prompt
• AWS > Glue > Database > Intelligent Assessment
• AWS > Glue > Database > Intelligent Assessment > Context
• AWS > Glue > Database > Intelligent Assessment > User Prompt
• AWS > Glue > Job > Intelligent Assessment
• AWS > Glue > Job > Intelligent Assessment > Context
• AWS > Glue > Job > Intelligent Assessment > User Prompt
• AWS > Glue > ML Transform > Intelligent Assessment
• AWS > Glue > ML Transform > Intelligent Assessment > Context
• AWS > Glue > ML Transform > Intelligent Assessment > User Prompt
• AWS > Glue > Security Configuration > Intelligent Assessment
• AWS > Glue > Security Configuration > Intelligent Assessment > Context
• AWS > Glue > Security Configuration > Intelligent Assessment > User Prompt
• AWS > Glue > Table > Intelligent Assessment
• AWS > Glue > Table > Intelligent Assessment > Context
• AWS > Glue > Table > Intelligent Assessment > User Prompt
• AWS > Glue > Trigger > Intelligent Assessment
• AWS > Glue > Trigger > Intelligent Assessment > Context
• AWS > Glue > Trigger > Intelligent Assessment > User Prompt
• AWS > Glue > Workflow > Intelligent Assessment
• AWS > Glue > Workflow > Intelligent Assessment > Context
• AWS > Glue > Workflow > Intelligent Assessment > User Prompt

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > CloudTrail > Shadow Trail > Intelligent Assessment
• AWS > CloudTrail > Trail > Intelligent Assessment

Policy Types

• AWS > CloudTrail > Shadow Trail > Intelligent Assessment
• AWS > CloudTrail > Shadow Trail > Intelligent Assessment > Context
• AWS > CloudTrail > Shadow Trail > Intelligent Assessment > User Prompt
• AWS > CloudTrail > Trail > Intelligent Assessment
• AWS > CloudTrail > Trail > Intelligent Assessment > Context
• AWS > CloudTrail > Trail > Intelligent Assessment > User Prompt

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• GCP > Dataproc > Cluster > Intelligent Assessment
• GCP > Dataproc > Job > Intelligent Assessment
• GCP > Dataproc > Workflow Template > Intelligent Assessment

Policy Types

• GCP > Dataproc > Cluster > Intelligent Assessment
• GCP > Dataproc > Cluster > Intelligent Assessment > Context
• GCP > Dataproc > Cluster > Intelligent Assessment > User Prompt
• GCP > Dataproc > Job > Intelligent Assessment
• GCP > Dataproc > Job > Intelligent Assessment > Context
• GCP > Dataproc > Job > Intelligent Assessment > User Prompt
• GCP > Dataproc > Workflow Template > Intelligent Assessment
• GCP > Dataproc > Workflow Template > Intelligent Assessment > Context
• GCP > Dataproc > Workflow Template > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > Management Group > Intelligent Assessment
• Azure > Resource Group > Intelligent Assessment
• Azure > Subscription > Intelligent Assessment
• Azure > Tenant > Intelligent Assessment

Policy Types

• Azure > Management Group > Intelligent Assessment
• Azure > Management Group > Intelligent Assessment > Context
• Azure > Management Group > Intelligent Assessment > User Prompt
• Azure > Resource Group > Intelligent Assessment
• Azure > Resource Group > Intelligent Assessment > Context
• Azure > Resource Group > Intelligent Assessment > User Prompt
• Azure > Subscription > Intelligent Assessment
• Azure > Subscription > Intelligent Assessment > Context
• Azure > Subscription > Intelligent Assessment > User Prompt
• Azure > Tenant > Intelligent Assessment
• Azure > Tenant > Intelligent Assessment > Context
• Azure > Tenant > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > Account > Intelligent Assessment
• AWS > Organization > Intelligent Assessment
• AWS > Organization Root > Intelligent Assessment
• AWS > Organizational Unit > Intelligent Assessment

Policy Types

• AWS > Account > Intelligent Assessment
• AWS > Account > Intelligent Assessment > Context
• AWS > Account > Intelligent Assessment > User Prompt
• AWS > Organization > Intelligent Assessment
• AWS > Organization > Intelligent Assessment > Context
• AWS > Organization > Intelligent Assessment > User Prompt
• AWS > Organization Root > Intelligent Assessment
• AWS > Organization Root > Intelligent Assessment > Context
• AWS > Organization Root > Intelligent Assessment > User Prompt
• AWS > Organizational Unit > Intelligent Assessment
• AWS > Organizational Unit > Intelligent Assessment > Context
• AWS > Organizational Unit > Intelligent Assessment > User Prompt

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment control.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > API Gateway > API > Intelligent Assessment
• AWS > API Gateway > API Key > Intelligent Assessment
• AWS > API Gateway > API V2 > Intelligent Assessment
• AWS > API Gateway > Account > Intelligent Assessment
• AWS > API Gateway > Authorizer > Intelligent Assessment
• AWS > API Gateway > Authorizer V2 > Intelligent Assessment
• AWS > API Gateway > Domain Name V2 > Intelligent Assessment
• AWS > API Gateway > Integration V2 > Intelligent Assessment
• AWS > API Gateway > Resource > Intelligent Assessment
• AWS > API Gateway > Stage > Intelligent Assessment
• AWS > API Gateway > Stage v2 > Intelligent Assessment
• AWS > API Gateway > Usage Plan > Intelligent Assessment

Policy Types

• AWS > API Gateway > API > Intelligent Assessment
• AWS > API Gateway > API > Intelligent Assessment > Context
• AWS > API Gateway > API > Intelligent Assessment > User Prompt
• AWS > API Gateway > API Key > Intelligent Assessment
• AWS > API Gateway > API Key > Intelligent Assessment > Context
• AWS > API Gateway > API Key > Intelligent Assessment > User Prompt
• AWS > API Gateway > API V2 > Intelligent Assessment
• AWS > API Gateway > API V2 > Intelligent Assessment > Context
• AWS > API Gateway > API V2 > Intelligent Assessment > User Prompt
• AWS > API Gateway > Account > Intelligent Assessment
• AWS > API Gateway > Account > Intelligent Assessment > Context
• AWS > API Gateway > Account > Intelligent Assessment > User Prompt
• AWS > API Gateway > Authorizer > Intelligent Assessment
• AWS > API Gateway > Authorizer > Intelligent Assessment > Context
• AWS > API Gateway > Authorizer > Intelligent Assessment > User Prompt
• AWS > API Gateway > Authorizer V2 > Intelligent Assessment
• AWS > API Gateway > Authorizer V2 > Intelligent Assessment > Context
• AWS > API Gateway > Authorizer V2 > Intelligent Assessment > User Prompt
• AWS > API Gateway > Domain Name V2 > Intelligent Assessment
• AWS > API Gateway > Domain Name V2 > Intelligent Assessment > Context
• AWS > API Gateway > Domain Name V2 > Intelligent Assessment > User Prompt
• AWS > API Gateway > Integration V2 > Intelligent Assessment
• AWS > API Gateway > Integration V2 > Intelligent Assessment > Context
• AWS > API Gateway > Integration V2 > Intelligent Assessment > User Prompt
• AWS > API Gateway > Resource > Intelligent Assessment
• AWS > API Gateway > Resource > Intelligent Assessment > Context
• AWS > API Gateway > Resource > Intelligent Assessment > User Prompt
• AWS > API Gateway > Stage > Intelligent Assessment
• AWS > API Gateway > Stage > Intelligent Assessment > Context
• AWS > API Gateway > Stage > Intelligent Assessment > User Prompt
• AWS > API Gateway > Stage v2 > Intelligent Assessment
• AWS > API Gateway > Stage v2 > Intelligent Assessment > Context
• AWS > API Gateway > Stage v2 > Intelligent Assessment > User Prompt
• AWS > API Gateway > Usage Plan > Intelligent Assessment
• AWS > API Gateway > Usage Plan > Intelligent Assessment > Context
• AWS > API Gateway > Usage Plan > Intelligent Assessment > User Prompt

What's new?

• Workspace Manager can now access log buckets encrypted with customer-managed KMS keys, improving support for secure logging setups.
• The initial setup for PgBouncer support is now available. When enabled, the stack automatically creates the networking and discovery components—like Security Groups and CloudMap—needed for PgBouncer to work.

What's new?

• PgBouncer support is now available.
• Support for Valkey has been introduced, offering a simpler and more cost-effective option than Redis.

PgBouncer

PgBouncer support has been introduced to improve database connection efficiency through lightweight connection pooling. This enhancement benefits high-throughput environments by reducing the overhead of frequent PostgreSQL connections.

Minimum version requirements:

• TE v5.52.0
• TEF v1.68.0
• TED v1.50.0

What's new?

• Server

  • Introduced a new GraphQL resolver that generates AI-driven remediation steps for controls.

• UI

  • Enhanced the UI to display AI-generated remediation steps within the control details view.
  • Added a summary view to the UI for Policy Packs to provide a quick overview of key settings.

Note

Upgrade to 5.52.0 requires your workspace to be on 5.51.x; direct upgrades from older versions (e.g., 5.49.x) will fail.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• GCP > Storage > Bucket > Intelligent Assessment
• GCP > Storage > Object > Intelligent Assessment

Policy Types

• GCP > Storage > Bucket > Intelligent Assessment
• GCP > Storage > Bucket > Intelligent Assessment > Context
• GCP > Storage > Bucket > Intelligent Assessment > User Prompt
• GCP > Storage > Object > Intelligent Assessment
• GCP > Storage > Object > Intelligent Assessment > Context
• GCP > Storage > Object > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Bug fixes

• We have improved the internal handling of user prompts to ensure better and more consistent evaluations for the Intelligent Assessment control(s).

Control Types

• GCP > IAM > API Key > Intelligent Assessment
• GCP > IAM > Project Role > Intelligent Assessment
• GCP > IAM > Project User > Intelligent Assessment
• GCP > IAM > Service Account > Intelligent Assessment
• GCP > IAM > Service Account Key > Intelligent Assessment
• GCP > Project > Policy > Intelligent Assessment

Policy Types

• GCP > IAM > API Key > Intelligent Assessment
• GCP > IAM > API Key > Intelligent Assessment > Context
• GCP > IAM > API Key > Intelligent Assessment > User Prompt
• GCP > IAM > Project Role > Intelligent Assessment
• GCP > IAM > Project Role > Intelligent Assessment > Context
• GCP > IAM > Project Role > Intelligent Assessment > User Prompt
• GCP > IAM > Project User > Intelligent Assessment
• GCP > IAM > Project User > Intelligent Assessment > Context
• GCP > IAM > Project User > Intelligent Assessment > User Prompt
• GCP > IAM > Service Account > Intelligent Assessment
• GCP > IAM > Service Account > Intelligent Assessment > Context
• GCP > IAM > Service Account > Intelligent Assessment > User Prompt
• GCP > IAM > Service Account Key > Intelligent Assessment
• GCP > IAM > Service Account Key > Intelligent Assessment > Context
• GCP > IAM > Service Account Key > Intelligent Assessment > User Prompt
• GCP > Project > Policy > Intelligent Assessment
• GCP > Project > Policy > Intelligent Assessment > Context
• GCP > Project > Policy > Intelligent Assessment > User Prompt

Bug fixes

• We have improved the internal handling of user prompts to ensure better and more consistent evaluations for the Intelligent Assessment controls.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• GCP > Compute Engine > Disk > Intelligent Assessment
• GCP > Compute Engine > HTTP Health Check > Intelligent Assessment
• GCP > Compute Engine > HTTPS Health Check > Intelligent Assessment
• GCP > Compute Engine > Health Check > Intelligent Assessment
• GCP > Compute Engine > Image > Intelligent Assessment
• GCP > Compute Engine > Instance > Intelligent Assessment
• GCP > Compute Engine > Instance Template > Intelligent Assessment
• GCP > Compute Engine > Node Group > Intelligent Assessment
• GCP > Compute Engine > Node template > Intelligent Assessment
• GCP > Compute Engine > Project > Intelligent Assessment
• GCP > Compute Engine > Region Disk > Intelligent Assessment
• GCP > Compute Engine > Region Health Check > Intelligent Assessment
• GCP > Compute Engine > Snapshot > Intelligent Assessment

Policy Types

• GCP > Compute Engine > Disk > Intelligent Assessment
• GCP > Compute Engine > Disk > Intelligent Assessment > Context
• GCP > Compute Engine > Disk > Intelligent Assessment > User Prompt
• GCP > Compute Engine > HTTP Health Check > Intelligent Assessment
• GCP > Compute Engine > HTTP Health Check > Intelligent Assessment > Context
• GCP > Compute Engine > HTTP Health Check > Intelligent Assessment > User Prompt
• GCP > Compute Engine > HTTPS Health Check > Intelligent Assessment
• GCP > Compute Engine > HTTPS Health Check > Intelligent Assessment > Context
• GCP > Compute Engine > HTTPS Health Check > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Health Check > Intelligent Assessment
• GCP > Compute Engine > Health Check > Intelligent Assessment > Context
• GCP > Compute Engine > Health Check > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Image > Intelligent Assessment
• GCP > Compute Engine > Image > Intelligent Assessment > Context
• GCP > Compute Engine > Image > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Instance > Intelligent Assessment
• GCP > Compute Engine > Instance > Intelligent Assessment > Context
• GCP > Compute Engine > Instance > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Instance Template > Intelligent Assessment
• GCP > Compute Engine > Instance Template > Intelligent Assessment > Context
• GCP > Compute Engine > Instance Template > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Node Group > Intelligent Assessment
• GCP > Compute Engine > Node Group > Intelligent Assessment > Context
• GCP > Compute Engine > Node Group > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Node template > Intelligent Assessment
• GCP > Compute Engine > Node template > Intelligent Assessment > Context
• GCP > Compute Engine > Node template > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Project > Intelligent Assessment
• GCP > Compute Engine > Project > Intelligent Assessment > Context
• GCP > Compute Engine > Project > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Region Disk > Intelligent Assessment
• GCP > Compute Engine > Region Disk > Intelligent Assessment > Context
• GCP > Compute Engine > Region Disk > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Region Health Check > Intelligent Assessment
• GCP > Compute Engine > Region Health Check > Intelligent Assessment > Context
• GCP > Compute Engine > Region Health Check > Intelligent Assessment > User Prompt
• GCP > Compute Engine > Snapshot > Intelligent Assessment
• GCP > Compute Engine > Snapshot > Intelligent Assessment > Context
• GCP > Compute Engine > Snapshot > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > Storage > Access Key > Intelligent Assessment
• Azure > Storage > Container > Intelligent Assessment
• Azure > Storage > FileShare > Intelligent Assessment
• Azure > Storage > Queue > Intelligent Assessment
• Azure > Storage > Storage Account > Intelligent Assessment

Policy Types

• Azure > Storage > Access Key > Intelligent Assessment
• Azure > Storage > Access Key > Intelligent Assessment > Context
• Azure > Storage > Access Key > Intelligent Assessment > User Prompt
• Azure > Storage > Container > Intelligent Assessment
• Azure > Storage > Container > Intelligent Assessment > Context
• Azure > Storage > Container > Intelligent Assessment > User Prompt
• Azure > Storage > FileShare > Intelligent Assessment
• Azure > Storage > FileShare > Intelligent Assessment > Context
• Azure > Storage > FileShare > Intelligent Assessment > User Prompt
• Azure > Storage > Queue > Intelligent Assessment
• Azure > Storage > Queue > Intelligent Assessment > Context
• Azure > Storage > Queue > Intelligent Assessment > User Prompt
• Azure > Storage > Storage Account > Intelligent Assessment
• Azure > Storage > Storage Account > Intelligent Assessment > Context
• Azure > Storage > Storage Account > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > IAM > Role Assignment > Intelligent Assessment
• Azure > IAM > Role Definition > Intelligent Assessment

Policy Types

• Azure > IAM > Role Assignment > Intelligent Assessment
• Azure > IAM > Role Assignment > Intelligent Assessment > Context
• Azure > IAM > Role Assignment > Intelligent Assessment > User Prompt
• Azure > IAM > Role Definition > Intelligent Assessment
• Azure > IAM > Role Definition > Intelligent Assessment > Context
• Azure > IAM > Role Definition > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• Azure > Compute > Availability Set > Intelligent Assessment
• Azure > Compute > Disk > Intelligent Assessment
• Azure > Compute > Disk Encryption Set > Intelligent Assessment
• Azure > Compute > Image > Intelligent Assessment
• Azure > Compute > Snapshot > Intelligent Assessment
• Azure > Compute > Ssh Public Key > Intelligent Assessment
• Azure > Compute > Virtual Machine > Intelligent Assessment
• Azure > Compute > Virtual Machine Scale Set > Intelligent Assessment

Policy Types

• Azure > Compute > Availability Set > Intelligent Assessment
• Azure > Compute > Availability Set > Intelligent Assessment > Context
• Azure > Compute > Availability Set > Intelligent Assessment > User Prompt
• Azure > Compute > Disk > Intelligent Assessment
• Azure > Compute > Disk > Intelligent Assessment > Context
• Azure > Compute > Disk > Intelligent Assessment > User Prompt
• Azure > Compute > Disk Encryption Set > Intelligent Assessment
• Azure > Compute > Disk Encryption Set > Intelligent Assessment > Context
• Azure > Compute > Disk Encryption Set > Intelligent Assessment > User Prompt
• Azure > Compute > Image > Intelligent Assessment
• Azure > Compute > Image > Intelligent Assessment > Context
• Azure > Compute > Image > Intelligent Assessment > User Prompt
• Azure > Compute > Snapshot > Intelligent Assessment
• Azure > Compute > Snapshot > Intelligent Assessment > Context
• Azure > Compute > Snapshot > Intelligent Assessment > User Prompt
• Azure > Compute > Ssh Public Key > Intelligent Assessment
• Azure > Compute > Ssh Public Key > Intelligent Assessment > Context
• Azure > Compute > Ssh Public Key > Intelligent Assessment > User Prompt
• Azure > Compute > Virtual Machine > Intelligent Assessment
• Azure > Compute > Virtual Machine > Intelligent Assessment > Context
• Azure > Compute > Virtual Machine > Intelligent Assessment > User Prompt
• Azure > Compute > Virtual Machine Scale Set > Intelligent Assessment
• Azure > Compute > Virtual Machine Scale Set > Intelligent Assessment > Context
• Azure > Compute > Virtual Machine Scale Set > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > VPC > Flow Log > Intelligent Assessment
• AWS > VPC > Network ACL > Intelligent Assessment
• AWS > VPC > Security Group > Intelligent Assessment
• AWS > VPC > Security Group Rule > Intelligent Assessment

Policy Types

• AWS > VPC > Flow Log > Intelligent Assessment
• AWS > VPC > Flow Log > Intelligent Assessment > Context
• AWS > VPC > Flow Log > Intelligent Assessment > User Prompt
• AWS > VPC > Network ACL > Intelligent Assessment
• AWS > VPC > Network ACL > Intelligent Assessment > Context
• AWS > VPC > Network ACL > Intelligent Assessment > User Prompt
• AWS > VPC > Security Group > Intelligent Assessment
• AWS > VPC > Security Group > Intelligent Assessment > Context
• AWS > VPC > Security Group > Intelligent Assessment > User Prompt
• AWS > VPC > Security Group Rule > Intelligent Assessment
• AWS > VPC > Security Group Rule > Intelligent Assessment > Context
• AWS > VPC > Security Group Rule > Intelligent Assessment > User Prompt

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment
• AWS > VPC > Elastic IP > Intelligent Assessment
• AWS > VPC > Endpoint > Intelligent Assessment
• AWS > VPC > Endpoint Service > Intelligent Assessment
• AWS > VPC > Internet Gateway > Intelligent Assessment
• AWS > VPC > NAT Gateway > Intelligent Assessment

Policy Types

• AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment
• AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment > Context
• AWS > VPC > Egress Only Internet Gateway > Intelligent Assessment > User Prompt
• AWS > VPC > Elastic IP > Intelligent Assessment
• AWS > VPC > Elastic IP > Intelligent Assessment > Context
• AWS > VPC > Elastic IP > Intelligent Assessment > User Prompt
• AWS > VPC > Endpoint > Intelligent Assessment
• AWS > VPC > Endpoint > Intelligent Assessment > Context
• AWS > VPC > Endpoint > Intelligent Assessment > User Prompt
• AWS > VPC > Endpoint Service > Intelligent Assessment
• AWS > VPC > Endpoint Service > Intelligent Assessment > Context
• AWS > VPC > Endpoint Service > Intelligent Assessment > User Prompt
• AWS > VPC > Internet Gateway > Intelligent Assessment
• AWS > VPC > Internet Gateway > Intelligent Assessment > Context
• AWS > VPC > Internet Gateway > Intelligent Assessment > User Prompt
• AWS > VPC > NAT Gateway > Intelligent Assessment
• AWS > VPC > NAT Gateway > Intelligent Assessment > Context
• AWS > VPC > NAT Gateway > Intelligent Assessment > User Prompt

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.
• Users can now create and manage tags for VPC transit gateway attachments. To get started, set the AWS > VPC > Transit Gateway Attachment > Tags > * policies.

Control Types

• AWS > VPC > Customer Gateway > Intelligent Assessment
• AWS > VPC > Peering Connection > Intelligent Assessment
• AWS > VPC > Transit Gateway > Intelligent Assessment
• AWS > VPC > Transit Gateway Attachment > Intelligent Assessment
• AWS > VPC > Transit Gateway Attachment > Intelligent Assessment
• AWS > VPC > Transit Gateway Attachment > Tags
• AWS > VPC > Transit Gateway Route Table > Intelligent Assessment
• AWS > VPC > VPN Connection > Intelligent Assessment
• AWS > VPC > VPN Gateway > Intelligent Assessment

Policy Types

• AWS > VPC > Customer Gateway > Intelligent Assessment
• AWS > VPC > Customer Gateway > Intelligent Assessment > Context
• AWS > VPC > Customer Gateway > Intelligent Assessment > User Prompt
• AWS > VPC > Peering Connection > Intelligent Assessment
• AWS > VPC > Peering Connection > Intelligent Assessment > Context
• AWS > VPC > Peering Connection > Intelligent Assessment > User Prompt
• AWS > VPC > Transit Gateway > Intelligent Assessment
• AWS > VPC > Transit Gateway > Intelligent Assessment > Context
• AWS > VPC > Transit Gateway > Intelligent Assessment > User Prompt
• AWS > VPC > Transit Gateway Attachment > Intelligent Assessment
• AWS > VPC > Transit Gateway Attachment > Intelligent Assessment > Context
• AWS > VPC > Transit Gateway Attachment > Intelligent Assessment > User Prompt
• AWS > VPC > Transit Gateway Attachment > Tags
• AWS > VPC > Transit Gateway Attachment > Tags > Template
• AWS > VPC > Transit Gateway Route Table > Intelligent Assessment
• AWS > VPC > Transit Gateway Route Table > Intelligent Assessment > Context
• AWS > VPC > Transit Gateway Route Table > Intelligent Assessment > User Prompt
• AWS > VPC > VPN Connection > Intelligent Assessment
• AWS > VPC > VPN Connection > Intelligent Assessment > Context
• AWS > VPC > VPN Connection > Intelligent Assessment > User Prompt
• AWS > VPC > VPN Gateway > Intelligent Assessment
• AWS > VPC > VPN Gateway > Intelligent Assessment > Context
• AWS > VPC > VPN Gateway > Intelligent Assessment > User Prompt

Action Types

• AWS > VPC > Transit Gateway Attachment > Set Tags
• AWS > VPC > Transit Gateway Attachment > Skip alarm for Tags control
• AWS > VPC > Transit Gateway Attachment > Skip alarm for Tags control [90 days]
• AWS > VPC > Transit Gateway Attachment > Update Tags

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment control.

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

Bug fixes

• Improved the internal handling of user prompts and updated GraphQL dependencies for the Intelligent Assessment controls.

What's new?

• You can now use the Intelligent Assessment controls, which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts. To get started, set the Intelligent Assessment > * policies.

Control Types

• AWS > EC2 > AMI > Intelligent Assessment
• AWS > EC2 > Account Attributes > Intelligent Assessment
• AWS > EC2 > Application Load Balancer > Intelligent Assessment
• AWS > EC2 > Auto Scaling Group > Intelligent Assessment
• AWS > EC2 > Classic Load Balancer > Intelligent Assessment
• AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment
• AWS > EC2 > Gateway Load Balancer > Intelligent Assessment
• AWS > EC2 > Instance > Intelligent Assessment
• AWS > EC2 > Key Pair > Intelligent Assessment
• AWS > EC2 > Launch Configuration > Intelligent Assessment
• AWS > EC2 > Launch Template > Intelligent Assessment
• AWS > EC2 > Launch Template Version > Intelligent Assessment
• AWS > EC2 > Listener Rule > Intelligent Assessment
• AWS > EC2 > Load Balancer Listener > Intelligent Assessment
• AWS > EC2 > Network Interface > Intelligent Assessment
• AWS > EC2 > Network Load Balancer > Intelligent Assessment
• AWS > EC2 > Snapshot > Intelligent Assessment
• AWS > EC2 > Target Group > Intelligent Assessment
• AWS > EC2 > Volume > Intelligent Assessment

Policy Types

• AWS > EC2 > AMI > Intelligent Assessment
• AWS > EC2 > AMI > Intelligent Assessment > Context
• AWS > EC2 > AMI > Intelligent Assessment > User Prompt
• AWS > EC2 > Account Attributes > Intelligent Assessment
• AWS > EC2 > Account Attributes > Intelligent Assessment > Context
• AWS > EC2 > Account Attributes > Intelligent Assessment > User Prompt
• AWS > EC2 > Application Load Balancer > Intelligent Assessment
• AWS > EC2 > Application Load Balancer > Intelligent Assessment > Context
• AWS > EC2 > Application Load Balancer > Intelligent Assessment > User Prompt
• AWS > EC2 > Auto Scaling Group > Intelligent Assessment
• AWS > EC2 > Auto Scaling Group > Intelligent Assessment > Context
• AWS > EC2 > Auto Scaling Group > Intelligent Assessment > User Prompt
• AWS > EC2 > Classic Load Balancer > Intelligent Assessment
• AWS > EC2 > Classic Load Balancer > Intelligent Assessment > Context
• AWS > EC2 > Classic Load Balancer > Intelligent Assessment > User Prompt
• AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment
• AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment > Context
• AWS > EC2 > Classic Load Balancer Listener > Intelligent Assessment > User Prompt
• AWS > EC2 > Gateway Load Balancer > Intelligent Assessment
• AWS > EC2 > Gateway Load Balancer > Intelligent Assessment > Context
• AWS > EC2 > Gateway Load Balancer > Intelligent Assessment > User Prompt
• AWS > EC2 > Instance > Intelligent Assessment
• AWS > EC2 > Instance > Intelligent Assessment > Context
• AWS > EC2 > Instance > Intelligent Assessment > User Prompt
• AWS > EC2 > Key Pair > Intelligent Assessment
• AWS > EC2 > Key Pair > Intelligent Assessment > Context
• AWS > EC2 > Key Pair > Intelligent Assessment > User Prompt
• AWS > EC2 > Launch Configuration > Intelligent Assessment
• AWS > EC2 > Launch Configuration > Intelligent Assessment > Context
• AWS > EC2 > Launch Configuration > Intelligent Assessment > User Prompt
• AWS > EC2 > Launch Template > Intelligent Assessment
• AWS > EC2 > Launch Template > Intelligent Assessment > Context
• AWS > EC2 > Launch Template > Intelligent Assessment > User Prompt
• AWS > EC2 > Launch Template Version > Intelligent Assessment
• AWS > EC2 > Launch Template Version > Intelligent Assessment > Context
• AWS > EC2 > Launch Template Version > Intelligent Assessment > User Prompt
• AWS > EC2 > Listener Rule > Intelligent Assessment
• AWS > EC2 > Listener Rule > Intelligent Assessment > Context
• AWS > EC2 > Listener Rule > Intelligent Assessment > User Prompt
• AWS > EC2 > Load Balancer Listener > Intelligent Assessment
• AWS > EC2 > Load Balancer Listener > Intelligent Assessment > Context
• AWS > EC2 > Load Balancer Listener > Intelligent Assessment > User Prompt
• AWS > EC2 > Network Interface > Intelligent Assessment
• AWS > EC2 > Network Interface > Intelligent Assessment > Context
• AWS > EC2 > Network Interface > Intelligent Assessment > User Prompt
• AWS > EC2 > Network Load Balancer > Intelligent Assessment
• AWS > EC2 > Network Load Balancer > Intelligent Assessment > Context
• AWS > EC2 > Network Load Balancer > Intelligent Assessment > User Prompt
• AWS > EC2 > Snapshot > Intelligent Assessment
• AWS > EC2 > Snapshot > Intelligent Assessment > Context
• AWS > EC2 > Snapshot > Intelligent Assessment > User Prompt
• AWS > EC2 > Target Group > Intelligent Assessment
• AWS > EC2 > Target Group > Intelligent Assessment > Context
• AWS > EC2 > Target Group > Intelligent Assessment > User Prompt
• AWS > EC2 > Volume > Intelligent Assessment
• AWS > EC2 > Volume > Intelligent Assessment > Context
• AWS > EC2 > Volume > Intelligent Assessment > User Prompt

What's new?

• Improved system prompts for Intelligent Assessment, Intelligent Fixes and Policy Pack Summary.

Requirements

• TE: 5.35.4

Bug fixes

• Fixed an issue where SAML directory certificate updates applied via Terraform appeared successful but did not persist in the backend. These updates are now correctly processed and retained.
• Resolved an issue where the log message for policySetting resources was unclear when attempting to create policy settings for non-existent or uninstalled policy types. The log output is now more informative and precise.

What's new?

• Improved Turbot > AI > Control > Intelligent Assessment > System Prompt policy for better responses from the AI provider.
• Updated the default value for Turbot > AI > Configuration > Max Tokens [Default] policy to 1000.

Requirements

• TE: 5.35.4

What's new?

• AI-generated Policy Pack summaries are now available. To get started, set the Turbot > AI > Policy Pack > * policies.

Control Types

• Turbot > Policy Pack > Summary

Requirements

• TE: 5.35.4

What's new?

• The following 15 mods now have the Intelligent Assessment control(s), which enables dynamic, context-aware resource assessments and leverages AI capabilities to evaluate cloud resources based on user prompts.

• aws-backup v5.13.0

• aws-cloudwatch v5.11.0

• aws-directconnect v5.6.0

• aws-dynamodb v5.15.0

• aws-events v5.15.0

• aws-kms v5.20.0

• aws-lambda v5.15.0

• aws-route53 v6.8.0

• aws-s3 v5.32.0

• aws-sns v5.18.0

• aws-sqs v5.18.0

• aws-vpc-core v5.22.0

• gcp-bigquery v5.9.0

• gcp-bigquerydatatransfer v5.2.0

• gcp-functions v5.10.0

Version bump to align with deployment requirements.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Added support for five optional EC2 Launch Template tags (LaunchTemplateTag1–LaunchTemplateTag5) via SSM parameters. These tags are automatically applied to EC2 instances, EBS volumes, and network interfaces for improved resource classification and automation.
• Introduced the AmiKmsKeyArn parameter to allow specifying a custom AWS KMS Key ARN for encrypting EBS volumes attached to EC2 instances. This enables support for custom encrypted AMIs.
• Added a new EC2InstanceCustomUserData parameter that appends additional UserData from SSM. This allows for dynamic EC2 initialization without needing changes to the CloudFormation template.

Version bump to align with deployment requirements.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• You can now configure your preferred provider to use AI capabilities in your workspace.

Policy Types

• Turbot > AI
• Turbot > AI > Configuration
• Turbot > AI > Configuration > API Key [Default]
• Turbot > AI > Configuration > Enabled [Default]
• Turbot > AI > Configuration > Max Tokens [Default]
• Turbot > AI > Configuration > Model [Default]
• Turbot > AI > Configuration > Provider [Default]
• Turbot > AI > Configuration > Temperature [Default]
• Turbot > AI > Control
• Turbot > AI > Control > Intelligent Assessment
• Turbot > AI > Control > Intelligent Assessment > Enabled
• Turbot > AI > Control > Intelligent Assessment > System Prompt
• Turbot > AI > Control > Intelligent Fixes
• Turbot > AI > Control > Intelligent Fixes > Enabled
• Turbot > AI > Control > Intelligent Fixes > System Prompt
• Turbot > AI > Policy Pack
• Turbot > AI > Policy Pack > Summary
• Turbot > AI > Policy Pack > Summary > Enabled
• Turbot > AI > Policy Pack > Summary > System Prompt

Control Categories

• Resource > Allowed
• Resource > Intelligent Assessment

Requirements

• TE: 5.35.4

What's new?

• You can now configure shared key access for storage accounts. To get started, set the Azure > Storage > Storage Account > Shared Key Access policy.

Control Types

• Azure > Storage > Storage Account > Shared Key Access

Policy Types

• Azure > Storage > Storage Account > Shared Key Access

Action Types

• Azure > Storage > Storage Account > Set Shared Key Access

Bug fixes

• The AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket control previously failed to evaluate correctly when there were more than one FieldSelectors present under AdvancedEventSelectors. This issue is now fixed.
• The AWS > CIS v3.0 > 3 - Logging > 3.09 - Ensure that Object-level logging for read events is enabled for S3 bucket control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.

Bug fixes

• The AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket control previously failed to evaluate correctly when there were more than one FieldSelectors present under AdvancedEventSelectors. This issue is now fixed.
• The AWS > CIS v2.0 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.

Bug fixes

• The AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated) control previously failed to evaluate correctly when there were more than one FieldSelectors present under AdvancedEventSelectors. This issue is now fixed.
• The AWS > CIS v1.4 > 3 - Logging > 3.11 - Ensure that Object-level logging for read events is enabled for S3 bucket (Automated) control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.

Version bump to align with deployment requirements.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• The AWS > KMS > Key > Policy Statements > Approved control will now be skipped for AWS-managed KMS keys.

Bug fixes

• The AWS > CIS v3.0 > 3 - Logging > 3.08 - Ensure that Object-level logging for write events is enabled for S3 bucket control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.

Bug fixes

• Server

  • Fixed access issue in policy pack management.

• UI

  • Fixed an issue where importing a GCP Organization via the UI did not automatically create the required Private Key setting.

Security Updates

Fixed access issue in policy pack management

In version 5.51.3, a security issue was introduced that mistakenly allowed users with any Turbot/* permissions — at the Turbot level, when using the API — to:

• Create or update policy associations within a policy pack
• Delete a policy pack if it was not attached to any resource

This has now been fixed, and the correct permission model has been restored — only users with Turbot/Admin permissions can perform these operations.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

Bug fixes

• The AWS > CloudTrail > Trail > CMDB control has been updated to correctly refresh the EventSelectors and AdvancedEventSelectors details when these settings are removed in AWS. This update ensures that the CMDB data accurately reflects the current state of the trail configuration.

Bug fixes

• The AWS > CIS v2.0 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.

Bug fixes

• The AWS > CIS v1.4 > 3 - Logging > 3.10 - Ensure that Object-level logging for write events is enabled for S3 bucket (Automated) control has been enhanced to evaluate both EventSelectors and AdvancedEventSelectors when determining whether object-level logging is enabled. Previously, the control evaluated only EventSelectors, which could result in false alarms when logging was configured using AdvancedEventSelectors.

Bug fixes

• Load Balancer listeners upserted in Guardrails along with their parent Load Balancers occasionally lacked createTimestamp and createdBy metadata. This omission caused the AWS > EC2 > Load Balancer Listener > Approved control to evaluate incorrectly. We have enhanced our real-time event handling to ensure metadata is accurately populated in such scenarios.

What's new?

• Server
  • Added support for custom webhook URLs in notifications, allowing integration with any third-party systems beyond Slack and Microsoft Teams.
  • ECS tasks now include no-new-privileges for enhanced security posture.

Bug fixes

• Server
  • Email notifications now list recipients in the To field instead of BCC for improved clarity.
  • Resolved an issue where resource-level policy settings could fail when a large number of policy packs were attached.

Requirements

• TEF: 1.66.0
• TED: 1.9.1

Base images

Alpine: 3.17.5 Ubuntu: 22.04.3

What's new?

• Policy Types:
  • Turbot > Notifications > Webhook
  • Turbot > Notifications > Webhook > Authorization Header
  • Turbot > Notifications > Webhook > Action Template
  • Turbot > Notifications > Webhook > Action Template > Body
  • Turbot > Notifications > Webhook > Control Template
  • Turbot > Notifications > Webhook > Control Template > Body

Requirements

• TE: 5.35.4

Resource Types

• AWS > S3 Table
• AWS > S3 Table > Namespace
• AWS > S3 Table > Table
• AWS > S3 Table > Table Bucket

Control Types

• AWS > S3 Table > Namespace > Active
• AWS > S3 Table > Namespace > CMDB
• AWS > S3 Table > Namespace > Discovery
• AWS > S3 Table > Table > Active
• AWS > S3 Table > Table > CMDB
• AWS > S3 Table > Table > Discovery
• AWS > S3 Table > Table Bucket > Active
• AWS > S3 Table > Table Bucket > CMDB
• AWS > S3 Table > Table Bucket > Discovery
• AWS > S3 Table > Table Bucket > Policy
• AWS > S3 Table > Table Bucket > Policy > Trusted Access

Policy Types

• AWS > S3 Table > API Enabled
• AWS > S3 Table > Approved Regions [Default]
• AWS > S3 Table > Enabled
• AWS > S3 Table > Namespace > Active
• AWS > S3 Table > Namespace > Active > Age
• AWS > S3 Table > Namespace > Active > Last Modified
• AWS > S3 Table > Namespace > CMDB
• AWS > S3 Table > Namespace > Regions
• AWS > S3 Table > Permissions
• AWS > S3 Table > Permissions > Levels
• AWS > S3 Table > Permissions > Levels > Modifiers
• AWS > S3 Table > Permissions > Lockdown
• AWS > S3 Table > Permissions > Lockdown > API Boundary
• AWS > S3 Table > Regions
• AWS > S3 Table > Table > Active
• AWS > S3 Table > Table > Active > Age
• AWS > S3 Table > Table > Active > Last Modified
• AWS > S3 Table > Table > CMDB
• AWS > S3 Table > Table > Regions
• AWS > S3 Table > Table Bucket > Active
• AWS > S3 Table > Table Bucket > Active > Age
• AWS > S3 Table > Table Bucket > Active > Last Modified
• AWS > S3 Table > Table Bucket > CMDB
• AWS > S3 Table > Table Bucket > Policy
• AWS > S3 Table > Table Bucket > Policy > Trusted Access
• AWS > S3 Table > Table Bucket > Policy > Trusted Access > Accounts
• AWS > S3 Table > Table Bucket > Regions
• AWS > S3 Table > Trusted Accounts [Default]
• AWS > Turbot > Permissions > Compiled > API Boundary > @turbot/aws-s3table
• AWS > Turbot > Permissions > Compiled > Levels > @turbot/aws-s3table
• AWS > Turbot > Permissions > Compiled > Service Permissions > @turbot/aws-s3table